Assessing Ethical Severity of e-Learning Systems Security Attacks

YAIR LEVY

Graduate School of Computer and Information Sciences

Nova Southeastern University

Ft. Lauderdale, FL 33314, USA

Tel: 954-262-2006

Fax: 954-262-3915

MICHELLE M. RAMIM

Huizenga School of Business and Entrepreneurship

Nova Southeastern University

Ft. Lauderdale, FL 33314, USA

Tel: 954-262-5000

RAYMOND A. HACKNEY

Business School

Brunel University

Uxbridge, UB8 3PH, UK

Tel: +44 (0)1895 265428

ABSTRACT

Security and ethical issues with information systems (IS) are important concerns for most organizations. However, limited attention has been given to unethical behaviors and severity of cyber-security attacks, while these instances appear to be critically important. Although managers have been embracing e-learning systems for training and virtual-team collaborations, little is known about motivations for cyber-security attacks on such systems.

Our research includes quantitative and qualitative study of 519 end-users who rated the ethical severity of five common cyber-security attacks. This study investigated five types of security attacks for differences in perceived severity according to gender, academic level, and age. Our findings reveal that the majority of users (90%) reported their sense of severity as unethical across all five cyber-security attacks, while only a small minority of users (3.24%) reported these cyber-security attacks to be ethical. This study also presents a further grounded analysis through follow-up interviews.

Keywords: perceived ethical severity, ethics of cyber-security attacks, unauthorized Internet activities, severity of unethical behaviors

“A man's ethical behavior should be based effectually on sympathy, education, and social ties.”

- Albert Einstein (1879-1955)

INTRODUCTION

The seriousness of unethical behavior in today’s society is overwhelmingly documented, especially with regard to IS management and security [1]. Moreover, rapid technological developments have generated much attention in the news and other media outlets. Reports of unethical behaviors, such as identity theft and cyber-attacks, are highly sensationalized. In the U.S. alone the Federal Bureau of Investigation (FBI) reported, from a survey of 2066 organizations in 2005, that cyber-attacks cost businesses some $67.2 billion annually in security expenditures [2] and in the UK, Telewest reported that individuals spend over $3 billion annually on cyber-security [3] – the enormous impact of these IS breaches is well documented. As a consequence, these emerging unethical behaviors need to be investigated and contained. Himma [4] argued that cyber-security attacks are totally unjustified on ethical grounds and that perpetrators must be identified and appropriate sanctions imposed. An earlier study goes some way towards achieving this objective through a consideration of how recipients of information may behave with regard to their ethics, supervisory level, and legal requirements [5]. However, it appears that very limited attention has been given to investigating the ethical severity of cyber-security attacks and emerging employees’ unethical behaviors within the context of growing organizational Web-based systems.

Given the news media hype about the global economic downturn, some employees face intense pressure to meet expectations from their organizations and various stakeholders [6]. Additionally, corporate social responsibility appears to be a façade rather than a sincere practice in most business organizations [7]. A surge in incidents of unethical behavior has been reported in the U.S. news media, for example, the Bernie Madoff Ponzi scheme, the 2008 Singapore Grand Prix crash, and the ACORN scandal. Legal investigations of these incidents revealed that employees were pressured to act unethically and illegally in order to reap personal gains. Despite the public attention paid to these scandals, it appears that unethical behavior still occurs in significant circumstances.

Nowadays, user misconduct is more likely to involve the use of IS resources. Furthermore, some individuals believe that IS misuse is acceptable. Rogers [8], Cronan, Foltz, and Jones [9], and Harris [10] found that individuals are using advanced information technology (IT) tools to engage in unethical behavior. Unethical behavior is defined as any behavior that “violates social norms, whether or not such behavior also violates the law” [11]. While measuring unethical behavior appears to be a daunting task, measuring individuals’ perceptions about the severity of various unethical behaviors can provide an indication of their ethical decision making. Furthermore, Rogers [8] and Harris [10] indicated that future managers are learning about specific technology breaching techniques in some IT courses (i.e. hacking skills, approaches for installing sniffing software and for the identification of passwords, developing denial-of-service (DoS) attacks, and learning how to manipulate weaknesses with Web connections). The number of cyber-security incidents has climbed sharply over the past two decades, though only a small percentage of such attacks is reported to the public [10]. It was reported that the majority of computer hackers are below the age of 30, pointing to the need to investigate users in that age group and their perceptions about unethical behaviors, specifically security attacks [10].

