Abstract – The behaviors of fear and respect that a student must develop while dealing with information assurance and security topics, on the way to becoming a professional or subject matter expert, are highly valued. Creating situational and security awareness is an important behavior modification. Specifically, the behaviors of inquiry and awareness that lead to informed suspicion and respect when evaluating security incidents are valued. Evaluating the social impact of respect within the primarily pedagogical construct of a classroom is a difficult and pervasive issue for security faculty. The elements leading to institutionalized respect can be evaluated, but the actualization of respect in a student as it manifests cannot easily be measured.
Introduction
Many corporations have the distinction of being associated with the term FUD, which stands for fear, uncertainty and doubt. The term FUD is “in reference to marketing technique of spreading rumors about a competitor’s new product to dissuade customers from taking a ‘risk’ by buying it” (Glossary). FUD is based upon the misrepresentation or creation of facts in a way that preys on the emotions of the audience.
Many of us would agree that FUD may be a fun game to play around the office water cooler, but is it the appropriate mode of operation for the administrators of our information systems? FUD may be able to open the wallet for the purchase of the latest solution. But according to Duffy (2003), FUD is a short-term solution that in the long run destroys the credibility of the security specialist. Thus, FUD is not an appropriate approach for the education of the information systems student.
So, what is an appropriate approach to stimulate the thinking and the security education and training of the future information systems professional? What about the concepts of fear and respect? These would need to be in the right proportion: too little would create a scenario in which the information given could be easily dismissed as only happening to the other guy. But too much fear would have the same effect as FUD; the decision about which security methods to implement would be based solely on emotion, with little or no regard for searching for the truth or analyzing the potential for risk.
Currently, information assurance and security has gained a certain level of respect. People are being educated about not trusting emails from unknown sources, being careful about which attachments to open, and the need to update virus protection often.
As outbreaks occur and violations of people’s privacy and security become commonplace, the obvious if somewhat whimsical answer is that “Even if you’re paranoid it doesn’t mean they aren’t out to get you”. There are a large number of websites and publicly available information sources that detail protection strategies for the common user. The concepts of strong passwords, virus protection, backups, firewalls, and the like exist (InfraGard). What do we do when the user is going to be a student, and more importantly an information assurance and security student? How do we develop an emotional, or more importantly a behavioral, change in the student that will last throughout their career?
Implementing Security Awareness
Fear and respect can feed security awareness and awareness of security posture. Though security awareness may seem to be the same at both levels, the fact remains that an operational definition of security awareness is “the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization” (“Security awareness”). Though fear and respect may be elements of security awareness, they are not synonymous with it.
Implementing a security awareness program at the university or community college level can create its own issues. Simple activities such as password awareness create overhead and degrade user acceptance unless users are properly motivated. Further, the language and the roots of security awareness can cause issues with acceptance (Weirich & Sasse, 2001). A primary concern while attempting to create awareness is that we do not want to create outward hostility to the concept of information assurance or security. These are issues when dealing with a general population.
Within the classroom, and especially in the laboratory environment, the resources exist to demonstrate how easily a poorly protected system can be compromised. Similarly, the strategies and techniques needed to show how easily most systems can be secured can be demonstrated fairly successfully.
While information assurance and security courses are filled with a self-selecting population of people whose goal is to understand the issues and problems of information assurance and security, that may not be the case for a large percentage of the students in the computer classroom. For example, the student interested in programming may be more interested in learning several programming languages and the strengths and weaknesses of different languages or syntaxes, and may have little desire for, or understanding of, the need for information assurance and security. The computer forensics student may be more interested in learning the tools of the trade and see little need to examine information assurance and security. The student taking a class to improve a work-related skill may not even think of attending an information assurance or security class, especially if they view information assurance or security as being in someone else’s job description.
The viewpoint that security needs to be baked in, and not added as an afterthought, means that all students in our computer classes, even students who are not planning on becoming security experts, need to be given a dose of fear and respect concerning information assurance and security. Thus, a balanced attitude of respect for security needs to be extended to most, if not all, courses a student takes in the computer arena.
Example of fear and respect at work in a university environment
The university author attempts to strike a balance between respect and the security apathy often found in the class by discussing recent cited cases of security breaches and then pointing out that the operating systems labs (with high student exposure) all operate in the open on the Internet with no virus protection or firewalls. Students (and the professor) cannot remember a single case of infection in several years that was not purposely planted on the machine for pedagogical reasons. This example tends to increase the critical thinking of students when considering popular or culturally sustained beliefs about virus propagation.
Though students are exposed daily to discussions about information assurance and security breaches through popular media, the awareness of how it impacts them does not appear to be internalized. A simple exercise to create a sense of the issue is to ask the students a series of questions:
Has anybody had a computer that would not boot (hardware or disk failure)?
