ETPRO – NCSA

Extracted from:

2008 National Cyberethics, Cybersafety, Cybersecurity Baseline Study

October 2008

Full Report Available from: http://staysafeonline.mediaroom.com/index.php?s=67&item=44.13

Conducted by: Educational Technology, Policy Research, and Outreach Davina Pruitt-Mentle, Ph.D. www.edtechpolicy.org

for

National Cyber Security Alliance www.staysafeonline.org

1 Executive Summary

Introduction I believe all the issues discussed in this survey to be important and viable to the current canvass of our Information technology has moved beyond a society. Students are becoming more and more en- luxury solely for the business world, to be- gulfed in the cyber world and I fear that many of come an integral part of the modern world; it them are getting lost with no guidance for making correct choices. I applaud any efforts to make these is ubiquitous outside the formal classroom set- issues a more important and frequently addressed ting and is becoming a universal part of the K- concern of every student body across America! 12 environment. Technology clearly has (Northeast Educator) brought a large number of positive effects to have admitted to steroid/HGH use and/or

the educational community, including im- gambling; author fabrication like James Frey’s proved access to information, improved simu- A Million Little Pieces; recent instances of lation capabilities, enhanced productivity, and students cheating on national SAT and AP ex- a means to provide technology-based assistive ams; and students hacking into school systems support. In spite of these advances, technology to change grades or check on college accep- has also brought challenges. tance status. Studies conducted over the past several decades indicate that 75-95% of col- The power and possibilities that technology lege students have admitted to academic dis- affords students comes with drawbacks if in- honesty.ii The Center for Academic Integrity appropriately used, whether such use is inten- reports that nearly 75% of high school stu- tional or unintentional. Improving student dents admit to academic dishonesty. A study knowledge and awareness of Cyberethics, Cy- i conducted in 2000 and 2001, of 4500 students bersafety, and Cybersecurity (C3) concepts at 25 high schools, revealed that 74% admitted will provide them with the means to protect to cheating on a major exam.iii The National themselves, and will enhance the safety and Crime Prevention Council reports that 43% of security of our national infrastructure. Nurtur- teens have been victims of cyberbullying in ing a C3 sensibility is every bit as important to the last year.iv Ethical and moral decisions are our future as technology training. We need an occurring throughout the students’ K-12 expe- integrated approach to develop a technologi- rience. In the 2005 Pew Internet and American cally-savvy workforce that understands the Life report, Protecting Teens Online, 64% of context and usage of digital communication as online teens (ages 12-17) stated that they do well as the nuts and bolts behind coding and things online that they wouldn’t want their functionality. The need for enhanced C3 in- parents to know about, and 79% stated that struction is evident by recent media focus on they aren’t careful enough when giving out the topic. Cheating and violations have information about themselves online.v been at the forefront of news in all facets of our society: the collapse of Enron and Only recently has Cybersecurity awareness in WorldCom corporations amid fraud and insid- the educational setting made it to the radar er trading; numerous world sports figures in- screen. Yet, the Federal Trade Commission cluding track and field, football, and baseball, (FTC) reportsvi that for the seventh year in a

1 row, tops the list of consumer ing particular subject areas or examining fraud, and identity theft affects more than 10 progress. This study used both qualitative and million people every year, representing an an- quantitative data and focused on: nual cost to the economy of $50 billion dol- lars. Key findings from the 2007 CSI Com- • What is the nature and extent of C3 learn- puter Crime and Security Surveyvii of IT secu- ing in U.S. K-12 schools? rity administrators (primarily government • Who are the major providers of C3 content agencies and large corporations), found one- in U.S. K-12 schools? fifth suffered one or more kind of security in- • What is the perceived importance of C3 cident and most from a “targeted attack.” Fi- content for U.S. K-12 school programs? nancial fraud overtook virus attacks as the • What content is being delivered to educa- source of the greatest financial losses, and in- tors, and how is it being taught? sider abuse of network or email edged out vi- • What, if any, are the issues and barriers rus incidents as the most prevalent security viii that impede the delivery of C3 content in problem. SANS listed web browser securi- U.S. K-12 school programs? ty, phishing and pharming attachments, and unencrypted laptops as just three out of twenty Data were gathered from a web-based survey, top security risks of 2007. For 2008, Georgia designed specifically for this project. Quantit- Tech’s Information Security Center’s top five ative data were supplied by 1569 educators emerging cyber threats included Web 2.0 and and 94 technology coordinators. Educators client-side attacks, targeted messaging attacks, and local education agency (LEA) technology Botnets, and threats to mobile convergence ix coordinators/directors also responded to an and Radio Frequency Identification systems. open-ended survey question allowing them to Google has stepped up its vigilance to report enter their own words in a text box. Qualita- webpages containing malware. Google esti- tive data were collected by group and individ- mates that more than 1% of all search results ual interviews. A total of 219 educators, local contained at least one result that point to mali- x education agencies’ technology direc- cious content. Denial of Service attacks, vi- tor/coordinators, and state technology direc- ruses, worms, Trojan horses, and computer tors and/or their representatives participated in fraud cost the country billions of dollars each these focus groups. Arrangements were made year. In almost all cases, security recommen- for individual interviews for participants who dations for reducing the incidences of inap- wanted to share but were unable to make the propriate or unsafe technology use included focus group dates and times. Focus groups and “user education” as a key solution. interviews lasted between one hour and one hour and 20 minutes. The Survey Purpose and Process Conclusion In 2008, a survey was conducted to explore the nature of Cyberethics, Cybersafety, and Past efforts in teacher education (both in- Cybersecurity (C3) educational awareness service and pre-service) have focused on policies, initiatives, curriculum, and practices teachers becoming knowledgeable about spe- currently taking place in the U.S. public and cific instructional technologies. Teacher tech- private K-12 educational settings. The study nology training has been geared toward skills establishes baseline data on C3 awareness, development, integration techniques and pro- which can be used for program design and as a viding students with hands-on opportunities to foundation for future studies on either expand- use technology. However, this training has not

