Information security and ethics in educational context : the development of conceptual framework to examine their impact

(1)

INFORMA

TION

SECURITY AND ETHICS IN EDUCATIONAL

CONTEXT: THE DEVELOPMENT OF CONCEPTUAL

FRAMEWORK TO EXAMINE THEIR IMPACT

Meysam Namayand

eh

",

Maslin raasrom

'',

and Zur

aini

tsmau"

"

Cent

re for Advanced Software

En g

in

ee

r

i ng

,

Un iv

e

r sity Te

chno

logy

M

a

laysi

a

"

D

e

part

m

e

nt of Sci

ence,

Coll

ege

of Science

a

nd Tec

hnolo

gy,

U

ni

ver s

it y

Tec h nol o g y

Malaysi

a

ABSTRACT

Informationsecur ity and ethics arevie wed as majorareas of inte res t by many academic rese archers and ind ustrial experts. Information security and ethics is define d as an all-encompassin g te rm that refe rs to allac tivitie s needed to sec ure informat io n and systems that supports

it

in order to facilita te its eth ica l use . In this research, the importa nt part of curre nt studies introduced and the funda me ntal concepts of a security framework are explained. To achie ve the goals of info rmation securi ty and ethics, sugges ted frame wo rk discussed from educati on al level to trainin g stage in order to evalua te computer ethics and its soc ial impac ts. Using surve y research, insightISprovided rega rdin g theextent to which

and how unive rs ity student have dealt with iss ues of compu ter ethics and to address the resu lt of designe d compu ter ethics fram ewo rk on their future career and behaviou ralexperience.

1.INTRODUCTION

The current developm en t III infor ma tion and commu nication tec hnologies have impac ted all sectors in our daily life where docs not mat rer whether it is techn ical or routine. To ensure effective working of informat ion sec urit y, vari o us controls and measures had been implemented as the current polic ies and guideline s betwe en co mputer developers (Ham id, 2007). However, lack of pro per co mputer ethics withi n inform a tion securi ty is affect inged uca tionalsocie ty day by day.

Undoub ted ly, the mostimporta nt ofthese co ntrols is to define an understandab le fra mewo rk or mode l for studen ts who roles futurecomputer enginee r or scientist. Hence, this project exa mines awar ene ss and informa tion

of students incomputer ethics from educat ional aspect. Also from Mala ys ian perspective, re vie w of related research(Mas lin & Zuraint. 2008 ) indicatestheexistence of conflictingviewsconcern ing theethica l percepti on s of

stude nts. In roda y's global econ o my, compute r sec urity and comput e r ethics awa re ness IS an im po rtant

component of any managem ent inform a tion syste m (Nort h,ctal2006).

It would an unde niable element of security in Mala ysia n com puter tech nologyas Malays ia is ra nked H outof10 to p infec ted countr iesin theAsia Pacific region as atargetforcyb e r attackers{Sani,2006). Indeed,po ints out that there is a need to unders tand the basic cultural, social , legal and ethical issue s inherent in the discip line of computing. For these reasons, it is essential that as a future computer pro fessionals are taugh t the meaning of

responsibleconduct(Lang ford , 2000).

As tbe computer et hics was one of the major topics wh ic h have bee nthrougho utthe past decades.inorder to pre ve nt the peop le from the social impac t, therefore in this part ofintro duc tion, we ha ve a short milestone on com pu ter ethics and related history of des igned. During the late 1970s,Josep h weizcn baum. a computer scientist

at Massachu setts Institute of Technology in Boston. created a computerprogramthat heculledELIZA. Inhis first experiment with ELIZA. he scripted

it

10 provid e a crude imita tionofa psychothe rapistengaged in an initia l interview withapatient. Inthe mid 1970s, Walter Mane r bega n to use the term "computer et hics " to refe r to that field of inq ui ry dealin g with ethical prob lem s aggra vated.

tran sfor medor createdby co mp uter technology.

Man e roffered an expe riment al course 011 the subject

at Univer s ity. During the late I970 s. Maner generate d muc h Interes tJI1unive rsi ty- le vel computer ethics courses. He offered a variety of workshops and lectur es at computer science conferences and philosophy confer e ncesacrossAmerica.

