Raising information
Al-
security awareness
in the academic
setting
by Andrew Cox and Sarah Connolly,
LITC, South Bank University and
James Currall, University of Glasgow
This paper examines three approaches to
increasing awareness in an academic setting:
a discussion session, a checklist and a web
based tutorial. All three are found to be
effective in raising motivation and
understanding of security because they
present the issues in an accessible, interesting
way.
The research for the paper was funded by the
JISC Committee for Awareness, Liaison and
Training as part of a project on the human and
organisational issues associated with network
security. http://litc.sbu.ac.uk/jcalt/
Universities, like many other institutions, are
working more and more online. Vital and confi-
dential messages about research or administrative
arrangements are exchanged by email. Documents
sitting on computers or the network represent
many man hours of work. Budget is spent online.
The more institutions depend on computers the
more important computer security becomes.
By security we could mean anything from virus
scanning, backing up work, choosing and changing
passwords - to interacting with secure servers and
encrypting or signing electronic messages. We
have seen great advances in security technology,
and the reliability of the network in the last few
years, but technology cannot mitigate all the risks.
All along the line users have to make decisions
with security implications, e.g. to keep their virus
files up to date, to update software, to treat email
attachments with caution, to make sensible choices
about when to encrypt message - or when not to
send information in electronic form at all.
though some of this, such as automatic updates of
virus fixes, can be provided as a background
service, there will always be points at which the
user has to make responsible decisions, with a
security risk attached.
The risks are as serious in the academic sector as
in, say, the financial sector. It may be more
straightforward to measure the potential cost of a
security breach or of system downtime at a bank.
The damage can be measured in terms of lost
business, in monetary terms. But even if less easily
quantifiable the risks for a University are still
great. And so too for users. For institutions secu-
rity failures can cause a loss of time, of data and of
reputation. The individual has those same things at
stake, and also their privacy.
So it is important that users need to understand
security at some level, but there are some barriers
to this. On the surface security does not seem an
inherently interesting topic, particularly as usually
presented. A student comes to a computer to write
a paper or do research, how the computer works is
not usually of inherent interest. Security may
threaten their ability to complete work, but it is not
something they wish to be concerned with. Users
are already struggling to understand computers and
networks. Is trying to explain security issues to
them just adding another layer of complexity that
they probably wont be able to cope with ? Even if
one acknowledges this but decides that training
users is unavoidable, there is a further barrier. It is
difficult to come to terms with the nature of risk: ie
how much effort should one spend on countering a
very unlikely event, which would be absolutely
disastrous if it happened? But ultimately the
difficulty of the topic is an argument for more
training, rather than less.
This article evaluates three simple approaches to
raising awareness, that may be able to overcome
these apparent barriers. One of the assumptions the
paper makes is that in fact security is not necessar-
ily boring. It is also the contention here that users,
though struggling with the technology, are both
interested and motivated to use the network re-
sponsibly. It probably goes without saying that an
awareness programme should be developed as part
of a wider Information Strategy (for which see
Alan Robiette. “Developing an information secu-
rity policy”. http://www.jisc.ac.uk/pub01/
security_policy.html).
VINE 123 — 11
Raising information security awareness in the academic setting
The discussion session
One approach to increasing security awareness is
through courses. Ideally aspects of security should
be covered in training for the use of any applica-
tion, e.g. the dangers of viruses should be covered
in a course on email. But there is also a need for
general security awareness raising sessions, e.g.
about choosing good passwords or anti-virus
protection. There is a danger that such training
could be boring or even anxiety provoking, be-
cause it would be easy to take the approach of
simply setting out a list of do’s and don’ts, and
restrictive rules - and the consequences of not
observing them. It is doubtful that if attendance
was voluntary that many would attend this sort of
training session. The approach also does not
accord very well with the typical liberal, relaxed
culture of University life.
But there is scope for a more discursive approach,
that even excites interest in the topic. One only has
to read the newspaper regularly to understand that
the activities and mind set of hackers, the theft of
identity and the hazards to privacy of email are
fascinating. Running stories about online privacy,
say, are full of human and ethical interest. The
technology is secondary, essentially the interest is
in the human communication.
At South Bank University in Spring 2001 we
experimented with a consciousness raising session
with a selected group of support staff. This was
part of a series of lunch time lectures, offered to
staff as a Continuing Professional Development on
a voluntary basis. The session lasted around an
hour.
Structure of the session
The session started with a review of the literature
of computer security, pointing out that much of it
concentrates on hardware and software solutions,
and ignores the whole issue of human interaction
with systems. The fraction of the literature that
does stress human issues is largely taken up with
the hacker and hacker culture. Some literature
acknowledges the importance of the ‘insider’ as a
threat. But even this is again to stress malice above
incompetence, ignorance or shortage of time as the
main causes of security failures. The opening