2 been complemented by a similar national in- cators was explored. If we look through the itiative on Cyberethics, Cybersafety, and Cy- eyes of educators, we see little C3 content be- bersecurity (C3) content. Teaching someone ing shared with students. Content delivery is to drive is dangerous, unless you also teach usually limited to one-day assemblies or indi- them the rules of the road. vidual lessons, and has primarily focused on “Internet safety,” particularly emphasizing The call for a national focus impacting student online predators, not sharing personal infor- and educator awareness and knowledge about mation and “stranger danger” campaigns. The C3 efforts has surged recently. State legisla- majority of educators indicate a lack of confi- tion has started to surface regarding Cybersa- dence regarding Cyberethics, Cybersafety, and fety awareness curricula (aka Internet safety) Cybersecurity issues. They admit to a limited and cyberbullying. Schools are expanding awareness about most C3 topics, and a lack of their Acceptable Use Policies (AUP), PTA understanding that prohibits them from shar- groups are hosting safety assemblies, and a ing information with students in either formal plethora of Internet safety providers are en- classroom lessons or in informal “teachable gaged in awareness campaigns. moments.”

This survey attempted to better understand the The survey results indicate that the majority of level of Cyberethics, Cybersafety, and Cyber- educators (67%) are interested in learning security educational awareness policies, initia- more about C3 topics, and that they feel Cybe- tives, curriculum, and practices currently tak- rethics, Cybersafety, and Cybersecurity are ing place in the U.S. public and private K-12 important and critical components to using educational settings. The results provide valu- technology appropriately. Overall, 53.8% of able information into how state, regional, and respondents indicate feeling ill-prepared to local institutions are addressing C3 awareness. talk about C3 topics, and for most Cybersecur- Input indicates that financial constraints, time ity topics, this rises to over 60%. Educators commitments, bureaucratic processes, and an have a strong desire to learn more about all already over-packed curriculum agenda make three areas, but feel they lack professional de- it difficult for schools to successfully pursue velopment opportunities. A comprehensive C3 awareness efforts at the level they believe national approach to responding to the prob- is necessary. lem would aim to increase the training oppor- tunities for educators, help bridge the gap be- The National C3 Baseline Survey findings tween existing Internet awareness curriculum confirm the need for expanded C3 awareness partners, call for expanding content to include and training in the educational community. a broader range of topics covered (particularly This report describes how students receive safety and security), and include program awareness of Cyberethics, Cybersafety, and evaluation. More hands-on training opportuni- Cybersecurity topics in the educational set- ties for educators (not just resources and as- ting, and what specific C3 topics are ad- semblies), and increased and on-going C3 dressed currently by local educational agen- awareness opportunities for youth throughout cies. Additionally, insight into educators’ the K-12 experience would provide the com- comfort levels, what topics present themselves prehensive effort needed to close the gap be- in the general educational setting, type and tween danger and knowledge. time commitment devoted to professional de- velopment toward C3 topics, perceived needs As in all surveys, the conclusions are based on of educators, and training preferences of edu- responses from a cohort, in this case partici-

