Creating appropriate paranoia within information assurance and security courses

Abstract

The requisite behavior of paranoia in dealing with information assurance and security topics building towards a professional or subject matter expert is highly valued. Specifically the behaviors of inquiry and awareness leading to informed suspicion and paranoia in evaluating security incidents is valued. Evaluating the social impact of paranoia within the primarily pedagological construct of a classroom is a difficult and pervasive issue for security faculty. The elements leading to institutionalized paranoia can be evaluated but the actualization of paranoia in a student as it manifests can not easily be measured. 

Introduction

Information assurance and security has a certain sense of paranoia that becomes part of the risk perception process. Do not trust emails from unknown sources, be careful what attachments you open, and definitely update your virus protection often. What is paranoia and is it a pejorative term used incorrectly? For a common definition of paranoia we can look at “In popular culture, the term paranoia is usually used to describe excessive concern about one’s own well-being, sometimes suggesting a person holds persecutory beliefs concerning a threat to themselves or their property and is often linked to a belief in conspiracy theories.”(“Paranoia”). This working definition shows that the concern may be excessive or of persecutory nature, but is that necessarily true?

As outbreaks occur and violations of peoples’ privacy and security are made common place the obvious if somewhat whimsical answer is that “Even if you’re paranoid it doesn’t mean they aren’t out to get you”. There are a large number of websites and publicly available information sources that detail protections strategies for the common user. The concept of strong passwords, virus protections, back-ups, firewalls, and such exist (InfraGard). What do we do when the user is going to be a student and more importantly an information assurance and security student? How do we develop an emotional or more importantly behavioral change in the student that will last through their career?

Implementing Security Awareness

Paranoia often is a feeder to security awareness and awareness of security posture.  Though security awareness may seem to be the same at both levels the fact remains that an operational definition of security awareness is “the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization”(“Security awareness”).  Though paranoia may be one of the symptoms of security awareness it is not a synonym.

Implementing a security awareness program at the University level can create its own issues. Simple activities such as password awareness create overhead and degrade user acceptance unless they are properly motivated. Further the language and the roots of security awareness can cause issues with acceptance.(Weirich & Sasse, 2001). While attempting to create awareness is a primary motivation we do not want to create outward hostility to the concept. These are issues while dealing with a general population.

Information assurance and security courses are filled with a self selecting population of people who have a goal to understand the issues and problems with security. The course will likely be filled with a self motivated group who will be exposed to the curriculum and tools that prove the science and techniques of information assurance and security. One of the authors attempts to seek balance between paranoia and often security apathy in the class by discussing recent cited cases of security breaches and then points out that the operating systems labs (with high student exposure), all operate open to the Internet with no virus protection or firewalls. Students (and the professor) can not remember a single case of infection in several years that was not purposely planted on the machine for pedagological reasons. This example has a tendency to increase the critical thinking of students in considering popular or cultural sustained beliefs about virus propagation.

Though students are exposed daily to discussions about information assurance and security breaches through popular media the awareness of how it impacts them does not appear to be understood. A simple exercise to create a sense of the issue is to ask a series of questions of the students:

1)    Has anybody had a computer that would not boot (hardware or disk failure)?

2)    Has anybody had a paper lost due to the wrong file being copied/deleted/changed/saved (software assurance or backups)?

3)    Has anybody had the power accidentally turned off to their system (Infrastructure failure, availability)?

4)    Has anybody sent an email and it never supposedly arrived and how could you prove if it did arrive (non-repudiation, confidentiality)?

5)    Has anybody ever received an email from somebody else or borrowed a friends login to browse the web (confidentiality, authorization)?

6)    Has anybody had the Internet go out at their house (infrastructure, availability)?

These simple examples move through the commonly used information assurance topics of confidentiality, integrity, availability, non-repudiation, and authorization. When these questions and similar topic questions are asked in entrance courses to information assurance and security courses the students begin to understand the scope of the issue and develop an awareness(Oates Lewandowski, 2005). When theft and physical security are added students self report that their ideas begin to be influenced. Since understanding and changing a long term behavior is outside the scope of this article it is important to note that creating informed and educated versus mythological ideas about security is important.