(2)

regard ing soft ware ownership. Becaus e of the work of Parker and othe rs, the fo undation had been laid for com pu terethics as anacademicdiscipline . Inthemid-Sus. James MO(H of Dar tmout h College publis hed his influential article "What is Computer Eth ics? In Comp uter s and Eth ics, a spec ial issue of the journalon thatparticular time.

During the 1990s,new university courses, research centers, conferences, journa ls, articles and textbook s appeared,and a widediversity of addition al schola rsand topics beca me involved. The mid- 1990s has heral de d the beginning of a second generatio n of Co mputer Ethics which con tain the new conceptof security. The time has come to build upo n and elaborate the conce ptua l foundation whilst, inparall el, developing the frame works within which pract ical actioncan occur, thus reducingthe probability of unforeseen effects of informa tio n tcchnologyapplic nuo n.

In _·O{}(}.... the computer revolution can be usefully divided into three stag....s, two of which have already occurred.the introductionstage andthe permeationstag e. The world entered the third and most important stage "the power stage" in which many of the mos t serious social. political. legal. and ethical questions invo lving inform atio n techno logy will prese nt themselves on a large scale.Theimpor tant miss ionin thisera is to believe that future developments in info rm ation technolog y will make compute r ethics more vibrant and more Important than ever. Computer eth ics is made to research about securityand it's benefi cialaspec ts.

The rema inder of this paper is organi zedasfollows: section 2 describesthe detail s of DAMA frame work by furthe r phases on section 3. In section 4 the related theori es arc disc ussedfro methicalviews.

2.FRAMEWORK

We have developed a fra mework for developmen t of information security with computer ethics respec t to educationa l conce ption. The further discussion follows the exact code of ethics which arc including Privacy, Property, Accu racy and Accessibility. As Fig . I depicts. DAMA (Delirmna, Attitudc, Morality. Awareness) framework examines inform ation security and computer ethics from two major dimensions: the cducsnonsl and

s

ecuri ty tr

sinmg.

In additionDAM A fra meworkare also exp lo red to suggested the educational core of computer ethics which is the effective ways to teach inform ation securi ty along with computer eth ics from the basis of educa tional leve lrathe rthan higher level

The educationaldimensio n is focusingonthe cere of informatio n security which considers along with

s

wsrcncss. mor

a/II; , atti

tud

e

and

dilemma.

In fact, educati on al dimen sion is explored from various perspectives to have relevance for group rather than ind ividuals where the main focus of this issue has been mentioned in tra ining level. Exa mples of quest ions in order to gu ide the develop ment of DA MA framework refere nces include: have you ever heard about compu te r ethics?What are ethicaldilemmasand its socialimpac ts?

The othe r main phase of educational dimension is moraldevelo pmen tthat includes personalbeliefs related to the irbackground ofcomputer ethics. In fact, It focus on morality and further effectivenessthat how individual mora lity can change their atti tude and therefore acqu ire appro pr iateaware ness henc e evalua teethic aldilemmas.

Educatio n

_f-+

c:

Trainin

g

~

•

Acce,,,bill1y A"arcnc,s Tedmical

E

+

_Inform_al

Accurac y Altitude

--±-

•

• I

Prop

:",

I

Morality

ComplltcL"Ethics

--±-

~

a

I

Oilcmn~

I

In rormalio n Secunry

Fig. I DAMA Fram ework .

Moreo ver. security and training dimens ion is what stude ntsthemselves man ifes tcore of info rma tionsecurity alon g v,..ith the he lp of formal and informal discuss ion. The scc uruy dimension inc ludes info rmal discuss ion of common mis takes that happens amo ng most of secur ity consultant and officers which arc relev ant to information securityethics. It incl udes discussio ns of specific exploits of currc nr weaknesses and may result as uneth ical behaviour. The goal of security dimens ion IS to communicate students from technic al perspective to theoreticaltraining.

DAMA approaches presen t methods and creative ide as for teachin g of compute r eth ics with respect of informat ion security for diverse audiences The framewo rk's dimens ions cover the basic levels tor compu ter ethics lectures and class room discussio ns

related to ethicalbehaviour offutu recom puterscient ists The main emphasis is to presentscreativeand ben eficial methods for learni ng experiences in various kinds of Infor mation security ethics. The aut hor s place particular focus that will require students to buildand re builttheir beliefs in different ways in order to know unethical beh aviours and their soc ial impacton their future career.

