Assessing Ethical Severity of e-Learning Systems
Security Attacks
YAIR LEVY
Graduate School of Computer and Information Sciences
Nova Southeastern University
Ft. Lauderdale, FL 33314, USA
Tel: 954-262-2006
Fax: 954-262-3915
E-mail: levyy@nova.edu
MICHELLE M. RAMIM
Huizenga School of Business and Entrepreneurship
Nova Southeastern University
Ft. Lauderdale, FL 33314, USA
Tel: 954-262-5000
E-mail: ramim@nova.edu
RAYMOND A. HACKNEY
Business School
Brunel University
Uxbridge, UB8 3PH, UK
Tel: +44 (0)1895 265428
E-mail: Ray.Hackney@brunel.ac.uk
ABSTRACT
Security and ethical issues with information systems (IS) are important concerns for most organizations.
However, limited attention has been given to unethical behaviors and severity of cyber-security attacks, while these
instances appear to be critically important. Although managers have been embracing e-learning systems for
training and virtual-team collaborations, little is known about motivations for cyber-security attacks on such
systems.
Our research includes a quantitative and qualitative study of 519 end-users who rated the ethical severity of five
common cyber-security attacks. This study investigated five types of security attacks for differences in perceived
severity according to gender, academic level, and age. Our findings reveal that the majority of users (90%) reported
their sense of severity as unethical across all five cyber-security attacks, while only a small minority of users
(3.24%) reported these cyber-security attacks to be ethical. This study also presents a further grounded analysis
through follow-up interviews.
Keywords: perceived ethical severity, ethics of cyber-security attacks, unauthorized Internet activities, severity
of unethical behaviors
“A man's ethical behavior should be based effectually on sympathy, education, and social ties.”
- Albert Einstein (1879-1955)
INTRODUCTION
The seriousness of unethical behavior in today’s society is overwhelmingly documented, especially with regard
to IS management and security [1]. Moreover, rapid technological developments have generated much attention in
the news and other media outlets. Reports of unethical behaviors, such as identity theft and cyber-attacks, are highly
sensationalized. In the U.S. alone the Federal Bureau of Investigation (FBI) reported, from a survey of 2066
organizations in 2005, that cyber-attacks cost businesses some $67.2 billion annually in security expenditures [2]
and in the UK, Telewest reported that individuals spend over $3 billion annually on cyber-security [3] – the
enormous impact of these IS breaches is well documented. As a consequence, these emerging unethical behaviors
need to be investigated and contained. Himma [4] argued that cyber-security attacks are totally unjustified on ethical
grounds and perpetrators must be identified and appropriate sanctions be imposed. An earlier study goes some way
towards achieving this objective through a consideration of how recipients of information
may behave with regard to their ethics, supervisory level, and legal requirements [5]. However, it appears that very
limited attention has been given to investigating the ethical severity of cyber-security attacks and emerging
employees’ unethical behaviors within the context of growing organizational Web-based systems.
Given the news media hype about the global economic downturn, some employees face intense pressure to meet
expectations from their organizations and various stakeholders [6]. Additionally, corporate social responsibility
appears to be a façade rather than a sincere practice in most business organizations [7]. A surge in incidents of
unethical behavior has been reported in the U.S. news media, for example, the Bernie Madoff Ponzi scheme, the
2008 Singapore Grand Prix crash, and the ACORN scandal. Legal investigations of these incidents revealed that
employees were pressured to act unethically and illegally in order to reap personal gains. Despite the public
attention paid to these scandals, it appears that unethical behavior still occurs in significant circumstances.
Journal of Computer Information Systems
Nowadays, user misconduct is more likely to involve the use of IS resources. Furthermore, some individuals
believe that IS misuse is acceptable. Rogers [8], Cronan, Foltz, and Jones [9], and Harris [10] found that individuals
are using advanced information technology (IT) tools to engage in unethical behavior. Unethical behavior is defined
as any behavior that “violates social norms, whether or not such behavior also violates the law” [11]. While
measuring unethical behavior appears to be a daunting task, measuring individuals’ perceptions about the severity of
various unethical behaviors can provide an indication of their ethical decision making. Furthermore, Rogers [8] and
Harris [10] indicated that future managers are learning about specific technology breaching techniques in some IT
courses (i.e. hacking skills, approaches for installing sniffing software and for the identification of passwords,
developing denial-of-service (DoS) attacks, and learning how to manipulate weaknesses with Web connections).
The number of cyber-security incidents has climbed sharply over the past two decades, though only a small
percentage of such attacks is reported to the public [10]. It was reported that the majority of computer hackers are
below the age of 30, pointing to the need to investigate users in that age group and their perceptions about unethical
behaviors, specifically security attacks [10].
The motivation of future managers to engage in unethical behavior might be fueled by the temptation to
graduate quickly in order to obtain a high-paying managerial position [12], availability of convenient IT tools [13], a
sense of entitlement without consequences, and peer pressure, as well as a lack of understanding of the severity of
their actions [14]. Research has shown that business students engaging in misconduct in their academic career are
more likely to engage in unethical behavior during their professional managerial career [12]. Thus, the focus of this
work was to investigate future managers’ perceptions about the severity level of key IS attacks in the context of e-learning systems, and to increase awareness for e-learning security issues, as well as their severity among IS
managers and researchers. Following the philosophy set by Leonard, Cronan, and Kreie [15] on investigating IS
related ethics, the nucleus idea behind our investigation posits that if individuals perceive the severity of key IS
security attacks to be low, then they might be more likely to engage in or seek help to engage in such unethical
behaviors.
E-learning systems originated from computer communication applications that were developed in the early
1980s. Such systems have shown tremendous growth over the past three decades, starting mainly in higher
education and quickly moving into corporate organizations and government agencies. In 2010, more than 5.6 million
U.S. students enrolled in at least one online course [16]. E-learning enrollment in higher education has proliferated
steadily by about 13% annually or 758,000 students annually over the past few years [17]. Additionally, e-learning
has captured about 32% of the adult education market [18]. However, e-learning systems have not just been the
learning platform for educational institutions. E-learning has furthermore expanded significantly into delivery of
various training modules for medical, corporate, and even military training units. In the medical field, physicians
and nurses are taking refresher courses and certificate trainings via e-learning systems, while many businesses are
offering their human resources (HR) training sessions via e-learning systems [19]. Within the corporate and the
service sector, e-learning systems are used by most marketing, sales, and research and development units to train
managers and employees yearly. In like manner, for over a decade the U.S. Government has been running an
internal e-learning system to deliver learning modules and develop skills of its employees (www.usalearning.gov).
In light of the fact that substantial evidence affirms the trend of e-learning system as a critical ingredient of the
business model, organizations are faced with the challenge of providing a secure and accountable e-learning
environment for their employees. Although there is a limited body of research on security attack prevention
strategies for Web-based systems, cyber-security does pose a real concern [20, 21], so much so that the U.S.
government has appointed a czar to help coordinate strategic efforts to reduce cyber-security threats (i.e. malware,
spoofing, phishing, and botnets, to name a few) [22]. Cyber-security attacks were also found to have a profound
crippling impact on the e-learning systems of higher educational institutions, while their implications for corporate
organizations are vastly unknown [23]. Many scholars have demonstrated the significance of investigating cyber-security attacks on e-learning systems and the need to better understand their nature and ethical severity from the
perspective of impostors [24, 25].
According to Shaw [26], “ethics deals with individual characters and moral rules that govern and limit our
conduct”. He added that ethics “investigates questions of right and wrong, fairness and unfairness, good and bad,
duties and obligation, justice and injustice, as well as responsibility and the value that should guide us” [26]. Cronan
et al. [9], Leonard et al. [15], and Dorantes, Hewitt, and Goles [27] noted that ethical behavior is gender dependent,
indicating significant differences between males and females in both their ethical perceptions and behaviors. They
indicated that in general, males appear to be less ethically driven, whereas females appear to be more ethically
driven. Moreover, age and academic level were also found to show differences related to perceptions about ethical
behaviors. Kreie and Cronan [28] noted that “a person’s characteristics, such as gender, age, and education, may
also affect one’s view of what is ethical” [28]. Although such investigations appear to indicate gender, age, and
academic level differences with ethical perceptions, not much is known about such differences within the context of
cyber-security attacks, especially in popular Web-based systems such as e-learning systems.
The aim of this study was to investigate individuals’ sense of ethical severity of e-learning security attacks and
unauthorized activities. Although there are several specific techniques of cyber-attacks, as noted, the focus of this
work is about the general sense of ethical severity of engaging in such an attack, rather than a specific cyber-attack
technique. The three key objectives of this study were:
a) To assess the extent that individuals perceive the severity of attacking an e-learning server and
unauthorized activities as ethical
b) To assess the demographics of those who perceive the severity of attacking an e-learning server and
unauthorized activities as ethical and as unethical
c) To assess if there are any significant differences on such ethical perceptions based on gender, age, and
academic level
The significance of this research is substantial for institutions and businesses as it provides evidence on how
individuals perceive the severity of attacking an e-learning server and unauthorized activities.
BACKGROUND
Ethical Severity of Attacks and Unauthorized Activities
A substantial rise has been observed in cyber-attacks over the years [29]. However, the required level of
sophisticated technological skills to unleash such cyber-attacks appears to have fallen over time. Saydjari [30]
reported that cyber-attacks are mainly attributed to the ease of committing such attacks, due to newly available
toolkits that are freely downloadable over the Internet. Ramim and Levy [23] documented a case of a devastating
cyber-attack that crippled an institution’s e-learning operations and caused substantial damage to their reputation.
Such an incident implies that businesses and organizations must be aware of the threats to their e-learning systems
from cyber-attacks in order to avoid damages, loss of confidence, and legal liability. As such, the first e-learning
security attack selected for this study was a general ‘attack on the server,’ and the aim was to assess individuals’
sense of ethical severity about such an attack.
The second unauthorized activity in this study deals with the interception of e-mails. Although e-mail
interception is a general issue, most e-learning systems have internal e-mail systems to enable specific
communication between the individual learner and the module or course instructor. The focus of this investigation
was the interception of such internal e-mails. Intercepting e-mails is defined as reading, altering, blocking, and/or
deleting e-mails sent to someone else. E-mail interception has also become easier than ever, due to rising surveillance
applications provided to businesses seeking to intercept employee communications, and others seeking to intercept
domestic communications of their spouses or partners [31]. We must emphasize that for some e-learning modules,
such as training on proprietary product development or new corporate innovations, intercepting internal e-learning
systems e-mails may provide additional knowledge or solutions that are not known otherwise, or be an exercise in
corporate espionage. This study targeted the individuals’ sense of ethical severity associated with e-mail
interception within e-learning systems.
The third unauthorized activity in this study deals with unauthorized file sharing. There has been substantial
work on unauthorized file sharing, where the vast majority of such research investigates the distribution of music
files over the Internet via peer-to-peer applications [32]. Unauthorized file sharing can be done by individuals during
various e-learning activities. However, unauthorized file sharing during exams appears to be one of the most
common unethical violations during e-learning exams [33]. We must emphasize that file sharing during exams may
provide personal gains for employees who are required to complete e-learning exams for the purpose of
certifications or other corporate requirements. For example, employees who are taking HR training exams for
certifications or medical professionals taking refresher exams may be tempted to request and share files. As such,
the focus of this investigation was on assessing individuals’ sense of ethical severity related to unauthorized file
sharing during e-learning exams.
Unauthorized access was the fourth unethical activity this study investigated. According to Stallings [34], one
of the key intruder-based attacks is the “acquisition of privileges or performance of actions beyond those that have
been authorized” (p. 306). User access permission and general system authentication have been a great challenge,
while newly released technologies such as biometrics and multi-biometrics systems appear promising. Unauthorized
access by learners of e-learning systems or e-learning materials has also been a challenge [24, 35, 36]. Likewise, we
must emphasize here that given the significant increase in e-learning systems use in corporate organizations, the use
of such systems for housing of corporate proprietary training information has increased as well. Thus, the aim of this
work was also to study individuals’ sense of ethical severity related to unauthorized access to e-learning systems.
According to the 2009 report of the Internet Crime Complaint Center (www.ic3.gov) [37], spoofing attacks
were among the top reported Internet crimes. A spoofing attack is defined as a situation where an individual
impersonates someone else to commit an unethical act. One spoofing example within the context of e-learning can
occur when an individual posts a flaming message to a discussion board, and impersonates another individual by
signing with that other individual’s name (A simple example of this can be done on discussion boards that allow
anonymous posting). According to Dinev [38], a spoofing attack is a very serious Internet fraud. He also noted that
such attacks can “cause significant business, personal, and social damage” (p. 82). Existing literature has
documented the ease with which spoofing attacks can be carried out with very limited technical knowhow [39].
Although to our knowledge no specific research has been done on spoofing attacks in e-learning systems, protecting
against such attacks within such environments has been documented [24], while instances of such attacks on e-learning systems have been observed. This study also included spoofing as one of the e-learning security attacks
investigated.
To summarize, the five common components of security attacks and unauthorized activities that this study
investigated are attacks on the server, e-mail interception, unauthorized file sharing, unauthorized access, and
spoofing attacks. As this study is defined by e-learning security, descriptions of the five security attacks and
unauthorized activities were communicated to the study participants. The five e-learning security attacks and
unauthorized activities are noted in Table I. The descriptions were provided to participants in the introduction
section of the survey. The scale used to assess the participants’ sense of ethical severity was a 5-point Likert-type
scale with the following format: 1= ‘ethical’, 2 = ‘somewhat ethical’, 3=‘slightly unethical’, 4=‘unethical’, and
5=‘very unethical’.
TABLE 1. Five E-learning Security Attacks and Unauthorized Activities Investigated

| Attack or Unauthorized Activity Name | Description |
|---|---|
| 1. Attacks on the Server | Initiating a cyber-attack on the e-learning server via the Internet and rendering it unavailable |
| 2. E-mail Interception | Reading, altering, blocking, and/or deleting e-mails sent to someone else in e-learning systems |
| 3. Unauthorized File Sharing | Unauthorized file sharing during e-learning exams |
| 4. Unauthorized Access | Unauthorized access to e-learning systems |
| 5. Spoofing Attacks | Attacks by individuals who impersonate their peers to falsify data |
METHODOLOGY, DATA ANALYSIS, AND RESULTS
We sampled 1,100 students attending online courses at the undergraduate and graduate level during the six
terms prior to Fall 2011. The target survey participants consisted of business students attending three higher
educational institutions in the southeastern region of the US including two public institutions (a state university & a
state community college) and a private university. The reason for selecting the three educational institutions was to
diversify the sample to further generalize the results. A total of 519 responses were received, which represents a
response rate of about 47%. Responses came from 268 females (51.6%) and 251 males (48.4%). The academic level
based on undergraduate and graduate level was about half, with 261 participants (50.3%) undergraduate and 258
(49.7%) graduate students. The majority of the students, 434 (83.6%), were under the age of 34. In terms of the
institutional distribution, about 17% of our study participants were from the state community college, about 36%
from the private university and the rest, about 47%, attended the state university. Figure 1 illustrates a summary of
the demographic distribution of the study participants.
FIGURE 1. Demographic Distribution of Study Participants (N=519)
Quantitative Results
The central aim of this study was to assess individuals’ perceived ethical severity across the five types of e-learning security attacks. We started by conducting an overall frequency assessment across all five security attacks
and unauthorized activities. To simplify our discussion of the results, we defined an ‘ethical individual’ as one who
reported either ‘4’ (unethical) or ‘5’ (very unethical), when asked to rate the ethical severity of the security attacks
and unauthorized activities. Similarly, we defined an ‘unethical individual’ as one who reported either ‘1’ (ethical)
or ‘2’ (somewhat ethical) when asked to rate such unethical activities. It is important to note that the severity of
attacking the e-learning server is equivalent to the severity of an attempt to shut down the organization’s e-learning
program. To put this in perspective, an attempt to attack an e-learning server is comparable to activating the fire
alarm at the university campus, so that classes will be cancelled, exams will not be conducted, assignments will not
be collected, etc. Hence, the importance of assessing the ethical severity of the attacks and unauthorized activities
appears to be highly warranted in the context of our ever-growing digital dependability.
Contrary to prior literature about substantial numbers of individuals who are unethically driven, we found that a
large majority of our study participants appear to self-report their perceptions as ethically driven across all five e-learning security attacks. Specifically, we found that the overall percentage of ethical individuals was very high
(‘Attacks on the Server’: 452 or 87.1%; ‘E-mail Interception’: 492 or 94.8%; ‘Unauthorized File Sharing’: 439 or
84.5%; ‘Unauthorized Access’: 465 or 89.6%; ‘Spoofing Attacks’: 490 or 94.4%). These results indicate that the
majority of our study participants (an average of 90.1%) appears to understand the severity of these e-learning
security attacks, while a small minority of the individuals (an average of 3.24%) appears to be unethical. To better
understand the age, gender, and academic level distribution among the two extreme groups, ethical versus unethical,
Figure 2 provides an additional distribution breakdown of the majority of individuals who indicated that the actions
are ethical, and the breakdown of the small minority of individuals who indicated the opposite. It is important to
note that although we assessed academic level in this study, one can make the analogy between this measure and the
number of years that an employee works for a corporate or a government organization, from the point of view of
familiarity with various organizational IS.
Figure 2. Distribution of Ethically and Unethically Driven Students (N=519)
We tested for observable gender differences linked to the perceived ethical severity of e-learning security
attacks. We conducted a nonparametric test using the Mann-Whitney U Test on the five security attacks and
unauthorized activities based on gender. A nonparametric test was used because the rankings of the individuals’
perceptions of ethical severity are ordinal data. Results of the gender analysis are presented in Table
II. We found that although gender differences exist on all five activities, a statistically significant gender difference
exists only for ‘Unauthorized File Sharing’ (at p<0.005), where females reported the severity of such activities less
ethical, indicating that they are significantly more ethically driven. Our results also indicated that across all five
activities, females rate the ethical severity of these e-learning security attacks and unauthorized activities as more
severe, also indicating that in general, they are more ethically driven, which is consistent with prior literature.
TABLE 2. Gender Analysis using the Mann-Whitney U Test (N=519)

| e-Learning Security Attacks & Unauthorized Activities | Males (n=251) M | Males (n=251) SD | Females (n=268) M | Females (n=268) SD | Non-parametric (Mann-Whitney U Test) Z | Sig. (2-t) |
|---|---|---|---|---|---|---|
| Attacks on the Server | 4.51 | 0.83 | 4.46 | 0.82 | -1.050 | 0.294 |
| E-mail Interception | 4.66 | 0.67 | 4.62 | 0.66 | -1.064 | 0.287 |
| Unauthorized File Sharing | 4.15 | 1.03 | 4.44 | 0.78 | -2.986 ** | 0.003 |
| Unauthorized Access | 4.36 | 0.86 | 4.51 | 0.75 | -1.947 | 0.052 |
| Spoofing Attacks | 4.59 | 0.72 | 4.62 | 0.66 | -0.449 | 0.653 |

* - p < 0.05; ** - p < 0.01
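As an added illustration (not code from the paper or its authors), the sketch below runs the kind of test described above on 5-point Likert ratings: a two-sided Mann-Whitney U test using mid-ranks and the tie-corrected normal approximation, together with the 4/5 versus 1/2 grouping defined in the Quantitative Results. The rating counts are constructed sample data, not the study's responses, and all function and variable names are hypothetical.

```python
import math
from collections import Counter

# Constructed sample data (NOT the study's responses): number of respondents
# per rating on the survey scale, 1='ethical' ... 5='very unethical'.
GROUP_A_COUNTS = {1: 3, 2: 5, 3: 12, 4: 40, 5: 40}
GROUP_B_COUNTS = {1: 1, 2: 2, 3: 7, 4: 40, 5: 50}


def expand(counts):
    """Turn {rating: count} into a flat list of individual ratings."""
    return [rating for rating, k in sorted(counts.items()) for _ in range(k)]


def share_ethical(ratings):
    """Fraction rating the attack 4 or 5 (the paper's 'ethical individual')."""
    return sum(1 for r in ratings if r >= 4) / len(ratings)


def share_unethical(ratings):
    """Fraction rating the attack 1 or 2 (the paper's 'unethical individual')."""
    return sum(1 for r in ratings if r <= 2) / len(ratings)


def midranks(pooled):
    """Average rank for each distinct value in the pooled sample.

    With only five possible answers almost every observation is tied, so each
    value gets the mean of the rank positions it occupies.
    """
    counts = Counter(pooled)
    ranks, start = {}, 1
    for value in sorted(counts):
        t = counts[value]
        ranks[value] = start + (t - 1) / 2  # mean of start .. start+t-1
        start += t
    return ranks, counts


def mann_whitney_u(a, b):
    """Two-sided Mann-Whitney U test; returns (U_a, U_b, z, p).

    z uses the smaller U, so it is never positive, and the variance carries
    the tie correction that heavily tied ordinal data requires.
    """
    n1, n2 = len(a), len(b)
    n = n1 + n2
    ranks, counts = midranks(list(a) + list(b))
    rank_sum_a = sum(ranks[x] for x in a)
    u_a = rank_sum_a - n1 * (n1 + 1) / 2
    u_b = n1 * n2 - u_a
    mean_u = n1 * n2 / 2
    tie_term = sum(t ** 3 - t for t in counts.values())
    var_u = n1 * n2 / 12 * ((n + 1) - tie_term / (n * (n - 1)))
    if var_u <= 0:  # every respondent gave the same answer
        return u_a, u_b, 0.0, 1.0
    z = (min(u_a, u_b) - mean_u) / math.sqrt(var_u)
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail
    return u_a, u_b, z, p


def compare_groups(counts_a, counts_b):
    """Summarise two groups the way the results section does."""
    a, b = expand(counts_a), expand(counts_b)
    u_a, u_b, z, p = mann_whitney_u(a, b)
    return {
        "ethical_a": share_ethical(a),
        "ethical_b": share_ethical(b),
        "unethical_a": share_unethical(a),
        "unethical_b": share_unethical(b),
        "U_a": u_a,
        "U_b": u_b,
        "Z": z,
        "p": p,
    }


if __name__ == "__main__":
    for key, value in compare_groups(GROUP_A_COUNTS, GROUP_B_COUNTS).items():
        print(f"{key:12s} {value:.4f}")
```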
The data was also assessed for differences between academic level (undergraduate & graduate) on their
perceived ethical severity of e-learning security attacks, as we hypothesized that individuals who spend more time in
the system may find the severity of engaging in such attacks less ethical due to their prolonged exposure to an
academic setting. We conducted a similar analysis using the Mann-Whitney U Test based on academic level. Table
III depicts the results of the academic level analysis. We found that significant academic level differences exist only
for ‘Attacks on the Server’ (p<0.001), where graduates (i.e. individuals who have longer exposure to the
organizational ISs) were found to be more ethically driven. It is important to note that the higher the score, the more
unethical the individual perceived an activity to be, which indicates they are more ethical – i.e. an inverse
relationship. Overall, across all five activities, our results indicated that more graduates than undergraduates report
these e-learning security attacks, indicating that graduates are generally more ethical.
TABLE 3. Academic Level (Undergraduate/Graduate) Analysis using Mann-Whitney U Test

| e-Learning Security Attacks & Unauthorized Activities | Undergraduate (n=261) M | Undergraduate (n=261) SD | Graduate (n=258) M | Graduate (n=258) SD | Non-parametric (Mann-Whitney U Test) Z | Sig. (2-t) |
|---|---|---|---|---|---|---|
| Attacks on the Server | 4.36 | 0.91 | 4.62 | 0.71 | -3.504 ** | 0.000 |
| E-mail Interception | 4.62 | 0.65 | 4.66 | 0.68 | -1.066 | 0.286 |
| Unauthorized File Sharing | 4.23 | 0.97 | 4.37 | 0.87 | -1.515 | 0.130 |
| Unauthorized Access | 4.38 | 0.84 | 4.49 | 0.77 | -1.482 | 0.138 |
| Spoofing Attacks | 4.55 | 0.74 | 4.66 | 0.62 | -1.730 | 0.084 |

* - p < 0.05; ** - p < 0.01
We undertook a further analysis for differences between participants’ age groups. Similarly, another nonparametric test using the Kruskal-Wallis H Test of multiple groups based on age groups was conducted. The results
of the age-group analysis are presented in Table IV. We found that there were significant differences based on age
level for all items with ‘Attacks on the Server’, ‘Unauthorized File Sharing’, ‘Spoofing Attacks’ (p<0.001), ‘E-mail
Interception’ (p<0.01), and ‘Unauthorized Access’ (p=0.001). Across all five activities there was an increasing
trend, a pattern indicating that the older the individual is, the more severe he/she ranks the attacks. This suggests
that with age, individuals become more ethical with regard to the measured unethical activities. Additionally, we
found no significant differences among the three institutions based on the variables tested, which led us to believe
that these differences are not institution-dependent.
TABLE 4. Age Analysis using the Kruskal-Wallis H Test (N=519)

| e-Learning Security Attacks & Unauthorized Activities | Non-parametric (Mann-Whitney U Test) Z | Sig. (2-t) |
|---|---|---|
| Attacks on the Server | 33.037 ** | 0.000 |
| E-mail interception | 20.353 ** | 0.009 |
| Unauthorized File Sharing | 30.261 ** | 0.000 |
| Unauthorized Access | 25.569 ** | 0.001 |
| Spoofing Attacks | 29.751 ** | 0.000 |

* - p < 0.05; ** - p < 0.01
Following the statistical results on the 519 quantitative records, a qualitative assessment was undertaken to elicit the
‘soft complexity’ behind the survey results.
Qualitative Analysis
The qualitative investigation attempted to elicit rich ‘thoughtful behavior’ of the individuals to uncover reasons
behind the quantitative results. The technique is common to social science research and aims to gain an in-depth
understanding of human action and beliefs. The ‘why’ questions within our analysis are considered critical to the
validity of the findings and the resultant authoritative insights for policy suggestions. Consequently, further research
was based on semi-structured interviews through a solicitation e-mail asking the same 519 anonymous participants
to volunteer to partake in the follow-up investigation. The qualitative research technique was adopted through a
grounded theory to identify the ‘why’ behind the findings and based upon conceptual ideas [40], originally proposed
by Glaser and Strauss [41]. The main aim is to discover respondents’ main beliefs about possible reasons for the
‘why’ behind our empirical findings. We received 14 anonymous volunteers from all three institutions, which
appears to be adequate for qualitative analysis, given the labor-intensive nature of the qualitative data collection.
Participant distribution included eight from a state university, six from a private university, and three from the state
community college, while no identifying information was collected.
Our first question was a general one prior to showing our quantitative results. We asked if e-learners were
generally ethical or unethical through their engagement with the online resources. As we anticipated, there was no
obvious distinctive view and a broad split of opinions suggesting individuals were both ethical and unethical in
relation to their behavior. One interviewee noted:
“I believe there is a mixture of both. Although there are individuals who conduct themselves ethically
during on line exams, unfortunately there are others who may choose to access online resources or engage
in other unauthorized activities during online exams”
Another noted:
“I think about 75% ethical and 25% unethical”
Some individuals do feel their peers act unethically, as they perceive that ‘there is no form of monitoring’ in e-learning. This was further substantiated by the responses, suggesting it is unlikely that unethical behavior can be
mediated or changed. While the general perceptions appear to indicate there is a split among individuals between
their ethical and unethical behaviors, it might very well be that extensive media coverage on unethical engagements
and the publicizing of engagements in unethical activities by some individuals hype the phenomena. As we
discovered, there may only be a ‘few bad apples’ responsible for unethical activities, while the vast majority are
ethical individuals seeking candid learning experiences.
The participants were again provided with the list of the five items under investigation and were asked if the
activities could be perceived in an ethical way. They indicated that for individuals who are taking e-learning courses,
these are very clear unethical behaviors. Some responses included:
“I don't think so. There is no grey area with the activities described”
“Removal of the words ‘unauthorized’ and ‘attack’ from the questions would not change the survey taker's
perception of them”
At that point in the interview, the results, including the figures and tables above, were given to the interviewees.
They were asked if they felt that these represented a ‘good measure’ of ethical severity. The individuals generally
felt that our quantitative analysis was a good measure of the ethical severity of e-learning server attacks. One
representative reply was that:
“Although there are a host of other unauthorized activities within e-learning these questions should
provide a good measure of individuals’ ethical severity of attacks in general”
One overarching interview question asked ‘why individuals thought the way they did.’ Most individuals were
surprised and ‘unsure’ why their peers ‘thought the way they did’. On one hand, there were those who noted that
they expected such results:
“Because most individuals are honest. We do have that small percent that will try anything”
and
“Most people believe that others will do the right thing”
while on the other hand, there were those who still believed that more people are fundamentally unethical:
“I can't say why, I expected opposite results”
Another question posed during the interviews was about the gender-based differences based on an ethical stance,
who was viewed as more ethical, and why our results indicated that females were more ethical. The respondents
generally indicated that males behaved unethically and were more likely to be ‘risk affine’ in their attitudes and
reactions to formal procedures. One statement provided sums up the responses as:
“Slightly females. The reason being males in real life are risk takers and at times look for short cuts”
Responses related to the behavior of ‘younger’ or ‘older’ individuals produced an unclear view and the category
appeared to be insignificant. This question was then extended to ‘graduate’ and ‘undergraduate’ differences, which
again produced no clear distinction by the interviewees between the two.
“I would think in this case that it would be equal to both groups. They both have knowledge of how to
manipulate computers if needed”
The statistical analysis showed that 3.24% of e-learners perceived the five e-learning security attacks (Table I) as
ethical, indicating that these e-learners are unethical. We asked interviewees ‘why’ they thought those who responded this way
did so. Subsequent interview responses demonstrated a further distancing from this behavior. The alienation of the
small percentage of individuals who behave this way is predictable. One explanation for these ‘bad apples’ suggests
a plausible reason:
“Perhaps the new generation perceived the use of technologies differently and not really for the purpose of
learning.”
It is evident that the adoption of online systems certainly presents more opportunities for unethical behavior. The
final two interview questions solicited suggestions on the regulations and/or sanctions that a university should
impose to reduce (or eliminate) unethical behavior. The responses were consistent and forthright about the need for
‘severe punishment’ to be imposed on culprits, with some responses even recommending expulsion from the
program, i.e.:
‘If the person is found guilty of unethical behavior in a free and fair hearing the penalties should include,
for example, paying for lost time and damaged equipment and for especially severe crimes, expulsion and
referral to the police….’
In general, the qualitative evidence strongly backs our initial quantitative findings. It also provides useful insights
into the perceived ethical behavior of individuals and proposed sanctions for offending culprits that may inform
policy decisions.
DISCUSSION
Most interestingly, this study reports that the majority (91%) of the participants viewed the investigated e-learning security attacks as unethical or very unethical, while a small number (~3.3%) found such attacks to be
ethical or somewhat ethical. This indicates that the large majority of individuals appear to be ethically driven, while
there is a very small group of people who seem to be unethical. As file sharing is less technically challenging than
the other types of security attacks we analyzed, our results show that individuals perceive unauthorized file sharing
during e-learning exams as more acceptable. One possible approach to managing the potentially unethical group of
individuals is to develop explicit policies about file sharing practices, and to add these policies to official business
communications, corporate employee manuals, and code of conduct documents. To enable individuals’ awareness
and familiarity with policy, instructors should discuss it in the first class session (online, on-campus, or training
facility), preferably during a chat at the beginning of the term or business training module. Another approach is to
discuss, or point individuals to, scenarios of unauthorized file sharing in the workplace, along with associated
consequences, so that they understand unethical behavior. Finally, corporate executives should counter incidents of
unauthorized file sharing with severe penalties.
Our results indicated that across all five e-learning security attacks under investigation, males found these
security attacks to be less severe than females, indicating that gender may be correlated to a varying sense of
severity about unethical security attacks. Subsequently, a sense of severity about unethical security attacks may
influence the path for decision making, which appears to be consistent with prior literature [42, 43]. Additionally, it
appears that males are more likely to be risk takers, while females tended to be the risk-averse gender. Research
suggests that pursuing a goal, such as an academic degree or attaining a professional certification via e-learning
systems, increases risk taking behavior [44]. Furthermore, prior research also appears to connect gender, personality
type, and age as indicators of risk-taking behavior [45]. Our results show that undergraduates, for the most part,
appear to perceive these attacks as only slightly less severe than graduates. However, some of the undergraduates in
our study were adult learners who were a bit older than average, and no direct correlation to age distribution was
established. Most critically, our results indicated that in terms of age, there is an increasing trend where the older the
individual is, the more severe he/she ranks the attacks. These results indicate that younger people, in particular
young males, appear to find the e-learning security attacks significantly less ethically severe or not severe at all.
Although we speculated that during the academic experience they would become aware of the ethical severity of
engaging in cyber attacks, our results revealed that for business majors, there is still a small group of mainly young
individuals who have either not become aware of the severity, or who simply appear unethical in all of their
endeavors.
In contrast to other ethics literature, we found that although our gender differences coincide with Kreie and
Cronan [42, 43], the magnitude of the differences is significantly smaller than what has been reported. Specifically,
Kreie and Cronan [42] indicated that “Men and women were distinctly different in their assessment of what is
ethical. Men were less likely to consider behavior as unethical. Moreover, their own judgment was most often
influenced by their personal values and one environmental cue-whether the action was legal” (p. 74). In our study it
is clear that all the security attacks indicated are illegal, but we still found significant differences across the gender
comparison with a much smaller gap. Kreie and Cronan [43] found that there are notable differences between what
was considered ethical and unethical by the individuals across their five scenario measures, as well as a considerable
number of their participants (an average of 37%) perceiving unethical behaviors to be acceptable. Again, with these
findings, we argue that the overall understanding of individuals about what is ethical and what is unethical may have
changed over the years, whereas present-day individuals appear to better perceive right and wrong actions. Having
said that, we still found that there is a small group who appears to view one or more of these unacceptable e-learning
security attacks as ethical. Although this represented a small number of respondents, it is still a concern.
Specifically, we know that file sharing during e-learning sessions is less technically challenging than other security
attacks such as spoofing. Therefore, it is troubling that a significant majority appears to perceive such an attack as
more acceptable.
In relation to the policy that corporate executives, university administrators, and instructors or business trainers
should adopt, there is an opportunity to build a positive ethical culture by advocating their expectations for proper
behavior. In medical refresher courses, for example, clarification and reinforcement of unethical cyber attack
practices should be discussed frequently in course introductions, learning materials, and official training documents
(i.e. learners’ manual, code of conduct, and use of technology resources policies). The discussions and reminders of
potential consequences should be done for all types of course delivery and not only for online courses, as a
substantial number of courses nowadays use e-learning systems to supplement on-ground courses or training
modules. Unethical behavior should be addressed from the perspective of multiple stakeholders rather than strictly
from an individual’s viewpoint, indicating to the learner the ramifications of such attacks on the organizational IS
and the integrity of their own degree or training certificate. Employees should also be taught early in their career
about the ethical use of technology resources, and the social responsibility that they are held to as members of an
organization (i.e. university, workplace, etc.), and as members of society.
There were three key objectives for this research. First, we wished to assess the extent that individuals perceive
the severity of attacking an e-learning server and engaging in unauthorized activities as ethical. In other words, do
individuals perceive the attacking of an e-learning server to be an ethical or unethical activity? Second, we wished to
determine the demographics of those who perceive the severity of attacking an e-learning server and unauthorized
activities as ethical and as unethical. Are there any specific demographic indicators for unethical students? Knowing
this may help corporate executives, university administrators, course instructors, and business trainers to target
additional awareness programs. We believe that additional awareness programs have the ability to inhibit unethical
perceptions and reduce the likelihood of future attacks. Our third and last key objective was to assess whether there
are any significant differences for ethical perceptions based on gender, age, and academic level
(undergraduate/graduate).
Our sample included 519 individuals attending e-learning business courses in the U.S. The results of our
investigation revealed that the majority of the participants appear to self-report their perceptions as ethically driven
across all the five e-learning security attacks, which clearly indicates that they appear to understand the severity of
these attacks. We found that a very small minority of the participants rates these attacks as ethical, indicating that
they view these attacks as morally acceptable, and this is a cause for concern. In terms of the demographics
indicators that may represent that specific group, it appears to be a small group of younger males, primarily in their
20s, who constitute the majority of the unethical individuals. Finally, our gender, age, and academic level analyses
have indicated that in general, females are more ethical than males, individuals become more ethical with age, and
graduates (i.e. more years of exposure to the organizational ISs) appear to be more ethical.
Further research could explore the process of seeking qualitative feedback on previously observed phenomena
through so-called ‘thought experiments’. Maxwell reported that Albert Einstein used them quite extensively in his
research after observing phenomena, seeking the help of others to come up with plausible explanations for his
observations [46]. Einstein’s well known ‘thought experiment’, the ‘moving elevator’ (also known as ‘Einstein’s
elevator’), seeks plausible explanations for the theory of relativity. This ‘scientific approach’ could arguably support
social science applications, such as finding further explanations for ‘ethical’ behavior. It could usefully attempt to
investigate actual individual engagements in these e-learning security attacks and study more about their nature and
origins. An interesting comparison can be drawn between the results of our study and the results of a potential study
that investigates the individuals’ perceived ethical severity and the relationship to their actual engagement in
unethical behavior, such as initiating security attacks on an e-learning system. Also, future researchers could work
with other majors (engineering, technology, and non-technology) to investigate these results and determine whether
there are any differences among these individuals in their reported severity of unethical engagements, such as
attacking an e-learning server. Future studies should also explore risk-taking behavior driven by goal-setting and
should be carried out within the context of ethical use of technological resources.
CONCLUSION
The main goal of this study was to conduct an investigation on individuals’ perceptions of ethical severity
related to five common information security attacks and unauthorized activities within the context of e-learning. It is
evident that these issues represent a serious concern for corporate training, universities, and government agencies,
and measures must be imposed to eliminate or reduce the motivations for such behavior. It is apparent from
individuals’ perceptions about the severity of cyber-attacks that most people are ethical when it comes to these
attacks. However, the general public may be naively unaware of the potential damages to organizational services
should a cyber-attack be launched on an e-learning server. Moreover, we found that there is a small group of
primarily young males in their 20s who find such cyber-attacks acceptable. These individuals should be coached
early in their academic and corporate career about the severity of such attacks and the implications for their
organization, as well as the consequences of engaging in the unethical activities we mentioned. As such, we believe
that the findings of this study are somewhat positive, as most participants considered the five e-learning security
attacks to be unethical or very unethical, with the exception of a small group of individuals.
A fundamental part of this conclusion addresses the issue of unethical individuals. Although a small group, they
should be supervised or reformed to ensure total compliance with codes of conduct for the benefit of the community.
Our study has highlighted this approach through an applied context, research design, and policy formulation within
an e-learning environment. We specifically found that additional work related to individuals’ risk-taking behavior
driven by goal-setting may allow a better understanding of the consequences of their ethical decisions at a critical
time, such as for degree-seeking students nearing graduation or degree-seeking students who seek a better ‘start’ for
their grade point average (GPA) very early in their academic career. It will be useful and interesting to explore the
impact of peer pressure on these risk-taking behaviors. Our conclusions may also provide useful insights to the
policy makers who respond to the effects of individuals’ ethical behaviors in e-learning systems. Although with
regard to ethical severity, individuals in general perceive that a significant percentage of the population is unethical,
we think that our findings can provide starting evidence that only a ‘few bad apples’ exist, who appear to cast an adverse
light on the vast majority of the people who are engaged in e-learning for the sake of true learning. Although a small
number of individuals appeared unethical, we believe institutions should advertise very strong sanctions for those
who are caught to ensure that the overall attitude towards e-learning remains highly credible. Based on our findings,
we feel strongly that all corporate training units and institutions of higher education should develop a specific code
of conduct, with clear definitions of unethical attacks. Moreover, executives should be aware that the vast majority
of e-learners are indeed ethical and should be treated as such without imposing collateral actions that reduce the
morale of those who strive to be ethical at all times.
ACKNOWLEDGMENTS
We would like to thank the users for participating in this study. Moreover, we would like to thank the JCIS
editor-in-chief Dr. Alex Koohang and the anonymous JCIS referees for their careful review and valuable
suggestions.
REFERENCES
[1] A. Matwyshyn, "CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices," Journal of Business Ethics, vol. 88, pp. 579-594, 2009.
[2] J. Evers. (2006). Computer crime costs $67 billion, FBI says. Available: http://news.cnet.com/Computercrime-costs-67-billion,-FBI-say/2100-7349_3-6028946.html
[3] I. Thomson. (2006, February 10). Viruses cost UK consumers £3BN a year. Available: http://www.v3.co.uk/vnunet/news/2149507/viruses-cost-uk-billion
[4] K. Himma, "The Ethics of Tracing Hacker Attacks Through the Machines of Innocent Persons," International Journal of Information Ethics, vol. 2, pp. 1-13, 2004.
[5] T. C. Rindfleisch, "Information technology and healthcare," Communications of the ACM, vol. 40, pp. 92-100, 1997.
[6] J. C. Sipior and B. T. Ward, "A Framework for Information Security Management Based on Guiding Standards: A United States Perspective," Issues in Informing Science and Information Technology, vol. 5, pp. 51-60, 2008.
[7] A. Geva, "Three Models of Corporate Social Responsibility: Interrelationships between Theory, Research, and Practice," Business and Society Review, vol. 113, pp. 1–41, 2006.
[8] C. F. Rogers, "Faculty perceptions about e-cheating during online testing," Journal of Computing Sciences in Colleges, vol. 22, pp. 206-212, 2006.
[9] T. P. Cronan, C. B. Foltz, and T. W. Jones, "Piracy, IS misuse at the university," Communication of the ACM, vol. 49, pp. 85-90, 2006.
[10] J. Harris, "Maintaining ethical standards for a computer security curriculum," in Proceedings of the 1st annual conference on Information security curriculum development, Kennesaw, Georgia, 2004, pp. 46-48.
[11] M. Siponen and A. Vance, "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly, vol. 34, pp. 487-502, 2010.
[12] R. A. Lawson, "Is Classroom Cheating Related to Business Students' Propensity to Cheat in the Real World," Journal of Business Ethics, vol. 49, pp. 189-199, 2004.
[13] K. K. Molnar, M. G. Kletke, and J. Chongwatpol, "Ethics vs. IT ethics: Do undergraduate students perceive a difference?," Journal of Business Ethics, vol. 83, pp. 657-671, 2008.
[14] N. T. Nguyen and M. D. Biderman, "Studying Ethical Judgments and Behavioral Intentions Using Structural Equations: Evidence from the Multidimensional Ethics Scale," Journal of Business Ethics, vol. 83, 2008.
[15] L. N. K. Leonard, T. P. Cronan, and J. Kreie, "What influences IT ethical behavior intentions—planned behavior, reasoned action, perceived importance, or individual characteristics?," Information & Management, vol. 42, pp. 143–158, 2004.
[16] I. E. Allen and J. Seaman, "Class Differences: Online Education in the United States, 2010," The Sloan Consortium, 2010.
[17] A. R. Johnson, "Distance learning in higher education," Review of higher education, vol. 32, pp. 542-545, 2009.
[18] B. Means, Y. Toyama, R. Murphy, M. Bakia, and K. Jones. (2009). Evaluation of evidence-based practices in online learning: A meta-analysis and review of online learning studies. Available: http://www.ed.gov/rschstat/eval/tech/evidence-based-practices/finalrepott.pdf
[19] N. Geri and D. Gefen, "Is There a Value Paradox of E-learning in MBA Programs?," Issues in Informing Science and Information Technology, vol. 4, pp. 163-174, 2007.
[20] E. Kritzinger, "Information security in an e-learning environment," in International federation for information processing, education for the 21st Century - Impact of ict and digital resources. vol. 210, T. D. Kumar, Ed. Boston: Springer, 2006, pp. 345-349.
[21] J. D'Arcy and A. Hovav, "Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures," Journal of Business Ethics, vol. 89, pp. 59-71, 2009.
[22] "Obama Calls for Cyber Czar," Information Management Journal, vol. 43, p. 16, 2009.
[23] M. Ramim and Y. Levy, "Securing e-learning systems: A case of insider cyber attacks and novice IT management in a small university," Journal of Cases on Information Technology, vol. 8, pp. 24-34, 2006.
[24] K. El-Khatib, L. Korba, Y. Xu, and G. Yee, "Privacy and Security in E-Learning," Journal of Distance Education Technologies, vol. 1, pp. 1-19, 2003.
[25] S. Furnell, "Cybercrime in society," in Connected Minds, Emerging Cultures: Cybercultures in Online Learning, S. Wheeler, Ed. Charlotte, NC: Information Age Publishing, 2008.
[26] W. H. Show, Business Ethics, 6th ed. Belmont: Thompson-Wadsworth, 2008.
[27] C. A. Dorantes, B. Hewitt, and T. Goles, "Ethical decision-making in an IT context: The roles of personal moral philosophies and moral intensity," in Hawaii International Conference on System Sciences, Big Island, HI, 2006, pp. 1-10.
[28] J. Kreie and T. P. Cronan, "How men and women view ethics," Association for Computing Machinery. Communications of the ACM, vol. 41, pp. 70-78, 1998.
[29] N. Ye, J. Giordano, and J. Feldman, "A process control approach to cyber attack detection," Communications of the ACM, vol. 44, pp. 76-82, 2001.
[30] O. S. Saydjari, "Cyber defense: art to science," Communications of the ACM, vol. 47, pp. 52-57, 2004.
[31] G. D. Nord, T. F. McCubbins, and J. H. Nord, "E-monitoring in the workplace: privacy, legislation, and surveillance software," Communication of the ACM, vol. 49, pp. 72-77, 2006.
[32] F. v. Lohmann, "Voluntary collective licensing for music file sharing," Communications of the ACM, vol. 47, pp. 21-24, 2004.
[33] N. T. Tippins, J. Beaty, F. Drasgow, W. M. Gibson, K. Pearlman, D. O. Segall, and W. Shepherd, "Unproctored Internet Testing In Employment Settings," Personnel Psychology, vol. 59, pp. 189-255, 2006.
[34] W. Stallings, Network security essentials: Applications and standards, 4th ed. Upper Saddle River, NJ: Prentice Hall, 2011.
[35] Y. Levy and M. Ramim, "Initial development of a learners’ ratified acceptance of multi-biometrics intentions model (RAMIM)," Interdisciplinary Journal of E-Learning and Learning Objects, vol. 5, pp. 379-397, 2009.
[36] M. Bruhn, M. Gettes, and A. West, "Identity and access management and security in higher education," EDUCAUSE Quarterly, vol. 26, pp. 12–16, 2003.
[37] "2009 Internet Crime Report - Internet Crime Complaint Center," 2009.
[38] T. Dinev, "Why spoofing is serious internet fraud," Communications of the ACM, vol. 49, pp. 76-82, 2006.
[39] T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, "Social phishing," Communications of the ACM, vol. 50, pp. 94-100, 2007.
[40] G. Mey and K. Mruck, Eds., Grounded Theory Reader (HSR-Supplement 19). Cologne: ZHSF, 2007.
[41] B. G. Glaser and A. L. Strauss, Discovery of Grounded Theory. Strategies for Qualitative Research. Chicago: Aldine Publishing Company, 1967.
[42] J. Kreie and T. P. Cronan, "How Men and Women View Ethics," Communication of the ACM, vol. 41, pp. 70-76, 1998.
[43] J. Kreie and T. P. Cronan, "Making Ethical Decisions," Communication of the ACM, vol. 43, pp. 66-71, 2000.
[44] S. A. Jeffrey, S. Onay, and R. P. Larrick, "Goal attainment as a resource: The cushion effect in risky choice above a goal," Journal of Behavioral Decision Making, vol. 23, pp. 191–202, 2010.
[45] R. Pat-Horenczyk, O. Peled, T. Miron, D. Brom, Y. Villa, and C. M. Chemtob, "Risk-Taking Behaviors Among Israeli Adolescents Exposed to Recurrent Terrorism: Provoking Danger Under Continuous Threat?," The American Journal of Psychiatry, vol. 164, pp. 66-72, 2007.
[46] J. A. Maxwell, Qualitative Research Design: An Interactive Approach, 2nd ed. Thousand Oaks, CA: Sage Publications, 2005.