Assessing Ethical Severity of e-Learning Systems Security Attacks YAIR LEVY
advertisement
Assessing Ethical Severity of e-Learning Systems Security Attacks YAIR LEVY Graduate School of Computer and Information Sciences Nova Southeastern University Ft. Lauderdale, FL 33314, USA Tel: 954-262-2006 Fax: 954-262-3915 E-mail: levyy@nova.edu MICHELLE M. RAMIM Huizenga School of Business and Entrepreneurship Nova Southeastern University Ft. Lauderdale, FL 33314, USA Tel: 954-262-5000 E-mail: ramim@nova.edu RAYMOND A. HACKNEY Business School Brunel University Uxbridge, UB8 3PH, UK Tel: +44 (0)1895 265428 E-mail: Ray.Hackney@brunel.ac.uk ABSTRACT Security and ethical issues with information systems (IS) are important concerns for most organizations. However, limited attention has been given to unethical behaviors and severity of cyber-security attacks, while these instances appear to be critically important. Although managers have been embracing e-learning systems for training and virtual-team collaborations, little is known about motivations for cyber-security attacks on such systems. Our research includes quantitative and qualitative study of 519 end-users who rated the ethical severity of five common cyber-security attacks. This study investigated five types of security attacks for differences in perceived severity according to gender, academic level, and age. Our findings reveal that the majority of users (90%) reported their sense of severity as unethical across all five cyber-security attacks, while only a small minority of users (3.24%) reported these cyber-security attacks to be ethical. This study also presents a further grounded analysis through follow-up interviews. Keywords: perceived ethical severity, ethics of cyber-security attacks, unauthorized Internet activities, severity of unethical behaviors Assessing Ethical Severity of e-Learning Systems Security Attacks Yair Levy1, Michelle M. Ramim2, and Raymond A. Hackney3 1Graduate School of Computer and Information Sciences, Nova Southeastern University, Ft. Lauderdale, FL, USA School of Business and Entrepreneurship, Nova Southeastern University, Ft. Lauderdale, FL, USA 3Business School, Brunel University, Uxbridge, UK 2Huizenga ABSTRACT Security and ethical issues with information systems (IS) are important concerns for most organizations. However, limited attention has been given to unethical behaviors and severity of cyber-security attacks, while these instances appear to be critically important. Although managers have been embracing e-learning systems for training and virtual-team collaborations, little is known about motivations for cyber-security attacks on such systems. Our research includes quantitative and qualitative study of 519 end-users who rated the ethical severity of five common cyber-security attacks. This study investigated five types of security attacks for differences in perceived severity according to gender, academic level, and age. Our findings reveal that the majority of users (90%) reported their sense of severity as unethical across all five cyber-security attacks, while only a small minority of users (3.24%) reported these cyber-security attacks to be ethical. This study also presents a further grounded analysis through follow-up interviews. Keywords: perceived ethical severity, ethics of cyber-security attacks, unauthorized Internet activities, severity of unethical behaviors “A man's ethical behavior should be based effectually on sympathy, education, and social ties.” - Albert Einstein (1879-1955) INTRODUCTION The seriousness of unethical behavior in today’s society is overwhelmingly documented, especially with regard to IS management and security [1]. Moreover, rapid technological developments have generated much attention in the news and other media outlets. Reports of unethical behaviors, such as identity theft and cyber-attacks, are highly sensationalized. In the U.S. alone the Federal Bureau of Investigation (FBI) reported, from a survey of 2066 organizations in 2005, that cyber-attacks cost businesses some $67.2 billion annually in security expenditures [2] and in the UK, Telewest reported that individuals spend over $3 billion annually on cyber-security [3] – the enormous impact of these IS breaches is well documented. As a consequence, these emerging unethical behaviors need to be investigated and contained. Himma [4] argued that cyber-security attacks are totally unjustified on ethical grounds and perpetrators must be identified and appropriate sanctions be imposed. An earlier study attempts to achive goes some way towards achieving this objective through a consideration of how recipients of information may behave with regard to their ethics, supervisory level, and legal requirements [5]. However, it appears that very limited attention has been given to investigating the ethical severity of cyber-security attacks and emerging employees’ unethical behaviors within the context of growing organizational Web-based systems. Given the news media hype about the global economic downturn, some employees face intense pressure to meet expectations from their organizations and various stakeholders [6]. Additionally, corporate social responsibility appears to be a façade rather than a sincere practice in most business organizations [7]. A surge in incidents of unethical behavior has been reported in the U.S. news media, for example, the Bernie Madoff Ponzi scheme, the 2008 Singapore Grand Prix crash, and the ACORN scandal. Legal investigations of these incidents revealed that employees were pressured to act unethically and illegally in order to reap personal gains. Despite the public attention paid to these scandals, it appears that unethical behavior still occurs in significant circumstances. Journal of Computer Information Systems 1 Nowadays, user misconduct is more likely to involve the use of IS resources. Furthermore, some individuals believe that IS misuse is acceptable. Rogers [8], Cronan, Foltz, and Jones [9], and Harris [10] found that individuals are using advanced information technology (IT) tools to engage in unethical behavior. Unethical behavior is defined as any behavior that “violates social norms, whether or not such behavior also violates the law” [11]. While measuring unethical behavior appears to be a daunting task, measuring individuals’ perceptions about the severity of various unethical behavior can provide indication about their ethical decision making. Furthermore, Rogers [8] and Harris [10] indicated that future managers are learning about specific technology breaching techniques in some IT courses (i.e. hacking skills, approaches for installing sniffing software and for the identification of passwords, developing denial-of-service (DoS) attacks, and learning how to manipulate weaknesses with Web connections). The number of cyber-security incidents has climbed sharply over the past two decades, though only a small percentage of such attacks is reported to the public [10]. It was reported that the majority of computer hackers are below the age of 30, pointing to the need to investigate users in that age group and their perceptions