3 .

EDUCATIONAL DIMENSION

3.1 DAMA

(3)

only by those who are going to design or program

computers. Because of the wides pre ad preva lence of

computers insocietya core of ethical prece pts rel ating to

computer techno logy shou ld be comm unic ated not only

to compute r professionals. but to the general pub lie

through all levels of education. The issue should be

viewed from the perspect iveofsociety and perspect iveof

computerprofessionals(Sp inello .2003).

In looking at the compute r ethics there is a great

emphasis upon incorporating ethical and social impact

issues through o ut the curriculum starting at the point

when children first become compu ter users in schoo l. In

partic ular. there arc a set of guidelines regarding what

students in generalneed to know aboutcomputer ethics .

The preparation of future computer professiona ls should

be examined at both the high school and university

computerscie ncecurricu lum(Forcht.er al., 2004).

The researchers (Masli n & Zurami. 2008)arc in the

process of developing new recommendations at both

levels ofcurricu lum . Inthc highschoolcurriculum, the re

willbeboth generaland specificapproach es to ethicsand

social impactissues.

The generalapproach is toincorporate these concerns

across the curriculum. not jus t incomputer courses. This

is in keeping with the philosophy that computers sho uld

be integrated across the curriculum as a tool for all

discipli nes. The specific approach is to develop social

impact modules with in the co mput er courses that will

focus on these concerns (Foster, 2004).

At the university level the researchers faces a

yet-to-be resolved dilemm a of how to implement the

proposed societal stra nd 1t1 the new curr iculum

recommendations. There is much discu ssion, but little

action, regarding the necessity of preparing ethically and

socially resp onsible computer scientists, especially in

lightof rhehighly pub licized computervirusesthatare an

embarrassmen tto the pro fession. When~ombined with

other compu ter science core mate rial, the teaching of

ethics is made complicated by the fact that it is not as

concrete as the rest of the curric ulum. In accepting the

value-laden nature of techn ology, resear chers should

recognize the need to teach a methodology of explicit

ethica lanalysis inall decision-makingrela ted technology.

The moral development is at tile heart of interest in the

morality clement. In this model (Dark, cr al., 2006),

researchers wanted to create educationa l opport unities

that allow students to examine their existing beliefs

regarding ethica l and technical issues and in relation to

existing technical. pro fessio nal. legal, and cultural

solutions. Inan earlier section, itdescribed ho w students

examinethese solutions with anexternal, objective po int ofview.

Now, the student is positio ned at the centre of the intersecting circles. The is aim 10 create educational

opportunities that allow and enco urage studen ts to

explore "who am [ now" in relation to technical,

professional, cultural. and legal solutions to thes eethical

andsecurity issues. and ask s questions such as "what is

the relations hip between who am l, who Iwantto be, and

these issues andsolutions"?

The most im port ant factor in effectiv e compu ter

security is peop le' s attitudes, actions, and theirsense of

right and wrong (Huff & Frey. 2005). Problems and

issues raised inthe computing environment. Topics10 be

discussed include misuse of cornpurcrs. conce pts of

privacy. codes of conduct for computer professiona ls.

disputed rig hts to products, defining ethical. moral, and

lega l parameters, and what security practitioners should

do about ethics.

The Issue of comp utersecurityhas falleninto thegray

area that educators and industry alike hav e avoided for

fearthattoo litt le knowled gecould be hazardous and100

much could be dangerous. Mos t organizatio ns

ackn ow ledge the need for data security, but, atthe same

time, approach security as hardw are. It may be more

import ant, and ta rmore successful to address the issue of

data securityas an attitude ratherthan atechnology.

3.

2

PAPA

According to (M ason. 1986) decision makers place

such a high value on information that they will often

invade somconc's privacy to get it. Mark eting researchers

have been know n 10 go through people's gar bage to learn

what produ cts they buy, and government officials have

statione d monito rs inrestro om s to gather tra ffic stat istics

to be usedinjustifyingexpansionofthe facilities.