3 pating educators. Although every effort was holders may want to pick and choose which made to ensure a comprehensive set of educa- recommendations to implement. While this tors were included in the survey, and the de- approach is understandable in light of today’s mographics in Section 2 indicate this to be the funding constraints and full curricula, it case, all surveys are limited by the true ran- should be used with caution. A concerted and domness of the participation and the extensi- united effort is essential to keep both our bility of the survey to the population they children and our national IT infrastructure safe represent. Based on the statistics of the survey, and secure. the interviews conducted, and the considerable experience of those conducting the study, the 1. It Takes a Nation Educational Technology Policy Research and Outreach (ETPRO) organization believes the We need to get the info to kids and par- findings represent the true state of C3 aware- ents. Radio and TV are often, unfortunate- ness and education in the K-12 community. ly their main media source. We are remiss if we do not have this type of information Nothing in this report opposes the upwelling broadcasted on these media. (Northeast of educators and schools that are optimistical- LEA Technology Coordinator/Director) ly and effectively utilizing technology to pro- mote learning, and engage and prepare stu- The issues of Cyberethics, Cybersafety, and dents for 21st Century demands. However, this Cybersecurity cut across education, govern- trend is complemented by an increase in com- ment, and industry and are imperative to both plexity of C3 concepts, education, and en- our success and our security in the 21st Cen- forcement. Therefore, this survey seeks to il- tury. Providing information on these topics luminate the gaps in current C3 policies, should not be considered the domain of only awareness initiatives, curriculum, and practic- education. Resources, both content and funds es currently taking place in the U.S. public need to be created through cross-domain part- and private K-12 educational settings, and the- nerships. The businesses and industries that reby help to move the agenda forward to ad- are driving technology advancements may be dress these problems in the early stages by in the best position to provide the expertise in informing national policymakers and key areas such as Cybersecurity. Funding for edu- stakeholders. The survey will also hopefully cation is always under pressure, but due to the promote further discussion and studies around importance, funding should be created and these importance issues. allocated to assure these topics are appro- priately addressed. Recommendations Impact requires a thrust using multiple means. The recommendations, which follow, have Current efforts serve only as a bandaid, as emerged from the survey findings and reflect most instruction is limited to policy statements the data reviewed across multiple methodolo- in an AUP, signing a student code of conduct gies, merged with experience and discussions packet, or attending a one-day assembly. with a variety of educators and policy makers. While better than nothing, decades of research These recommendations, although split into show single-contact coverage, whether in the separate topics, overlap and reinforce each classroom or at one-time workshops for teach- other, and together make a coherent policy ers, has little impact. Ongoing instruction is framework to move aggressively forward to needed throughout the K-12 experience, start- fill the C3 knowledge gap. Interested stake- ing in the early grades (many teacher respon-

4 dents in this survey replied that C3 did not ap- rise to better appreciation of the appropriate ply to them or their students since they were in uses of technology and does not lump the is- elementary school), and continuing through sues under a vague heading of Internet safety. high school. Middle school seems to be the By spelling out particular elements under each end of many assembly programs on these top- domain, educational institutions can better de- ics. However, changes in technology, new sign and address critical content. Teaching the means of plagiarism, and current safety and topics as one, through branding such as digital security concerns require ongoing and ever- citizenship or cyberawareness makes it far too evolving education, for students, educators, easy to check off the topic as “covered,” while and parents. only scratching the surface of individual do- mains. In addition to classroom and teacher training, public awareness can be enhanced through 3. Reinterpretation of Technology Stan- efforts similar to the recent campaigns on dards green energy technologies and obesity. Public service announcements, talk shows, and news I consider myself basically computer illite- coverage are needed. Some instructionally- rate. I am able to function with my in class oriented cartoons talk about bullying. What computer to do attendance, input grades, about adding cyberbullying and other C3 top- check email, respond to email, and do ba- ics? Perhaps some of the toys included in fast sic Internet things like use a search en- food meals could be developed to promote gine. That is about it. (Southeast Educator) ethical, safe, and secure technology use. The possibilities are endless. Success can only re- Standards for both students and educators set sult from multiple efforts that includes a varie- expectations. Standards are a starting ty of partners focused on the common goal– point for most subject areas, but the pace of protecting our children and our nation, and change of technology creates a difficult chal- preparing for tomorrow. lenge: how to keep standards up to date. Many technology standards were finalized several 2. C3 Framework years ago before the advent of such issues as cyberbullying through text messages, test Schools tend to pick and choose which C3 sharing through cell phone cameras, and iden- topics to teach, and often only talk about Cy- tify theft through social networking sites. berethics (e.g. plagiarism or cyberbullying). While standards are often broad-based to al- As revealed through survey findings, Cybersa- low flexibility for evolving concerns, they fety and Cybersecurity are virtually ignored in need to be interpreted beyond the broad-stroke the educational setting, with the possible ex- basics to make an impact. Perhaps the solution ception of a narrow focus on predators. Teach- lies in more frequent updates to keep pace ing to a C3 framework, where Cyberethics, with change. Cybersafety, and Cybersecurity are taught as a whole, yet spotlighting each component’s im- In addition, just because there are technology portance, provides the opportunity for more standards, teachers do not necessarily see it as complete coverage. For example, one might their job to address them, integrated into their need to learn security procedures to avoid hav- primary content area. All educators, adminis- ing a computer vulnerable to an attack, as well trators, specialists and teachers need to under- as the ethical reasons not to hack into a com- stand that teaching the technology standards is puter to change grades. A separate focus gives their responsibility.

