Secure Learning Online

From E-Learning Faculty Modules

Module Summary

For online learning to be successful, students must be able to work in a secure environment. The concept of “security” covers a multi-layered approach, which involves secure technologies, secure instructor facilitation, and secure (and aware) learners. Security is a critical part of the structure of online learning—to protect learners and instructors, to promote learner creativity and innovations, and to ensure the validity of the learning and the degrees.


Takeaways

Learners will...

  • Define “security” in the context of online learning
  • Review some of the understood risks related to online learning, particularly the technologies, the instructor facilitation, and the learners
  • Understand the methods used to mitigate the perceived security risks in online learning
  • Apply some (or all) of the selected ideas they learn for enhancing the security of their online learning


Module Pretest

1. Please define “security” in the context of online learning.

2. What are some of the security considerations for e-learning technologies?

3. What are some of the security considerations related to instructor facilitation?

4. What are some of the security considerations related to aware learners?

5. What are some principles, approaches, and behaviors that may enhance the quality of online learning?


Main Contents

The concept of a secure and safe online learning environment is salient for multiple reasons. The traditional idea of “in loco parentis” suggests that institutions of higher education stand in for parents to try to ensure the safety and security of the students as they come to college. A safe learning environment allows students to have the space to take risks in order to acquire new learning and skills. Some write: “… collaborative knowledge creation and innovation can occur when team members take risks. Educationally sound software must promote a psychologically secure environment” (Kildare, Williams, & Hartnett, 2006, p. 101). E-learning also needs to happen in an environment where people’s privacy is protected (per the Family Educational Rights and Privacy Act or "FERPA"), where student innovations are credited correctly, and where identities are authenticated and not misused. Online learning should not incur legal liabilities. Ultimately, secure learning enables learner success. It ensures the validity of the learning and the conferred degrees.


What is “Security”?

Security then, specifically, refers to freedom from harm. Harm, in the e-learning context, may refer to any of the following points:

  • Corrupted or lost communications, messages, grades, data, or work
  • A compromised learner or instructor identity
  • Stolen personal or private information
  • Stolen or compromised student ideas and innovations
  • Corrupted socio-technical systems (systems where people work and interact via a technological structure)
  • The dilution of the learning and / or degree by unauthenticated learners (academic dishonesty)


Some Security Principles

The relevant security principles may evolve. Security is a multi-layered issue, involving the technologies and the people involved in the learning. Security itself is never absolute. Rather, it is partial and dynamic. A system, to be secure, must have ways to detect system compromises and to unequivocally identify the methods used to compromise the system and the potential perpetrators. The system optimally has to be recoverable, able to be reverted to an earlier, uncorrupted state; it must be able to bounce back resiliently.


Security in Technological Systems

The changing risk environment of the Internet is a critical factor in e-learning. The Internet and WWW have been built in an open way to encourage worldwide participation. Various learning structures are built on open-source systems with widely accessible shared code.

In the research literature, some instructors use a “Hacker Curriculum” about information security. They see (white-hat) hacking as “the ability to question the trust assumptions in the design and implementation of computer systems rather than any negative use of such skills” (Bratus, Shubina, & Locasto, 2010, p. 122). For people to defend a system well, they have to understand the interrelationships between the technological structures and have to be able to analyze and troubleshoot the “failure modes.”

While the technologies enable broad-range connectivity, interactions, virtual collaborations, and rich simulations and experiential learning, many of these same technologies involve degrees of risk. What then are some common risks?

Different snippets of code that can cause harm, swipe data, destroy digital contents, and spy on computer users may be transferred in a number of ways. These (Trojan horses and other malware) may ride along with downloadable digital files, songs, photos, or videos. Malware may also ride on flash memory devices. File sharing sites may carry many infected files.

One issue that many universities and colleges are addressing now is establishing a regime for verifying learner identities. This learner identity verification is often done with a mix of multiple layers, such as IP tracking, biometrics, and instructor interactions with the learner. Assignments may also be designed so as to verify identities.

Black-hat hackers may use a combination of technological expertise and “social engineering” (manipulating people) to achieve their aims. They may access networks through hacking strategies, through building trapdoors, and through compromised accounts—and in other ways.

Email addresses may be spoofed, with messages eliciting private information from a learner. Phishing emails are common. One researcher explains:

“Phishing emails usually contain a message from a credible looking source requesting a user to click a link to a website where she/he is asked to enter a password or other confidential information. Most phishing emails aim at withdrawing money from financial institutions or getting access to private information. Phishing has increased enormously over the last years and is a serious threat to global security and economy. There are a number of possible countermeasures to phishing. These range from communication-oriented approaches like authentication protocols over blacklisting to content-based filtering approaches” (Bergholz, 2009, p. 1).

Whole websites may be cloned in order to solicit the inputting of private information into various form fields.

The growing variety of digital devices used for ubiquitous (“ubi”) online learning for anytime-anywhere access also means a greater range of equipment used: mobile devices, hand-helds, smart phones, and laptops. Many of these devices interact via wireless methods, which involve potential signal interception risks. Some have suggested that the devices themselves may carry hidden electronics that enable some type of monitoring.

Various software applications may include points of vulnerability. There may be unforeseen exploits that have been discovered by some but not reported to the software manufacturers, who should patch the coding gaps.

