Communication, instruction, registration, advising, and administrative functions at institutions of higher education are increasingly conducted through technology-mediated communication (Allen & Seaman, 2010; Chueng & Huang, 2005; Jones, Johnson-Yale, Perez & Schuler, 2007; Salas & Alexander, 2008), including email (Jones, 2008; S. Jones, et al., 2007; Weiss & Hanson-Baldauf, 2008), blogs (Nackerud & Scaletta, 2008), learning management systems (Hawkins & Rudy, 2007; Jacob & Issac, 2008), and social media (Allen & Seaman, 2009; Ashraf, 2009; Ellison, 2007; Gilroy, 2010; Rosen & Nelson, 2008; Saeed, Yang, & Sinnappan, 2009).
Traditional data centers and corporate networks administrators control the types of data permitted on their networks and the methods used to access data. Because web sites and programs use the same port as a user's Web browser, hackers and cyber criminals often attempt to bypass security controls on computer networks. Thus, corporate network administrators often ban users from accessing private email accounts, instant messenger programs, and social networking sites, such as Twitter, MySpace, and Facebook (Brodkin, 2008). High school networks also commonly block access to these sites and filter email for malware and other unwanted content (Waters, 2007). Because institutions of higher education openly share a substantial amount of information and data, web sites are rarely banned and message content is not filtered, increasing the likelihood that students will encounter hackers or identity thieves while using institutional networks (Allison & DeBlois, 2008; Ziobron, 2003).
While institutions of higher education prepare students for professional careers (Cheung & Huang, 2005), effective information security awareness training has taken a back seat as prospective employers are expected to accept responsibility for training of college graduate hires (Okenyi & Owens, 2007; Turner, 2007). However, this approach is ineffective as sound IT security practices continue to fall through the cracks. Regardless of a student's vocational goals, colleges and universities must take a proactive approach to educate students about the potential risks associated with Internet usage and message security, as reported dollar losses from Internet crime have reached new highs (Internet Crime Complaint Center, 2009).
The need to plan, develop and implement IT security awareness training is crucial to ensure the security of student, faculty, and institutional data and information (The Campus Computing Project, 2007). In order to adequately develop training, a profile of end-user college student security attitudes and behaviors must be determined. Do information security attitudes and behaviors of college students differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, and use of computer security tools? Also, does the effective use of computer security tools differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software?
The present study explores information security attitudes and behaviors of college students, and their use of computer security tools. The paper also highlights end-user security awareness practices to promote a better understanding of information security given the inherent dangers in the virtual world, and discusses strategies that institutions can employ to better protect personal information and data.
Human-caused security threats lurking in virtual spaces are ever-evolving. Under the Clery Act, university campuses are required to release yearly crime statistics on crimes including aggravated assault, burglary, theft, vandalism, and driving under the influence ("The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act" [Clery Act], 1990). …