5 4. Comprehensive, Systemic and Sequen- professional development which takes funding tial Content Suggested and expertise. Much of this expertise needs to come from outside the traditional “educational Educators know that topics such as fractions content domains.” Additional funding and re- cannot be taught in a day. We know from dec- sources are needed both to provide content for ades of research that presenting material mul- local education agencies and to provide re- tiple times, in multiple ways, sequentially over lease time for teachers to be trained, at a time time has the best return and maximum impact. where budgets for education are tight and Yet complex topics such as those capturedwi- funding for technology professional develop- thin Cyberethics, Cybersafety, and Cyberse- ment is almost non-existent. If indeed national curity are often covered in a single session. security, economic welfare of citizens, safety One-day assemblies are helpful, but the im- for youth, and a more ethical behavior across pact can be minimal given the plethora of con- U.S. society is desired, then government, tent that needs to be covered and the difficulty business/industry, and education need to team in maintaining student focus in an assembly up to provide the needed information and re- format. C3 topics need to be supported by sources to our teachers. more comprehensive content, taught using a variety of means over a longer timeframe, and 6. Don’t Forget Informal Settings refreshed as needs evolve. I discuss C3 issues with girls in Girl 5. Professional Development for Teachers Scouts from grades 1 - 5 as well. (North- a Must east Educator)

Although technology has brought many Programs through Boys and Girls Clubs, 4-H, positive things to education and has cer- Boy Scouts, Girl Scouts, Parks and Recreation tainly enhanced our knowledge base and programs, after school programming, and be- access to content, it has also brought fore-and-after-care programs all provide addi- many challenges that are not positive. As tional learning opportunities for today’s youth. educators it is time we become technologi- These potential content providers should not cally literate so that as a classroom teach- be overlooked as additional intervention op- er, we can embrace the power of the tools portunities. However, program leaders (both and use them instead of needing to spend volunteer and professional) will need instruc- all our time policing. (Northwest LEA tion in C3 topics, and can benefit from pre- Technology Coordinator/Director) pared learning materials and lessons for their group. Once again, members of the business Just because a topic area is listed in a standard community can be tapped to provide expertise does not mean teachers are prepared to teach and enhance these teaching opportunities with it. Educators see the need, want to learn more, real-world experience and lessons. and are willing to put in the effort to learn the C3 content areas in order to pass the informa- Some teachers feel that C3 education is the tion on to their students. Providing curriculum responsibility of parents. However, many par- for students is not enough. Many C3 issues did ents are not prepared with the tools to deliver not exist when current educators were certi- information in these areas. Many adults have fied. Teachers need training on Cyberethics, only limited computer literacy; some lack the Cybersafety, and Cybersecurity topics. It takes language skills or financial resources to over- more than a workshop; schools need ongoing come these limitations. Adults in informal set-