The World Wide Web itself is the site of the distribution of plenty of malicious viruses and worms which gum up technical systems, spam individuals in socio-technical ones, and which may drop nuisance adware (intrusive and unsolicited advertising), spying devices (like keyloggers), and other malware that may enable fraud, identity theft, and other problems.

Digital rights management tools have enabled only some small protections. A majority of the videos, the photos, and the textual data on the WWW are easily capturable (recordable) using freeware and some commercial software.


Security in Social Systems

Even if the technologies were absolutely secure, how people use the technologies and how they share information can add to the insecurity of online learning.

For example, one common mistake would be to allow unauthorized applications to be installed on a computer. Users may disable automated security tools (firewalls, virus scans), or they may forget to update the software. They may download attachments or open HTML or plain-text messages from unknown senders. They may forget to lock down the wireless network that they have set up. They may surf to unknown or unverified websites. They may connect to untrustworthy wi-fi networks and unknowingly give away private information. They may go to a cloned site and fill out forms or registration pages with personal information.

Researchers suggest that it is necessary to continue reinforcing users’ proper responses to security dialogues (from software programs). Letting learners know the risks that they are taking on with non-action and then suggesting a preferred course of action may enhance prudent user decision-making.

Users have a strong tendency toward dismissing security dialogs unthinkingly. Prior research has shown that users' responses to security dialogs become significantly more thoughtful when dialogs are polymorphic, and that further improvements can be obtained when dialogs are also audited and auditors penalize users who give unreasonable responses (Villamarin-Salomón & Brustoloni, 2010, p. 363).

How learners share their passwords, smart cards, or tokens (with family and friends) may also create security risks. Or they may use the same passwords for a number of accounts. They may participate in chat rooms or social networking sites and give up too much information about their habits, their familiar haunts, and their preferences, and therefore make themselves vulnerable to stalkers (and targeted phishing, and targeted hacking).

These researchers have found that user training before software application use, “possibly employing games, or training embedded in the application itself, especially in the form of cartoons, can also help users make more prudent security decisions” (Villamarin-Salomón & Brustoloni, 2010, p. 363).

More sophisticated malware technologies (hardware and software), more targeted oppositional (adversarial) types of attacks, and mixes of strategies used to compromise systems may involve the need for more sophisticated responses. Many of these are beyond the purview of online instructors and students, but both play a critical role in observing anomalies and in reporting system compromises.

Those working on very private and high-security learning contents may have to put in heavier layers of security. They may have to use preloaded devices that are non-modifiable. Or they may have to put in additional vetting for learners. They may have to train learners in a more in-depth way to counter the risks of complacency or poor information.

Faculty will need to be savvy about secure online learning, and they will need to create a culture of safety and then to enforce that.


The Online Classroom as a Public – Private Space

The online environment is porous, seen as both a private space (for students only) and a public one in which students’ works may be shared and used as learning objects for others. What is learned in that space has to be carried forward into future learning, but the private information that may have been shared in the course of the learning should be kept private. Digital objects that have been created should not be downloaded and shared on other servers, for example. A course copyright policy that affirms the intellectual property protections of the contents in the online course should be clear.

Examples

Biometrics (Wikipedia entry)

Password authentication protocol (Wikipedia entry)

How To

Security in online learning is not only about having the proper technologies properly deployed and properly used. It is also about having people trained in being security-aware and sufficiently committed to taking the proper steps to be secure.

Possible Pitfalls

One possible pitfall in securing an online learning environment is creating a sense of panic or fear. In other words, a sense of paranoia may be the logical end conclusion of this concept if it is taken too far.

Secure online learning is about taking reasonable steps to secure an online learning space. It should not be about exclusion or fear-mongering or stereotyping.

Module Post-Test

1. Please define “security” in the context of online learning.

2. What are some of the security considerations for e-learning technologies?

3. What are some of the security considerations related to instructor facilitation?

4. What are some of the security considerations related to aware learners?

5. What are some principles, approaches, and behaviors that may enhance the quality of online learning?


References

Bergholz, A. (2009). AntiPhish: Lessons learnt. In the proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics - The Knowledge Discovery and Data Mining (CSI-KDD ’09). Paris, France. 1-2.

Bratus, S., Shubina, A., & Locasto, M.E. (2010). Teaching the principles of the hacker curriculum to undergraduates. In the proceedings of the Special Interest Group in Computer Science Education (SIGCSE ’10): Milwaukee, Wisconsin. ACM. 122 – 126.

Kildare, R., Williams, R. N., & Hartnett, J. (2006). An online tool for learning collaboration and learning while collaborating. In the proceedings of the Eighth Australasian Computing Education Conference (ACE 2006). Hobart, Tasmania, Australia. Conferences in Research in Practice in Information Technology: 52. Australian Computer Society, Inc. 101 – 108.

Villamarin-Salomón, R.M. & Brustoloni, J.C. (2010). Using reinforcement to strengthen users’ secure behaviors. In the proceedings of the Computer-Human Interactions 2010: Privacy Behaviors: Atlanta, Georgia. 363 – 372.


Extra Resources

K-State IT Security Threats Blog


InfoTech Tuesday



For All

Andrew Brandt’s “How to Safeguard your Online Security”. PC World. Jan. 26, 2009. Retrieved July 22, 2010.

Tim Wilson’s “The 10 Most Dangerous Things Users Do Online”. Security Dark Reading. Retrieved July 22, 2010.

For Youth

On Guard Online: Social Networking Sites.