These arc examples of snooping that do not use the

computer. The generalpublic ISaware that the computer

canbe used for this purpose, but it is pro bably not aware

of the case with which per sonal data can be accessed. If

you know ho w to go about the search process. you call

obtain practicall y any types of personal and financial

informalionaboutprivatecitizens.Her e four majoraspect

ofMason's theoryshallbe studied:

3.2 .

1

Privacy

Privacy may define as the claim of ind ivid uals to

deter m ine for the mselves when. to whom, and to what

extent individually identifie d data about them IS

communicatedor used .Most invasionsof pri\acyarcnot

this dramatic or this visible. Rather,they creep lip on us

slowly as, for example. when a group of eli,crvc files

relating toastudentandhis or heracti vities;HCintegrated

intoa single largedatabase.

Co llections of informa tion reveal intimate details

about a student and can thereby depr ive the person ofthe

oppo rtunity to form certain pro fessio nal and personal

relationshi ps.This is the ultim ate cost ofan invasion of

privacy. $0 whyintegrate databasesinthe fi rstplace.It is

becau se the bringing together ofdisparatedata makes the

developmentofnew informat ionrelat ions hips possib le .

3 .2

.2

Accura cy

Accur acy represents the legitimacy. precision and

authenticitywith which information is ren dered. Because

of the per vasiven ess ofinform ationaboutind ivid ualsand

organizations conta ined in info rma tion systems. special

(4)

known mistakes. Difficult ques tions remain when inaccurate information is shared between computer systems. Any framework should describe the legal liabili ty Issues associated with information .Who is held accountable for the errors"? This is an important question may come acrossevery researcher's mind or which party liable for inexact or incorrect information that leads to devastation ofanother.

3.2.3Prop ert y

One of the more controvers ial areas of computer ethicsconcerns the intellec tual property rightsconnected with software ownership. Some people, likc Richard Stallman who started the Frec Software Foundat io n,

believethatsoftwa reownershipshould not be allowed at all. He claims thatall info rmation should be free, and all

programs should be available for copyi ng, studying and

modifying byanyone who wishes to do so. Others argue

rhut software companies or programmers would not

inves t\\ccks and monthsof workand significantfunds in the development of software if they could not get the investment back in the form of license fees or sales (Maso n,1 9R6).

Today's software indu stry is a multib illion dollarpart

of the economy; and software companies claim to lose billions of dollarsper year through illegalcopying.Many people think that software should be ow n able. but

"casualcopying" of personallyownedprograms forone's

friends should also be per mitted.The software industry claims thatmillions of dollars in sales are lost becauseof suchcopying.

3.2.4 Acc es sibility

Accessibility represen ts the legitimacy, precisio n and authenticity with which information IS rendered. Regarding this importantaspect ofresearch this ques tion

may come across the peopl e's mind who is held

accounta ble for errors? Who can you trust in orde r to ovrsocrce your project? In fact, in term compute r ethics accessibility means, what kind of information would available for thc legalusersand students.

4.SECURITY AND TRAINING LEVEL

In terms of computer ethics, security would be <In

undeniab le facto r of it Therefore, short review on

informatio n security which is influence in computer

ethicswillhelp the researcher toidentifythe furtherstudy. Many differe ntterms have been used to describe security

in thc IT areas where informa tion sec urity has become a commonly used concept, and is a broaderter m than data securityand ITsecu rity.Informationis dependentondata as a car rier and onITas atool to manage the info rmation.

Information sccunty IS focused 011 info rmatio n that

data represent. and on related protection req urrcm c nrs. So the definition of informatio n system secu rity is "the

protection of information systems aga inst unautho rized

access to or modification of information, whether in storage. processing or transit, and against the denial of service to authorized usersor the provisio n of service 10

unauthorized users. including those measures necessary

to detect, docum ent, and counter such threats". Four characteristics of info rma tion security arc: availability,

confidentiality, integrity andaccountabi lity.simplifiedas "the right information to the right people in the right time" Availability: concerns the expected usc of

resources Within the desired rimcfra me. Con fidentiality:

re lates to data no t being accessible or revea led to unauthorized peop le Integrity concerns protection

against undesired changes. Accountability refers to the ab ility ofdistinctly derivin g per form ed opera tions from

an indi v idual. Bot h technical and administrat ive security

measures are required to achieve these four

charact eristics.