6 tings can assist educators in providing the in- 8. IT Departments are Not the Silver Bul- formation for students and in helping parents let understand the importance. Particularly in the area of Cybersecurity and, 7. Policies, Processes and Procedures: to a lesser extent, in Cybersafety, educators Beyond Printed Text believe they have no role. Educators perceive that these issues are the domain of the Infor- The pace of change of technology requires mation technology (IT) department, and ig- continual updates to content and standards. nore the topics both in the classroom and in The technology portions of Acceptable Use their personal behavior. For example, they Policies (AUPs) and student handbooks need may assume all information on the school to be updated yearly. Instructional content network is secure. Consequently, they use needs to be updated to reflect best practices weak passwords, share their passwords, add and lessons learned. However, if these were unapproved software, or allow others to use distributed in printed form, budgets would be their computers. Because they do not recog- strained to the breaking point. Instead, updat- nize the dangers, teachers sometimes lose the ing digital resources of policy, procedure, and opportunity to instruct and guide. They miss content could allow for more frequent update. the opportunity to inform students why it is Incorporating comments from employees via ethically wrong to hack into the school com- listservs, blogs, and forums can enrich the di- puter to change grades. User education is crit- alogue and provide added . Creating this ical and the perception that IT departments dynamic digital information space may be have “fixed” everything or blocked inappro- critical to keeping up with technology priate content gives a false sense of security changes. and unrealistic expectation. We need to make sure teachers understand their role in all C3 Policies need to be reviewed to ensure that all areas. The limited focus on filtering and employees (including teachers), students and blocking and establishing policies that say no parents understand them. The topics need to blogs or social networks should give way to a be covered more thoroughly than in a quick broader focus on individual responsibility for overview at the beginning of the year, when so using technology wisely. When students leave many other things are distracting from the school they need to know what behaviors are content. The topics need to be addressed in appropriate and effective, so they are prepared on-going instruction, both to ensure that stu- for IT environments with less protection, and dents have the time and understanding to in- can act responsibly. ternalize the information and that new and transfer students receive the information. It is 9. Recording and Reporting imperative that consequences are included and supported by administrators and school au- Although documenting current efforts across a thorities (school boards and superintendent). local education agency or state is difficult, Teachers sometimes feel unsupported and let there is a need to record and report C3 content ethical violations go rather than follow ill- being offered in schools. Improving learning defined and unenforced policies. includes understanding knowledge gaps, pro- viding instruction, evaluating impact, and re- designing instruction. This process is aided by examining best practices rather than reinvent- ing content in isolation. Analyzing existing

7 content can also provide an opportunity for professional development. Prior to using exist- ing curriculum in the classroom, teachers can http://googleonlinesecurity.blogspot.com/2008/02/all-your- assess whether they have the perquisite know- iframe-are-point-to-us.html ledge to teach it, if it is having an impact, why there are knowledge gaps for their students or in the curriculum, and prepare themselves and the content for better results.

ENDNOTES

i Cyberethics, Cybersafety and Cybersecurity, referred to as C3® is a Cyberawareness framework developed by Pruitt- Mentle, 2000. More about the development of the framework can be found in Appendix A. Other Terms and Acronyms can be found in Appendix B. ii Goodwin, A. 2007. Exploring the Relationship between Moral reasoning and Student’ Understanding of the Honor Code. Dissertation University of Maryland, 2007. iii Center for Academic Integrity Study: Student Cheating in American High Schools. Donald L. McCabe May 2001 http://www.academicintegrity.org/ iv The National Crime Prevention Council Stop Cyberbully- ing Before It Starts. http://www.ncpc.org/resources/enhancement- assets/ncpc_cms/cyberbullying-pdf v See Pew Internet and American Life Project Reports: Fami- ly, Friends and Community. http://www.pewInternet.org/PPF/r/152/report_display.asp vi Federal Trade Commision 2007 Identity Fraud Survey Re- port. Javelin Strategy and Research http://www.privacyrights.org/ar/idtheftsurveys.htm#Jav2007 vii CSI 2007 Computer Crime and Security Survey. http://www.gocsi.com/ viiiSANS Top 20 2007 Security Ricks. http://www.sans.org/top20/ ix The Georgia Tech Information Security Center (GTISC), Emerging Cyber Threats Report for 2008. http://www.gatech.edu/newsroom/release.html?id=1531 x Niels Provos, Anti-Malware Team. Google Online Security Blog. Feb. 11, 2008. All your iframe are point to us. http://googleonlinesecurity.blogspot.com/

8 Appendix B C3 FRAMEWORK

Promoting socially and ethically responsible brakes. The first is a moral choice, the second use of technology is not a new phenomenon in is the way we behave, and the third requires education. Promoting responsible use has and further action, and each operates at a different continues to be acclaimed by many as a strat- cognitive level and therefore needs to be egy under several brands to include digital taught differently. Clearly there is overlap citizenship, cyberawareness, and cyberciti- between each, however the differences are zenship. important to address.

