Information Systems Security and Safety Measures: The Dichotomy between Students' Familiarity and Practice
Lomo-David, Ewuuk, Shannon, Li-Jen, Academy of Information and Management Sciences Journal
Information systems security and safety measures (ISSSM) are attributes that, if properly implemented, contribute to the safety of computer systems, networks and information. This proper implementation will prohibit or delay viruses, malware and hackers from continuing to plague the digital environment. It is our contention in this study that the problem of data and cyber insecurity could be reduced if more systems users become familiar with and use our suggested ISSSM. Information on the relationship between familiarity with and usage of safe computing practices is needed to address this problem. This study analyzes the relationship between students' familiarity with ISSSM and actual usage of these measures on a daily basis. We use survey data from a sample of 867 students for the study. Results indicate that familiarity with ISSSM translates into practical use for six of the ten attributes. The six attributes are simple passwords, sophisticated passwords, daily computer system scan, scan of email attachments, anti-virus software, and firewalls. The four attributes that did not show significant relationships between familiarity and usage underscore the need for educational institutions to supplement their methods of disseminating information about safe computing to students.
One burning issue concerning information security and safety in contemporary digital computing is how university students' computing behaviors enhance or depreciate the safety and security of information in their domain. The overwhelming interest in the subject of digital information systems security has focused on the coders and distributors of virus and spamware programs all over the internet. The human access component, which requires careful protection of data by the end-user, has only recently become a subject of major discourse. Since millions of students around the world access the internet every minute of every day, it is imperative that the information safety and security focus shift to this large group of users to determine if there is a concomitance between what they are familiar with and what they actually practice. Also, the incessant connectivity of corporate and educational digital communication infrastructure and critical information exchange via the World Wide Web has created a state of unsurpassed vulnerability (Crowley, 2003) that is genie-like in scope. This vulnerability calls for a concerted effort to determine if end-users' familiarity with and usage of ISSSM are related.
The 1996 National Research Council alert on information security and the 1998 Presidential Decision Directive 63 on the vulnerability of critical data in cyberspace are indicative of the importance of the problem. Solving this problem requires training and education in management information systems and security specialization degrees. In the same line of thought, Zhang (2005) agrees that ensuring the security of information and avoiding spyware invasion of systems require avid vigilance and education in information security issues. Also, the end user needs further education on current computer protection and privacy methodologies, and all students should be computer-security literate. Security awareness (Siponen & Kajava, 1998) steadily evolved through the years in three stages: "drawing peoples' attention on security issues, getting users acceptance, and getting users to learn and internalize the necessary security activities." In terms of drawing people's attention to the challenges of information technology, the Federal Executive Council of Nigeria in 2001 approved a National Information Technology Development Agency (NITDA) (Federal Executive Council) to bring information technology closer to the people by ensuring that "the entire citizenry is empowered with information technologies through the development of a critical mass of IT proficient and globally competitive manpower." The organization of the paper from this point on is as follows: related literature, purpose of the study, methodology, data analysis, results, discussion, conclusion, and recommendation for further research.
The vocabulary that covers information security is vast but for the sake of brevity, we are going to limit our related literature discourse to password protection security interests.
A password is a must-remember combination of characters or a word, meaningful or not, that protects a system or releases an identity and thereby grants or denies access to proprietary systems. Passwords can be categorized into simple and sophisticated. Simple passwords are easy to remember, easy to guess and not hacker-proof. Sophisticated passwords are more difficult to hack and require a combination of letters, numbers, and special characters to make them effective. On the whole, passwords can be algorithmically hashed by a person with avid interest in doing so. In explaining the password concept, Weinshall and Kirkpatrick (2004) described it as a self-certifying method that requires a conscious effort to recollect. They argue that passwords should be seen as less than perfect and therefore advocate the use of natural human characteristics for identification. The first level of software protection for any system is to understand how to create a password and use it to log into a protected system. Passwords, though the most popular of the known authentication schemes, are the weakest (Stoller, 2009) because they can be stolen, forgotten, or unwittingly exposed in the open. Several researchers have proposed different approaches to password creation and use. Password robustness is an attribute that can prevent unauthorized access to proprietary systems (Oreku & Jianzhong, 2009). Password authentication systems must identify the user and charge a fee based on the number of times of usage without implementing a password table that lends itself to a "replay attack" (Lin & Chang, 2009). Password authentication must be required to identify users who want entry into systems (Chang, Chen, & Hwang, 2004).
Organizations boost the confidence of their clients by combining a password requirement with preregistered questions and answers in their database. The drawback of a preregistered question and answer such as "what high school did you attend?" is that the answer to such a question is not too difficult for an ardent intruder to obtain. We suggest that the registrant be given the opportunity to create at least ten questions and provide the answers concomitantly. At entry beyond the password permission zone, the requester is asked to answer a random selection of these questions. When the answers provided match the answers in the database, the requester is given entry permission to the system.
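As an added example that is not part of the original paper, the following Python sketch implements the multi-question scheme proposed above: a registrant supplies at least ten question/answer pairs, a random subset is asked beyond the password zone, and entry is granted only when every answer matches. Storing salted, slow hashes of normalized answers instead of the plaintext answers, and asking three questions per challenge, are the editor's assumptions rather than anything the paper specifies.

```python
"""Challenge-question second factor: register >= 10 question/answer pairs,
then verify a random subset of them at entry time."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import unicodedata

MIN_QUESTIONS = 10           # the paper proposes at least ten registered questions
QUESTIONS_PER_CHALLENGE = 3  # assumption: how many are asked per attempt
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalize so 'Lincoln  HIGH' and 'lincoln high' compare equal.
    Only Unicode form, case and whitespace are folded; heavier normalization
    would shrink the answer space an intruder has to guess from."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are stored like passwords (salted, slow hash) so a
    # leaked database does not reveal the plaintext answers.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class SecurityQuestionStore:
    """Holds (question, salt, answer_hash) records per user."""

    def __init__(self) -> None:
        self._records: dict[str, list[tuple[str, bytes, bytes]]] = {}
        self._rng = secrets.SystemRandom()

    def register(self, user: str, qa_pairs: list[tuple[str, str]]) -> int:
        if len(qa_pairs) < MIN_QUESTIONS:
            raise ValueError(f"at least {MIN_QUESTIONS} questions are required")
        records = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            records.append((question, salt, hash_answer(answer, salt)))
        self._records[user] = records
        return len(records)

    def challenge(self, user: str, k: int = QUESTIONS_PER_CHALLENGE):
        """Pick k distinct questions at random; return their indices and texts."""
        records = self._records[user]
        indices = self._rng.sample(range(len(records)), k)
        return indices, [records[i][0] for i in indices]

    def verify(self, user: str, indices: list[int], answers: list[str]) -> bool:
        """Grant entry only when every asked question is answered correctly.
        Every answer is checked (no early exit) and compared in constant time."""
        records = self._records[user]
        if len(indices) != len(answers) or len(set(indices)) != len(indices):
            return False
        ok = True
        for i, given in zip(indices, answers):
            _, salt, expected = records[i]
            ok &= hmac.compare_digest(hash_answer(given, salt), expected)
        return ok


# Constructed sample enrolment (not survey data from the paper).
SAMPLE_QA = [(f"Constructed question {n}?", f"answer {n}") for n in range(1, 10)]
SAMPLE_QA.append(("What high school did you attend?", "Lincoln High"))


if __name__ == "__main__":
    store = SecurityQuestionStore()
    store.register("alice", SAMPLE_QA)
    idx, questions = store.challenge("alice")
    lookup = dict(SAMPLE_QA)
    print("asked:", questions)
    print("accepted:", store.verify("alice", idx, [lookup[q] for q in questions]))
```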
Pervasiveness of security problems
The unfortunate continuous success of intrusions into systems and the attendant loss of capital, money, man hours, and goodwill are attributed to several influences. A study by Teer, Kruck, and Kruck (2007) found that students are not the most savvy when it comes to protecting their passwords. They often allow others to make use of and share their passwords. In social engineering circles, releasing a password to a persistent imposter is not as burdensome as a full-fledged attack on a computer system (Mitnick & Simon, 2002), but it does promote avoidable vulnerability. Research found that a physical social engineering approach to soliciting usernames and passwords successfully netted 80% of respondents who released their user names and 60% who released their passwords (Orgill, Romney, Bailey, & Orgill, 2004). In a study at Sydney University, researchers used bogus email to ask students to provide their passwords and usernames for purposes of a system upgrade. The result was that 47% of the participants succumbed to the prank (Greening, 1966).
Sometimes institutions understand the challenges that privacy poses but do not employ new technology for privacy enforcement (Brodie, Karat, & Feng, 2005). The enforcement of privacy policies combined with password use for data protection can mean better data and system handling. Misgivings about negative publicity drive companies that have suffered intrusions to withhold information from the public. This is reported in the CSI/FBI Computer Crime and Security Survey, which also indicates that security incident reporting has increased from 20% to 25% (Gordon, Martin, Loeb, Lucyshyn, & Richardson, 2006). Some companies have strong sentiments about reporting security breaches because the knowledge, if made public, will present an imperfect persona of the organization (Roberts, 2005). Reporting of intrusions can elicit client legal actions, but more important is the fact that failure of organizations to install breach control mechanisms such as firewalls and anti-virus software is tantamount to contributing to the problem. A study explored how security breach announcements affected market reactions and thus the value of firms but found the result inconclusive (Cavusoglu, Mishra, & Raghunathan, 2004).
The primary purpose of this study is to determine if there is a significant relationship between familiarity with ISSSM on the one hand and actual usage on the other. In other words, do students who say they are familiar with ISSSM also practice the use of these measures in their daily affairs with computers?
Familiarity refers to having a general knowledge of the existence, and perhaps the rudimentary functions, of an ISSSM. Use refers to having the intellectual, theoretical and practical capacity to apply each ISSSM when the circumstance calls for it.
This research is part of a larger study that is exploring the understanding and appreciation of ISSSM across educational institutions in Turkey, Republic of China (ROC), and Nigeria. The data for this study were extracted from 24 questions that formed three parts of the larger study. In the first section students were asked to indicate on a three-point Likert-type scale whether they are unfamiliar, somewhat familiar or extremely familiar with a given security measure. In the second section they were asked to indicate the percentage of times (<31%, 31-50%, and >50%) that they use each measure on a regular basis. The third section solicited some demographic information. The survey instrument was widely critiqued by other researchers in Nigeria, Europe and the U.S. for redundancy, ambiguity and readability of questions. To administer this instrument, professors at a random sample of 20 out of the 90 member universities of the National Universities Commission, which accredits institutions of higher learning in Nigeria, were contacted to participate in the study. They administered the survey to their students. The surveys were sent as email attachments to enable participants to download them, digitally make their selections and return the instruments via email. Prior to full-blown administration of the questionnaire, a 100-person pilot test was conducted to ensure that the statements were easy to understand.
Descriptive statistics and cross tabulations were used to analyze the data in this study. Table 1A gives the frequencies/percentages of levels of familiarity (unfamiliar, somewhat familiar and extremely familiar) and levels of usage (<31%, 31%-50%, >50%).
One thousand one hundred surveys were distributed and 867 (79%) usable responses were returned. Demographic information is as follows: Gender: female (54%), male (46%); Classification: undergraduate (63%), graduate (38%); Major: Arts & Sciences (29%), Business (37%), Engineering (18%), others (16%); Level of experience in computing: Expert (46%), Very good (22%), Good (18%), Poor/Novice (14%).
Comparative Descriptions of ISSSM
The following are relevant descriptions of each measure accompanied by representative graphics. Figures 1A to 10B are paired graphical representations of the contents of Table 1A.
Specifically, Figure 1A indicates that while 69% of respondents are extremely familiar with or aware of simple passwords, 64% use them 50% of the time or more (see Figure 1B). Usage of simple passwords by only 64% of students is not extremely impressive considering the fact that even a simple password is necessary to keep some data safe, maintain some system integrity and delay some intrusions. We expected more than 70% of respondents to actively use simple passwords more than 50% of the time.
Figures 2a and 2b illustrate that 87% of respondents are unfamiliar with sophisticated passwords. To add to that, only a dismal 4% use them more than 50 percent of the time. This should raise an alarm because the non-use or non-application of sophisticated passwords by 96% (100% minus 4%) of students less than 50% of the time is a perilous contribution to the problem of system compromise.
Daily Computer System Scan
Figures 3a and 3b show that 50% of respondents are unfamiliar with daily computer system scans but 69% use them more than 50% of the time. Because the daily computer system scan is an automatic process in contemporary computing, most people probably know that it is happening during the boot process and interpret that as using it. The test of actual usage may come from the response to a system glitch combined with the need to successfully execute an immediate system scan.
Scan of Email Attachments
Figures 4a and 4b indicate that 75% of respondents are unfamiliar with scan of email attachments while 54% use it more than 50% of the time. Again, since email scanning is generally an automatic process respondents may consider familiarity and usage to fall in the same realm of understanding and therefore claim usage.
Figures 5a and 5b indicate that 56% of respondents are unfamiliar with anti-virus software but only 15% use it more than 50% of the time. Most computer systems today have preinstalled anti-virus software or have online access to one, and therefore usage may be automatic. The data indicating that only 15% use it more than 50% of the time may be a reflection of those who do not have online access to anti-virus software and therefore have to purchase and install their own copy.
Password on Email Attachments
Figure 6a indicates that 79% of respondents are unfamiliar with creating a password, building it into a file and attaching the file to an email message. Figure 6b indicates that less than 1% use passwords on email attachments more than 50% of the time. That 79% of respondents are unfamiliar with password attachment and a dismal less than 1% use it more than 50% of the time should be unacceptable in contemporary computing. This reflects the findings of previous studies (Teer, Kruck, & Kruck, 2007; Aytes & Connolly, 2004) that show students' disinterest in computer and data safety.
Figure 7a indicates that 95% of respondents are unfamiliar with biometric authentication while only 1% use it more than 50% of the time (Figure 7b). Since biometric authentication uses the uniqueness of what humans already have, such as fingerprints or retinal patterns, and we do not have to make an effort to remember anything such as passwords, it is a technology that should be required to interface between all systems users and systems. It is hardly surprising to learn that 95% of students are unfamiliar with biometric authentication.
Figure 8a shows that 63% of respondents are unfamiliar with firewalls while only 7% use them more than 50% of the time (Figure 8b). Firewalls filter incoming traffic before it arrives at the computer station, and therefore their presence may not be apparent to the non-savvy user.
Intrusion Detection Systems
Figure 9a shows that 44% of respondents are unfamiliar with intrusion detection systems while 4% (Figure 9b) use it more than 50% of the time.
Multifaceted Authentication Systems
Figure 10a shows that 94% of respondents are unfamiliar with multifaceted authentication systems while less than 1% (Figure 10b) use them more than 50% of the time.
HYPOTHESES TESTED FOR THIS STUDY
Table 2 shows the null hypotheses for this study.
Table 3 shows the results of SPSS 15 cross tabulations and Chi-Squares of familiarity with and usage of information systems security and safety measures.
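As an added illustration of the analysis described in this section (not the authors' SPSS output or their survey data), the Python block below builds a 3 x 3 familiarity-by-usage cross-tabulation on constructed counts and runs the chi-square test of independence at the .05 level, including the usual check for sparse expected cells.

```python
"""Cross-tabulation plus chi-square test of independence, the analysis the
paper applies to each familiarity x usage pair (3 x 3 table, df = 4)."""
from __future__ import annotations

import math

ALPHA = 0.05
FAMILIARITY = ("unfamiliar", "somewhat familiar", "extremely familiar")
USAGE = ("<31%", "31%-50%", ">50%")


def expected_counts(table: list[list[int]]) -> list[list[float]]:
    """E_ij = (row total_i * column total_j) / N under independence."""
    n = sum(map(sum, table))
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    if n == 0 or 0 in row_totals or 0 in col_totals:
        raise ValueError("every row and column needs at least one observation")
    return [[rt * ct / n for ct in col_totals] for rt in row_totals]


def chi_square_statistic(table: list[list[int]]):
    """Pearson statistic sum((O - E)^2 / E), degrees of freedom, and E."""
    expected = expected_counts(table)
    stat = sum((o - e) ** 2 / e
               for obs_row, exp_row in zip(table, expected)
               for o, e in zip(obs_row, exp_row))
    df = (len(table) - 1) * (len(table[0]) - 1)
    return stat, df, expected


def chi_square_sf(x: float, df: int) -> float:
    """P(X^2 >= x) for even df via the closed form
    exp(-x/2) * sum_{i < df/2} (x/2)^i / i!  (df = 4 for a 3 x 3 table)."""
    if df <= 0 or df % 2:
        raise ValueError("closed form implemented for even df only")
    half = x / 2.0
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(df // 2))


def independence_test(table: list[list[int]], alpha: float = ALPHA) -> dict:
    """Statistic, p-value and decision at alpha, plus the number of cells with
    expected count < 5 (the usual caveat before trusting the approximation)."""
    stat, df, expected = chi_square_statistic(table)
    p = chi_square_sf(stat, df)
    sparse = sum(1 for row in expected for e in row if e < 5)
    return {"chi2": stat, "df": df, "p": p,
            "significant": p < alpha, "sparse_cells": sparse}


# Constructed counts (not the survey data): rows follow FAMILIARITY, columns
# follow USAGE. In the first table usage rises with familiarity; in the second
# every familiarity level has the same usage profile, so independence holds.
DEPENDENT_TABLE = [[60, 25, 15],
                   [30, 40, 30],
                   [10, 20, 70]]
INDEPENDENT_TABLE = [[30, 30, 40],
                     [30, 30, 40],
                     [30, 30, 40]]


def format_crosstab(table: list[list[int]]) -> str:
    header = f"{'':20}" + "".join(f"{u:>10}" for u in USAGE)
    rows = [f"{f:20}" + "".join(f"{c:>10}" for c in row)
            for f, row in zip(FAMILIARITY, table)]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    for name, table in (("dependent", DEPENDENT_TABLE), ("independent", INDEPENDENT_TABLE)):
        print(name)
        print(format_crosstab(table))
        print(independence_test(table))
        print()
```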
Hypothesis 1: Simple passwords. We did find a significant relationship between familiarity with and usage of simple passwords at the .05 level.
Hypothesis 2: Sophisticated passwords. We found a significant relationship between familiarity with and usage of sophisticated passwords at the .05 level.
Hypothesis 3: Daily computer systems scan. We found a significant relationship between familiarity with and usage of daily computer systems scan at the .05 level.
Hypothesis 4: Scan of email attachments. We found a significant relationship between familiarity with and usage of Scan of email attachments at the .05 level.
Hypothesis 5: Anti-virus software. We found a significant relationship between familiarity with and usage of anti-virus software at the .05 level.
Hypothesis 6: Passwords on email attachments. We found no significant relationship between familiarity with and usage of passwords on email attachments at the .05 level.
Hypothesis 7: Biometric authentication. We found no significant relationship between familiarity with and usage of biometric authentication at the .05 level.
Hypothesis 8: Firewalls. We found a significant relationship between familiarity with and usage of Firewalls at the .05 level.
Hypothesis 9: Intrusion detection systems. We found no significant relationship between familiarity with and usage of intrusion detection systems at the .05 level.
Hypothesis 10: Multifaceted authentication systems. We found no significant relationship between familiarity with and usage of multifaceted authentication systems at the .05 level.
The discussion below will focus on the six ISSSM that showed significant relationships between familiarity and usage at the .05 level. The other four that did not show significant relationship will not be discussed in detail.
Significant ISSSM: Regarding simple passwords, we found that a large percentage (69%) of respondents are extremely familiar with them and actually use them in their daily access to computer systems. Sixty-four percent of respondents use them more than 50% of the time. When we added the 64% who use them more than 50% of the time to the 11% who use them between 31% and 50% of the time, we found that 75% of respondents use simple passwords 31%-100% of the time. This indicates that being familiar with simple passwords does translate into their use. It should be noted that simple passwords do not protect against malicious entry into a system as well as sophisticated passwords do. As for sophisticated passwords, 87 percent of respondents are unfamiliar with them and 90% use them less than 31% of the time. In this case, unfamiliarity with sophisticated passwords translates into nonuse. This is understandable because familiarity has to precede usage, which in turn bolsters familiarity.
Daily computer system scan occurs each time you turn on the computer. Even though fifty percent of respondents are unfamiliar with daily computer system scan, 69% use it more than 50% of the time. Since the process is automatic, even those who are unfamiliar with it have their computing devices scanned during each access.
Scanning email attachments ensures that viruses embedded in files do not infect a computer system. In most systems this is an automatic process, but there are computers that require users to manually scan the system for viruses. Seventy-one percent of respondents are unfamiliar with scanning systems for viruses even though 54% use the process more than 50% of the time. The high percentage of users may be due to the fact that most scans for viruses in file attachments are automatic and require no input from users.
Anti-virus software is designed to protect computer systems from being infected by viruses. Fifty-six percent of respondents are unfamiliar with anti-virus software. Only 15% use it more than 50% of the time. The unfamiliarity of a large percentage of respondents explains the very low 15% usage. Because anti-virus scanning is an automatic process, many end-users may not be aware that their computers are constantly being scanned for viruses. Only occasionally will end-users conduct a manual scan for viruses, when the automatic process is obsolete and needs updating. Firewalls are either software or hardware that filters information coming into computer systems. Sixty-three percent of respondents are unfamiliar with firewalls while 78% use them less than 30% of the time. Because firewalls are designed to protect computer systems automatically, most users may neither be familiar with them nor know that they use them, if they are not very savvy in computing.
Based on the results from this study, we conclude that students who are familiar with the functions of simple passwords are also practical users and therefore may have some simple protection of their systems or files. The predictive power of hypothesis one was p=.000, indicating a high probability that the two factors, familiarity and usage, are significantly related. Regarding sophisticated passwords, a relationship does exist between familiarity and usage, indicating that these respondents' files can be protected better than others'. The significant relationship found between familiarity and usage of daily computer system scans indicates that these respondents can have a safer computing experience. Familiarity and usage are highly related in the case of scanning of email attachments, meaning that these respondents' email attachments will not be easily infected by viruses. In the case of anti-virus software, a relationship does exist between familiarity and usage, confirming that respondents who are familiar with this factor also use it to ensure that system integrity is not compromised. Testing familiarity with and usage of firewalls indicated a strong relationship. This attests to the fact that respondents who are familiar with firewalls use them to shield their systems from invasion by rogue software.
Familiarity and usage did not show a significant relationship in the cases of placing passwords on email attachments, biometric authentication, intrusion detection systems and multifaceted authentication systems. This lack of significant relationship is an indication that familiarity in these cases does not translate into usage and therefore renders computer systems less safe.
To secure network servers and protect users' privacy, many experts have suggested providing options for access control and authentication. While many companies have been providing various services to satisfy customers' needs, including digital advertisement, marketing, music, gaming, video, networking, and many others, it is vital to make the application development environment publicly available so that it becomes easier for application developers to apply security to programs designed for the users (Ahamad, 2008). Moreover, a digital protection awareness program might be invaluable in higher education institutions to prepare our prospective employees entering the digital work life environment of the 21st century.
Further research using the same framework might be conducted and targeted at Fortune 500 companies. It will be interesting to find the status of familiarity with and usage of ISSSM in the healthcare industry and among academics as well. This study might be replicated in the US, Canada, Europe and other African countries. The current study identified six ISSSM that lend themselves to familiarity and usage. A study should be conducted to identify the attributes that make these six ISSSM amenable to the concomitance of familiarity and usage. Appendix A shows the instrument used for this study.
Ahamad, M. (2008). Emerging cyber threats report for 2009. Georgia: Georgia Tech Information Security Center.
Aytes, K. & T. Connolly (2004). Computer security and risky computing practices: A rational choice perspective. Journal of Organizational and End User Computing, 16(3), 22-40.
Brodie, C., C. Karat & J. Feng (2005). Usable security and privacy: a case study of developing privacy management tools. Pittsburgh, PA: SOUPS, (July), 6-8.
Chang, C.C., K.L. Chen & M.S. Hwang (2004). End-to-end security protocol for mobile communications with end-user identification/authentication. Wireless Personal Communications, 28(2), 95-106.
Crowley, E. (2003). Information System Security Curricular Development. Proceedings of the 4th Conference on Information Technology Curriculum, 249-255.
Cavusoglu, H., B. Mishra & S. Raghunathan (2004). The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers. International Journal of Electronic Commerce, 9, 69-104.
Federal Executive Council, Nigeria (2008). National Information Technology Development Agency. 12(3), Retrieved December 3, 2008 from http://www.nitda.gov.ng.
Gordon, L., L. Martin, M. Loeb, W. Lucyshyn & R. Richardson (2006). CSI/FBI Computer Crime and Security Survey.
Greening, T. (1966). Ask and Ye Shall Receive: A Study in Social Engineering. ACM SIGSAC Review 14(2), 8-14.
Lin, I. & C. Chang (2009). A countable and time-bound password-based user authentication scheme for the application of electronic commerce. Information Science, 179, 1269-1277.
Mitnick, K. & W. Simon (2002). The Art of Deception: Controlling the Human Element of Security. Indianapolis, IN: Wiley Publishing, Inc.
National Research Council (1996). U.S. Policies Should Foster Broad Use Of Encryption Technologies. Retrieved July 15, 2009, http://epic.org/crypto/reports/nrc_release.html
Oreku, G.S. & L. Jianzhong (2009). End-User Authentication (EUA) Model and Password Security. Journal of Organizational and End-User Computing, 21(2), 28 (16 pages).
Orgill, G.L., et al. (2004). The urgency for effective user privacy education to counter social engineering attacks on secure computer systems. Proceedings of the 5th Conference on Information Technology Education, 171-181.
Presidential Decision Directive (1998). The Clinton Administration's Policy on Critical Infrastructure Protection: Presidential Decision Directive 63. Retrieved July 16, 2009 from http://www.fas.org/irp/offdocs/paper598.htm.
Roberts, K. (2005). Security Breaches, Privacy Intrusions, and Reporting of Computer Crimes. Journal of Information Privacy & Security, 1(4), 22-33.
Siponen, T.M. & J. Kajava (1998). The dimensions and categories of information security awareness. Proceedings of the IFIP TC11 14th International Conference on Information Security.
Stoller, J. (2009). Authentication-passwords and beyond. CMA Management, 44(3), 44-46.
Teer, F.P., S.E. Kruck & G.P. Kruck (2007). Empirical Study of Students' Computer Security - Practices/Perceptions. Journal of Computer Information Systems, 47(3), 105-110.
Weinshall, D. & S. Kirkpatrick (2004). Passwords you will never forget. ACM, Vienna, Austria: ACM, April, 1399-1402.
Zhang, X. (2005). What do consumers really know about Spyware? Communications of the ACM, 48(8), 44-48.
Ewuuk Lomo-David, North Carolina A&T State University
Li-Jen Shannon, Sam Houston State University…
Publication information: Article title: Information Systems Security and Safety Measures: The Dichotomy between Students' Familiarity and Practice. Contributors: Lomo-David, Ewuuk - Author, Shannon, Li-Jen - Author. Journal title: Academy of Information and Management Sciences Journal. Volume: 12. Issue: 1/2 Publication date: January 1, 2009. Page number: 29+. © The DreamCatchers Group, LLC 2007. Provided by ProQuest LLC. All Rights Reserved.