4.1 Tech nic al level security

Fro m a technical perspective. the preservation of confidentiality, integrity availability and accountability

requires the adopt ion of [T security solutions such as

encryption of data and communication, physica l

eavesdropping. access control systems. secure code

programmmg. authorization and authentication

mechanisms, database security mechanisms. intrusion detection systems, firewalls. Atthis level it is possible to introdu ce frameworks and methods for the selection of

the appropriate tec hnological solution depending on the needs for aparticularapp lication with respect to security 111computerethics.

4.2Formal level security

The forma l level of information security is related with the set of policies. niles, contro ls, standards, etc. aimed to define an interface between the technological subsystem (Technical level ) and the behavioural

(comp uter ethics)subsystem(Informalle vel ).

Accord ing to many definitions of an information

security, this is the levelwhere much of the effort orthe informat ion security is concentrated. An interesting

review of the security literature iden tifies a (rend in information system research movingaway fromanar row technical viewpoint towards a socio-orgamzarion a! perspective.

4.3Informallevel secur ity

In the domain of the info rmal level of info rmation security, theunit ofanalysis isindividualand the research

is concernedabout behaviou ralissues like values, attitude,

beliefs, and no rms that arc dom inant. and influenci ng an

indi vidua l employee regarding security practices in an

organization. The solutions suggested inthis domain arc more descriptive than prescriptive 111 nature and the

findi ngsat this level need to be effectively implem ented

throug h other level s (i.e. forma l and technical). An inter esting rev iew of research papers in the behav ioural

(5)

5.THEO RIESPERSPECTIVE

Ethics is an impo rtant face tofcomprehensive security of informa tion system's security. Research in ethics and informa tion sys tems has been also carried outside the information securitycommunity. Anyhow, researcher sees that the relationship ofhackers and information security

personnelhas notyetbeen properlyana lyzed.Withinthis short re vie w, a philosophica lpoint ofvicw shall be taken,

and problem s ofestablishing eth ical protec tion measures againstviolations of information securityshallbe studicd.

Furthe r analys is leads 10 quite opposite results of the main streamargumentsthat support the need of common ethical theories for info rmation security. This addition provides with a framework that is feasible within the current technology, supports natural social behaviour of

human beings and is itera tive enabling forming of larger commun ities from smaller units.

Recently. tile trend app ears to be that the ethics approved by the security co mmunity is having the law enforcemen t (Cruz & Frey. 2004). Several attempts arou ndthe wor ld arc made10 enforce properbehaviour in the infor mat ion society by theoretical methods. From

information security point of view, hac ke rs arc seen as crim inals. una ware of the results of their immoral

activi tiesmaking fun outof seriousproblems,

Hack e r community. all the other hand. sees infor mation security staff as militants that respecting the freedom of individual and informatio n (Fowler. 2004),

Furt he r depth into the conflict can be found by

int roducing ano ther dimens ion to the classification of ethic al theo ries into two cat egories: Phe nom en o log ist vs. Positivist and indivi dualist vs. collectivist ethics.

Pbenomenclogism vs. Positivism: Acco rd ing to the phe no me no logical school. what is good is given in the situation. derived from the logic and language of the situation or from dialo gue and de bate about "goodness".

Positivism encourages s to observe the rca l world and derive ethicalprinciples inductively.

Individualism vs. Collectivism: Accordi ng to the individualist ic school. the moral authority is located in the individua l whe reas collectivism says that a larger collectivity must care the moral authority. Major schools, based on these concepts, ca n be listed to be Collective Rule-Bascd Ethics. Individual Rule- Based Ethics. A

derailed analysis ofthese schools is provided by (Leiwe

& Heikkur i. 1998).

Also from distribu tedinformationsystemsperspective security of information systems requi res both technical

and non-technical measures. special effort must be paid on the assurance thatall methods support each othe rand do not set contra dic tory or infeasible requirements for each otherwhich contain two major theo retical elemen ts:

Ethics negotiation phase is where organizations or individualsrepresenting them selves negotiate the content

of ethical communication agreemen t over specific

communicanonchannels.

