Internet Groupware Use in A Policy-Oriented Computer Security Course

Richard Baskerville and Detmar Straub Georgia State University, Atlanta, Georgia 30303 USA

Key words: Computer security education, CSCW

Abstract:

The use of security policy formulation as a central student task offers a pedagogical advance in the design of the introductory information security course. This advance, coupled with group support software via the Internet, is designed to improve student engagement and retention by enabling active learning in the classroom and structuring the outside-of-class student activities. A simple field study investigates the effectiveness of the principles and techniques.

1. INTRODUCTION

The purpose of this paper is to report advances in computer security instruction through the use of computer supported collaborative work (CSCW) technologies for the purpose of discovery learning. The technologies and pedagogical techniques are applicable in other kinds of instruction; however, this application is specifically oriented for the purposes of computer security education. The instructional unit described in this paper is a one-semester graduate course entitled “Security and Privacy of Information and Information Systems.” This course adopts a typical North American structure: 45 hours of “contact” instruction over a 15-week period. The course is an elective or required component in several graduate degree programs: MBA, Master of Accountancy, and Master of Science in Computer Information Systems. The course is considered particularly important in the Electronic Commerce concentration within the last degree. The course description is:

    This course is designed to develop knowledge and skills for security of information and information systems within organisations. It focuses on concepts and methods associated with planning, designing, implementing, managing, and auditing security at all levels and on all systems platforms, including world-wide networks. The course presents techniques for assessing risk associated with accidental and intentional breaches of security. It covers the associated issues of ethical uses of information and privacy considerations.

The course is offered in an urban setting within our College of Business. Typically the course meetings are scheduled in late afternoon to accommodate mid-career management professionals. The typical enrolment is 25-35 students. The average age of graduate students in this University is 31. The scope of this paper is limited to the organisation, role and effectiveness of newer pedagogical tools and techniques as applied in a business-oriented information security course. This scope does not permit treatment of the substance of such a course (viz. security policy) with any depth. However, where appropriate, references are provided that indicate the intellectual foundations of the course substance. The paper is organised in four sections. Following this introduction, section 2 describes the course orientation and primary objectives. Section 3 explains the pedagogical method followed in the course design. Section 4 describes the IT principles and technologies used to realise the pedagogical method. Section 5 describes a simple field study of the effects of applying these principles and technologies. Section 6 discusses the implications of this study.

2. COURSE OBJECTIVE: POLICY FORMULATION

The course has a number of philosophical and practical objectives. As a management school course, the course is guided by the principle that organisations can lower their risk of security breaches through explicit and effective information security policies. The rationale for this principle, that management policies lie at the heart of information security, is premised on well-known management needs for policies that establish both direction and management support (Hayam and Oz 1993). Policies serve as a benchmark for: determining the nature and scope of information security management efforts, implementing controls in applications, assigning user access capabilities, carrying out investigations of computer abuses, and disciplining employees for security violations. These policies are a key element of the preventative protection of information systems. Despite their importance, the single biggest problem with most security efforts is the lack of a well-defined corporate information security policy (DeMaio 1995), or even basic security policies (Roy and Park 1994). The basic principles of security policy that were taught in the course include:

1. Because information security policies have such an abiding impact on security initiatives, policies need to be set at a high enough level that they can guide behaviour for years to come (Hoffer and Straub 1989).
2. Certain key processes are effective in formulating and managing information security policy, such as the proper mix of human and technical factors (Wood 1995).
3. Certain key processes are effective in enabling managers to communicate information security policies, values and goals to employees (Hoffer and Straub 1989; Straub and Welke 1998).
4. Information security policies are most valuable when they are combined with a comprehensive risk assessment, a prerequisite not only for the compilation of an information security policy but also for the step-by-step refinement of a policy to define a protection plan (DeMaio 1995; Eloff et al. 1993; von Solms et al. 1994).
5. Evolving technologies dictate policy update requirements, and the distinction between military and industrial policies has been diminished (Lindup 1995).
6. There is a hierarchical relationship between "Policies," "Guidelines," and "Procedures," as described below (Straub 1995).

Overall information security policy expresses policy at the highest level of abstraction. It is a statement about the importance of the information resource and management and employee responsibility to safeguard the resource. This statement is so critical to subsequent security efforts that it is desirable to have this policy approved by and signed by the Chairperson of the Board of Directors or the CEO. Targeted information security policies are responses, in a fairly pointed way, to risks identified during risk assessments. Targeted policies also typically reflect firm objectives, beliefs, values, and stakeholder responsibilities. These are intended to represent how the organisation must function with respect to security. Targeted policies should be approved by a steering committee of managers which includes IT specialists in security, design and development, and strategic planning. An important element to policies is the statement of sanction for non-compliance. Targeted policies are implemented downstream by either guidelines, procedures, or a combination of both. Guidelines are usually thought of as optional or voluntary on the part of employees, while procedures specify particular security actions, controls and technological solutions.

The first and primary skill set students develop in this course is to “design organisational policies for information security and privacy.” The course is organised into five modules with associated policy labs (see Table 1). These modules are from two to four weeks in length. The topics of the first module include ethics, privacy and the basic principles of policy design and formulation. In this module, the students learn the fundamentals of security policy writing. The remaining four modules cover the traditional computer security topics: risks, controls, security design, and risk analysis. This organisation means that the students can approach these final four modules in an “active” mode. In each of these modules, the student becomes actively engaged in formulating organisational security policies regarding risks, controls, system development, and risk analysis.

Table 1. Course and policy lab organisation

Course Modules:
1. Policy Design
2. Threat Scenarios
3. Specifying Information and Network Safeguards
4. Planning and Organising Information Security
5. Planning Risk Analysis

Lab Activity (The Extended Concordia Casting Case):
Lab 1: Security Classification Policy (e.g., Data, Object, and Multimedia)
Lab 2: Virus Policy
Lab 3: Personnel Policy
Lab 4: Password Policy (e.g., Application and Software Security)
Lab 5: Data Communications Policy (e.g., Network and Internet Policies)
Lab 6: Disaster Recovery & Backup Policy
Lab 7: Safeguards Design & Maintenance Policy (e.g., System Development, Maintenance and Operations)
Lab 8: “Due care” Policy (e.g., Physical Security)

Student activity in each of the course modules is presented as a “laboratory experiment” in policy formulation. These “labs” usually involve more than one session. In the first module, the lab work centres on a security case setting. We adapted the Harvard Business School Case: “Concordia Casting” (McFarlan 1993). This case was not originally intended or oriented toward computer security. However, it provides a detailed context and a problem setting that permits students to operate in a shared problem-solving mode. The students have to adapt general security principles, common risks, safeguards and security organisation to the rather turbulent IT setting provided by this particular case. To support this goal, Harvard’s Concordia Casting Case has been extended for the course purposes with additional fictional material that completes the setting as a context for security policies (Straub 1996).

In the first module, students study principles of policy formulation, including the hierarchical nature of security policy. As described above, the basic hierarchy used in this course assumes three levels of policy. The first level is a general, overall corporate security policy, rather more of a statement of commitment and philosophy, that is endorsed at the highest levels of the organisation. Based on this policy, the organisation adopts, at level 2, a number of “targeted” security policies that bring the organisation’s commitment and philosophy into focus on particular security areas. These targeted policies are implemented with lower-level procedures in the third level (see Figure 1). This paper will generally address the student learning associated with overall and targeted policies. Although the students did several class exercises in developing more specific procedures to implement the policies, we will focus on the work with these higher-level policies. The overall policies for the Concordia Casting Case were provided to the students as part of the extended case description. These top-level policies provided the initial examples of the policies that would have to be developed for the case.
These policies are adapted from the overall policy in a real setting, The Victoria Department of Premier and Cabinet. This Department of the Australian Commonwealth of Victoria provides an excellent example of this policy hierarchy. The example was also chosen because the entire policy is publicly available on the Internet (Department of Premier and Cabinet Victoria 1995). As adapted, the overall policy presented to the students is below.

Figure 1. Security Policy Hierarchy

Overall Policy
    Targeted Policy 1
        Procedure 1.1
        Procedure 1.2
        Procedure 1.3
    Targeted Policy 2
        Procedure 2.1
        Procedure 2.2
        Procedure 2.3

COURSE CASE: EXAMPLE OF CORPORATE STATEMENT ON INFORMATION SECURITY

1. Policy: Concordia Casting will implement and maintain adequate information security management policies to protect their information assets, shareholders, employees, and trading partners.
2. Rationale: The Concordia Casting information security plan must deal with critical risks and potential threats to its information asset in a manner commensurate with due care for business continuity and achieving organizational goals, priorities, principles and goals. Security plans will be applied equally across the organization, and will strike a balance between ease of use, relative cost, feasibility and availability of resources.

In each of the remaining four modules, one or more policy labs centre student activity on analysing the detailed principles of computer security, and adapting these principles to a particular organisational setting by conceiving targeted security policies. As is often the case in practice, this setting is not a straightforward application, but one characterised by rapid change, technological predicaments and limited resources. In this way, the students develop their ability to:

1. Design organisational policies for information security and privacy
2. Create threat scenarios of potential vulnerabilities for particular settings
3. Specify safeguards for computer-based information assets
4. Plan and organise the information security and privacy function within an organisation
5. Determine a planning process for analysing information risks and choosing optimal organisational responses

These five objectives are the stated goals of the course, and align with the five course modules presented in Table 1. There are eight labs that formulate policies for these five modules. One group of three students writes certain targeted policies for each of these eight labs. Other students then critique these policies. The authors then revise their policies taking this critique into account. This process continues until the entire student body reaches a substantial agreement on adopting the policies for Concordia Casting. This process means that the students must follow an eight-heading topical outline for their policy formulation that is provided in the course structure. This structure is illustrated in Figure 2.

Figure 2. Concordia Casting Policy Framework: Corporate Statement on Information Security; Classification Policy; Virus Policy; Personnel Policy; Password Policy; Data Communications Policy; Safeguards Design & Maintenance Policy; Due Care Policy

This policy framework provides the context for the course objectives. Students learn about various kinds of risks and safeguards in the course of formulating policies. This design means that students who master the material will leave the course with practised policy-formulation skills and situated knowledge about computer security. In the following two sections, we will explore the pedagogical advantages of this approach and the supporting technology in greater depth.

3. PEDAGOGICAL OBJECTIVE: DISCOVERY LEARNING

The student groupwork that underlies the policy labs is designed to fulfil a pedagogical theme in the course design. This pedagogical theme is “discovery” or “active” learning in a collaborative team. This form of discovery learning substantially improves the retention of knowledge by raising the degree of intellectual development required to complete the course requirements (Johnson and Johnson 1986). One of the highest degrees of intellectual development is known as “commitment in relativism” (Perry 1970) or “constructed knowledge” (Davis 1993). This degree of learning occurs when students form their own positions on course issues, and support these positions using not only the course “received knowledge,” but also their own beliefs, analyses, experience and values.

Two of the four main types of instructional delivery in this course involve discovery learning. These four types include (1) a traditional reading list that includes journal articles and book chapters, (2) traditional expository and Socratic lectures, (3) active classrooms, and (4) groupwork. In general, the lectures are short (twenty minutes or less), and interspersed with student activity (active classrooms). Moreover, the student activity interleaves teacher-to-student learning and student-to-student learning. In active learning situations, students verify and extend their comprehension by applying what they are learning. These activities are sometimes motivational, in that they occur before a lecture and form an opportunity for the students to discover what they want to know about a topic. Otherwise, these activities occur during or after a lecture and help the students situate what they have learned, i.e., discover how to use what they know about a topic. These activities are usually structured in a sequence with a few minutes of quiet reflection followed by a goal-directed small group interaction. This sequence promotes learning by introverted as well as extroverted learners. These two styles are rather difficult to accommodate in a single course element. Extroverted students learn by expressing and explaining concepts interactively. Introverted students learn by developing internal frameworks that integrate the concepts. Poorly organised active classrooms may favour extroverts.
While the majority of university students (especially in a business school) are extroverts, excluding the introvert may limit learning by most high-performance scholars [1] (American Psychological Association 1992; Brightman 1998; Davis 1993; Myers and McCaulley 1985).

Students are organised into three-person teams for the groupwork. Eight of these teams are responsible for drafting sections of the Concordia case targeted policies. All of the teams are required to review and comment on the policies as a group. Appendix A provides an example of the outcome of this groupwork. This example shows the data classification policy formulated for the Concordia case. This policy has been revised following comments from other students and student teams. Students learn during this groupwork in the same student-to-student mode as the active classroom technique. However, the IT support (discussed in the following section) encourages this student activity to occur outside of the classroom.

[1] More than half of typical university undergraduates have been characterised as “extroverts” according to the Myers-Briggs Type Indicator. Most faculty and honour-society students, on the other hand, have been characterised as “introverts” according to data from the Centre for Applied Psychological Type (CAPT) (cf. Brightman 1998).

4. PEDAGOGICAL TOOL: GROUPWARE

The course pedagogical strategy is supported by IT in several ways. As a framework for understanding the role of these technologies, we will use the “time/place” framework (DeSanctis and Gallupe 1987). This framework categorises human interaction by the coincidence or non-coincidence in time and place. There are four simple categories or modes (see Table 2):

1. Same-time/same-place interactions are face-to-face meetings.
2. Same-time/different-place interactions are real-time interactions using technology to communicate, such as telephone conference calls, Internet chat rooms or video conferencing.
3. Different-time/same-place interaction is embodied in shift work, where crafted products are physically passed from one person to another.
4. Different-time/different-place interactions involve electronic messages or electronically crafted products left in some form of electronic repository for further work by others.

Table 2. Usage Modes of Course Group Work Technologies

                    Same Time          Different Time
Same Place          TCB Works          -
Different Place     WebCT chatroom     TCB Works, course web facility

First, as is becoming increasingly common in university courses, a large part of the course reading material is available from the Internet. For example, several of the most current practitioner surveys are available via commercial web pages (e.g. CSI 1998; Equifax 1997; Ernst & Young 1997) along with corporate white papers, current state laws and draft legislation. Other articles are linked through on-line library services and password-protected course web pages. This web site provides an information “broadcast” source that also includes course practical information, presentation graphics used in lectures, current news, sample student work and assignments. This facility provided a repository of different-time/different-place material supplied for the students by the instructor and by other students.

Second, a battery of five text-based chat rooms is available for Internet student group meetings. This technology is part of a commercial package, WebCT. This tool is intended to support instructional environments using World Wide Web-based Internet delivery. WebCT was developed in the Department of Computer Science at the University of British Columbia by a team headed by Murray W. Goldberg [2]. This tool provided the main facility for same-time/different-place group support. Since the setting in this case was a city-centre university in a sprawling urban and suburban community, there were expectations that this tool would be heavily subscribed by students seeking to complete outside-of-classroom group assignments without the travel inconvenience. However, the outcome did not fulfil this expectation. After an introductory in-class session and a single required out-of-class session, student use of this facility diminished rapidly. There were some complaints about unreliable Internet access providers that made participation by all group members risky, but mostly it appeared that students found it more convenient to meet on campus in conjunction with various other activities and class meetings. In addition, it is possible that some groups delegated responsibility for commenting on certain policies to one individual in the group. This division of workload is a common response among business school students to outside teamwork when meetings are inconvenient. While this delegation effectively defeats the collaborative learning benefits that enhance extrovert learning, at least some of the discovery learning benefits were preserved among the introvert-style learners.

The central groupware technology employed was TCBWorks Version 1.1. This version is a web-based groupware system developed in 1996 at the Terry College of Business at The University of Georgia. TCBWorks was developed by Alan Dennis, Sridar Pootheri, and Vijaya Natarajan. The TCBWorks software was acquired by SoftBicycle Company of Washington DC and is being redeveloped into a commercial product [3]. This groupware was used in two modes. The first mode of usage was in support of same-time/same-place group activities. The class met as a group in a room that provided each student with an Internet-enabled workstation. All students logged onto the TCBWorks groupware and reviewed the section of Concordia Information Security Policy under discussion. Every student could read the policies and comments, and could enter comments into the group system. Typically, this policy was introduced by the authors and then, guided by the instructor, discussed by the class as a whole. When time permitted, the class was permitted to reflect on the proposed policy and comment as individuals by entering their comments into TCBWorks. These comments appeared as an appendix to the policy and were anonymous in order to promote creativity and participation. These comments were then discussed by the class, with particular opportunity for a response by the authors. The major effect of this group activity was discovery learning by introverted learners. Where time permitted, TCBWorks was also used to obtain a preliminary vote from the students. This anonymous voting facility not only measured the degree of class consensus on the value of the current proposal, but also congealed the students’ internal commitment of knowledge in the form of an expression of their own appraisal of the policy under consideration.

TCBWorks was also used in a different-time/different-place mode. Prior to the preliminary discussion, the student team responsible for proposing a policy was required to meet, agree on the formulated policy, and post the proposal on TCBWorks. After the preliminary in-class discussion, all student teams were required to discuss their team response to the policy. The teams were given several days during which they were required to meet and formulate their comments on the policies. Each team was then able to post their team comments on the policies. Where individual comments had been entered during class, the team comments were appended to the individual comments. The team comments, like the individual comments, were anonymous to promote creativity and participation.

[2] For more information on WebCT, see http://homebrew.cs.ubc.ca/webct/ or email [email protected] or [email protected]
[3] The non-commercial version may remain available free to educational institutions. At the time of writing, a “test drive” is available via the Internet at http://tcbworks.cba.uga.edu. Contact Alan Dennis at [email protected] for further information.
Once the comment deadline had expired, the team responsible for authoring the policy would meet to discuss the comments and revise the policies. These revisions were also posted using TCBWorks. TCBWorks would then be used once again in a same-time/same-place group mode during the next class meeting to announce the revisions and invite further discussion (live discussions were hardly anonymous) and to revise the voting. Where voting indicated a comparatively low commitment to the policy, the items were further discussed. (Most policies achieved an 80% commitment or better.) This voting mechanism was important for exposing disagreement and heterogeneity in the group as a whole. Because this heterogeneity improves learning within the group (Brightman 1998), and because confronting students with different interpretations of a given situation has been shown to improve student problem-solving strategies (Gokhale 1995), extra discussion time was devoted to policies with lower commitment. In some cases, further anonymous comments were invited before concluding the policy.

Appendix B provides a transcript of the full TCBWorks policy discussion comments and voting for the Classification Policy, and Table 3 illustrates the final vote on the policy (effectively the percentage of the class in favour of adopting the policy, given as a fraction). From the table it is clear that a high degree of consensus characterised each of the policy discussions except the Information Sensitivity Classification. A disproportionate amount of time was therefore dedicated to discussing this policy. Aside from the concerns expressed in the groupware, this particular class discussion brought out the disagreement engendered in the group because of the Concordia Casting problem setting. Concordia Casting was experiencing problems with an overextended and understaffed development group. The discussion focused on the degree to which such a firm should commit its limited resources to creating a more-or-less complex data classification scheme. This was a rich learning environment as students came to grips with alternative analyses and the differing cultural and value biases represented within the class.

Table 3. Student Commitment to Classification Policies

Policy                                      Commitment
General Policy on Classification            0.90
Information Sensitivity Classification      0.68
Data Access Authorization Classification    0.89
Equipment Classification                    0.79
Policy Average                              0.81

5. FIELD EVALUATION

The primary purpose of this design regarded the delivery of effective instruction. A simple field study was conducted to seek indications of the effects of this pedagogy during the instructional unit. Since only one session of this course is offered annually, it was impractical to summon a control group, and a field experiment was not in order. In other words, an examination of project performance of a control group (a group without the groupware or policy orientation) could not be contrasted with project performance of an experimental group (a group with the groupware or policy orientation). A simple, although indirect, alternative is to use student opinion as the basis for evaluation. Such student surveys of instructional effectiveness have been shown to correlate highly with student performance (Frey 1973).

In this field study, a simple survey of the effect of the techniques described in this paper was circulated to students in the course. The survey consisted of twenty-one items using a five-point Likert scale along an agree-disagree format. The twenty-one items were organised to solicit student opinions of the effectiveness of the course pedagogy along two dimensions. The first dimension was the four aspects of this design: (1) usage of security policy as the focus of student tasks, (2) usage of groupware during class, (3) usage of groupware outside of class, and (4) usage of Internet chat for group meetings. The second dimension was the effect of each aspect. Students were asked to evaluate whether each of these aspects (1) helped them to learn, (2) made it easier to learn, (3) kept them interested, (4) was enjoyable and (5) ought to be further increased in usage by the course. One additional item queried whether the Internet chat made it easier for groups to meet. The complete questionnaire may be found in Appendix C. Table 4 details the mode of student responses to each of these items arranged along the two dimensions [4].

Table 4. Modal responses of student evaluation of the instructional effectiveness of the use of policy and groupware (n = 23)

                              Increased   Eased      Increased   Increased   Desire for
                              Learning    Learning   Interest    Enjoyment   Further Usage
Organisational Policy            3           3          4           4            1
Groupware in class               4           4          4           4            3
Groupware outside of class       3           3          3           4            3
Internet chat rooms              2           1          2           3            3
Convenience of chat room         5 (single item: made it easier for groups to meet)

Organisational Policy. The data suggest that in this setting, focusing the course activity on organisational policy is neither more nor less effective than other facets of information security. However, it does increase student interest and makes the course more enjoyable. This is likely a natural outcome of the increased student engagement in formulating the policy. There were eight policy formulation labs, and the data indicate that this quantity of labs should not be increased further for this pedagogical aid. The low desire for further usage coupled with the interest and enjoyment indicators suggest that eight labs is probably the maximum number that will be effective for an instructional unit of this size.

Groupware. The use of groupware during the class meetings appears to have been reasonably effective in improving both student engagement and learning performance. Its usage in about eight labs is probably optimal. However, usage outside of class does not appear to have generally improved or diminished the learning experience, nor affected student interest. There is a suggestion that groupware outside of class is fun, but the degree of its usage for an instructional unit of this size may have been optimal in this course.

Internet Chat. The use of Internet chatrooms for group work was less effective. They neither improved the learning experience nor piqued the interest of the students. While there may have been a very minor improvement in the student enjoyment of the class, there was limited interest in further use of the facility. What is very impressive is the solid potential of the Internet as a vehicle for supporting outside-of-class group work. The group work chatrooms were extremely convenient, but unappealing. Chatroom use was further explored with an on-line class in same-time/different-place mode. This particular class dealt with security software and was only indirectly related to software policy. Students held the chat window on-screen while “touring” various public-domain and commercial security software vendor World Wide Web sites, along with hacker sites. The instructor used the chat facility to lead an on-line discussion and guide discovery learning by the students. A separate survey measured the effectiveness of the chat tool using a structure similar to the survey in Appendix C. The mode of the responses was 5 for every item, indicating that the chatroom can be an effective and appealing discovery learning tool when professionally facilitated.

[4] The small number of observations, limited control, indirect measurement, lack of a control group and ordinal data place severe constraints on the meaningfulness of most statistical operations in this simple field study. The mean is invalid in this setting. As a consequence, the analysis is limited to descriptive statistics.

6. DISCUSSION

The field study is not a definitive scientific experiment, and the conclusions that can be drawn from the results are limited. The data from the field study suggest that the principles and technologies can be effective in improving student learning in an information systems security course. The evidence suggests that the use of groupware during class meetings led to improved student learning performance and raised student interest in the topic. On its own, the use of organizational security policy as the central task in the course had a neutral effect on learning.

There are several additional dimensions to this suggestion. First, security policy is a substantive topic in a security course in addition to its usage in this instance as a pedagogical aid. There is a need for students to understand this material regardless of whether it is facilitated via groupware. The neutral response suggests that student understanding of policy as a result of the pedagogy is unchanged: their grasp of policy is neither improved nor diminished. Second, security policy was a candidate for use as the central task in the groupware application. By using these policies in this dimension we enabled the improved IT security learning and engagement of the students by introducing a task that demanded the use of groupware. This neutral effect suggests that while organizational policy might be the central task in a management school course, a more technical task could be substituted in a computer science or engineering school course without diminishing student comprehension of organizational policy. In other words, the groupware-induced learning goes beyond the substance of the immediate task in the groupware exercise.

The use of groupware and Internet chat in this course for same-time, different-place work yielded several surprises. At present, the chief limitation for Internet group usage is slow Internet connections and the relatively low power of the workstations on the student end. A factor in this field study (and a factor in many university facilities) was the limited outside-of-class access to oversubscribed student computer labs. Thus, the groupware mode is a weak-link phenomenon. From discussions with the students, it seems the groups (and the class) cannot exceed the technical limits of the lowest-powered student computer and Internet link. If the lowest technical limits are exceeded, the group will effectively begin to exclude its most poorly equipped member. Since the student body is not skewed toward wealthier students, the low bandwidth of low-cost Internet connections prevents the use of graphics, audio and video interaction in the chatrooms. The unreliability of home dial-up Internet connections also likely affected the results negatively. But the convenience of home connectivity indicates that the potential is huge as student home and campus access improves.

One practical near-term solution to Internet link limitations would involve scheduled “lab periods” in addition to normal class (lecture) meetings. In many university settings, scheduled lab periods permit reserved computer rooms and enforce a single meeting time for all students in the course. During this period, student groups could meet using Internet links, groupware and chat rooms. Those students with adequate home connectivity could link up from home; others could use the reserved university computer room. This solution would add a third structure: same time, different place, same bandwidth for Internet access.

7. CONCLUSION

Security instruction is a good candidate for improvement through new technological aids. Good security practices are not only critical for the success of the Internet; they are also central issues in a contemporary pedagogy. This paper has shown how these tools are evolving as classroom aids. More importantly, the paper has demonstrated the central role that student formulation of security policy can play in a modern course on this topic. The approaches taken during the course to making policy development the course focus met with some successes and some failures. Since security is such a critical part of most managers' thinking about the information resource (Lewis et al. 1995), further development of the pedagogical approach is important for the IS discipline.

REFERENCES

American Psychological Association. (1992) Learner-Centered Psychological Principles: Guidelines for School Redesign and Reform, American Psychological Association, Washington, D.C.
Brightman, H. J. (1998) “On Learning Styles”, The Master Teacher Program, September 1998, http://www.gsu.edu/~dschjb/masterteacher.html, Georgia State University, Atlanta (16 November 1998).
CSI. (1998) “Issues and Trends: 1998 CSI/FBI Computer Crime and Security Survey”, 4 March 1998, http://www.gocsi.com/prelea11.htm, Computer Security Institute, San Francisco, Calif. (15 September 1998).
Davis, B. (1993) Tools for Teaching, Jossey-Bass, San Francisco.
DeMaio, H. B. (1995) “Protecting and Controlling Information in Complex System Environments.” in Handbook of IS Management, 1994-95 Yearbook (R. Lumbaugh, ed.), Auerbach, New York, S281-S294.
Department of Premier and Cabinet - Victoria. (1995) “Information Security Policy”, Operations IT&T-14, October 1995, http://www.dpc.vic.gov.au/ocmpol/216e.htm, Department of Premier and Cabinet - Victoria, Melbourne (1 September 1998).
DeSanctis, G., and Gallupe, B. (1987) “A foundation for the study of group decision support systems.” Management Science, 33 (5).
Eloff, J. H. P., Labuschagne, L., and Badenhorst, K. P. A. (1993) “A Comparative Framework for Risk Analysis Methods.” Computers & Security, 12 (6), 597-603.
Equifax. (1997) “Executive Summary”, 1996 Equifax/Harris Consumer Privacy Survey, 22 June 1998, http://www.equifax.com/consumer/parchive/svry96/docs/summary.html, Equifax, Inc. (25 August 1998).
Ernst & Young. (1997) “5th Annual Information Security Survey”, Download Library -- Assurance and Advisory, December 1997, http://www.ey.com/publicate/aabs/isaaspdf/FF0148.pdf, Ernst & Young LLP, Information Systems Assurance & Advisory Services (15 September 1998).
Frey, A. (1973) “Student ratings of teaching: Validity of several rating factors.” Science, 182, 83-85.
Gokhale, A. A. (1995) “Collaborative Learning Enhances Critical Thinking.” Journal of Technology Education, 7 (1).
Hayam, A., and Oz, E. (1993) “Integrating data security into the systems development life cycle.” Journal of Systems Management, 44 (8), 16-20.
Hoffer, J., and Straub, D. (1989) “The 9 to 5 underground: Are you policing computer crimes?” Sloan Management Review, 30 (4), 35-43.
Johnson, R. T., and Johnson, D. W. (1986) “Action research: Cooperative learning in the science classroom.” Science and Children, 24, 31-32.
Lewis, B. R., Snyder, C. A., and Rainer, R. K., Jr. (1995) “An Empirical Assessment of the Information Resource Management Construct.” Journal of Management Information Systems, 12 (1, Summer), 199-223.
Lindup, K. R. (1995) “A new model for information security policies.” Computers & Security, 14 (8), 691-695.
McFarlan, F. W. (1993) “Concordia Casting Company.” Case 9-192-151, Harvard Business School, Cambridge, MA.
Myers, I. B., and McCaulley, M. (1985) A Guide to the Development and Use of the Myers-Briggs Type Indicator, Consulting Psychologist Press.
Perry, W. G. (1970) Forms of Intellectual and Ethical Development in the College Years, Holt, Rinehart & Winston, New York.
Roy, A., and Park, S. (1994) “EDP Control and Security: Common Issues and Problems.” Internal Auditing, 9 (3), 81-84.
Straub, D. (1995) “Information Security Policies and Procedures.” CIS Department Manuscript, Georgia State University, Atlanta, Georgia.
Straub, D. (1996) “Concordia Casting Reprise.” CIS 8680 Course Paper, Georgia State University, Atlanta, GA.
Straub, D. W., and Welke, R. J. (1998) “Coping with systems risk: Security planning models for management decision-making.” MIS Quarterly, 22 (4), 441-469.
von Solms, R., van de Haar, H., von Solms, S. H., and Caelli, W. J. (1994) “A framework for information security evaluation.” Information & Management, 26 (3), 143-153.
Wood, C. C. (1995) “Writing InfoSec policies.” Computers & Security, 14 (8), 667-674.

APPENDIX A: STUDENT-GROUP CLASSIFICATION POLICY

GENERAL POLICY ON CLASSIFICATION
1. Policy: All of the following policies should be applied company-wide.
2. Objective: To ensure standardized policies are in effect for all areas of the company.
3. Statement: Having a uniform policy has the benefit of ensuring that information and information systems are handled consistently throughout the company.

INFORMATION SENSITIVITY CLASSIFICATION
1. Policy: All data, no matter in what form of design, storage and dissemination, must be classified into three standard data sensitivity categories:
1.1. Secret: Any information that is for use within the Company, and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. This information is available only to approved individuals.
1.2. Confidential: Any information that is for use within the Company, and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. However, this information is available to entire departments. (Note: It is here that departments can specify further levels of classification in their individual policies.)
1.3. Public: Information available for public consumption without any harm to the company or its business partners.
2. Objective: To adequately manage, protect and distribute all information having varying degrees of sensitivity and criticality within an organization, and to ensure that sensitive data is not released to unauthorized people.
3. Statement: Users who are authorized to access information with a given sensitivity level should have a corresponding level of security clearance or authority. Also, there should be a security administrator to administer this system, i.e., administering and registering user authorizations. And there should be a manual that describes how to use this system. Violation of this regulation is subject to discipline.

DATA ACCESS AUTHORIZATION CLASSIFICATION
1. Policy: Authorization is affiliated with the sensitivity level of the data and systems being accessed. As the data sensitivity rises, so does the need for strict access authorization. Following are three different levels of authorization that should be maintained throughout the Company:
1.1. High Authorization: Required for highly sensitive or secret data. Authentication should be checked frequently and on an individual basis to guard against unauthorized access. (Example: access to files or machines is checked at each access.)
1.2. Medium Authorization: Required for highly sensitive or confidential data. Authentication should be checked occasionally and (at least) on a group basis to guard against unauthorized access. (Example: access to the company building may be checked once a day.)
1.3. Low Authorization: Required for unclassified confidential data.
2. Objective: To ensure that data and systems are properly protected according to their sensitivity level.
3. Statement: Proper disposal of passwords and IDs should be followed. The Company's clients should be aware of when, how and under what circumstances they should access data.

EQUIPMENT CLASSIFICATION
1. Policy: All Company equipment acquired or in use by the company must be classified into one of the following categories:
1.1. Mission Critical: Loss of this equipment would immediately halt company operations. (Example: loss of all web servers at Amazon.com.)
1.2. Highly Essential: Loss of this equipment would immediately hinder company business, but would not halt operations. (Example: loss of a communication channel into the amazon.com web farm.)
1.3. Essential: Loss of this equipment would cause a hindrance to company business only if the loss was sustained for a prolonged period of time. (Example: loss of the internal e-mail system between employees at amazon.com.)
2. Objective: To ensure that all company equipment is classified according to its business value.
3. Statement: Classifying equipment based on its business value ensures that the proper amount of security will be used to protect the asset.
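The sensitivity categories and authorization levels above only have effect once some system enforces them. The following is an added illustration (not from the paper, nor from the student group that wrote the policy) that turns the Appendix A rules into a single access-control decision: Secret data is released only to named individuals with authentication checked at every access, Confidential data to members of the owning department with authentication re-checked "occasionally", and Public data to anyone. The document and user names, the 24-hour re-check interval for Medium authorization, and the fail-closed treatment of data that was never classified are assumptions, not part of the student policy.

```python
"""Access-control decision derived from the Appendix A classification policy.

Constructed example: maps the three sensitivity categories (Secret,
Confidential, Public) and the three authorization levels (High, Medium,
Low) onto one decision function.  Interval values and names are assumed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Sensitivity(Enum):
    SECRET = "secret"              # 1.1: approved individuals only
    CONFIDENTIAL = "confidential"  # 1.2: available to entire departments
    PUBLIC = "public"              # 1.3: available for public consumption


@dataclass(frozen=True)
class Document:
    name: str
    sensitivity: Optional[Sensitivity]            # None = never classified
    approved_users: FrozenSet[str] = frozenset()  # consulted for Secret
    owning_department: Optional[str] = None       # consulted for Confidential


@dataclass(frozen=True)
class Principal:
    user_id: str
    department: str
    auth_age_seconds: int  # seconds since the user last proved their identity


# Re-authentication interval per authorization level (assumed values):
# High   -> checked at each access (0 s)
# Medium -> checked "occasionally", taken here as once per day (86400 s)
# Low    -> not re-checked (None)
REAUTH_INTERVAL = {
    Sensitivity.SECRET: 0,
    Sensitivity.CONFIDENTIAL: 24 * 3600,
    Sensitivity.PUBLIC: None,
}


def authorization_level(s: Sensitivity) -> str:
    """Data Access Authorization Classification: sensitivity -> level."""
    return {Sensitivity.SECRET: "High",
            Sensitivity.CONFIDENTIAL: "Medium",
            Sensitivity.PUBLIC: "Low"}[s]


def decide(doc: Document, who: Principal) -> Tuple[bool, str]:
    """Return (allowed, reason).  Unclassified data fails closed."""
    if doc.sensitivity is None:
        return False, "unclassified data: denied until classified"
    if doc.sensitivity is Sensitivity.PUBLIC:
        return True, "public data"

    # Entitlement: who may see this category at all.
    if doc.sensitivity is Sensitivity.SECRET:
        if who.user_id not in doc.approved_users:
            return False, "not an approved individual for Secret data"
    elif who.department != doc.owning_department:
        return False, "not a member of the owning department"

    # Authentication freshness: how recently identity must have been checked.
    limit = REAUTH_INTERVAL[doc.sensitivity]
    level = authorization_level(doc.sensitivity)
    if limit is not None and who.auth_age_seconds > limit:
        return False, f"re-authentication required ({level} authorization)"
    return True, f"{level} authorization satisfied"


if __name__ == "__main__":
    # Constructed sample data.
    plan = Document("merger-plan", Sensitivity.SECRET, frozenset({"alice"}))
    payroll = Document("payroll", Sensitivity.CONFIDENTIAL, owning_department="finance")
    for who in (Principal("alice", "finance", 0),
                Principal("alice", "finance", 600),
                Principal("bob", "finance", 600),
                Principal("carol", "sales", 0)):
        print(who.user_id, plan.name, decide(plan, who))
        print(who.user_id, payroll.name, decide(payroll, who))
```

The two checks are deliberately separate: entitlement answers "may this person ever see this category", and the freshness check answers "has identity been verified recently enough for this level". Keeping them apart makes the Appendix B question about what "occasionally" means a single constant to agree on rather than a behaviour scattered through the code.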

22

Richard Baskerville and Detmar Straub

APPENDIX B: TCBWORKS POLICY DISCUSSION FOR THE CONCORDIA CLASSIFICATION POLICY

GENERAL POLICY ON CLASSIFICATION
1. Policy: All of the following policies should be applied company-wide.
2. Objective: To ensure standardized policies are in effect for all areas of the company.
3. Statement: Having a uniform policy has the benefit of ensuring that information and information systems are handled consistently throughout the company.
4. As a general classification this works, but these classifications fail to allow for cross-classification by functional area. Each area of the organization may need its own group classification, which in turn would limit access at the same level to users within its own group.

INFORMATION SENSITIVITY CLASSIFICATION
1. Policy: All data, no matter in what form of design, storage and dissemination, must be classified into three standard data sensitivity categories:
1.1. Secret: Any information that is for use within the Company, and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. This information is available only to approved individuals.
1.2. Confidential: Any information that is for use within the Company, and whose unauthorized leak or release could expose the Company and its investors, creditors, business partners and customers to the risk of losing reputation, financial interest or competitive advantage. However, this information is available to entire departments. (Note: It is here that departments can specify further levels of classification in their individual policies.)
1.3. Public: Information available for public consumption without any harm to the company or its business partners.
2. Objective: To adequately manage, protect and distribute all information having varying degrees of sensitivity and criticality within an organization, and to ensure that sensitive data is not released to unauthorized people.
3. Statement: Users who are authorized to access information with a given sensitivity level should have a corresponding level of security clearance or authority. Also, there should be a security administrator to administer this system, i.e., administering and registering user authorizations. And there should be a manual that describes how to use this system. Violation of this regulation is subject to discipline.
4. Since all data must be classified, there must be a classification for data that is approved for public release. This would probably be "Unclassified", which means that it is not possible to "leak" the information, and it does not damage the Company. Or a new category called "Public" could be added. I agree. There are classifications of information that imply damage to the company, but information is a resource and (hopefully) usually brings value to the company. Add a classification for such.
5. I'm getting lost somewhere... What are the distinctions between Secret, Confidential, Private, and Unclassified?
6. The policy is thoroughly defined and the objective is well defined. It is up to the employees whether the policy can be carried out.
7. Eliminate category PRIVATE. Keep the rest and put all PRIVATE material into the CONFIDENTIAL category.
8. Data will be classified as: SECRET: Access only authorized on an individual basis. CONFIDENTIAL: Access only authorized on a departmental or job title basis. INTERNAL: Any employee can access. PROPRIETARY: Can be released to employees, and to business partners or customers who have signed a non-disclosure agreement. PUBLIC: Can be released to the public.
9. Change "Secret" to "Protected"; make it read "...Company and/OR its investors..."; remove all other categories except "Public", for a total of 2 categories.
10. I feel that the problem here may be that it is hard to tell the difference among secret, confidential and private. So are we going to keep all the 3 definitions there, or modify them so that they become one group? That way, we can have one of the terms of either secret, confidential or private to parallel with "unclassified".
11. I disagree with #9: the distinction between classifications should cover more than levels of distribution of information but also consequences of distributing that information...just as the existing policy does.
12. It is good enough. I saw a similar Information Sensitivity Classification in one textbook.

DATA ACCESS AUTHORIZATION CLASSIFICATION
1. Policy: Authorization is affiliated with the sensitivity level of the data and systems being accessed. As the data sensitivity rises, so does the need for strict access authorization. Following are three different levels of authorization that should be maintained throughout the Company:
1.1. High Authorization: Required for highly sensitive or secret data. Authentication should be checked frequently and on an individual basis to guard against unauthorized access. (Example: access to files or machines is checked at each access.)
1.2. Medium Authorization: Required for highly sensitive or confidential data. Authentication should be checked occasionally and (at least) on a group basis to guard against unauthorized access. (Example: access to the company building may be checked once a day.)
1.3. Low Authorization: Required for unclassified confidential data.
2. Objective: To ensure that data and systems are properly protected according to their sensitivity level.
3. Statement: Proper disposal of passwords and IDs should be followed. The Company's clients should be aware of when, how and under what circumstances they should access data.
4. Perhaps a more explicit definition of "Occasionally", etc. regarding when to change a password. How can the policy be applied consistently to each division, if Div. #1 defines occasionally as once a week and Div. #2 defines it as once a year?

EQUIPMENT CLASSIFICATION
1. Policy: All Company equipment acquired or in use by the company must be classified into one of the following categories:
1.1. Mission Critical: Loss of this equipment would immediately halt company operations. (Example: loss of all web servers at Amazon.com.)
1.2. Highly Essential: Loss of this equipment would immediately hinder company business, but would not halt operations. (Example: loss of a communication channel into the amazon.com web farm.)
1.3. Essential: Loss of this equipment would cause a hindrance to company business only if the loss was sustained for a prolonged period of time. (Example: loss of the internal e-mail system between employees at amazon.com.)
2. Objective: To ensure that all company equipment is classified according to its business value.
3. Statement: Classifying equipment based on its business value ensures that the proper amount of security will be used to protect the asset.
4. The last level (non-essential) should be changed. From a shareholder perspective, the company should not be purchasing non-essential equipment. If loss of this equipment causes any strain at all on business operations, then it is essential equipment. It is not clear what the distinction is between Highly Essential and Essential. They are both described as potential for causing "substantial loss to the Company". The only difference is "halt operation" and "impair operation"....that is a fuzzy line.

APPENDIX C: STUDENT EVALUATION OF EFFECTIVENESS QUESTIONNAIRE

CIS 8680 In-process Review, Fall 1998, Dr. Baskerville

Circle a number below to the right of each statement according to the degree of your agreement with each statement. Key: (1) strongly disagree, (2) disagree, (3) neither agree nor disagree, (4) agree, (5) strongly agree.

1. Using organizational policy as the central task in this course helped me to learn more about information security and privacy. (1) (2) (3) (4) (5)
2. Using organizational policy as the central task in this course made it easy to learn about information security and privacy. (1) (2) (3) (4) (5)
3. Using organizational policy as the central task in this course helped to keep me interested and involved in the various course topics. (1) (2) (3) (4) (5)
4. Using TCBWorks for classroom policy discussions in this course helped me to learn more about information security and privacy. (1) (2) (3) (4) (5)
5. Using TCBWorks for classroom policy discussions in this course made it easy to learn about information security and privacy. (1) (2) (3) (4) (5)
6. Using TCBWorks for classroom policy discussions in this course helped to keep me interested and involved in the various course topics. (1) (2) (3) (4) (5)
7. Using TCBWorks for outside of classroom policy discussions and comments in this course helped me to learn more about information security and privacy. (1) (2) (3) (4) (5)
8. Using TCBWorks for outside of classroom policy discussions and comments in this course made it easy to learn about information security and privacy. (1) (2) (3) (4) (5)
9. Using TCBWorks for outside of classroom policy discussions and comments in this course helped to keep me interested and involved in the various course topics. (1) (2) (3) (4) (5)
10. Using WebCT Chat in this course helped me to learn more about information security and privacy. (1) (2) (3) (4) (5)
11. Using WebCT Chat in this course made it easy to learn about information security and privacy. (1) (2) (3) (4) (5)
12. Using WebCT Chat in this course helped to keep me interested and involved in the various course topics. (1) (2) (3) (4) (5)
13. The usage of WebCT Chat made it easier for my team/group to meet outside of class. (1) (2) (3) (4) (5)
14. I enjoyed using organizational policy as the central task in this course. (1) (2) (3) (4) (5)
15. I enjoyed using TCBWorks for classroom policy discussions. (1) (2) (3) (4) (5)
16. I enjoyed using TCBWorks for outside of classroom policy discussions and comments. (1) (2) (3) (4) (5)
17. I enjoyed using WebCT Chat for outside of classroom policy discussions and comments. (1) (2) (3) (4) (5)
18. The amount of time spent on organizational policy should be increased in this course. (1) (2) (3) (4) (5)
19. The usage of TCBWorks for classroom policy discussions and voting should be increased in this course. (1) (2) (3) (4) (5)
20. The usage of TCBWorks for outside of classroom policy discussions and comments should be increased in this course. (1) (2) (3) (4) (5)
21. The usage of WebCT Chat for outside of classroom policy discussions and comments should be increased in this course. (1) (2) (3) (4) (5)