about unethical behaviors, specifically security attacks [10]. The motivation of future managers to engage in unethical behavior might be fueled by the temptation to graduate quickly in order to obtain a high-paying managerial position [12], availability of convenient IT tools [13], a sense of entitlement without consequences, and peer pressure, as well as a lack of understanding of the severity of their actions [14]. Research has shown that business students engaging in misconduct in their academic career are more likely to engage in unethical behavior during their professional managerial career [12]. Thus, the focus of this work was to investigate future managers’ perceptions about the severity level of key IS attacks in the context of elearning systems, and to increase awareness for e-learning security issues, as well as their severity among IS managers and researchers. Following the philosophy set by Leonard, Cronan, and Kreie [15] on investigating IS related ethics, the nucleus idea behind our investigation posits that if individuals perceive the severity of key IS security attacks to be low, then they might be more likely to engage in or seek help to engage in such unethical behaviors. E-learning systems originated from computer communication applications that were developed in the early 1980s. Such systems have shown tremendous growth over the past three decades, starting mainly in higher education and quickly moving into corporate organizations and government agencies. In 2010, more than 5.6 million U.S. students enrolled in at least one online course [16]. E-learning enrollment in higher education has proliferated steadily by about 13% annually or 758,000 students annually over the past few years [17]. Additionally, e-learning has captured about 32% of the adult education market [18]. However, e-learning systems have not just been the learning platform for educational institutions. E-learning has furthermore expanded significantly into delivery of various training modules for medical, corporate, and even military training units. In the medical field, physicians and nurses are taking refresher courses and certificate trainings via e-learning systems, while many businesses are offering their human resources (HR) training sessions via e-learning systems [19]. Within the corporate and the service sector, e-learning systems are used by most marketing, sales, and research and development units to train managers and employees yearly. In like manner, for over a decade the U.S. Government has been running an internal e-learning system to deliver learning modules and develop skills of its employees (www.usalearning.gov). In light of the fact that substantial evidence affirms the trend of e-learning system as a critical ingredient of the business model, organizations are faced with the challenge of providing a secure and accountable e-learning environment for their employees. Although there is a limited body of research on security attack prevention strategies for Web-based systems, cyber-security does pose a real concern [20, 21], so much so that the U.S. government has appointed a czar to help coordinate strategic efforts to reduce cyber-security threats (i.e. malware, spoofing, phishing, and botnets, to name a few) [22]. Cyber-security attacks were also found to have a profound crippling impact on the e-learning systems of higher educational institutions, while their implications for corporate organizations are vastly unknown [23]. Many scholars have demonstrated the significance of investigating cybersecurity attacks on e-learning systems and the need to better understand their nature and ethical severity from the perspective of impostors [24, 25]. According to Shaw [26], “ethics deals with individual characters and moral rules that govern and limit our conduct”. He added that ethics “investigates questions of right and wrong, fairness and unfairness, good and bad, duties and obligation, justice and injustice, as well as responsibility and the value that should guide us” [26]. Cronan et al. [9], Leonard et al. [15], and Dorantes, Hewitt, and Goles [27] noted that ethical behavior is gender dependent, indicating significant differences between males and females in both their ethical perceptions and behaviors. They indicated that in general, males appear to be less ethically driven, whereas females appear to be more ethically driven. Moreover, age and academic level were also found to show differences related to perceptions about ethical behaviors. Kreie and Cronan [28] noted that “a person’s characteristics, such as gender, age, and education, may also affect one’s view of what is ethical” [28]. Although such investigations appear to indicate gender, age, and Journal of Computer Information Systems 2 academic level differences with ethical perceptions, not much is known about such differences within the context of cyber-security attacks, especially in popular Web-based systems such as e-learning systems. The aim of this study was to investigate individuals’ sense of ethical severity of e-learning security attacks and unauthorized activities. Although there are several specific techniques of cyber-attacks, as noted, the focus of this work is about the general sense of ethical severity of engaging in such an attack, rather than a specific cyber-attack technique. The three key objectives of this study were: a) To assess the extent that individuals perceive the severity of attacking an e-learning server and unauthorized activities as ethical b) To assess the demographics of those who perceive the severity of attacking an e-learning server and unauthorized activities as ethical and as unethical c) To assess if there are any significant differences on such ethical perceptions based on gender, age, and academic level The significance of this research is substantial for institutions and businesses as it provides evidence on how individuals perceive the severity of attacking an e-learning server and unauthorized activities. BACKGROUND Ethical Severity of Attacks and Unauthorized Activities A substantial rise has been observed in cyber-attacks over the years [29]. However, the required level of sophisticated technological skills to unleash such cyber-attacks appears to have fallen over time. Saydjari [30] reported that cyber-attacks are mainly attributed to the ease of committing such attacks, due to newly available toolkits that are freely downloadable over the Internet. Ramim and Levy [23] documented a case of a devastating cyber-attack that crippled an institution’s e-learning operations and caused substantial damage to their reputation. Such an incident implies that businesses and organizations must be aware of the threats to their e-learning systems from cyber-attacks in order to avoid damages, loss of confidence, and legal liability. As such, the first e-learning security attack selected for this study was a general ‘attack on the server,’ and the aim was to assess individuals’ sense of ethical severity about such an attack. The second unauthorized activity in this study deals with the interception of e-mails. Although e-mail