Existing strategies of instruction include de- tailing student, teacher, and administration standards in AUP and student handbooks. Ad- The Need for Developing a National ditionally, IT departments have installed In- Focus on C3 ternet filtering and blocking software within state and local education agencies to ensure students’ safe and secure technology use. However, some argue that having rules in Many educational entities tend to pick and handbooks and blocking/filtering content is choose which C3 topics to teach, and often not equivalent to safe practice instruction. only talk about Cyberethics (e.g. plagiarism or Students need to understand the “why” behind cyberbullying). As revealed through survey the rules, and be able to institute best practices findings, Cybersafety and Cybersecurity are within their normal activities. Once students virtually ignored in the educational setting, leave the school and are using unblocked, with the possible exception of a narrow focus open systems, they are left unprotected and on predators. Teaching to a C3 framework, are not able to make the distinction between where Cyberethics, Cybersafety, and Cyberse- safe and dangerous practices. Additionally, curity are taught as a whole, yet each having a often school policies and instruction are un- unique focus, spotlighting the importance of coordinated and do not include all Cybereth- each component, provides the opportunity for ics, Cybersafety, and Cybersecurity (C3®) top- more complete coverage. Although clearly ics because state and local education agency there is subject overlap (for example, one standards use broad-stroke statements to guide might need to learn security procedures to curriculum and competency. Interpretations of avoid having a computer vulnerable to an at- these standards or guidelines have in some tack, and the ethical reasons not to “hack” into cases missed the mark related to C3 issues and a computer to change grades), a separate focus how they correlate with human behavior. Eth- gives rise to better appreciation of the appro- ics is intended to represent personal choice. priate uses of technology and does not negate Using the analogy of riding a bicycle, ethical- the issues into one cloud labeled “Internet ly we choose not to ride on our neighbors safety.” Analogously, automobile education is grass. Safety refers to safe practices, i.e. ride not one amorphous topic, but includes topics on the right side of the road, and obey traffic such as road rage (ethics), keeping tires in- laws. Security refers to additional items we flated and following laws (safety), and alarms have to do, for example adjust gears and (security). By detailing particular elements

9 under each domain, organizations can better Cyberethics design and address critical content. Teaching them as one, through branding such as digital Cyberethics is the discipline dealing with what citizenship or Internet safety curriculum is good and bad, and with moral duty and ob- makes it far too easy to check off the topic as ligation as they pertain to online environments “covered,” while only scratching the surface and digital media. of individual domains. Topics that might be included under this tenet The presence of a policy framework can are: strengthen the already positive directions of Internet safety providers and state attorney • Plagiarism general offices. Adopting a policy framework • Copyright adds potential to broaden the impact on stu- • Hacking dents, teachers, and parents in addressing ALL • Fair use areas determined by government, business and • industry, health agencies, and education to be • Online etiquette protocols of increasing importance. This model was • Posting incorrect/inaccurate informa- originally conceived in 2000, and has become tion increasingly embraced and is the framework • being adopted by the National Cyber Security Cyberbullying Alliance, and several Internet safety providers • Stealing or pirating software, music, and state educational agencies to guide the and videos design of their policies, recommendations, and • Online gambling content. • Gaming • Internet addiction What follows is a theoretical framework that can be used to inform a national, regional, or Cybersafety local agenda. It uses three dimensions, based on practical circumstances and experiences Whereas Cyberethics focuses on the ability to with educating students and teachers, with in- act ethically and legally, Cybersafety ad- put from multiple stakeholders including par- dresses the ability to act in a safe and respon- ents, students, educators, technology coordina- sible manner on the Internet and in online en- tors, media specialists, curriculum resource vironments. These behaviors can protect per- teachers, Internet safety providers, and indus- sonal information and one’s reputation, and try security specialists. The logo with its over- include safe practices to minimize danger— lapping rings of Cyberethics, Cybersafety, and from behavioral-based rather than hard- Cybersecurity indicates the subject areas have ware/software-based problems. Topics that common ground, but have significant content might be included under this tenet are: that is distinct and must be discussed on an individual basis. Under each subject area, spe- • Online predators cific topics must be addressed. A brief synop- • Objectionable content sis of each area and associated topics are pre- • Cyberstalking sented below. • Harassment • Pedophiles • Hate groups •

10 • Unwanted communications • Adware • Online threats • Malware • Online gambling • Trojans • Gaming • Phishing • Internet addiction • Pharming scams • Theft of identity • Spoofing • Cybersecurity The topics listed above cannot be stagnant. Cybersecurity is defined by the HR 4246, Cy- Technologies are dynamic and ever changing. ber Security Information Act (2000) as "the For example, cyberethical issues are expe- vulnerability of any computing system, soft- riencing vast transformation as a result of fac- ware program, or critical infrastructure to, or tors driven by the multi-media aspects of cell their ability to resist, intentional interference, phones and the vast reservoir of information compromise, or incapacitation through the mi- on the Internet. These factors include: suse of, or by unauthorized means of, the In- ternet, public or private telecommunications • The ease of cutting and pasting from systems, or other similar conduct that violates the Internet and the growth of “paper- Federal, State, or international law, that harms mills” interstate commerce of the US, or that threat- • Bullying taking on new dimensions ens public health or safety.” Cybersecurity is through text and instant messaging, defined to cover physical protection (both chat rooms, and postings on YouTube hardware and software) of personal informa- and social networking sites tion and technology resources from unautho- • New ways to cheat—pictures of rized access gained via technological means. tests/quizzes to forward to friends, text In contrast, most of the issues covered in Cy- messaging answers, and hacking into bersafety are steps that one can take to avoid the school’s computers to either down- revealing information by “social” means. load tests or change grades