Has anybody had a paper lost due to the wrong file being copied/deleted/changed/saved (software assurance or backups)?
Has anybody had the power accidentally turned off to their system (Infrastructure failure, availability)?
Has anybody sent an email that supposedly never arrived, and how could you prove whether it did arrive (non-repudiation, confidentiality)?
Has anybody ever received an email meant for somebody else, or borrowed a friend’s login to browse the web (confidentiality, authorization)?
Has anybody had the Internet go out at their house (infrastructure, availability)?
These simple examples move through the commonly used information assurance topics of confidentiality, integrity, availability, non-repudiation, and authorization. When these and similar questions are asked in entrance courses to information assurance and security, the students begin to understand the scope of the issue and develop an awareness (Oates-Lewandowski, 2005). When theft and physical security are added, students self-report that their ideas begin to be influenced. Since understanding and changing long-term behavior is outside the scope of this article, it is important to note that creating informed and educated ideas about security, rather than mythological ones, is what matters. In entry-level courses that are not based on information assurance concepts, or in service courses offered more widely across the university, the faculty are often not aware of security concerns. Further, the concepts of information assurance and security may be tagged onto the end of a course or not covered at all.
Within the classroom at the university level, developing a culture of awareness has been deemed integral to respect for information assurance and security. When discussing the issues of information assurance and security with faculty outside the school of technology, there is little understanding of the specific issues. Faculty outside of the information assurance and security discipline, even if involved in computer science or the technological arts, may not be prepared to address security issues. Often awareness of the pedagogical issues starts with informing the faculty and creating an appreciation of the issues through demonstration and discussion. This issue is even more troubling when the faculty may not be literate computer users.
As a point of discussion within the information assurance and security classes, the topic “How to create awareness and security consciousness in the English department faculty” has been discussed. Students provided three methods to convince the “fictional” faculty member that being slightly paranoid about security is a good idea.
Students determined that providing research that shows how other faculty members have been victims of “hacking” in the past would show risk.
Students developed an idea that showing an active “hack” against a computer system would show how easily it could be done.
Students discussed the idea of protecting a computer and showing how that one was harder to attack as a demonstration.
Since this was a class discussion, no statistical protocols were possible in determining participation, but in the three classes in which this discussion has been tried there has been a trend to follow the above themes. In one class, in an attempt to remove instructional bias, the students were broken up into small groups (three or four students) and allowed to come to their own conclusions. While these small groups did not come to exactly the same conclusions, the themes of their conclusions were very similar to the themes in the instructor-led discussions. Since previous instructional elements may have fed the conclusions, this is somewhat expected. What surprised the instructors was the simple lack of paranoid or irrational fear mongering. A more formal model is proposed under Future Work.
The thread of showing what is possible and deriving an evidentiary analysis based on fact, and not just opinion, while dealing with information assurance and security topics showed that critical thought was occurring in students. Yet the thread of respect wraps itself around the presupposition that technology systemically fails to perform securely. Since creating awareness is a course objective, and critiquing and evaluating are outcome-based objective verbs for security awareness, the pedagogy was deemed valid for the higher-level students (juniors and seniors).
Example of fear and respect at work in a community college environment
The community college author gives approximately the same dosage of fear and respect to the computer information systems majors he teaches as that received by the university author’s students. In addition, the community college author teaches service classes to non-majors. The two primary service classes are an introduction to PCs for individuals who are just getting started with computers and an office suite class that is required for several professional/technical degree programs across the campus.
The concepts of fear and respect were not an explicit approach for the community college when they designed their classes. Information assurance and security were treated as an integral part of the curriculum, and as such there was an explicit attempt to bake security into computer information systems courses. In addition, the community college created information assurance/security classes as part of an Advance Information Assurance Certificate program based on CNSS 4011 (National Training Standard for Information Systems Security (INFOSEC) Professionals). After discussions with the university author, the community college author was made aware of the implicit use of fear and respect underlying the design of the computer information systems coursework.
For the computer information systems major, students are given several small doses of concern, fear and respect via the use of real-world examples of information breaches regardless of source: human error, social engineering, bad programming, or equipment failure. Some examples of breaches are the loss of tape backups, phishing, data miners, key loggers, Trojans, viruses, and the like. In some classes, the material is gathered by the instructor from magazines, newspapers, TV, or listservs. For some classes, the students are assigned the task of gathering current examples of information breaches. Regardless of the source of the example, the focus is on what actually occurs and on methods to reduce the threat. For most classes, the threat reduction methods are subject to a cost/benefit analysis. This approach reduces the FUD factor and puts in place a realistic and balanced approach to information assurance and security, while at the same time invoking a healthy level of fear and respect.