interception is a general issue, most e-learning systems have internal e-mail systems to enable specific communication between the individual learner and the module or course instructor. The focus of this investigation was the interception of such internal e-mails. Intercepting e-mails is defined as reading, altering, blocking, and/or deleting e-mails sent to someone else. E-mail interception has also been easier than ever, due to rising surveillance applications provided to businesses seeking to intercept employee communications, and others seeking to intercept domestic communications of their spouses or partners [31]. We must emphasize that for some e-learning modules, such as training on proprietary product development or new corporate innovations, intercepting internal e-learning systems e-mails may provide additional knowledge or solutions that are not known otherwise, or be an exercise in corporate espionage. This study targeted the individuals’ sense of ethical severity associated with e-mail interception within e-learning systems. The third unauthorized activity in this study deals with unauthorized file sharing. There has been substantial work on unauthorized file sharing, where the vast majority of such research investigates the distribution of music files over the Internet via peer-to-peer applications [32]. Unauthorized file sharing can be done by individuals during various e-learning activities. However, unauthorized file sharing during exams appears to be one of the most common unethical violations during e-learning exams [33]. We must emphasize that file sharing during exams may provide personal gains for employees who are required to complete e-learning exams for the purpose of certifications or other corporate requirements. For example, employees who are taking HR training exams for certifications or medical professionals taking refresher exams may be tempted to request and share files. As such, the focus of this investigation was on assessing individuals’ sense of ethical severity related to unauthorized file sharing during e-learning exams. Unauthorized access was the fourth unethical activity this study investigated. According to Stallings [34], one of the key intruder-based attacks is the “acquisition of privileges or performance of actions beyond those that have been authorized” (p. 306). User access permission and general system authentication have been a great challenge, while newly released technologies such as biometrics and multi-biometrics systems appear promising. Unauthorized access by learners of e-learning systems or e-learning materials has also been a challenge [24, 35, 36]. Likewise, we must emphasize here that given the significant increase in e-learning systems use in corporate organizations, the use of such systems for housing of corporate proprietary training information has increased as well. Thus, the aim of this work was also to study individuals’ sense of ethical severity related to unauthorized access to e-learning systems. Journal of Computer Information Systems 3 According to the 2009 report of the Internet Crime Complaint Center (www.ic3.gov) [37], spoofing attacks were among the top reported Internet crimes. A spoofing attack is defined as a situation where an individual impersonates someone else to commit an unethical act. One spoofing example within the context of e-learning can occur when an individual posts a flaming message to a discussion board, and impersonates another individual by signing with that other individual’s name (A simple example of this can be done on discussion boards that allow anonymous posting). According to Dinev [38], a spoofing attack is a very serious Internet fraud. He also noted that such attacks can “cause significant business, personal, and social damage” (p. 82). Existing literature has documented the ease with which spoofing attacks can be carried out with very limited technical knowhow [39]. Although to our knowledge no specific research has been done on spoofing attacks in e-learning systems, protecting against such attacks within such environments have been documented [24], while instances of such attacks on elearning systems have been observed. This study also included spoofing as one of the e-learning security attacks investigated. To summarize, the five common components of security attacks and unauthorized activities that this study investigated are attacks on the server, e-mail interception, unauthorized file sharing, unauthorized access, and spoofing attacks. As this study is defined by e-learning security, descriptions of the five security attacks and unauthorized activities were communicated to the study participants. The five e-learning security attacks and unauthorized activities are noted in Table I. The descriptions were provided to participants in the introduction section of the survey. The scale used to assess the participants’ sense of ethical severity was a 5-point Likert-type scale with the following format: 1= ‘ethical’, 2 = ‘somewhat ethical’, 3=‘slightly unethical’, 4=‘unethical’, and 5=‘very unethical’. TABLE 1. Five E-learning Security Attacks and Unauthorized Activities Investigated Attack or Unauthorized Activity Name Description 3. Unauthorized File Sharing Initiating a cyber-attack on the e-learning server via the Internet and rendering it unavailable Reading, altering, blocking, and/or deleting e-mails sent to someone else in e-learning systems Unauthorized file sharing during e-learning exams 4. Unauthorized Access Unauthorized access to e-learning systems 5. Spoofing Attacks Attacks by individuals who impersonate their peers to falsify data 1. Attacks on the Server 2. E-mail Interception METHODOLOGY, DATA ANALYSIS, AND RESULTS We sampled 1,100 students attending online courses at the undergraduate and graduate level during the six terms prior to Fall 2011. The target survey participants consisted of business students attending three higher educational institutions in the southeastern region of the US including two public institutions (a state university & a state community college) and a private university. The reason for selecting the three educational institutions was to diversify the sample to further generalize the results. A total of 519 responses were received, which represents about 47% of the response rate. Responses came from 268 females (51.6%) and 251 males (48.4%). The academic level based on undergraduate and graduate level was about half, with 261 participants (50.3%) undergraduate and 258 (49.7%) graduate students. The majority of the students, 434 (83.6%), were under the age of 34. In terms of the institutional distribution, about 17% of our study participants were from the state community college, about 36% from the private university and the rest, about 47%, attended the state university. Figure 1 illustrates a summary of the demographic distribution of the study participants Journal of Computer Information Systems 4 FIGURE 1. Demographic Distribution of Study Participants (N=519) Quantitative Results The central aim of this study was to assess individuals’ perceived ethical severity across the