Topics that might be included under this tenet Cybersafety, or the generic term Internet Safe- are: ty, has received more public attention lately due to media coverage. The To Catch a Pre- • Hoaxes datorxi series on Dateline NBC has hig- • Viruses and other malicious self- hlighted the problem of Internet predators and replicating code the dangers to today’s user. In the 2005 Pew • Junk email with links to malicious Internet and American Life report, Protecting sites Teens Online, 64% of online teens (ages 12- • Chain letters 17) stated that they do things online that they • Ponzi schemes wouldn’t want their parents to know about, • Get-rich-quick schemes and 79% stated that they aren’t careful enough • Scams when giving out information about themselves • Criminal hackers online. This has caused a recent movement of • Hacktivists state attorney general offices focusing on safe- • ty awareness programs, many partnering with outside Internet safety providers like iKeep-

11 Safe,xii iSafe,xiii and NetSmartz.xiv In many All of these challenges, if not properly ad- cases, usually due to time constraints, the fo- dressed through a well-defined policy frame- cus has been on taking precautions while visit- work, can curtail the ability of all to effective- ing social networking sites, limiting sharing of ly and safely utilize technology to its fullest personal information, and an increase in potential in both the home and educational “stranger danger” campaigns. setting. The U.S. government has a National Cyber Security Divisionxvi within the Depart- Only recently has Cybersecurity awareness in ment of Homeland Security to work collabora- the educational setting made it on the radar tively with public, private, and international screen. Yet, the Federal Trade Commission groups to secure and America’s (FTC) reports that for the seventh year in a cyber assets. In order for the U.S. to remain row, identity theft tops the list of consumer safe and secure and not lose its competitive fraud and identity theft complaints received advantage in these fields, our youth must un- and affects more than 10 million people every derstand these issues and be informed about year, representing an annual cost to the econ- best practices. C3 topics and an informed citi- omy of $50 billion dollars. Key findings from zenry are also critical in increasing the IT the 2007 CSI Computer Crime and Security workforce of the future as the Department of Survey of IT security administrators (primari- Commerce has identified this area as one of ly government agencies) and large corpora- tremendous job growth, but predicts there will tions found one-fifth suffered one or more not be enough graduates in the requisite fields. kinds of security incident and most from a “targeted attack.” Financial fraud overtook Existing Initiatives virus attacks as the source of the largest finan- cial losses, and insider abuse of network or Although not including all C3 topics described email edged out virus incidents as the most above, the International Society for Technolo- prevalent security problem. SANS listed web gy in Education (ISTE) has taken a step for- browser security, phishing and pharming at- ward in the creation of its NETS standards. In tachments, and unencrypted laptops as just the summer of 2007, ISTE refreshed their stu- three out of twenty top security risks of 2007. dent technology standards. Their websitexvii For 2008, Georgia Tech’s Information Securi- states, ty Center’s top five emerging cyber threats included Web 2.0 and client-side attacks, tar- ISTE's National Educational Technology geted messaging attacks, Botnets, and threats Standards NETS have served as a roadmap to mobile convergence and Radio Frequency for improved teaching and learning by educa- Identification systems. Google has stepped up tors throughout the United States. The stan- its vigilance to report webpages that contain dards, used in every U.S. state and many malware. Google estimates that more than 1% countries, are credited with significantly in- of all search results contained at least one re- fluencing expectations for students and creat- xv sult that point to malicious content . Denial ing a target of excellence relating to technolo- of Service attacks, viruses, worms, Trojan gy. horses, and computer fraud cost the country billions of dollars each year. Our youth (and In 2006, ISTE began work on the next genera- educators) need to be informed about the dan- tion of NETS for Students,xviii which focuses gers of not securing their personal informa- more on skills and expertise and less on tools. tion. Specifically, they address:

12 • Creativity and Innovation • Demonstrate safe and cooperative use • Communication and Collaboration of technology. • Research and Information Fluency • Critical thinking, Problem Solving, Grades 3-5 (Ages 8-11) and Decision Making • Digital Citizenship • Practice injury prevention by applying • Technology Operations and Concepts a variety of ergonomic strategies when using technology. Digital Citizenship is fifth out of the six listed • Debate the effect of existing and National Educational Technology Standards on individuals, for Students (NETS*S). Specifically, ISTE’s society, and the global community. NETS*S Digital Citizenship addresses how students understand human, cultural, and so- cietal issues related to technology and practice legal and ethical behavior. To meet these Grades 6-8 (Ages 11-14) standards, students are to: • Use collaborative electronic authoring a. advocate and practice safe, legal, and tools to explore common curriculum responsible use of information and content from multicultural perspectives technology. with other learners. (2, 3, 4, 5) b. exhibit a positive attitude toward using technology that supports collabora- Grades 9-12 (Ages 14-18): tion, learning, and productivity. c. demonstrate personal responsibility • Analyze the capabilities and limita- for lifelong learning. tions of current and emerging technol- d. exhibit leadership for digital citizen- ogy resources and assess their potential ship. to address personal, social, lifelong learning, and career needs. Design a ISTE goes further to help guide state and local website that meets accessibility re- educational agencies create curricula by de- quirements. tailing a set of general student profiles de- • Model legal and ethical behaviors scribing what student behaviors should result when using information and technolo- from proper instruction in these areas. As xix gy by properly selecting, acquiring, ISTE (2008) suggests, and citing resources. • Create media-rich presentations for The following experiences with technology other students on the appropriate and and digital resources are examples of learning ethical use of digital tools and re- activities in which students might engage dur- sources. ing specific grade bands. While one must commend ISTE for develop- The following were suggested for the Digital ing suggested guidelines, for students, teach- Citizenship Standard: ers (pre- and in-service), and administrators, it is understood that, in general, state education- PK-Grade 2, (Ages 4-8) al organizations (state departments of educa- tion and local school districts) operate not necessarily in isolation, but definitely on their

13 own, some adopting ISTE’s standards as-is, topic, while missing large swaths of the C3 others creating their own based on ISTE’s landscape. Students are described as digitally general outline. While it could be argued that literate, but have only been informed of a these serve as “guidelines” and other themes snippet of what should be covered. and topics could be included,xx the general broad-stroke statements and lack of clarity The power and possibilities that technology listed in profiles addressing current topics affords students comes with drawbacks if in- have resulted in the omission of critical topics appropriately used, whether intentionally or in today’s curricula. Reinterpretation may be unintentionally. Improving student knowledge necessary. and awareness of Cyberethics, Cybersafety, and Cybersecurity (C3) concepts will provide Conclusion them with the means to protect themselves, and will enhance the safety and security of our The C3 Framework covers a number of criti- national infrastructure. Future economic and cal issues regarding the completeness and political stability will be dependent on a safe quality of Cyberethics, Cybersafety, and Cy- and secure technology platform, managed by a bersecurity curricula. This policy framework technologically-savvy workforce. addresses the gamut of C3 issues, and pro- vides examples of the topics to include. The ENDNOTE framework is for guiding the practice of the C3 movement nationally, within a region or even internationally. Unfortunately, expe- riences, literature, and the recent C3 Baseline xi Information on this series can be found at Survey indicate that most local education http://www.msnbc.msn.com/id/10912603/ agencies do not have policy frameworks on xii http://www.ikeepsafe.org/ C3 education at all. Where they exist, such policies are limited to interpretations of in- xiii http://www.isafe.org/ complete standards. AUP policies and student handbook guidelines are presented, but not xiv http://www.netsmartz.org/ explained, and as a result, students are told xv what not to do, but may not understand why. Niels Provos, Anti-Malware Team. Google Online Security Blog. Feb. 11, 2008. All your iframe are point to us. The C3 framework promotes the teaching of http://googleonlinesecurity.blogspot.com/ Cyberethics, Cybersafety, and Cybersecurity as a whole. They are pictured as overlapping xvi http://www.dhs.gov/xabout/structure/editorial_0839.shtm areas, with both intersecting and interrelated xvii regions, each with a unique focus, but spot- To read more about ISTE National Educational technology Standards see: lighting the importance of each component. http://www.iste.org/AM/Template.cfm?Section=NETS This provides the opportunity for more com- plete coverage. By spelling out particular ele- xviii To read more about ISTE’s NETS*S see ments under each domain, educational entities http://www.iste.org/Content/NavigationMenu/NETS/ForStude nts/2007Standards/NETS_for_Students_2007.htm (Internet safety providers, educational institu- tions, non-profits etc.) can better design and xix To read more about ISTE’s NETS*S see address critical content and ensure more com- http://www.iste.org/Content/NavigationMenu/NETS/ForStude plete coverage. Teaching C3 issues as one, nts/2007Standards/NETS_for_Students_2007.htm through branding such as digital citizenship or xx Indeed ISTE’s publication Digital Citizenship in Schools cyberawareness, has led to checking off the does touch on a wider interpretation.

14