presentation also discussed the difficulties inherent
in the concepts of trust and risk.
12 — VINE 123
The main body of the session was based around a
series of headlines and extracts from newspapers
which were used as jumping off points to stimulate
more discussion of the issues.
• Basic security practice
“Watch out there is a hacker about”. (The
Daily Telegraph, January 8 th 2001) In this
article there is advice on backups,
passwords, securing information. Looking at
this story led to a discussion of how well
people felt they, colleagues and students
performed against these ‘common sense’
criteria. The session leaders tried to tease
out non-obvious aspects of the issues. For
example one of the pieces of advice is not to
‘ send sensitive information by email, except
encrypted.’ This is not a straight forward
piece of advice. To follow it one needs to
determine what is sensitive information, and
ideally identify different levels of
sensitivity, one needs a strategy to evaluate
sensitivity systematically. It also begs the
question of whether people know how to
encrypt information, how to send it once
encrypted and whether they understand the
different levels of encryption.
• Vulnerabilities
“Thieves of the future will steal your
identity”. (Sunday Times, December 10th
2000). The aim was to again problematise
perceptions of what is at risk online,
recognising that increased awareness of the
risks will increase motivation. What is at
risk if someone breaks into your account? Is
it simply loss of data (they delete a file),
corruption of data (they make small difficult
to detect changes), loss of privacy (they read
your files) or loss of reputation/trust (they
send messages under your identity)? The last
risk is arguably the most serious, but it is
also the least obvious. We also discussed
whether Universities can measure risk to
themselves, and what the University has at
risk.
• Enforcement of policies
“Policing online: three companies tell us
how they deal with email and web issues”
(Evening Standard, January 16 2001). This
article described the policies of three
companies towards people who broke
company rules on computer use in some
 Raising information security awareness in the academic setting
way, such as by sending an executable file
to a colleague or a document with a virus to
a business contact. The issue to discuss here
was how strict should the rules be, because
many of these companies were much harsher
than the University would be likely to be.
• Online shopping
• “Shoppers hacked off over online
dangers” (Daily Telegraph, Nov 9 2000)
• “Increasing consumer confidence in
the internet and security of online
shopping has uncovered a burgeoning
world-wide appetite for laver bread”
(Daily Telegraph, September 21
2000)
• “How best to shop securely online”
(The Times, October 16 2000)
To close off the discussion the
perennial issue of the security of
online shopping systems and
perceptions of their usefulness,
security and reliability was raised.
Success of the exercise
The session was successful in stimulating a vigor-
ous and well informed discussion, with a high level
of participation. People enjoyed the event. The
mixture of technical and non-technical staff was
good in allowing participants to inform each other.
An immediate benefit was the realisation that we
should try and increase awareness that the Univer-
sity virus scanning software is available for free to
all staff to install on their computers at home.
This was only a one off experimental event.
Clearly to be effective it might need to be tied to
more direct instruction. It did though appear to be
a simple, effective (if somewhat unscaleable) way
to increase understanding of the issues.
The checklist
Another simple but effective approach to raising
awareness is a checklist of do’s and don’ts that can
be easily circulated among staff (perhaps by
email), presented in an accessible, helpful way. An
example developed at University of Glasgow as a
spin off from the JCALT project, and is repro-
duced in Figure 1.
The precise content of the ‘top ten’ would obvi-
ously vary depending on the local computing
environment, any perception of specific problems
that were to be addressed or the level of under-
standing among the target user group. The
approach was found to be effective in stimulating
staff at Glasgow to reflect on their own practice
and recognise the importance of good practices
that are known about but easy to let lapse.
Online tutorial
A third approach to awareness raising is through
an online tutorial, (See Figure 2) perhaps built into
some process every user must perform, such as
logging in. The most interesting example of this
we have found was designed by James Madison
University. Periodically users are forced to make
changes to their password, before they can do this
they have to pass through a series of screens which
briefly describe scenarios that raise information
security issues, and challenge the user to say which
of the options presented they would choose. Users
are offered different scenarios if they are students,
‘faculty’ (ie academic staff) or staff. The dilemmas
posed by the tutorial very much present the issues
as ethical ones, rather than simple cases of choos-
ing right or wrong practice. In this sense the
approach is similar to the awareness raising ses-
sion tried at SBU. It also takes a broad view of
what security encompasses: including such things
as IPR and use of Napster. At the end of the
tutorial, the lessons are summed up on a page that
can be printed out, and the user can continue on to
change their password.
A sample of the tutorials can be viewed at http://
raven.jmu.edu/~dixonlm/quiz/ A report on their
philosophy and the success of the JMU tutorial can
be found summarised in a paper given to the
Commonwealth Virginia Information Technology
Symposium in 2000 (http://www.covits.com/
Session%20Descriptions/Workshop%20D.htm).
There is also their own checklist of safe practices,
called RUNSAFE. It is somewhat more technical
in approach to the issues than the Glasgow docu-
ment.
The tutorial approach seems a valuable model for
HE to pursue. It is scaleable and would work with
students as well as staff for whom the other meth-
ods described here are more obviously attuned.
VINE 123 — 13
Raising information security awareness in the academic setting