five types of elearning security attacks. We started by conducting an overall frequency assessment across all five security attacks and unauthorized activities. To simplify our discussion of the results, we defined an ‘ethical individual’ as one who reported either ‘4’ (unethical) or ‘5’ (very unethical), when asked to rate the ethical severity of the security attacks and unauthorized activities. Similarly, we defined an ‘unethical individual’ as one who reported either ‘1’ (ethical) or ‘2’ (somewhat ethical) when asked to rate such unethical activities. It is important to note that the severity of attacking the e-learning server is equivalent to the severity of an attempt to shut down the organization’s e-learning program. To put this in perspective, an attempt to attack an e-learning server is comparable to activating the fire alarm at the university campus, so that classes will be cancelled, exams will not be conducted, assignments will not be collected, etc. Hence, the importance of assessing the ethical severity of the attacks and unauthorized activities appears to be highly warranted in the context of our ever-growing digital dependability. Contrary to prior literature about substantial numbers of individuals who are unethically driven, we found that a large majority of our study participants appear to self-report their perceptions as ethically driven across all five elearning security attacks. Specifically, we found that the overall percentage of ethical individuals was very high (‘Attacks on the Server’: 452 or 87.1%; ‘E-mail Interception’: 492 or 94.8%; ‘Unauthorized File Sharing’: 439 or 84.5%; ‘Unauthorized Access’: 465 or 89.6%; ‘Spoofing Attacks’: 490 or 94.4%). These results indicate that the majority of our study participants (an average of 90.1%) appears to understand the severity of these e-learning security attacks, while a small minority of the individuals (an average of 3.24%) appears to be unethical. To better understand the age, gender, and academic level distribution among the two extreme groups, ethical versus unethical, Figure 2 provides an additional distribution breakdown of the majority of individuals who indicated that the actions are ethical, and the breakdown of the small minority of individuals who indicated the opposite. It is important to note that although we assessed academic level in this study, one can make the analogy between this measure and the amount of years that an employee works for a corporate or a government organization, from the point of view of familiarity with various organizational IS. Journal of Computer Information Systems 5 Figure 2. Distribution of Ethically and Unethically Driven Students (N=519) We tested for observable gender differences linked to the perceived ethical severity of e-learning security attacks. We conducted a nonparametric test using the Mann-Whitney U Test on the five security attacks and unauthorized activities based on gender. The reason for using a nonparametric test is due to the ordinal data used in the rankings of the individuals’ perceptions of ethical severity. Results of the gender analysis are presented in Table II. We found that although gender differences exist on all five activities, a statistically significant gender difference exists only for ‘Unauthorized File Sharing’ (at p<0.005), where females reported the severity of such activities less ethical, indicating that they are significantly more ethically driven. Our results also indicated that across all five activities, females rate the ethical severity of these e-learning security attacks and unauthorized activities as more severe, also indicating that in general, they are more ethically driven, which is consistent with prior literature. TABLE 2. Gender Analysis using the Mann-Whitney U Test (N=519) e-Learning Males Females Non-parametric (MannSecurity Attacks (n=251) (n=268) Whitney U Test) & Unauthorized Activities M SD M SD Z Sig. (2-t) Attacks on the Server 4.51 0.83 4.46 0.82 -1.050 0.294 E-mail Interception 4.66 0.67 4.62 0.66 -1.064 0.287 Unauthorized File Sharing 4.15 1.03 4.44 0.78 -2.986 ** 0.003 Unauthorized Access 4.36 0.86 4.51 0.75 -1.947 0.052 Spoofing Attacks 4.59 0.72 4.62 0.66 -0.449 0.653 * - p < 0.05; ** - p < 0.01 The data was also assessed for differences between academic level (undergraduate & graduate) on their perceived ethical severity of e-learning security attacks, as we hypothesized that individuals who spend more time in the system may find the severity of engaging in such attacks less ethical due to their prolonged exposure to an academic setting. We conducted a similar analysis using the Mann-Whitney U Test based on academic level. Table III depicts the results of the academic level analysis. We found that significant academic level differences exist only for ‘Attacks on the Server’ (p<0.001), where graduates (i.e. individuals who have longer exposure to the organizational ISs) were found to be more ethically driven. It is important to note that the higher the score, the more unethical the individual perceived an activity to be, which indicates they are more ethical – i.e. an inverse relationship. Overall, across all five activities, our results indicated that more graduates than undergraduates report these e-learning security attacks, indicating that graduates are generally more ethical. TABLE 3. Academic Level (Undergraduate/Graduate) Analysis using Mann-Whitney U Test e-Learning Males Females Non-parametric (MannSecurity Attacks (n=251) (n=268) Whitney U Test) & Unauthorized Activities M SD M SD Z Sig. (2-t) e-Learning Security Attacks & Unauthorized Activities Attacks on the Server E-mail Interception Unauthorized File Sharing Unauthorized Access Spoofing Attacks Undergraduate (n=261) M 4.36 4.62 4.23 4.38 4.55 SD 0.91 0.65 0.97 0.84 0.74 Graduate (n=258) M 4.62 4.66 4.37 4.49 4.66 SD 0.71 0.68 0.87 0.77 0.62 Non-parametric (Mann-Whitney U Test) Z Sig. (2-t) -3.504 -1.066 -1.515 -1.482 -1.730 ** 0.000 0.286 0.130 0.138 0.084 * - p < 0.05; ** - p < 0.01 Journal of Computer Information Systems 6 We undertook a further analysis for differences between participants’ age groups. Similarly, another nonparametric test using the Kruskal-Wallis H Test of multiple groups based on age groups was conducted. The results of the age-group analysis are presented in Table IV. We found that there were significant differences based on age level for all items with ‘Attacks on the Server’, ‘Unauthorized File Sharing’, ‘Spoofing Attacks’ (p<0.001), ‘E-mail Interception’ (p<0.01), and ‘Unauthorized Access’ (p=0.001). Across all five activities there was an increasing trend, a pattern indicating that the older the individual is, the more severe he/she ranks the attacks. This suggests that with age, individuals become more ethical with regard to the measured unethical activities. Additionally, we found no significant differences among the three institutions based on the variables tested, which led us to believe that these differences are not institutional dependent. TABLE 4. Age Analysis using the Kruskal-Wallis H Test (N=519) e-Learning Security Attacks & Unauthorized Activities