The working professional who is looking to take the Advance Information Assurance Certificate classes will have the same type of exposure to security breach issues as the individual majoring in computer information systems. The primary difference is in the level of technical detail of the breaches; the certificate student will be introduced to more technical details and will be held to a higher level of comprehension of the costs and benefits when doing their analysis. The professional also has the potential advantage of personal knowledge gained from having suffered a breach, a breakdown of a computer system, or operator mistakes.
For the students who register for the introductory class, in which they learn that this is a keyboard and this is a mouse, the student is given information about how to protect themselves when they connect their machine to the Internet. The student is given cursory information about various malware, such as viruses, Trojans, data miners, worms and the like. The students are shown how to update their operating systems and anti-virus software. They are also introduced to the dangers of opening email attachments and of phishing. The introduction to the risks and possible mitigation strategies provides the backdrop for inducing fear and respect while at the same time giving the student the ability to exercise some controls, thus promoting a healthy fear (respect) of the new world they have decided to join via the Internet.
The students in the office suite class are given the same base information as the introduction to PC students. The office suite students are also given short (half-page) writing assignments concerning computer-related issues. For the first two writing assignments, the community college author finds three articles and the student is required to read and write about one of the articles. For the third writing assignment, the students are asked to find (most choose an Internet search) and write about a current computer issue that the community college author has chosen. The computer issues change each term and are based on current attacks on computers, such as viruses, worms, social engineering, or ethics.
Future Work
There are two threads of inquiry being considered for future work. The first thread follows the concepts of creating and fostering a realistic understanding of security awareness among the user base. The issue of developing awareness while not creating hostility has been addressed in the literature, but the delivery mechanisms that are successful are few. The second thread of inquiry is the concept of mental process and what students adopt as a cognitive model for dealing with the competing interests of freedom of use and the constraints of security. This area has significant scholarship value since it may help develop solidly acceptable models for preparing users to accept information assurance and security practices and procedures.
The area of information assurance and security awareness needs user acceptance to succeed. Of particular concern is active user belligerence to the process of security and apathy towards security procedures. Creating knowledge that “bad stuff” can occur as part of the security awareness may have a causal link to active participation of the user in protecting information and physical assets.
Statistical analysis of student behavior and curriculum evaluation is an important part of the process of creating better units of instruction. Evaluation of future classes should be strengthened and enhanced to create a better baseline if academia, government, and industry are interested in understanding which methods create significant changes. A complementary and important concept would be the ability to create successful security awareness conduits through students who carry the issues to their users. Creating curriculum that enhances practitioner respect is good, but creating curriculum that enables practitioners to foment appropriate respect for information assurance and security is better.
A final area of interest is that this is an interdisciplinary problem. The area of communications and advertising holds the requisite skills necessary to create user buy-in. The same discipline that provided FUD as an acronym is the discipline that can create the communications mechanisms for pushing an agenda of security awareness.
Conclusion
Through classroom activities and discussion, the concepts of security awareness and the concept of “fear” of technological intrusion, which unfortunately is often negatively charged, are discussed. Fostering a certain amount of trepidation and detailing the risks in an organized manner creates awareness within students that may be missing prior to exposure to the concepts. Utilizing real-world factors and examples allows the negative exposure to be mitigated by critical thinking strategies and awareness of solutions to the issues. Fear is often a charged word that lends itself to an instant and emotional reaction within readers and students. It evokes an emotional response that is instantly visible and in itself creates higher security awareness. This is a valuable behavioral modification that hopefully will persist within the student beyond the classroom.
Bibliography
Duffy, Daintry. (2003). The FUD Factor. CSO Online. Retrieved March 9, 2006 from http://www.csoonline.com/read/040103/fud.html
Glossary. Fear, Uncertainty, Doubt (FUD). CSO Online. Retrieved March 9, 2006 from http://www.csoonline.com/glossary/term.cfm?ID=1223
InfraGard. Seven Simple Computer Security Tips for Small Business and Home Computer Users. Retrieved January 26, 2006 from http://www.infragard.net/library/seven_tips.htm
Oates-Lewandowski, J. (2005). Creating a culture of technical caution: addressing the issues of security, privacy protection and the ethical use of technology. Paper presented at the Proceedings of the 33rd annual ACM SIGUCCS conference on User services, Monterey, CA, USA.
Security awareness. Retrieved January 26, 2006 from http://en.wikipedia.org/wiki/Security_awareness
Weirich, D., & Sasse, M. A. (2001). Persuasive password security. Paper presented at the CHI ’01 extended abstracts on Human factors in computing systems, Seattle, Washington.
Author Note:
Since this particular article was originally written about two years ago, there have been several papers and journal articles on the idea of technical caution, security through education, and similar ideas. The article was rejected a few times because the reviewers didn’t like the idea of fear being used as a tool to create security. Unfortunately I am not one to mince words, and I think it is asinine to think everybody works totally on logos and ignores emote. For this particular paper I really need to thank Russell Roscoe, a great writer, an excellent scientist, and a good friend.