University of Glasgow Information Services

IT Security Action Points

James Currall and Others
February 2001

Introduction

Most staff and students within the University are heavily dependant on IT systems to do their work. Over recent years the
reliability of the machines and networks has improved enormously, to a point where the reliability of IT systems is
determined much more by the actions of individuals in the way that the systems are used. Essentially e-mail systems,
word processing programs, etc. are simply tools and like any tools they should be used carefully and with common sense.

It is important to remember that no amount of computer and network security is any use if machines, floppy disks, printouts,
etc. are left lying around in unlocked offices which anyone can wander in to. There is a particular problem in this respect
in relation to Sensitive and Personal data which are covered by the Data Protection Act 1998. A “Checklist for Personal
Data” is available to clarify the requirements of the Act and more information is to be found at the University Data Protection
Act web pages.

If you need help or advice in carrying out the actions suggested below, consult with your Faculty or Departmental IT staff
or with the Computing Service via the Advisory Service.

10 Action Points

Passwords and User Accounts

Remember that you will be held responsible for any actions originating from your workstation while you are logged in to
it.

Action point 1. Make sure a password is needed to access your machine whenever you are away from it; use a screen
saver password or workstation locking for short breaks and ensure that you log out if you are away for longer periods.

Action point 2. Don’t allow others to use your machine unattended (or a machine logged in as you) or to send e-mail from
your account.

Action point 3. Select passwords which are not to be found in dictionaries in any language, suitable passwords consist
of combinations of letters, numbers and punctuation!! (they should also be at least 6 characters long).

Action point 4. In general do not write down passwords, but as a last resort, if you feel that you are likely to forget your
password(s), hide the written copy away where only you would think of looking for it.

Action point 5. It is not good practice to tell other people your password; if it is necessary for someone to do something
on your machine, type the password for them (whilst they are not looking) and don’t under any circumstances give your
password to anyone asking for it over the phone or change it to something which someone else tells you to.

E-mail

As with any other form of communication you need to beware of the people out there who cannot be trusted and who can
make e-mail appear to come from your friends or colleagues. You might also wish to refer to the documents “Guidance
on the Use of E-mail” and “Security of Electronic Mail”.

Action point 6. Do not open e-mail attachments unless you are expecting them and there are no suspicious circumstances
surrounding the message containing them, if in doubt check with the supposed originator before opening them.

Viruses
We read about new computer viruses in the papers every week and the havoc that they can cause to businesses and
educational institutions. You can become the unwitting vehicle for disrupting the work of your colleagues and associates
if you do not take precautions.

Action point 7. Install a virus checker, keep it up-to-date and make sure that it is set to check files automatically - new
viruses appear at very frequent intervals.

Figure 1 – A Checklist example (continued opposite)

14 — VINE 123
 Raising information security awareness in the academic setting

Software
Most of the software that you need to do your work will be provided from reputable sources. There are many useful
programs available on the Internet to do particular tasks, but there can be risks associated with obtaining and using them.

Action point 8. Do not download software from the Internet unless there is a clear business need for it and you can trust
the source/server that is providing it; people do make copies of legitimate shareware/freeware programs available with
viruses or modifications which compromise the security of your machine and disguise damaging programs as seemingly
harmless games or cute animations which open up backdoors into your machine or unleash viruses on all those you
communicate with.
Personal Details
Would you give your personal details to a complete stranger if they asked you? The Internet is no different!
Action point 9. Do not leave your details (or anyone else’s) in web forms unless you have good reason to trust that the
organisation running the web site will use the information in a responsible way (many web sites offer rather dubious
benefits in exchange for details which they then use to send you junk mail or sell to other organisations for the same
purpose).
Backups and Information Loss
If the work that you do has value to either yourself or the University, then loss of that work due to failure of equipment
or human error is an issue that you ought to take seriously. You are the only person who can ensure that this does not
happen!

Action point 10. Store all the documents and data that you work with on a fileserver that is backed-up regularly rather
than on your machine’s built-in hard disk and if there are files for which you cannot do this then make backup copies to
a server or to floppy disk regularly, otherwise you might find that all the work that you have been doing for the last few
weeks is wiped out by damage to or breakdown of your machine.

Figure 1 – A Checklist example (continued from Page 14)

Figure 2 – Online tutorial

VINE 123 — 15
Raising information security awareness in the academic setting

Although it is quite intrusive users can choose to or support the introduction of relatively novel
click through if they are in a hurry or impatient. technologies such as the encryption of email.
There is no sense that giving the wrong answer
denies you access to the service. The scenarios are Contact details
interesting enough to excite comment and thought Andrew Cox
for those with the time to spare. LITC
South Bank University
Conclusion 103 Borough Road
London SE1 0AA
This paper argues that in Universities (as every- Email:coxam@sbu.ac.uk
where else) information security on the network is
of growing importance, that there can be no purely Dr. James Currall
technical solution to making systems secure and Computing Service
that for these reasons users’ behaviour is critical to University of Glasgow
the security of all. There needs to be a security Glasgow G12 8QQ
culture among users. Several approaches to raising Tel: +44 (0)141 339 8855 ext. 4855
awareness are then discussed. All seem valid Fax: +44 (0)141 330 4808
approaches, whether to raise awareness generally Email: J.Currall@compserve.gla.ac.uk

16 — VINE 123