Information Security Activities of College Students: An Exploratory Study

By Mensch, Scott; Wilkie, LeAnn | Academy of Information and Management Sciences Journal, July 1, 2011


ABSTRACT

Academic institutions prepare students for their professional field of study, but student awareness of Information Technology (IT) security issues continues to be poor (Livermore, 2006; McQuade, 2007). Most college students communicate via email and social networking sites, such as Twitter, MySpace, and Facebook. However, students are at risk for identity theft through fraudulent emails, stolen passwords, unsecured systems, and inadequate network practices (Harwood, 2008). This exploratory study identifies key findings and recommendations regarding information security attitudes, behaviors and tools used by college students along with suggestions for improving information security awareness at institutions of higher education.

INTRODUCTION

Communication, instruction, registration, advising, and administrative functions at institutions of higher education are increasingly conducted through technology-mediated communication (Allen & Seaman, 2010; Cheung & Huang, 2005; Jones, Johnson-Yale, Perez & Schüler, 2007; Salas & Alexander, 2008), including email (Jones, 2008; S. Jones, et al., 2007; Weiss & Hanson-Baldauf, 2008), blogs (Nackerud & Scaletta, 2008), learning management systems (Hawkins & Rudy, 2007; Jacob & Issac, 2008), and social media (Allen & Seaman, 2009; Ashraf, 2009; Ellison, 2007; Gilroy, 2010; Rosen & Nelson, 2008; Saeed, Yang, & Sinnappan, 2009).

Traditional data center and corporate network administrators control the types of data permitted on their networks and the methods used to access data. Because web sites and programs use the same port as a user's Web browser, hackers and cyber criminals often attempt to bypass security controls on computer networks. Thus, corporate network administrators often ban users from accessing private email accounts, instant messenger programs, and social networking sites, such as Twitter, MySpace, and Facebook (Brodkin, 2008). High school networks also commonly block access to these sites and filter email for malware and other unwanted content (Waters, 2007). Because institutions of higher education openly share a substantial amount of information and data, web sites are rarely banned and message content is not filtered, increasing the likelihood that students will encounter hackers or identity thieves while using institutional networks (Allison & DeBlois, 2008; Ziobron, 2003).

While institutions of higher education prepare students for professional careers (Cheung & Huang, 2005), effective information security awareness training has taken a back seat as prospective employers are expected to accept responsibility for training of college graduate hires (Okenyi & Owens, 2007; Turner, 2007). However, this approach is ineffective as sound IT security practices continue to fall through the cracks. Regardless of a student's vocational goals, colleges and universities must take a proactive approach to educate students about the potential risks associated with Internet usage and message security, as reported dollar losses from Internet crime have reached new highs (Internet Crime Complaint Center, 2009).

The need to plan, develop and implement IT security awareness training is crucial to ensure the security of student, faculty, and institutional data and information (The Campus Computing Project, 2007). In order to adequately develop training, a profile of end-user college student security attitudes and behaviors must be determined. Do information security attitudes and behaviors of college students differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, and use of computer security tools? Also, does the effective use of computer security tools differ based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software?

The present study explores information security attitudes and behaviors of college students, and their use of computer security tools. The paper also highlights end-user security awareness practices to promote a better understanding of information security given the inherent dangers in the virtual world, and discusses strategies that institutions can employ to better protect personal information and data.

LITERATURE REVIEW

Human-caused security threats lurking in virtual spaces are ever-evolving. Under the Clery Act, university campuses are required to release yearly crime statistics on crimes including aggravated assault, burglary, theft, vandalism, and driving under the influence ("The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act" [Clery Act], 1990). However, cybercrime, a 24/7/365 threat (Computer Security Institute, 2009), is not tracked by universities. Yet, cyber thieves do an incredible amount of damage to individuals across all spectrums of society (Internet Crime Complaint Center, 2009). While campus safety programs addressing crimes covered by the Clery Act are clearly important, institutions of higher education should also proactively address end-user electronic data security and identity protection, particularly as it pertains to undergraduate and graduate students in the ubiquitous online world.

A variety of information security threats and attack methodologies exist and continue to evolve as technology progresses globally. Social engineering is a common tactic used by attackers and involves persuading people that the perpetrator is someone other than who he/she really is (Mitnick, 2002). Social engineers use deceit to convince people to release information or perform actions. In addition to threats from viruses and worms (Luo & Liao, 2007), the Computer Security Institute (2009) reports the most common attacks to be malware (64.9%), bots and zombies (23%), phishing messages (34%), denial of service attacks (29.2%), password sniffing (17.3%), browser exploitation (11%), social network profile exploitation (9%), and financial fraud (19.5%). Spyware, another worrisome threat, is client-side software that monitors and tracks computer activity and sends collected data secretly to remote machines. Spyware is often found in free downloadable software and may use the CPU and storage for tasks unknown to the end-user (Luo & Liao, 2007). Users running Windows operating systems are targets of most Spyware, but Macintosh operating systems may also be vulnerable (InfoWorld, 2010). Offline threats also exist which include shoulder surfing, dumpster diving (Okenyi & Owens, 2007), and laptop/mobile device theft, which is currently a major threat to organizations and individuals (Computer Security Institute, 2009; Young, 2009).

Identity theft, often associated with social engineering, involves someone gaining access to personal data without a person's knowledge often for purposes of committing identity fraud (Javelin Strategy & Research, 2009) and includes financial and non-financial crimes, such as criminal, government, and medical identity theft (Identity Theft Resource Center, 2010). The Identity Theft Resource Center (2010) cites financial identity theft, such as opening a new line of credit (55%) and stolen credit cards and debit cards (34%) as the most common types of identity theft, followed by governmental/benefit fraud, which includes tax return and employment fraud, and phone/utilities fraud. Data breaches and the Internet as sources of identity theft are up 5.3% from 2003 (Identity Theft Resource Center, 2009). According to the Identity Theft Resource Center (2010), the percentages of adult identity theft victims were 18-29 year-olds (20%), 30-39 year-olds (15%), 40-49 year-olds (25%), and 50-60 year-olds (20%). While 37% of victims knew the thief, 63% of victims did not know the thief (Identity Theft Resource Center, 2010). Most victims discover the crime within the first six months. Intangible costs include time lost from work, lost vacation time, and emotional losses (Identity Theft Resource Center, 2010). Victims spend 68 to 141 hours on average repairing the damage over several months. In terms of dollar costs, fraud committed on an existing account averaged $527 in 2008 and $2,104 for new accounts. Approximately 10% of victims required 2 years or more to clear their names and were also "secondarily wounded" by denial of or inability to get credit, increased insurance or credit card rates, and repeated contacts by collection agencies (Identity Theft Resource Center, 2010). While college students are concerned about identity theft (Trocchia & Ainscough, 2006), the measures they take to protect personal data and information may be lacking (Livermore, 2006).

SECURITY BEHAVIORS OF COLLEGE STUDENTS

As the interests and practices of Internet users change, institutions of higher education must ensure that students are continually educated about online risks. Popular online venues include social networking websites, which provide people with the opportunity to create an online profile to share with others (Barnes, 2006) and even create fictitious lives (Gorge, 2007). Social networking sites are "now visited by over two-thirds (67%) of the global online population... which includes both social networks and blogs,"... and has become "the fourth most popular online category - ahead of personal email" (Nielsen/NetRatings, 2009b, para. 1). Social networking is growing twice as fast as any of the other five most popular sectors which include search, portals, software manufacturers, member communities, and email (Nielsen/NetRatings, 2009a, p. 2).

Fogel & Nehmad (2008) found that 77.6% of college students use social networking sites and Ellison (2007) reports that 79-95% of college students have Facebook accounts. Half of Fogel & Nehmad's (2008) participants included instant messenger names on personal profiles, 65% included a personal email address, 74% allowed anyone to view their profiles, 10% provided a phone number, and 10% provided their home address. This scenario is a major concern as malware and viruses may be sent through email and instant messenger programs. Social networking sites are also subject to hijacking and fake log-in pages, and password management is lacking since people often use the same password and username for various sites (Mansfield-Devine, 2008). Therefore, once a user's Facebook credentials are known, it is easy to gain access to a bank account with the same username and password (Mansfield-Devine, 2008). Many social network users are also not aware that the applications endorsed by a social network are not supplied by the site and there is no assurance of who wrote the software or where it's hosted (Mansfield-Devine, 2008).

Personal data from social networks can also be mined for purposes of conducting phishing attacks. Jagatic, Johnson, Jakobsson & Menczer (2007) conducted a study of college students where 72% of the social network group clicked on the phishing link. Phishing success rates were highest among sophomores (26%) and those classified as "other" (50%) for the control group (receivers of a phishing email from an unknown person with a university address), and highest among freshmen (76%) and "other" (76%) for the social network group. Phishing success rates also were highest among education majors (50%) in the control group, and science (80%) and business (72%) majors in the social network group. Students in technology-related majors had the lowest phishing success rates (0% control; 36% social network). Jagatic, et al. (2007) also spoofed an email message as forwarded from a friend to a group of friends and, even though the experiment contained a coding flaw, 53% of the sample still clicked on the phishing link. Social networking is now recognized as a concern by security professionals as social network profile attacks were added to the Computer Security Institute's 2009 survey for the first time. Many of these attacks are hatched as a result of successful social engineering efforts by attackers, including bots and zombies that originate from the infected computers of end-users. For purposes of this study, the security attitudes and behaviors surveyed include elements such as online account password management, anti-virus and anti-spyware software installation and use, propensity to click on email or instant message hyperlinks, wireless computing behaviors, identity theft victimization, and offline security measures (credit report monitoring, document shredding, etc.). The present study generated the following hypotheses to analyze security attitudes and behaviors of undergraduate and graduate students:

H1: There are no significant differences in overall information security attitudes of college students based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software.

H2: There are no significant differences in information security behaviors of college students based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software.

END-USER SECURITY SOFTWARE

A variety of security software is available to end-users, including firewalls, anti-virus software (Mitnick, 2006), and anti-spyware software. Browser-based tools, such as pop-up blockers and phishing filters, are also available. The question is whether end-users employ security tools and how diligent users are about updating security software (Jokela & Karlsudd, 2007). Also, college students may not know if anti-virus is installed on their computers and may not know how to remove a virus once it's discovered (Jokela & Karlsudd, 2007). The present study generated the following hypothesis to analyze the use of computer security tools by undergraduate and graduate students:

H3: There are no significant differences in college students' use of computer security tools based on factors such as age, gender, ethnicity, classification level, academic major, identity theft victimization, installation of PC anti-virus software, or installation of PC anti-spyware software.

THE C.I.A. TRIAD

Modeling is an important facet when studying information security. Models help researchers explain abstract, often complex, concepts and relationships. The basis for information security models originated in 1994 when the National Security Telecommunications and Information Systems Security Committee (NSTISSC) derived the Comprehensive Model for Information Systems Security, also known as the C.I.A. triad (Whitman & Mattord, 2009) and graphically represented by the McCumber Cube (McCumber, 1991). In the model, information systems security concerns "three critical characteristics of information: confidentiality, integrity, and availability" (NSTISSC, 1994). Confidentiality, the heart of any security policy, encompasses a set of rules that determine access to objects and involves access control of data by users (or groups). An important facet of confidentiality is "the assurance that access controls are enforced" (NSTISSC, "Critical Information Characteristics", para. 2.). This component was further defined by Bell & LaPadula (Bell, 1973) and the U.S. Department of Defense (Trusted Computer System Evaluation Criteria, 1983). The second characteristic is integrity, which Pfleeger defined as "'assets' (which) can only be modified by authorized parties" (1989). Integrity relates to the "quality of information that identifies how closely the data represent reality" (NSTISSC, "Critical Information Characteristics", para. 5). The construct was further defined by Graham & Denning (1972), Biba (1977), and Clark & Wilson (1987). The third characteristic, availability, "ensures the information is provided to authorized users when it's requested or needed" and serves as a "check-and-balance constraint" on the model (NSTISSC, "Critical Information Characteristics", para. 7). Two additional concepts have been added to the CIA triad by many security practitioners. Authenticity involves verifying the authenticity of the user and ensures that inputs to a system are from a trusted source (Stallings & Brown, 2008). Finally, accountability requires an entity's actions to be traced uniquely to that entity (Stallings & Brown, 2008).

SECURITY AWARENESS AND TRAINING

Information systems are composed of six components: software, hardware, data, people, procedures and networks (Whitman & Mattord, 2009). Technological controls are only a part of the security solution. People and procedures are components that are often overlooked in security considerations (Whitman & Mattord, 2009) and people are the most important part of the solution (Hall, 2005, para. 5). The fact that college students are technologically-savvy in using information technology (Kirkwood & Price, 2005) does not assure that they also understand the risks and take appropriate measures to protect personal information and data from hackers and thieves. Policy, education and training, awareness and technology are required to assure information security for both individuals and organizations (Whitman & Mattord, 2009). Awareness training reduces risk and is essential to prevent hacking success rates at both the individual and organizational levels (Okenyi & Owens, 2007). Thus, a successful security awareness program must shift the paradigm from "ad hoc secure behavior to a continuous secure behavior" (Okenyi & Owens, 2007, p. 306).

METHODOLOGY

The population sample for the present study consisted of 2,000 undergraduate and graduate students from a mid-sized eastern university. University policies restricted the use of emails to 2,000 addresses; email addresses were randomly chosen by the graduate research office and sent to full-time undergraduate and graduate students enrolled in all degree programs at the university. The email sent by the graduate research office to the 2,000 students noted above encouraged participation in the study and provided a link to the survey via Survey Monkey; participation was voluntary. A reminder email was sent by the graduate research office one week following the initial email notification. An approved informed consent form was completed by all student participants. Participants were identified by a unique identification number to maintain confidentiality. The data collected was downloaded into the Statistical Package for the Social Sciences 14.0 (SPSS) where all analysis and statistical tests were performed.

INSTRUMENTS

Based on a review of the literature and theoretical standpoints, the researchers developed and pilot tested a 6-item Likert scale consisting of 21 items to determine the security awareness of undergraduate and graduate students the previous academic year using an informal sampling of several classes that included students from several discipline areas across campus. Likert scaling is designed to measure people's attitudes and awareness (Nachmias & Nachmias, 1987). The survey used in the present study was administered via a web-based system to all current undergraduate and graduate students. Survey research has its advantages and disadvantages. Advantages include lower costs, relatively small biasing error, greater anonymity, and accessibility. Disadvantages include "a low response rate, opportunity for probing, and the lack of control over who fills out the questionnaire" (Frankfort-Nachmias and Nachmias, 1996, p. 248).

RESEARCH DESIGN

The study followed a descriptive research design using survey methods with statistical treatments. The design was a cross-sectional survey. Cross-sectional design is the most frequently used study design (Babbie, 1990, p. 65). Descriptive statistics, such as frequency distributions, means, and standard deviations, were utilized to analyze student demographic characteristics, and correlation tests (Cohen, 1988) were performed to determine if significant relationships exist between each of the categorical variables. T-tests of independent samples and analyses of variance (ANOVA) were also conducted to compare differences in security attitude scores and sub-scale scores among the groups. Post hoc multiple comparison tests (Gabriel, 1987) were conducted to determine where differences between means existed. Statistical significance for all tests was set at the 95% level (p > .05).

VARIABLES

The study featured an independent variable consisting of scores derived from the 21-item security attitudes survey. To provide additional analysis, the Likert scale was divided into four subscales, categorized as follows: security behaviors (7-item subscale), use of computer security tools (5-item subscale), wireless security (5-item subscale), and data privacy (4-item subscale). Results from the data privacy and wireless security subscales will be discussed in subsequent articles.

Several categorical variables were included in the study. Age was categorized into four groups (1 = 18 to 23 years of age, 2 = 24 to 30 years of age, 3 = 31 to 36 years of age, 4 = 37+ years of age). Gender was categorized as male or female. Ethnicity was categorized into six groups (1 = White, 2 = Hispanic, 3 = African-American, 4 = Asian, 5 = Native American, 6 = Other [race not specified or non-resident alien]). Major was categorized into nine groups (1 = Education, 2 = Humanities & Social Sciences, 3 = Health & Human Services, 4 = Business, 5 = Fine Arts, 6 = Criminology, 7 = Natural Science, 8 = Information Technology, 9 = Other). Classification was categorized into six groups (1 = Freshman, 2 = Sophomore, 3 = Junior, 4 = Senior, 5 = Graduate, 6 = Other). Additional categorical variables included identity theft victimization with responses classified into three response groups (1 = Yes, 2 = No, 3 = Don't know). Participants were also asked if antivirus was installed on their personal computers. Responses were classified into four groups (1 = Yes, 2 = No, 3 = Yes, but not updated, 4 = Don't know). Participants were asked if anti-spyware was installed on their personal computers. Responses were classified into four groups (1 = Yes, 2 = No, 3 = Yes, but it expired, 4 = Don't know). Participants who affirmatively answered that they had a home wireless network were also asked if they changed the wireless router's default administrator password. Responses were classified into four groups (1 = Yes, 2 = No, 3 = Don't know).

RELIABILITY ANALYSIS

Internal consistency reliability analysis was performed on the Likert subscales of the measure to provide a reliability measurement. Results revealed an internal consistency of α = .69 for the total scale computed from the raw scores of 21 Likert items. Tukey's test for additivity was significant (F = 130.083, p = .000, α = .05) indicating that several scale items may be related. Exploratory factor analysis was conducted to determine if the instrument accurately measured the study's variables and to serve as an estimate to identify unobserved or latent variables that may account for the true variance of the observations. Eigenvalues of 1.0 indicate that a factor is significant (Gorsuch, 1983). Results revealed that 64.9% of the variance could be explained by the first seven factors with eigenvalues of 1.0 or more. Fifteen percent of the variance is explained by a single factor, 11.7% of the variance is explained by a second factor, 11.6% of the variance is explained by a third factor, 8% of the variance is explained by a fourth factor, 7% of the variance is explained by a fifth factor, 6.6% of the variance is explained by a sixth factor, and 5% of the variance is explained by a seventh factor. Scale items 7 through 11 loaded high on factor 1 (security and browser tools). Items 5 and 6 loaded high positive on factor 2 and item 12 loaded high negative on factor 2 (security behaviors - communication tools). Items 14 through 17 loaded high on factor 3 (wireless security). Items 18 through 20 loaded high on factor 4 (data privacy). Items 1, 2 and 21 loaded high on factor 5 (security behaviors - personal identification/passwords). Items 3 and 13 loaded high on factor 6 (security behaviors - public spaces). Item 4 loaded high on factor 7 (financial security - electronic data privacy).

RESULTS

Descriptive statistics were used to analyze demographic data and Likert scale results. Correlation tests were also performed to determine if significant relationships exist between the categorical variables. Initially receiving 134 responses, the researchers eliminated incomplete responses, yielding a final sample size of N = 127 participants. Participants were mostly freshmen and sophomores (45.6%) or graduate students (21.3%), female (63%), Caucasian (81.9%), and 18 to 23 years of age (71.7%). Most majored in Education (18.9%), Humanities & Social Sciences (17.3%), Business (16.5%), or Healthcare (12.6%). The majority of participants have not been a victim of identity theft (85.8%), have anti-virus software installed (80.3%), and have anti-spyware software installed on their PCs (74.8%).

Due to the way the questions were structured, five survey items were reverse coded prior to analysis. Security attitude score ranges were classified as: Very Low = 0-21; Low = 22-42; Moderately Low = 43-63; Moderately High = 64-84; High = 85-105; and Very High = 106-126. Only 6% of participants recorded very high scores (n = 8) and 44% recorded high scores (n = 56). Another 48% recorded moderately high scores (n = 61) and 1.5% recorded moderately low scores (n = 2). Mean security attitude scores overall were 85.02 (SD = 11.579). Participant scores ranged from 63 to 116 (Figure 1).

SECURITY ATTITUDES SURVEY AND SUB-SCALES

Security attitude survey. As summarized in the first data column of Table 1, the lowest mean scores, 24-30 year olds, were 6+ points lower than the 18-23 year-old group. On average, male security attitude scores were 4+ points higher than female scores. In terms of ethnicity, scores of Hispanics averaged 20+ points lower than those self-classified as "other," the highest scoring ethnic group, and 10 points lower than African-Americans and Asians. The lowest scores by classification were among juniors and graduate students, who scored 10+ points lower than the highest scoring groups, sophomores and those self-classified as "other". Attitude scores of information technology majors were 16+ points higher than healthcare majors, the lowest scoring group by major. Attitude scores of identity theft victims averaged 8+ points higher than the lowest scoring participants (those that didn't know if they were an identity theft victim). Participant attitude scores regarding anti-virus software installation averaged 6+ points higher than those that were unsure if anti-virus software is installed, and attitude scores regarding anti-spyware software installation averaged 13+ points higher than those that were unsure if anti-spyware software is installed.

Correlation tests conducted on security attitudes scores by categorical variables revealed significant positive relationships between age and classification (R = A2\, p = .000, α = .05, two-tailed), and a significant negative relationship between age and ID theft victimization (R = -.185, p = .037, α = .05, two-tailed). A significant negative relationship exists between gender and classification (R = -.236, p = .008, α = .05, two-tailed) and a significant positive relationship exists between installation of PC anti-virus software and installation of PC anti-spyware software (R = .213, p = .002, α = .05, two-tailed).

Security behaviors subscale. As summarized in the second data column of Table 1, scores on the 7-item security behaviors subscale ranged from 6 to 42. Security behavior scores among 24-30 year olds were slightly higher than the other groups. In terms of academic major, scores of fine arts majors and information technology majors were 3 points higher on average than scores of criminology majors. Mean scores for males and females were comparable. In terms of ethnicity, scores of those self-classified as "other" were 6+ points higher on average than scores of Hispanics, the lowest scoring group. In terms of academic classification, scores of participants self-classified as "other" were 3 points higher on average than the lowest scoring groups, juniors, freshmen and graduate students. Scores on the identity theft item were comparable. Scores of participants that don't know if anti-virus software is installed were 3 points higher on average than the lowest scoring group, those with anti-virus software installed, but not updated. Scores by anti-spyware installation averaged 3 points higher among those that don't have anti-spyware installed compared to the lowest scoring group, those that have antispyware installed, but not updated.

Security tools subscale. As summarized in the third data column of Table 1, scores on the 5-item subscale ranged from 6 to 30. The highest subscale scores by age group were among those aged 37+ years and those aged 18-23 years; 24-30 year-olds recorded the lowest mean subscale scores. Scores of information technology and criminology majors were 6 to 7 points higher than mean scores of "other" majors and natural science majors, the lowest scoring groups by major. Scores for males averaged 4% higher than female scores. With regard to ethnicity, scores for Asians and African-Americans averaged 4 to 5 points higher than Hispanics, the lowest scoring group. Scores for sophomores and those self-classified as "other" averaged 4 to 5 points higher than the lowest scoring groups, juniors and seniors.

Scores for identity theft victims were 5 points higher than the lowest scoring group, those who did not know if they were identity theft victims. Scores for those with anti-virus software installed were 8 points higher than the lowest scoring group of participants, those that said it was not installed. Scores for those with anti-spyware software installed were 7 points higher than the lowest scoring group of participants, those that said it was not installed.

RESEARCH QUESTIONS

Statistical analysis was performed on the data collected. The significance level was set at the 95% level (p > .05).

Security attitudes. ANOVA tests were conducted to compare security attitude scores by the categorical variables of age, gender, major, ethnicity, identity theft victimization, and installation of anti-virus or anti-spyware programs, along with interaction effects between age and classification, age and identity theft victimization, gender and ethnicity, and PC anti-virus and PC anti-spyware installation. No statistically significant interaction effects in security attitude scores were found between the categorical variables, age and classification F(9, 109) = 1.663, p = .107, α = .05; age and identity theft victimization F(4, 117) = .698, p = .595, α = .05; gender and ethnicity F(5, 115) = .890, p = .490, α = .05; or PC anti-virus installation and PC anti-spyware installation F(6, 114) = .970, p = .449, α = .05.

Statistically significant differences in security attitude scores exist by gender, t(125) = 2.062, p = .041 (two-tailed), α = .05, 95% CI [.174, 8.49]. Male scores (M = 87.74, SD = 11.648) were significantly higher than female scores (M = 83.41, SD = 11.304).

Statistically significant differences in security attitude scores exist by classification F(5, 121) = 2.639, p = .027, α = .05, R² = .167. Multiple comparison tests revealed no significant differences in mean scores by classification group.

Statistically significant differences in security attitude scores exist by installation of PC anti-spyware software, F(3, 123) = 9.044, p = .000, α = .01, R² = .18. Multiple comparison tests (Gabriel, 1987) revealed statistically significant differences in mean scores between participants that answered "Yes" to having anti-spyware installed and those that answered "Yes, but expired" (MD = 9.818, p = .029, α = .05, 95% CI [.68, 18.96]), and between those that answered "Yes" and those that answered "Don't know" (MD = 13.756, p = .000, α = .01, 95% CI [6.69, 20.82]). Participants that answered "Yes" to having anti-spyware installed scored significantly higher (M = 87.57, SD = 11.283) than those that answered "Yes, but expired" (M = 77.75, SD = 8.812) or "Don't know" (M = 73.81, SD = 7.600).

No significant differences in security attitude scores exist by age, F(3, 123) = 1.255, p = .293, α = .05; major, F(8, 118) = 1.644, p = .120, α = .05; ethnicity, F(5, 115) = .894, p = .488, α = .05; identity theft victimization, F(2, 117) = 1.669, p = .193, α = .05; or installation of PC anti-virus software, F(3, 114) = .361, p = .782, α = .05.

Security behaviors. ANOVA tests were conducted to compare security behaviors subscale scores by the categorical variables of age, gender, major, ethnicity, identity theft victimization, and installation of anti-virus or anti-spyware programs, along with interaction effects by age and classification, age and identity theft victimization, gender and ethnicity, and PC anti-virus and anti-spyware software installation. No significant interaction effects exist between age and classification, F(9, 109) = 1.124, p = .352, α = .05; age and identity theft victimization, F(4, 117) = .242, p = .914, α = .05; gender and ethnicity, F(5, 115) = .685, p = .635, α = .05; or PC anti-virus and anti-spyware software installation, F(6, 114) = .370, p = .897, α = .05.

Statistically significant differences in security behaviors subscale scores exist by PC anti-spyware software installation, F(3, 123) = 2.788, p = .043, α = .05, R² = .064. Multiple comparison tests yielded no statistically significant mean differences between the groups.

No significant differences in security behaviors subscale scores exist by age, F(3, 123) = .639, p = .592, α = .05; gender, t(125) = .799, p = .426 (two-tailed), α = .05; ethnicity, F(5, 121) = 2.146, p = .064, α = .05; classification, F(5, 121) = 1.456, p = .209, α = .05; major, F(8, 118) = .970, p = .463, α = .05; identity theft victimization, F(2, 124) = .046, p = .955, α = .05; or PC anti-virus software installation, F(3, 123) = 1.626, p = .187, α = .05.

Security tools. ANOVA tests were conducted to compare security behaviors subscale scores by the categorical variables of age, gender, major, ethnicity, identity theft victimization, and installation of anti-virus or anti-spyware programs, along with interaction effects by age and classification, gender and ethnicity, and anti-virus and anti-spyware software installation. No significant interaction effects exist between age and classification, F(9, 109) = 1.284, p = .254, α = .05, or gender and ethnicity, F(5, 115) = .548, p = .740, α = .05. Statistically significant interaction effects exist between anti-virus and anti-spyware software installation, F(6, 114) = 2.543, p = .024, α = .05, R² = .118 (Figure 2).

SECURITY ATTITUDES

The study revealed several interesting results with regard to security attitude scores. The highest security attitude scores by age were among the youngest participants, 18-23 year-olds (M = 85.97), while the lowest security attitude scores were among 24-30 year-olds (M = 79.94). Of 18-23 year-olds, those classified as "other" and sophomores achieved the highest scores (M = 92.80 and M = 88.60, respectively). Sophomores also comprised 27% of 18-23 year-olds (n = 91). Graduate students comprised half of all 24-30 year-olds (n = 16).

Results by academic major were comparable to the findings of Jagatic, et al. (2007) and Weber, Safonov, & Schmidt (2008) as mean scores of information technology majors were among the highest. Mean scores of fine arts majors were also among the highest in this study. By contrast, mean scores among healthcare majors and criminology majors were among the lowest by academic major. Low attitude scores among criminology majors are a surprising result given that these students are destined for law enforcement and security-related careers that require security-conscious individuals. Low attitude scores for students destined for the healthcare industry are particularly troubling given the fact that this group will ultimately be responsible for protecting patient confidentiality and complying with healthcare laws, policies, and regulations, such as the Health Insurance Portability and Accountability Act of 1996 (McClanahan, 2008). The results of the present study may indicate a possible need for security awareness training of college students in criminology and healthcare disciplines.

Male security attitude scores (M = 87.74, SD = 11.648) were significantly higher than female scores (M = 83.41, SD = 11.304). This finding appears to support prior research that there is a digital divide with regard to gender (Cooper, 2006; Jones, Johnson-Yale, & Millermaier, 2009) and a lack of self-confidence in dealing with computer security issues (Jackson, 2007; Jackson, Ervin, Gardner, & Schmitt, 2001; Jokela & Karlsudd, 2007). In terms of ethnic minority groups, this study also found that the lowest mean security attitude scores by ethnicity were among Hispanics and Native Americans, while mean scores of African-Americans and those self-classified as "other" were among the highest. Scores of Caucasians were also slightly below the average sample mean (M = 85.02). These findings may indicate that Hispanics are less security aware (Norum & Weagley, 2006) and appear to contrast survey results from Unisys Security Index (2010) which found that Hispanics are more concerned about unauthorized access or misuse of personal information than Caucasians or African-Americans.

In terms of academic classification, there appears to be a wide disparity of results as the lowest mean scores were among juniors and graduate students, while the highest scores were among sophomores, seniors, and those self-classified as "other" [5 of n = 8 were > age 30]. Freshmen mean scores were slightly below average mean attitude scores for the sample (M = 85.02). As one might expect, identity theft victims had the highest mean security attitude scores compared to non-victim participants or those who don't know if they are an identity theft victim.

Participants that have active anti-spyware software installed appear to be more security-conscious than those that either let their anti-spyware license expire or don't know if anti-spyware software is installed. Participants that had anti-spyware installed on their computers usually had anti-virus software installed. Four participants had no anti-virus or anti-spyware software installed (Mensch & Wilkie, 2009). Perhaps this provides a partial explanation for the millions of PCs that are infected with viruses and/or malware worldwide (Young, 2009).

SECURITY BEHAVIORS AND SECURITY TOOLS

Additional analysis was conducted on two subscales of the security attitude scale: security behaviors and security tools. The highest security behavior subscale scores by age were among 24-30 year-olds (M = 33.25) and 18-23 year-olds (M = 32.27), while 31-36 year-olds and 37+ year-olds recorded the lowest mean security behavior subscale scores (M = 31.75 and M = 31.88, respectively). Interestingly, mean security tools subscale scores were highest among 37+ year-olds (M = 19.63) and 18-23 year-olds (M = 18.35). Security tools scores were lowest among 24-30 year-olds (M = 15.50) and 31-36 year-olds (M = 16.92). While one might expect that maturity and experience would result in more security-conscious behaviors, the results of this study do not support that assumption. It appears that age does not necessarily portend wisdom when it comes to security behaviors, such as clearing Internet history/data, updating anti-virus and anti-spyware software, logging out of financial institution web sites, or installing and using security tools, especially with regard to the 31-36 year-old age group. Also, while 24-30 year-olds more effectively exhibit security behaviors, the failure to complement those behaviors with the use of basic security tools (anti-virus and anti-spyware software) may give this age group a false sense of security when it comes to protecting personal information and data. Future studies should be conducted to delve more deeply into behavioral profiles by age to determine if these results occur more widely through the general end-user population and to discover additional underlying factors that may contribute to these findings.

Although mean security behavior scores and security tools scores did not differ significantly by gender, mean scores for males were higher than those for females on both subscales. Again, this result is in line with research by Jones, et al. (2009) and Jokela & Karlsudd (2007) on gender differences with regard to security measures.

With regard to ethnicity, Asians and African-Americans seem to be more likely to adopt security-conscious behaviors and use security tools more readily than Hispanics, a group that scored consistently lower than other groups on the two security subscales reported on herein. Future studies should investigate underlying factors which might contribute to these results.

In terms of academic classification, security behavior scores varied. The lowest security behavior subscale scores by classification were among juniors, freshmen and graduate students, while the highest scores were among those classified as "other" and seniors. With regard to the security tools subscale, the lowest mean scores by academic classification were among juniors and seniors, while the highest scores were among sophomores and those classified as "other." Since juniors recorded low mean scores for both the security behavior and security tools subscales, future studies should investigate contributing factors to this finding and determine if targeted security awareness training is warranted for this group.

In terms of academic major, one would expect criminology majors to be among the most security-conscious of all college students; however, mean security behavior scores of this group were among the lowest by major. Security behavior scores for healthcare majors were also low, another troubling finding. With regard to the use of security tools, mean subscale scores were highest for criminology majors. As with the prior findings on security behaviors and age, use of security tools may give criminology majors a false sense of security when it comes to protecting personal information and data. Not surprisingly, information technology majors routinely received some of the highest scores on both the security behavior and security tools subscales, supporting similar research findings (Jagatic, et al., 2007); however, fine arts majors also recorded high security tools scores. Future research studies should investigate the factors attributed to security behaviors, as well as installation and use of various security tools by academic discipline.

Another surprising result was that identity theft victims recorded mean security behavior scores comparable to the other two groups. It is puzzling that mean scores for victims of identity theft were not significantly higher given that security-conscious behaviors might prevent future loss of financial and personal information. This finding may indicate a need for targeted security awareness training for identity theft victims. By contrast, the highest security tools subscale scores were among identity theft victims. As with the findings on security behaviors by age and academic major, the installation and use of security tools may give identity theft victims a false sense of security when it comes to protecting personal information and data.

On both the security behavior and security tools subscales, the highest mean scores were among those with anti-virus and anti-spyware installed (M = 19.04 and M = 19.52, respectively). The lowest mean scores were among those that don't have anti-virus or anti-spyware software installed (M = 11.00 and M = 12.50, respectively), or don't know if anti-virus software or anti-spyware software is installed (M = 13.14 and M = 12.56, respectively). Significant interaction effects exist between the PC anti-virus software installation and PC anti-spyware software installation variables. Thus, people that have anti-virus software installed also have anti-spyware software installed.

In this study, 80.3% of participants have anti-virus installed, slightly lower than the 88% of participants in Jokela & Karlsudd's (2007) study. Jokela & Karlsudd's (2007) study also reported that "quite a few students (5%)" do not know whether anti-virus software is installed or updated. In the present study, a much higher percentage of students don't know if anti-virus software is installed or updated (14.1%) and another 15% of participants do not have anti-virus installed at all (Mensch & Wilkie, 2009). Also, almost 15% of participants hardly ever or never run anti-virus software on their computers (n = 19) and only 44% do so always or most of the time (Mensch & Wilkie, 2009). Further, 70.9% of participants hardly ever or never run anti-virus software on USB memory devices (n = 90) and only 11% do so always or most of the time (Mensch & Wilkie, 2009). Also, 74.8% of participants have anti-spyware installed, 6% of participants don't have anti-spyware installed, or do not know if it is installed (13%), and 6% have it installed, but it is expired. Further, 23.6% of participants hardly ever or never update anti-spyware software (n = 29), and 22.8% hardly ever or never run anti-spyware software on their computers (n = 29). Only 40.2% update anti-spyware software always or most of the time, while 40.1% run anti-spyware always or most of the time (Mensch & Wilkie, 2009). Perhaps this explains why corporate IT managers often restrict use of USB and other devices on corporate networks (Goodchild, 2008) and the concerns expressed about end-users by security professionals (Young, 2009). These findings clearly indicate a need for end-user training on the installation, use and routine updating of security tools to better protect personal information and data. Future studies should investigate additional factors that contribute to ineffective or nonexistent use of computer security tools by college students.

CONCLUSION

The results of this study reveal a troubling disconnect among many undergraduate and graduate students with regard to information security attitudes, effective security behaviors, and use of computer security tools. The researchers agree with Okenyi & Owens (2007) that a paradigm shift is needed towards continuous secure behavior. What actions should end-users and organizations take to protect personal information and data? For individuals, a multipronged approach will ensure secure Internet-related communication and access, including measures (Heinrichs, 2007; Luo & Liao, 2007; Mitnick, 2006) such as:

Installing and enabling a personal firewall;

Regularly scanning computers, storage devices and email with updated anti-virus and anti-spyware software;

Using browser-enabled pop-up blockers and other built-in browser technologies.

The results of this study lend credence to Schneier's (1999) statement that "security is not a product, it's a process" (para. 6). A reliance on technological controls to the exclusion of people and processes is insufficient (Okenyi & Owens, 2007). Organizations should provide security awareness training (Allison & DeBlois, 2008; Jagatic, et al., 2007; Turner, 2007) to end-users to promote sound behavioral practices (Jones, 2008) in order to protect the confidentiality, integrity, and availability of personal and organizational data. Security awareness practices should include end-user training on topics (Agee & Yang, 2009; Goodchild, 2009; Gorge, 2007; Luo & Liao, 2007; Mansfield-Devine, 2008; Mitnick, 2002) such as:

Social engineering methods and tools used by attackers especially with regard to social media;

The risks of peer-to-peer file sharing networks and downloading unknown programs or files;

The risks of unsecure or unknown web sites and measures to identify and avoid these sites;

The risks of clicking on unknown email links and the risks associated with social networking sites;

The importance of regular data backups and alternative storage options such as external drives, CD/DVDs, or virtualization technologies; and

The importance of applying software patches and security updates on a regular basis.

Network users should be trained how to identify email message threats before clicking on links or attachments (U.S. Department of Justice, n.d.), including examination of email headers and message source code to differentiate a suspicious message from a legitimate one (Goldsborough, 2008; TechRepublic, 2006), and to open a browser and manually navigate to the web site address rather than clicking on a messaged hyperlink. Network user training should also include strong password construction techniques (Thomas, 2005; Weber, et al., 2008), including the following elements:

8 or more characters in length;

Combination of letters, numbers, and symbols; and

Mixed uppercase and lowercase letters, numbers, and symbols.

Organizations should also take proactive steps to reduce the likelihood of identity theft and personal data loss (Allison & DeBlois, 2008). First, written password management guidelines should be adopted and widely dispersed, and regular training sessions should be conducted regarding the routine use of these guidelines at school and at home. Suggested password guidelines (Mansfield-Devine, 2008; McDowell, Rafail, & Hernán, 2009) include:

Change passwords often;

Use different passwords for each account (especially financial institutions);

Don't share passwords with others;

Don't store passwords in the computer memory/history;

Don't use words that can be found in a language dictionary;

Use a mnemonic to remember a complex password;

Never email passwords or reply to emails with passwords or other sensitive data; and

Store password lists in a secure place.

Second, end-users should be taught how to construct a passphrase, which combines the first letters of a phrase coupled with numbers which substitute for words, as a more secure alternative to passwords (Charoen, Raman, & Olfman, 2008; Weber, et al., 2008).
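The passphrase construction just described, checked against the password elements and guidelines listed above, as an added example that is not part of the original article. The word-to-number table, the sample phrase, and the small word list are assumptions made for illustration.

```python
import string

# Assumed substitution table: the article only says that numbers substitute for words.
NUMBER_WORDS = {
    "one": "1", "won": "1", "to": "2", "too": "2", "two": "2", "three": "3",
    "for": "4", "four": "4", "five": "5", "ate": "8", "eight": "8", "nine": "9",
}

# Constructed stand-ins for a language dictionary and a memorable phrase.
COMMON_WORDS = frozenset({"password", "welcome", "sunshine", "football"})
PHRASE = "My two dogs ate four Shoes before I got Home to stop them!"


def build_passphrase(phrase):
    """First letter of each word; number-words become digits; end punctuation is kept."""
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        trailing = token[len(token.rstrip(string.punctuation)):]
        if core.lower() in NUMBER_WORDS:
            out.append(NUMBER_WORDS[core.lower()])
        elif core:
            out.append(core[0])  # keeps the capitalization used in the phrase
        out.append(trailing)
    return "".join(out)


def missing_elements(password, dictionary=COMMON_WORDS):
    """Return the listed elements and guidelines that a candidate password fails."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of uppercase and lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # A dictionary word with digits or symbols tacked on the ends is still a dictionary word.
    if password.strip(string.digits + string.punctuation).lower() in dictionary:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in (build_passphrase(PHRASE), "Password1!", "sunshine"):
        print(candidate, "->", missing_elements(candidate) or "meets the listed elements")
```

The second candidate shows why the dictionary guideline is listed separately: "Password1!" satisfies every composition element and is still rejected.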

Third, training should also be provided to configure phishing filters and privacy settings in browsers and email clients, and to help users determine if a web site is legitimate, especially for sites using Secure Sockets Layer (SSL) or with bad SSL certifications (Goodchild, 2009; Krebs, 2006).
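The checks recommended in this section (examining email headers and message source, and not trusting the text of a messaged hyperlink) can be shown on a single message. This added example is not part of the original article; it uses Python's standard library on a constructed message whose addresses and domains are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email); every domain is a reserved example name.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
 by mx.university.example with ESMTP; Mon, 03 May 2010 09:12:44 -0400
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Campus Help Desk" <helpdesk@university.example>
Reply-To: helpdesk-univ@freemail.example.org
To: student@university.example
Subject: Your mailbox is over quota
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is full. Confirm your password within 24 hours:</p>
<a href="http://login.university.example.account-verify.example.net/reset">https://www.university.example/reset</a>
<p><a href="https://www.university.example/help">Help desk home</a></p>
</body></html>
"""


def addr_domain(value):
    """Domain part of an address header, lowercased ('' if the header is absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def url_host(text):
    """Hostname if the visible link text looks like a URL or bare host, else ''."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text, re.I):
        return ""
    if "://" not in text:
        text = "//" + text
    return (urlparse(text).hostname or "").lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message source."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_findings(msg):
    """Indicators from the headers. They prompt a closer look; they are not verdicts."""
    findings, from_dom = [], addr_domain(msg["From"])
    for header, code in (("Reply-To", "reply-to-mismatch"),
                         ("Return-Path", "return-path-mismatch")):
        dom = addr_domain(msg[header])
        if dom and dom != from_dom:
            findings.append((code, f"{header} domain {dom} differs from From domain {from_dom}"))
    # Only trust Authentication-Results added by the recipient's own mail server.
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            if result.lower() != "pass":
                findings.append((f"auth-{method.lower()}-{result.lower()}", value.strip()))
    return findings


def link_findings(msg):
    """Compare what each link shows with where it really goes."""
    findings, from_dom = [], addr_domain(msg["From"])
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = AnchorCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, text in collector.links:
            target, shown = (urlparse(href).hostname or "").lower(), url_host(text)
            if shown and target and shown != target:
                findings.append(("link-text-mismatch", f"text shows {shown}, link goes to {target}"))
            under_sender = target == from_dom or target.endswith("." + from_dom)
            if from_dom and from_dom in target and not under_sender:
                findings.append(("lookalike-host", f"{target} embeds {from_dom} but is not under it"))
    return findings


def triage(raw):
    msg = message_from_string(raw)
    return header_findings(msg) + link_findings(msg)


if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"{code}: {detail}")
```

A Return-Path or Reply-To on another domain also occurs in legitimate bulk mail, so these findings are reasons to type the site address by hand rather than proof of fraud.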

Lastly, educational institutions should update privacy and security policies to include all IT resources (Allison & DeBlois, 2008), while balancing the academic environment's need for openness with the need for individual privacy and data security (Agee & Yang, 2009). Institutions of higher education should also update end-user conduct policies to address standards of conduct on social networking sites (Gorge, 2007; Mitrano, 2006; Timm & Duven, 2008) while balancing students' freedom of expression. While computer usage policies are an integral part of computer security, a reliance on end-users to read policies may prove to be unreliable (Foltz, Schwager, & Anderson, 2008).

Despite training efforts, organizations cannot guarantee that end-users will practice security measures after training (Welander, 2007). For example, McMillan (2006) reported that 80% of West Point cadets still clicked on a fake email link even after hours of training. Attackers are also getting more sophisticated in their use of social media to target individuals for fraud and identity theft (Collins, 2009). In response, social media companies are working to improve the security and privacy of users (Zuckerberg, 2010). However, end-users must still proactively implement and monitor security procedures at social networking sites.

The results of this study bolster Mitnick's (2002) assertion that "the human factor is truly security's weakest link" (p. 3). When considering information security, no matter how sophisticated the technological solutions, the end-user must learn to accept responsibility and take proactive measures to stay educated about available security tools and procedures to protect personal data and information in both online and offline venues. People and systems must work together to minimize vulnerabilities (Welander, 2007). Educational institutions are the first line of defense to provide training to the end-user student population to stem the tide of compromised computers that are used by thieves and hackers to steal identities and wreak havoc on the Internet.

LIMITATIONS OF THE STUDY

This study is exploratory in nature, is limited to the undergraduate and graduate student population, and does not extend to individuals in the same age groups that are not enrolled in a 4-year college or post-graduate studies. Additional factors may exist which contribute to a better understanding of attitudes, behaviors, and use of computer security tools by college students.

FUTURE RESEARCH

While α = .69 is acceptable for purposes of internal consistency and reliability, the scale should be refined to increase internal consistency and reliability. Future studies should be conducted with larger sample sizes to increase effect size and should use an expanded population group. Future studies should also investigate use of additional computer security tools commonly available to end-users, such as pop-up blockers, browser-based filters, social network and IM privacy settings, and email junk mail filtering.

REFERENCES

Agee, A. S. & Yang, C. (2009, July/August). Top 10 IT issues 2009. Educause Review, 46-58.

Allen, I. E. & Seaman, J. (2009). Learning on demand: Online education in the United States. The Sloan Consortium. Retrieved May 29, 2010, from http://www.sloan-c.org/publications/survey/index

Allison, D. H., & DeBlois, P. B. (2008, May/June). Top 10 IT issues 2008. Educause Review, 43(3), 1622-1629.

Ashraf, B. (2009). Teaching the Google-eyed YouTube generation. Education + Training, 51(5/6), 343-352.

Babbie, E. (1990). Survey research methods (2nd ed.). Belmont, CA: Wadsworth Publishing.

Barnes, S. (2006). A privacy paradox: Social networking in the United States. First Monday (Online), 11(9), p. 1. Retrieved from OmniFile Full Text Mega database.

Bell, D. E. (1973, December). Secure Computer Systems: A Refinement of the Mathematical Model, MTR-2547, Vol. III, The MITRE Corporation. Bedford, MA (ESD-TR-73-278-III).

Biba, K. J. (1977). Integrity Considerations for Secure Computer Systems. The MITRE Corporation. Bedford, MA.

Brodkin, J. (2008, July). One in four firms block Facebook. NetworkWorld, p. 20.

Charoen, D., Raman, M., & Olfman, L. (2008). Improving end user behaviour in password utilization: An action research initiative. Systemic Practice and Action Research, 21(1), 55-72.

Chueng, W. & Huang, W. (2005). Proposing a framework to assess Internet usage in university education: An empirical investigation from a student's perspective. British Journal of Educational Technology, 36(2), 237-253.

Clark, D. D., & Wilson, D. R. (1987). A comparison of commercial and military computer security policies. Proceedings of the 1987 IEEE Symposium on Security and Privacy, Oakland, California, USA, April 1987, pp. 184-194. Los Alamitos, CA: IEEE Computer Society Press.

Cohen, J. (1988). Statistical Power Analysis for the Behavioral Sciences (2nd ed.). Mahwah, NJ: Lawrence Erlbaum Associates.

Collins, H. (2009, December). 2010 Cyber-threat forecast sees hacks growing in sophistication and reach. Government Technology, Retrieved January 6, 2010 from http://www.govtech.com/gt/articles/735777

Computer Security Institute. (2009). 14th annual CSI/FBI computer crime and security survey (S. Peters, In Ed.), Retrieved May 20, 2010 at http://gocsi.com/survey

Cooper, J. (2006). The digital divide: The special case of gender. Journal of Computer Assisted Learning, 22, 320-334.

Ellison, N. (2007). Facebook Use on Campus: A Social Capital Perspective on Social Network Sites. Paper presented at the ECAR Symposium, Boca Raton, FL, December 5-7, 2007. Retrieved from http://www.educause.edu/ecar

Federal Trade Commission. (2010, February). Consumer sentinel network data book. Retrieved May 20, 2010, from www.ftc.gov

Fogel, J. & Nehmad, E. (2008). Internet Social Networking Communities: Risk Taking, Trust, and Privacy Concerns. Computers in Human Behavior, 25, 153-160.

Foltz, C. B., Schwager, P. H., & Anderson, J. E. (2008). Why users (fail to) read computer usage policies. Industrial Management & Data Systems, 8(6), 701-712.

Gabriel, K.R. (1987). A simple method of multiple comparisons of means. Journal of the American Statistical Association, 73, 724-729.

Gilroy, M. (2010). Higher Education Migrates to YouTube and Social Networks. Education Digest: Essential Readings Condensed for Quick Review, 75(1), 18-22. Retrieved from ERIC database.

Goldsborough, R. (2008). Deciphering email headers. Tech Directions, 67(8), p. 7.

Goodchild, J. (2009, April). 5 security flubs users make when browsing the web. Computer Security Officer. Retrieved June 1, 2010 from http://www.csoonline.com/article/print/489738

Goodchild, J. (2008, August). Web 2.0 Applications and sites (and security concerns). Computer Security Officer. Retrieved October 7, 2008, from http://www.csoonline.com/article/print/442215

Gorge, M. (2007). Security for third level organizations and other educational bodies. Computer Fraud & Security, 7, 6-9.

Gorsuch, R. L. (1983). Factor Analysis. Hillsdale, NJ: Lawrence Erlbaum.

Graham, G. S., and Denning, P. J. (1972). Protection-principles and practice. AFIPS Conference Proceedings, Vol. 40. Montvale, N.J.: SJCC, AFIPS Press, 417-429.

Hall, M. (2005). Secure the people. Computerworld. Retrieved May 20, 2010, from http://www.computerworld.com/securitytopics/security/story/0,10801,100448,00.html

Harwood, M. (2008, May). Academic culture, understaffing blamed for higher ed IT insecurity. Security Management. Retrieved November 20, 2008, from www.securitymanagement.com/

Hawkins, B. L., & Rudy, J. A. (2008). EDUCAUSE Core Data Service: Fiscal Year 2007 Summary Report. Retrieved May 22, 2010, from http://net.educause.edu/apps/coredata/reports/2007/

Heinrichs, A. M. (2007, Feb.). Computer dangers that lurk within. Pittsburgh Tribune- Review, p. J5.

Identity Theft Resource Center. (2010). Identity theft: The Aftermath 2009. Retrieved July 1, 2010, from http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2009_20100520.pdf

Identity Theft Resource Center. (2009). Identity theft: The Aftermath 2008. Retrieved May 26, 2010, from http://www.idtheftcenter.org/artman2/public/m_press/identity_Theft_The_Aftermath_2008.shtml

InfoWorld. (2010, June). Macs under attack by high-risk Spyware. Infoworld Tech Watch. Retrieved June 3, 2010, from http://www.infoworld.com/print/125698

Internet Crime Complaint Center (National White Collar Crime Center and The Federal Bureau of Investigation). (2009). Internet Crime Report. Retrieved March 13, 2010 from www.ic3.gov

Jackson, M. (2007). Exploring gender, feminism and technology from a communication perspective: An introduction and commentary. Women's Studies in Communication, 30(2), 149-156.

Jackson, L. A., Ervin, K. S., Gardner, P. D., Schmitt, N. (2001a). Gender and the Internet: Women communicating and men searching. Sex Roles, 44, 363-379.

Jacob, S.M., & Issac, B. (2008, January). Mobile technologies and its impact - An analysis in higher education context. International Journal of Interactive Mobile Technologies. 2(1), 10-18.

Jagatic, T.N., Johnson, N.A., Jakobsson, M., & Menczer, F. (2007, October). Social phishing. Communications of the ACM, 50(10), 94-100.

Javelin Strategy & Research. (2009, February). 2009 Identity Fraud Report: Consumer Version. Retrieved May 20, 2010 from www.javelinstrategy.com

Jokela, P., & Karlsudd, P. (2007). Learning with security. Journal of Information Technology Education, 6, 291-309.

Jones, J. G. (2008). Issues and concerns of directors of postsecondary distance learning programs regarding online methods and technologies. The American Journal of Distance Education, 22, 46-56.

Jones, S., Johnson-Yale, C., & Millermaier, S. (2009, October). U.S. college students' Internet use: Race, gender, and digital divides. Journal of Computer-Mediated Communication Monday, 14, 244-264.

Jones, S., Johnson-Yale, C., Perez, F. S., & Schüler, J. (2007). The internet landscape in college. Yearbook for the National Society for the Study of Education, 106(2), 39-51.

Kirkwood, A., & Price, L. (2005). Learners and learning in the twenty-first century: What do we know about students' attitudes toward and experiences of information and communication technologies that will help us design courses? Studies in Higher Education, 30, 257-274.

Krebs, B. (2006, Feb.) It's 10 p.m. Do you know where your identity is? Popular Mechanics, p. 54.

Lieberman Research Group. (2010). Unisys Security Index: United States 31 March 2010. Retrieved May 20, 2010 from http://www.unisyssecurityindex.com/us/

Livermore, A. (2006, July). College students at increased risk of identity theft; survey shows computer security habits are lacking. BusinessWire, Retrieved August 1, 2006, from LexisNexis Academic.

Luo, X. & Liao, Q. (2007). Awareness education as the key to ransomware prevention. Information Systems Security, 16, 195-202.

Mansfield-Devine, S. (2008, November). Anti-social networking: Exploiting the trusting environment of Web 2.0. Network Security, 4-7.

McClanahan, K. (2008). Balancing good intentions: Protecting the privacy of electronic health information. Bulletin of Science, Technology & Society, 28(1), 69-79.

McCumber, J. (1991). Information Systems Security: A Comprehensive Model. Proceedings of the 14th National Computer Security Conference, 1991. Retrieved June 1, 2010, from wwwstatic.cc.gatech.edu/classes/AY2008/.../InfoSystemsSecurityModel.ppt

McDowell, M., Rafail, J., & Hernán, S. (2009). National Cyber Alert System - Cyber Security Tip ST04-002. United States Computer Emergency Readiness Team. Carnegie Mellon University. Retrieved May 22, 2010, from http://www.us-cert.gov/cas/tips/ST04-002.html

McMillan, R. (2006, November). Security group ranks human error as top security worry. NetworkWorld. Retrieved October 7, 2007, from http://www.networkworld.com/news/2006/111506-security-group-ranks-humanerror.html

McQuade, S. C. (2007). We must educate young people about cybercrime before they start college. Chronicle of Higher Education, 53(18), B29-B31.

Mensch, S. E. & Wilkie, L. (2009, June). Network Security Training for College Students - A Case Study. Insights to a Changing World, 7(1).

Mitnick, K. (2006, June). Mitigating malware in userland. Retrieved January 12, 2009, from http://www.appsense.com/files/documentation/AppSense-White-Paper-Mitnick.pdf

Mitnick, K. (2002). The Art of Deception. Hoboken, NJ: John Wiley & Sons.

Mitrano, T. (2006, Nov./Dec). A wider world: Youth privacy, and social networking technologies. EDUCAUSE Review, 16-28.

Nachmias, D. and Nachmias, C. (1987). Research methods in the Social Sciences. New York: St. Martins Press.

Nackerud, S. & Scaletta, K. (2008). Blogging in the academy. New Directions For Student Services, 124, 71-87.

National Security Telecommunications And Information Systems Security Committee. (1994, June). National Training Standard For Information Systems Security (Infosec) Professionals (No. 4011). Retrieved May 20, 2010, from http://www.cnss.gov/Assets/pdf/nstissi_4011.pdf

Nielsen/NetRatings (2009a). Global faces and networked places. Retrieved June 1, 2010, from http://blog.nielsen.com/nielsenwire/wp-content/uploads/2009/03/nielsen_globalfaces_mar09.pdf

Nielsen/NetRatings (2009b). Social Networks & Blogs Now 4th Most Popular Online Activity, Ahead of Personal Email. Retrieved June 15, 2009, from http://enus.nielsen.com/main/news/news_releases/2009/march/social_networks

Norum, P. S. & Weagley, R. O. (2006-2007). College students, Internet use, and protection from online identity theft. Journal of Educational Technology Systems, 35, 45-59.

Okenyi, P. O., & Owens, T. J. (2007). On the anatomy of human hacking. Information Systems Security, 16, 302-314.

Pfleeger, C. P. (1989). Security in Computing. Upper Saddle River, NJ: Prentice-Hall.

Rosen, D. & Nelson, C. (2008). Web 2.0: A new generation of learners and education. Computers in the Schools, 25(3-4), 211-224.

Saeed, N., Yang, Y., & Sinnappan, S. (2009). Emerging web technologies in Higher Education: A case of Incorporating blogs, podcasts and social bookmarks in a web programming course based on students' learning styles and technology preferences. Educational Technology & Society, 12 (4), 98-109.

Salas, G. & Alexander, J. S. (2008). Technology for institutional enrollment, communication and student success. New Directions for Student Services, 124, 103-116.

Schneier, B. (1999, Dec. 15). Crypto-Gram Newsletter. Retrieved May 20, 2010, from http://www.schneier.com/crypto-gram-9912.html#l

Stallings, W., & Brown, L. (2008). Computer Security: Principles and Practice. Upper Saddle River, NJ: Prentice Hall.

TechRepublic. (2006). Examine e-mail headers to determine their real origin. Retrieved May 1, 2006, from http://techrepublic.com.com/5102-1009-6056367.html

The Campus Computing Project (October, 2007). The Campus Computing Report. Retrieved May 22, 2010, from www.campuscomputing.net

The College Board. (2010). College Search. Retrieved May 24, 2010, from http://collegesearch.collegeboard.com

The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act. 20 U.S.C.A. § 1092(f). (1990).

Thomas, B. (2005). Simple formula for strong passwords (SFSP) tutorial. SANS Institute. Retrieved May 20, 2010, from http://www.sans.org/reading_room/whitepapers/authentication/simple-formula-strong-passwordssfsp-tutorial_1636

Timm, D. M., & Duven, C. J. (2008). Privacy and social networking sites. New Directions for Student Services, 124, 89-102.

Trocchia, P. J. & Ainscough, T. L. (2006). Characterizing consumer concerns about identification technology. International Journal of Retail & Distribution Management, 34(S), 609-620.

Turner, M. L. (2007, September). Training your staff to protect SIS data. University Business, 61-64.

U.S. Department of Defense. (1983). Trusted Computer System Evaluation Criteria. DoD 5200.28-STD. Retrieved May 28, 2010, from http://csrc.nist.gov/publications/history/dod85.pdf

U.S. Department of Justice, (n.d.). Special report on "phishing". Retrieved January 12, 2009, from http://www.usdoj.gov/criminal/fraud/docs/phishing.pdf

Waters, J. K. (2007). Locked down, not out. T.H.E. Journal, 34(2), 34-39.

Weber, J. E., Güster, D., Safonov, P., & Schmidt, M.B. (2008). Weak password security: An empirical study. Information Security Journal: A Global Perspective, 17, 45-54.

Welander, P. (2007, November). Cybersecurity: The human factor. Supplement to Control Engineering, 2-3.

Weiss, M. & Hanson-Baldauf, D. (2008). Email in academia: Expectations, use and instructional impact. Educause Quarterly, 1, 42-50.

Whitman, M. E., & Mattord, H. J. (2009). Principles of Information Security (3rd ed.). Boston, MA: Thomson Course Technology.

Young, J. (2009, May). Top 10 threats to computer systems include professors and students. Education Digest, 74(9), 24-27.

Ziobron, B. (2003, July). Keeping campus networks safe and secure. Cabling Installation & Maintenance, 27-30.

Zuckerberg, M. (2010, May). Making Control Simple. Message posted to http://blog.facebook.com/blog.php?post=391922327130

[Author Affiliation]

Scott Mensch, Indiana University of Pennsylvania

LeAnn Wilkie, Indiana University of Pennsylvania
