Academic institutions prepare students for their professional field of study, but student awareness of Information Technology (IT) security issues continues to be poor (Livermore, 2006; McQuade, 2007). Most college students communicate via email and social networking sites, such as Twitter, MySpace, and Facebook. However, students are at risk for identity theft through fraudulent emails, stolen passwords, unsecured systems, and inadequate network practices (Harwood, 2008). This exploratory study identifies key findings and recommendations regarding information security attitudes, behaviors and tools used by college students along with suggestions for improving information security awareness at institutions of higher education.
Communication, instruction, registration, advising, and administrative functions at institutions of higher education are increasingly conducted through technology-mediated communication (Allen & Seaman, 2010; Chueng & Huang, 2005; Jones, Johnson- Yale, Perez & Schüler, 2007; Salas & Alexander, 2008), including email (Jones, 2008; S. Jones, et al., 2007; Weiss & Hanson-Baldauf, 2008), blogs (Nackerud & Scaletta, 2008), learning management systems (Hawkins & Rudy, 2007; Jacob & Issac, 2008), and social media (Allen & Seaman, 2009; Ashraf, 2009; Ellison, 2007; Gilroy, 2010; Rosen & Nelson, 2008; Saeed, Yang, & Sinnappan, 2009).
Traditional data centers and corporate networks administrators control the types of data permitted on their networks and the methods used to access data. Because web sites and programs use the same port as a user's Web browser, hackers and cyber criminals often attempt to bypass security controls on computer networks. Thus, corporate network administrators often ban users from accessing private email accounts, instant messenger programs, and social networking sites, such as Twitter, MySpace, and Facebook (Brodkin, 2008). High school networks also commonly block access to these sites and filter email for malware and other unwanted content (Waters, 2007). Because institutions of higher education openly share a substantial amount of information and data, web sites are rarely banned and message content is not filtered, increasing the likelihood that students will encounter hackers or identity thieves while using institutional networks (Allison & DeBlois, 2008; Ziobron, 2003).
While institutions of higher education prepare students for professional careers (Cheung & Huang, 2005), effective information security awareness training has taken a back seat as prospective employers are expected to accept responsibility for training of college graduate hires (Okenyi & Owens, 2007; Turner, 2007). However, this approach is ineffective as sound IT security practices continue to fall through the cracks. Regardless of a student's vocational goals, colleges and universities must take a proactive approach to educate students about the potential risks associated with Internet usage and message security, as reported dollar losses from Internet crime have reached new highs (Internet Crime Complaint Center, 2009).
The need to plan, develop and implement IT security awareness training is crucial to ensure the security of student, faculty, and institutional data and information (The Campus Computing Project, 2007). In order to adequately develop training, a profile of end-user college student security attitudes and behaviors must be determined. Do information security attitudes and behaviors of college students differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, and use of computer security tools? Also, does the effective use of computer security tools differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software? …