Attacks on the Server E-mail interception Unauthorized File Sharing Unauthorized Access Spoofing Attacks Non-parametric (Mann-Whitney U Test) Z Sig. (2-t) 33.037 ** 0.000 20.353 ** 0.009 30.261 ** 0.000 25.569 ** 0.001 29.751 ** 0.000 * - p < 0.05; ** - p < 0.01 Following the statistical results on the 519 quantitative records, a qualitative assessment was undertaken to elicit the ‘soft complexity’ behind the survey results. Qualitative Analysis The qualitative investigation attempted to elicit rich ‘thoughtful behavior’ of the individuals to uncover reasons behind the quantitative results. The technique is common to social science research and aims to gain an in-depth understanding of human action and beliefs. The ‘why’ questions within our analysis are considered critical to the validity of the findings and the resultant authoritative insights for policy suggestions. Consequently, further research was based on semi-structured interviews through a solicitation e-mail asking the same 519 anonymous participants to volunteer to partake in the follow-up investigation. The qualitative research technique was adopted through a grounded theory to identify the ‘why’ behind the findings and based upon conceptual ideas [40], originally proposed by Glaser and Straus [41]. The main aim is to discover respondents’ main beliefs about possible reasons for the ‘why’ behind our empirical findings. We received 14 anonymous volunteers from all three institutions, which appears to be adequate for qualitative analysis, given the labor-intensive nature of the qualitative data collection. Participant distribution included eight from a state university, six from a private university, and three from the state community college, while no identifying information was collected. Our first question was a general one prior to showing our quantitative results. We asked if e-learners were generally ethical or unethical through their engagement with the online resources. As we anticipated, there was no obvious distinctive view and a broad split of opinions suggesting individuals were both ethical and unethical in relation to their behavior. One interviewee noted: “I believe there is a mixture of both. Although there are individuals who conduct themselves ethically during on line exams, unfortunately there are others who may choose to access online resources or engage in other unauthorized activities during online exams” Another noted: “I think about 75% ethical and 25% unethical” Some individuals do feel their peers act unethically, as they perceive that ‘there is no form of monitoring’ in elearning. This was further substantiated by the responses, suggesting it is unlikely that unethical behavior can be mediated or changed. While the general perceptions appear to indicate there is a split among individuals between their ethical and unethical behaviors, it might very well be that extensive media coverage on unethical engagements and the publicizing of engagements in unethical activities by some individuals hype the phenomena. As we discovered, there may only be a ‘few bad apples’ responsible for unethical activities, while the vast majority are ethical individuals seeking candid learning experiences. Journal of Computer Information Systems 7 The participants were again provided with the list of the five items under investigation and were asked if the activities could be perceived in an ethical way. They indicated that for individuals who are taking e-learning courses, these are very clear unethical behaviors. Some responses included: “I don't think so. There is no grey area with the activities described” “Removal of the words ‘unauthorized’ and ‘attack’ from the questions would not change the survey taker's perception of them” At that point in the interview, the results, including the figures and tables above, were given to the interviewees. They were asked if they felt that these represented a ‘good measure’ of ethical severity. The individuals generally felt that our quantitative analysis was a good measure of the ethical severity of e-learning server attacks. One representative reply was that: “Although there are a host of other unauthorized activities within e-learning these questions should provide a good measure of individuals’ ethical severity of attacks in general” One overarching interview question asked ‘why individuals thought the way they did.’ Most individuals were surprised and ‘unsure’ why their peers ‘thought the way they did’. On one hand, there were those who noted that they expected such results: “Because most individuals are honest. We do have that small percent that will try anything” and “Most people believe that others will do the right thing” while on the other hand, there were those who still believed that more people are fundamentally unethical: “I can't say why, I expected opposite results” Another question posed during the interviews was about the gender-based differences based on an ethical stance, who was viewed as more ethical, and why our results indicated that females were more ethical. The respondents generally indicated that males behaved unethically and were more likely to be ‘risk affine’ in their attitudes and reactions to formal procedures. One statement provided sums up the responses as: “Slightly females. The reason being males in real life are risk takers and at times look for short cuts” Responses related to the behavior of ‘younger’ or ‘older’ individuals produced an unclear view and the category appeared to be insignificant. This question was then extended to ‘graduate’ and ‘undergraduate’ differences, which again produced no clear distinction by the interviewees between the two. ”I would think in this case that it would be equal to both groups. They both have knowledge of how to manipulate computers if needed” The statistical analysis showed that 3.24% of e-learners perceived the five e-learning security attacks (Table I) as ethical, indicating that they are unethical. We asked interviewees ‘why’ they thought those who responded this way did so. Subsequent interview responses demonstrated a further distancing from this behavior. The alienation of the small percentage of individuals who behave this way is predictable. One explanation for these ‘bad apples’ suggests a plausible reason: “Perhaps the new generation perceived the use of technologies differently and not really for the purpose of learning.” It is evident that the adoption of online systems certainly presents more opportunities for unethical behavior. The final two interview questions solicited suggestions on the regulations and/or sanctions that a university should impose to reduce (or eliminate) unethical behavior. The responses were consistent and forthright about the need for ‘severe punishment’ to be imposed on culprits, with some responses even recommending expulsion from the program, i.e.; ‘If the person is found guilty of unethical behavior in a free and fair hearing the penalties should include, for example, paying for lost time and damaged equipment and for especially severe crimes, expulsion and referral to the police….’ In general, the qualitative evidence strongly backs our initial quantitative findings. It also provides useful insights into the perceived ethical behavior of individuals and proposed sanctions for offending culprits that may inform policy decisions. DISCUSSION Most interestingly, this study reports that the majority (91%) of the participants viewed the investigated elearning security attacks as unethical or very unethical, while a small number (~3.3%) found such attacks to be ethical or somewhat ethical. This indicates that the large majority of individuals appear to be ethically driven, while there is a very small group of people who seem to be unethical. As file sharing is less technically challenging than the other types of security attacks we analyzed, our results show that individuals perceive unauthorized file sharing Journal of Computer Information Systems 8 during e-learning exams as more acceptable. One possible approach to managing the potentially unethical group of individuals is to develop explicit policies about file sharing practices, and to add these policies to official business communications, corporate employee manuals, and code of conduct documents. To enable individuals’ awareness and familiarity with policy, instructors should discuss it in the first class session (online, on-campus, or training facility), preferably during a chat at the beginning of the term or business training module. Another approach is to discuss, or point individuals to, scenarios of unauthorized file sharing in the workplace, along with associated consequences, so that they understand unethical behavior. Finally, corporate executives should counter incidents of unauthorized file sharing with severe penalties. Our results indicated that across all five e-learning security attacks under investigation, males found these security attacks to be less severe than females, indicating that gender may be correlated to a varying sense of severity about unethical security attacks. Subsequently, a sense of severity about unethical security attacks may influence the path for decision making, which appears to be consistent with prior literature [42, 43]. Additionally, it appears that males are more likely to be risk takers, while females tended to be the risk-averse gender. Research suggests that pursuing a goal, such as an academic degree or attaining a professional certification via e-learning systems, increases risk taking behavior [44]. Furthermore, prior research also appears to connect gender, personality type, and age as indicators of risk-taking behavior [45]. Our results show that undergraduates, for the most part, appear to perceive these attacks as only slightly less severe than graduates. However, some of the undergraduates in our study were adult learners who were a bit older than average, and no direct correlation to age distribution was established. Most critically, our results indicated that in terms of age, there is an increasing trend where the older the individual is, the more severe he/she ranks the attacks. These results indicate that younger people, in particular young males, appear to find the e-learning security attacks significantly less ethically severe or not severe at all. Although we speculated that during the academic experience they would become aware of the ethical severity of engaging in cyber attacks, our results revealed that for business majors, there is still a small group of mainly young individuals who have either not become aware of the severity, or who simply appear unethical in all of their endeavors. In contrast to other ethics literature, we found that although our gender differences coincide with Kreie and Cronan [42, 43], the magnitude of the differences is significantly smaller than what has been reported. Specifically, Kreie and Cronan [42] indicated that “Men and women were distinctly, different in their assessment of what is ethical. Men were less likely to consider behavior as unethical. Moreover, their own judgment was most often influenced by their personal values and one environmental cue-whether the action was legal” (p. 74). In our study it is clear that all the security attacks indicated are illegal, but we still found significant differences across the gender comparison with a much smaller gap. Kreie and Cronan [43] found that there are notable differences between what was considered ethical and unethical by the individuals across their five scenario measures, as well as a considerable number of their participants (an average of 37%) perceiving unethical behaviors to be acceptable. Again, with these findings, we argue that the overall understanding of individuals about what is ethical and what is unethical may have changed over the years, whereas present-day individuals appear to better perceive right and wrong actions. Having said that, we still found that there is a small group who appears to view one or more of these unacceptable e-learning security attacks as ethical. Although this represented a small number of respondents, it is still a concern. Specifically, we know that file sharing during e-learning sessions is less technically challenging than other security attacks such as spoofing. Therefore, it is troubling that a significant majority appears to perceive such an attack as more acceptable. In relation to the policy that corporate executives, university administrators, and instructors or business trainers should adopt, there is an opportunity to build a positive ethical culture by advocating their expectations for proper behavior. In medical refresher courses, for example, clarification and reinforcement of unethical cyber attack practices should be discussed frequently in course introductions, learning materials, and official training documents (i.e. learners’ manual, code of conduct, and use of technology resources policies). The discussions and reminders of potential consequences should be done for all types of course delivery and not only for online courses, as a substantial number of courses nowadays use e-learning systems to supplement on-ground courses or training modules. Unethical behavior should be addressed from the perspective of multiple stakeholders rather than strictly from an individual’s viewpoint, indicating to the learner the ramifications of such attacks on the organizational IS and the integrity of their own degree or training certificate. Employees should also be taught early in their career about the ethical use of technology resources, and the social responsibility that they are held to as members of an organization (i.e. university, workplace, etc.), and as members of society. There were three key objectives for this research. First, we wished to assess the extent that individuals perceive the severity of attacking an e-learning server and engaging in unauthorized activities as ethical. In other words, do individuals perceive the attacking of an e-learning server to be an ethical or unethical activity? Second, we wished to Journal of Computer Information Systems 9 determine the demographics of those who perceive the severity of attacking an e-learning server and unauthorized