Ethics enforceme ntphase is where each organization enforces changes in the ethical code of conduct by spec ifying administrative and man agerial routines operational guide lines, mon itor ing procedures. and

s

ancuons

for unacc epta ble behaviour. Organizatio ns or university indiv iduals involved in negotiatio n should code desi red ethical norms in terms of acceptable behaviour within the inform ation processing.Agreeme nt should be searched and once rea ched . contract made and agreed norms enforced throughout the organization. In

the optimal case. ethics has the law enforcement and

juridica l actions against violat ions can be prosecuted in court.

6.CONCLUSiON

Educational centers within higher educational level

have unique opportunity 10 he lp and educate computer users in orde r to face with ethical dilem mas. Therefore.

this wouldbe the main challengeofthis study to focus011

computer ethics with the help of suggested frame work.

As a res ult. computer ethics is becoming a field in need of research based upon a necessityto provide information

foreducation which is related to security concepts, The legal struc ture appears to be limited in its ability to provide eth ical behav iour effe ctive ly. While notwish ing

10 be alarmis ts, research suggests the needs to be

concerted effort on thc part of the all the computer

profession al soc ieties to upda tetheirethica l codes andto

incorporate aprocess of continualsecurity.

REFERENCES

Bynum,

T. .

Computer ethics: Basic concepts and historical overview, Stanford .

Encyclopedia

o

f

PJ

IJJosophy. 2006_

Cruz.

J

.

•

and Frey. W., An effective strategy tor integrating ethics across the curric ulum in engineering.

An /IBE T 2000

Ch:lllcl1gc.

Science and

Ff/J:(iJ1c

cring

Ethics,

vol. 9.110 .3,pp. 543-568. 2004.

Dark. M" Epstein, R.•Mora les. l...Ccun rcnrun e. T.• Yuan, Q., Ali. M., Rose. M.• and Hurter. N.. A framework forinformation securityethics educat ion.

I'

roc.

Of th

e

/(P

Col

loqium for

t

nto muuion

S

y stems

Sccu

rit,..

Edacstioa. University of Mary land . University Colle ge Adelphi.MD Jun e 5-8, 2006.

Forclu. K. A" Pierson. J. K.. and Ba uman. B. M..

Deve lo ping awarenessofcomputerethics, ACM. 199 8, Foster,A.L, Insec ure and unaware. The Chronicle of HigherEducetion.(May 7,2004 ).p. 33.

Fow ler.

T. 8.

.

Techno logy 's changing ro le 111

intellectual property rights. IT Pm 4, vol.2. pp , 39-44.

2004.

Ham id. N.•Info rmatio n sec uri ty and computer ethics

-Too ls.theoriesandmodeling, NorthCarolina University.

IgbiScience

Pu

oticmion;

vol. I, pp. 543-568. 2007.

(6)

peda gogically focused modelof virtue in the pract ice of

compu ting,Under Re vie w.pp. 30-32, 2005.

Lan g ford, D., Pract ical compute r ethics, London McG raw Hill,pp. 118-127 , 2000 .

Leiwe , J., and Heikkur t, S" An analysis of ethics as foundatio n

of

infor mation security indistributed systems, P/Vc.Jl" AnlllwlHall',1/"ilntemstionntCoat ;011 System Sciences.pp. 213-222, 1998 .

Maslin M., and Zuraim. l. Computer securi ty and

compute rethics aware ness: Acomponen tof manageme nt information system, M<I!aysJ~1 Calif IEEE

Iech

notogv

mit! Soci.:(vMoeeeinc.200R.

Mason , R.0., Four ethical issues of the information age, M,1nilgementtntormationSystemsQ/I<1I-rer£v, vol 10, no.l, pp.5-12, 19X6.

xorth, M. M., George. R., and North, S. M.

Comp ute r sec urity and ethics aware ness in un iversity

cnvironrncrus : A challenge for management of

information sysh:t1lS. rI(/H, Florida, United States of

Am

erica

,

pp

, 4

3 4-439,

2006.

Saui. R.,Cybcrcrimc Gains Momentum . NewStraits Times.April3. 2006

Spin ello. R., Cybercthics: morality and law in cyberspace,Th ird eduion. Sudbury. vel.2,2003,