Within the classroom at the university level developing a culture of awareness has also been deemed as paranoia. When discussing the issues of information assurance and security with faculty outside the school of technology there is little understanding of the issues. As a point of discussion within the information assurance and security classes the topic has been discussed “How to create awareness and security consciousness in the English department faculty”.

Students provided three methods to convince the “fictional” faculty member that being slightly paranoid about security is a good idea.

1)    Students determined that providing research that shows how other faculty members have been victims of “hacking” in the past would show risk.

2)    Students developed an idea that showing an active “hack” against a computer system would show how easily it could be done.

3)    Students discussed the idea of protecting a computer and showing how that one was harder to attack as a demonstration.

Since this was a class discussion there were no statistical protocols possible in determining participation, but in the three classes this discussion has been tried there has been a trend to follow the above themes. In one class of students an attempt to remove instructional bias the students were broken up into small groups (three or four students), and allowed to come to their own conclusions. Though not exact they also followed the above themes. Since previous instructional elements may have fed the conclusions this is somewhat expected. Of surprise to instructors was the simple lack of paranoid or irrational fear mongering.

The thread of showing what is possible and deriving an evidentiary analysis based on fact and not just opinion while dealing with information assurance and security topics displayed that critical thought was occurring in students. Yet the thread of paranoia wraps itself around the presupposition of systemic failure of technology to perform securely. Since creating awareness is a course objective and critiquing and evaluating are outcome based objective verbs for security awareness the pedagogy was deemed to be valid for the higher level students (juniors and seniors).

Future Work

There are two threads of inquiry being considered for future work. The first thread follows the concepts of creating and fostering a realistic understanding of security awareness among the user base. The issues of developing awareness while not creating hostility has been addressed in the literature, but the delivery mechanisms that are successful are few. The second thread of inquiry is the concept of mental process and what the students are adopting as a cognitive model for dealing with competing interests between freedom of utilization and constraints of security. This area has significant scholarship value since it may help develop solidly acceptable models for preparing users to accept information assurance and security practices and procedures.

The area of information assurance and security awareness needs user acceptance to succeed. Of particular concern is active user belligerence to the process of security and apathy towards security procedures. Creating knowledge that “bad stuff” can occur as part of the security awareness may have a causal link to active participation of the user in protecting information and physical assets.

Conclusion

Through classroom activities and discussion the concepts of security awareness and the negatively charged concept “paranoia” of technological intrusion are discussed. Fostering a certain amount of trepidation and detailing the risks in an organized manner creates awareness within students that may be missing prior to exposure to the concepts.  Utilizing real world factors and examples allow for the negative exposure to be mitigated by critical thinking strategies and awareness of solutions to the issues. Paranoia is a charged word that lends itself to an instant and emotional reaction within readers and students. It evokes an emotional response that is instantly visible and in itself creates higher security awareness. This is a valuable behavioral modification that hopefully will exist within the student beyond the classroom.

Bibliography

InfraGard. Seven Simple Computer Security Tips for Small Business and Home Computer Users.   Retrieved January 26th, 2006, from http://www.infragard.net/library/seven_tips.htm

Oates Lewandowski, J. (2005). Creating a culture of technical caution: addressing the issues of security, privacy protection and the ethical use of technology. Paper presented at the Conference Name|. Retrieved Access Date|. from URL|.

Paranoia.   Retrieved January 26, 2006, from http://en.wikipedia.org/wiki/Paranoia

Security awareness.   Retrieved January 26th, 2006, from http://en.wikipedia.org/wiki/Security_awareness

Weirich, D., & Sasse, M. A. (2001). Persuasive password security. Paper presented at the CHI ’01 extended abstracts on Human factors in computing systems, Seattle, Washington.

 

 

Leave a Reply