activities as ethical and as unethical. Are there any specific demographic indicators for unethical students? Knowing this, may help corporate executives, university administrators, and course instructors and business trainers to target additional awareness programs. We believe that additional awareness programs have the ability to inhibit unethical perceptions and reduce the likelihood of future attacks. Our third and last key objective was to assess whether there are any significant differences for ethical perceptions based on gender, age, and academic level (undergraduate/graduate). Our sample included 519 individuals attending e-learning business courses in the U.S. The results of our investigation revealed that the majority of the participants appear to self-report their perceptions as ethically driven across all the five e-learning security attacks, which clearly indicates that they appear to understand the severity of these attacks. We found that a very small minority of the participants rates these attacks as ethical, indicating that they view these attacks as morally acceptable, and this is a cause for concern. In terms of the demographics indicators that may represent that specific group, it appears to be a small group of younger males, primarily in their 20s, who constitute the majority of the unethical individuals. Finally, our gender, age, and academic level analysis have indicated that in general, females are more ethical than males, individuals become more ethical with age, and graduates (i.e. more years of exposure to the organizational ISs) appear to be more ethical. Further research could explore the process of seeking qualitative feedback on previously observed phenomena through so-called ‘thought experiments’. Maxwell reported that Albert Einstein used them quite extensively in his research after observing phenomena, seeking the help of others to come up with plausible explanations for his observations [46]. Einstein’s well known ‘thought experiment’, the ‘moving elevator’ (also known as ‘Einstein’s elevator’), seeks plausible explanations for the theory of relativity. This ‘scientific approach’ could arguably support social science applications, such as finding further explanations for ‘ethical’ behavior. It could usefully attempt to investigate actual individual engagements in these e-learning security attacks and study more about their nature and origins. An interesting comparison can be drawn between the results of our study and the results of a potential study that investigates the individuals’ perceived ethical severity and the relationship to their actual engagement in unethical behavior, such as initiating security attacks on an e-learning system. Also, future researchers could work with other majors (engineering, technology, and non-technology) to investigate these results and determine whether there are any differences among these individuals in their reported severity of unethical engagements, such as attacking an e-learning server. Future studies should also explore risk-taking behavior driven by goal-setting and should be carried out within the context of ethical use of technological resources. CONCLUSION The main goal of this study was to conduct an investigation on individuals’ perceptions of ethical severity related to five common information security attacks and unauthorized activities within the context of e-learning. It is evident that these issues represent a serious concern for corporate training, universities, and government agencies, and measures must be imposed to eliminate or reduce the motivations for such behavior. It is apparent from individuals’ perceptions about the severity of cyber-attacks that most people are ethical when it comes to these attacks. However, the general public may be naively unaware of the potential damages to organizational services should a cyber-attack be launched on an e-learning server. Moreover, we found that there is a small group of primarily young males in their 20s who find such cyber-attacks acceptable. These individuals should be coached early in their academic and corporate career about the severity of such attacks and the implications for their organization, as well as the consequences of engaging in the unethical activities we mentioned. As such, we believe that the findings of this study are somewhat positive, as most participants considered the five e-learning security attacks to be unethical or very unethical, with the exception of a small group of individuals. A fundamental part of this conclusion addresses the issue of unethical individuals. Although a small group, they should be supervised or reformed to ensure total compliance with codes of conduct for the benefit of the community. Our study has highlighted this approach through an applied context, research design, and policy formulation within an e-learning environment. We specifically found that additional work related to individuals’ risk-taking behavior driven by goal-setting may allow a better understanding of the consequences of their ethical decisions at a critical time, such as for degree-seeking students nearing graduation or degree-seeking students who seek a better ‘start’ for their grade point average (GPA) very early in their academic career. It will be useful and interesting to explore the impact of peer pressure on these risk-taking behaviors. Our conclusions may also provide useful insights to the policy makers who respond to the effects of individuals’ ethical behaviors in e-learning systems. Although in regards to ethical severity, individuals in general perceive that a significant percentage of the population is unethical, Journal of Computer Information Systems 10 we think that our findings can provide starting evidence that only a ‘few bad apples’ exist, appear to shade adverse light on the vast majority of the people who are engaged in e-learning for the sake of true learning. Although a small number of individuals appeared unethical, we believe institutions should advertise very strong sanctions for those who are caught to ensure that the overall attitude towards e-learning remains highly credible. Based on our findings, we feel strongly that all corporate training units and institutions of higher education should develop a specific code of conduct, with clear definitions of unethical attacks. Moreover, executives should be aware that the vast majority of e-learners are indeed ethical and should be treated as such without imposing collateral actions that reduces the moral of those who strive to be ethical at all times. ACKNOWLEDGMENTS We would like to thank the users for participating in this study. Moreover, we would like to thank the JCIS editor-in-chief Dr. Alex Koohang and the anonymous JCIS referees for their careful review and valuable suggestions. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] A. Matwyshyn, "CSR and the Corporate Cyborg: Ethical Corporate Information Security Practices," Journal of Business Ethics, vol. 88, pp. 579-594, 2009. J. Evers. (2006). Computer crime costs $67 billion, FBI says. Available: http://news.cnet.com/Computercrime-costs-67-billion,-FBI-say/2100-7349_3-6028946.html I. Thomson. (2006, February 10). Viruses cost UK consumers £3BN a year. Available: http://www.v3.co.uk/vnunet/news/2149507/viruses-cost-uk-billion K. Himma, "The Ethics of Tracing Hacker Attacks Through the Machines of Innocent Persons," International Journal of Information Ethics, vol. 2, pp. 1-13, 2004. T. C. Rindfleisch, "Information technology and healthcare," Communications of the ACM, vol. 40, pp. 92100, 1997. J. C. Sipior and B. T. Ward, "A Framework for Information Security Management Based on Guiding Standards: A United States Perspective," Issues in Informing Science and Information Technology, vol. 5, pp. 51-60, 2008. A. Geva, "Three Models of Corporate Social Responsibility: Interrelationships between Theory, Research, and Practice," Business and Society Review, vol. 113, pp. 1–41, 2006. C. F. Rogers, "Faculty perceptions about e-cheating during online testing," Journal of Computing Sciences in Colleges, vol. 22, pp. 206-212, 2006. T. P. Cronan, C. B. Foltz, and T. W. Jones, "Piracy, IS misuse at the university," Communication of the ACM, vol. 49, pp. 85-90, 2006. J. Harris, "Maintaining ethical standards for a computer security curriculum," in Proceedings of the 1st annual conference on Information security curriculum development, Kennesaw, Georgia, 2004, pp. 46-48. M. Siponen and A. Vance, "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly, vol. 34, pp. 487-502, 2010. R. A. Lawson, "Is Classroom Cheating Related to Business Students' Propensity to Cheat in the Real World," Journal of Business Ethics, vol. 49, pp. 189-199, 2004. K. K. Molnar, M. G. Kletke, and J. Chongwatpol, "Ethics vs. IT ethics: Do undergraduate students perceive a difference?," Journal of Business Ethics, vol. 83, pp. 657-671, 2008. N. T. Nguyen and M. D. Biderman, "Studying Ethical Judgments and Behavioral Intentions Using Structural Equations: Evidence from the Multidimensional Ethics Scale," Journal of Business Ethics, vol. 83, 2008. L. N. K. Leonard, T. P. Cronan, and J. Kreie, "What influences IT ethical behavior intentions—planned behavior, reasoned action, perceived importance, or individual characteristics?," Information & Management, vol. 42, pp. 143–158, 2004. I. E. Allen and J. Seaman, "Class Differences: Online Education in the United States, 2010," The Sloan Consortium2010. A. R. Johnson, "Distance learning in higher education," Review of higher education, vol. 32, pp. 542-545, 2009. Journal of Computer Information Systems 11 [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] B. Means, Y. Toyama, R. Murphy, M. Bakia, and K. Jones. (2009). Evaluation of evidence-based practices in online learning: A meta-analysis and review of online learning studies. Available: http://www.ed.gov/rschstat/eval/tech/evidence-based-practices/finalrepott.pdf N. Geri and D. Gefen, "Is There a Value Paradox of E-learning in MBA Programs?," Issues in Informing Science and Information Technology, vol. 4, pp. 163-174, 2007. E. Kritzinger, "Information security in an e-learning environment," in International federation for information processing, education for the 21st Centiuy - Impact of ict and digital resources. vol. 210, T. D. Kumar, Ed., ed Boston: Springer, 2006, pp. 345-349. J. D'Arcy and A. Hovav, "Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures," Journal of Business Ethics, vol. 89, pp. 59-71, 2009. "Obama Calls for Cyber Czar," Information Management Journal, vol. 43, p. 16, 2009. M. Ramim and Y. Levy, "Securing e-learning systems: A case of insider cyber attacks and novice IT management in a small university.," Journal of Cases on Information Technology, vol. 8, pp. 24-34, 2006. K. El-Khatib, L. Korba, Y. Xu, and G. Yee, "Privacy and Security in E-Learning," Journal of Distance Education Technologies, vol. 1, pp. 1-19, 2003. S. Furnell, "Cybercrime in society.," in Connected Minds, Emerging Cultures: Cybercultures in Online Learning, S. Wheeler, Ed., ed Charlotte, NC: Information Age Publishing, 2008. W. H. Show, Business Ethics, 6th ed. Belmont: Thompson-Wadsworth, 2008. C. A. Dorantes, B. Hewitt, and T. Goles, "Ethical decision-making in an IT context: The roles of personal moral philosophies and moral intensity," in Hawaii International Conference on System Sciences, Big Island, HI, 2006, pp. 1-10. J. Kreie and T. P. Cronan, "How men and women view ethics," Association for Computing Machinery. Communications of the ACM, vol. 41, pp. 70-78, 1998. N. Ye, J. Giordano, and J. Feldman, "A process control approach to cyber attack detection," Communications of the ACM, vol. 44, pp. 76-82, 2001. O. S. Saydjari, "Cyber defense: art to science," Communications of the ACM, vol. 47, pp. 52-57, 2004. G. D. Nord, T. F. McCubbins, and J. H. Nord, "E-monitoring in the workplace: privacy, legislation, and surveillance software," Communication of the ACM, vol. 49, pp. 72-77, 2006. F. v. Lohmann, "Voluntary collective licensing for music file sharing," Communications of the ACM, vol. 47, pp. 21-24, 2004. N. T. Tippins, J. Beaty, F. Drasgow, W. M. Gibson, K. Pearlman, D. O. Segall, and W. Shepherd, "Unproctored Internet Testing In Employment Settings," Personnel Psychology, vol. 59, pp. 189-255, 2006. W. Stallings, Network security essentials: Applications and standards, 4th ed. Upper Saddle River, NJ: Prentice Hall, 2011. Y. Levy and M. Ramim, "Initial development of a learners’ ratified acceptance of multi-biometrics intentions model (RAMIM)." Interdisciplinary Journal of E-Learning and Learning Objects, vol. 5, pp. 379-397, 2009. M. Bruhn, M. Gettes, and A. West, "Identity and access management and security in higher education," EDUCAUSE Quarterly, vol. 26, pp. 12–16, 2003. "2009 Internet Crime Report - Internet Crime Complaint Center," ed, 2009. T. Dinev, "Why spoofing is serious internet fraud," Communications of the ACM, vol. 49, pp. 76-82, 2006. T. N. Jagatic, N. A. Johnson, M. Jakobsson, and F. Menczer, "Social phishing," Communications of the ACM, vol. 50, pp. 94-100, 2007. G. Mey and K. Mruck, Eds., Grounded Theory Reader (HSR-Supplement 19). Cologne: ZHSF, 2007, p.^pp. Pages. B. G. Glaser and A. L. Strauss, Discovery of Grounded Theory. Strategies for Qualitative Research. Chicago: Aldine Publishing Company, 1967. J. Kreie and T. P. Cronan, "How Men and Women View Ethics," Communication of the ACM, vol. 41, pp. 70-76, 1998. J. Kreie and T. P. Cronan, "Making Ethical Decisions," Communication of the ACM, vol. 43, pp. 66-71, 2000. S. A. Jeffrey, S. Onay, and R. P. Larrick, "Goal attainment as a resource: The cushion effect in risky choice above a goal," Journal of Behavioral Decision Making, vol. 23, pp. 191–202, 2010. Journal of Computer Information Systems 12 [45] [46] R. Pat-Horenczyk, O. Peled, T. Miron, D. Brom, Y. Villa, and C. M. Chemtob, "Risk-Taking Behaviors Among Israeli Adolescents Exposed to Recurrent Terrorism: Provoking Danger Under Continuous Threat?," The American Journal of Psychiatry, vol. 164, pp. 66-72, 2007. J. A. Maxwell, Qualitative Research Design: An Interactive Approach, 2nd ed. Thousand Oaks, CA: Sage Publications, 2005. Journal of Computer Information Systems 13