The motivation of future managers to engage in unethical behavior might be fueled by the temptation to graduate quickly in order to obtain a high-paying managerial position [12], availability of convenient IT tools [13], a sense of entitlement without consequences, and peer pressure, as well as a lack of understanding of the severity of their actions [14]. Research has shown that business students engaging in misconduct in their academic career are more likely to engage in unethical behavior during their professional managerial career [12]. Thus, the focus of this work was to investigate future managers’ perceptions about the severity level of key IS attacks in the context of e-learning systems, and to increase awareness for e-learning security issues, as well as their severity among IS managers and researchers. Following the philosophy set by Leonard, Cronan, and Kreie [15] on investigating IS related ethics, the nucleus idea behind our investigation posits that if individuals perceive the severity of key IS security attacks to be low, then they might be more likely to engage in or seek help to engage in such unethical behaviors.

E-learning systems originated from computer communication applications that were developed in the early 1980s. Such systems have shown tremendous growth over the past three decades, starting mainly in higher education and quickly moving into corporate organizations and government agencies. In 2010, more than 5.6 million U.S. students enrolled in at least one online course [16]. E-learning enrollment in higher education has proliferated steadily by about 13% annually or 758,000 students annually over the past few years [17]. Additionally, e-learning has captured about 32% of the adult education market [18]. However, e-learning systems have not just been the learning platform for educational institutions. E-learning has furthermore expanded significantly into delivery of various training modules for medical, corporate, and even military training units. In the medical field, physicians and nurses are taking refresher courses and certificate trainings via e-learning systems, while many businesses are offering their human resources (HR) training sessions via e-learning systems [19]. Within the corporate and the service sector, e-learning systems are used by most marketing, sales, and research and development units to train managers and employees yearly. In like manner, for over a decade the U.S. Government has been running an internal e-learning system to deliver learning modules and develop skills of its employees (www.usalearning.gov). In light of the fact that substantial evidence affirms the trend of e-learning system as a critical ingredient of the business model, organizations are faced with the challenge of providing a secure and accountable e-learning environment for their employees. Although there is a limited body of research on security attack prevention strategies for Web-based systems, cyber-security does pose a real concern [20, 21], so much so that the U.S. government has appointed a czar to help coordinate strategic efforts to reduce cyber-security threats (i.e. malware, spoofing, phishing, and botnets, to name a few) [22]. Cyber-security attacks were also found to have a profound crippling impact on the e-learning systems of higher educational institutions, while their implications for corporate organizations are vastly unknown [23]. Many scholars have demonstrated the significance of investigating cyber-security attacks on e-learning systems and the need to better understand their nature and ethical severity from the perspective of impostors [24, 25].

According to Shaw [26], “ethics deals with individual characters and moral rules that govern and limit our conduct”. He added that ethics “investigates questions of right and wrong, fairness and unfairness, good and bad, duties and obligation, justice and injustice, as well as responsibility and the value that should guide us” [26]. Cronan et al. [9], Leonard et al. [15], and Dorantes, Hewitt, and Goles [27] noted that ethical behavior is gender dependent, indicating significant differences between males and females in both their ethical perceptions and behaviors. They indicated that in general, males appear to be less ethically driven, whereas females appear to be more ethically driven. Moreover, age and academic level were also found to show differences related to perceptions about ethical behaviors. Kreie and Cronan [28] noted that “a person’s characteristics, such as gender, age, and education, may also affect one’s view of what is ethical” [28]. Although such investigations appear to indicate gender, age, and academic level differences with ethical perceptions, not much is known about such differences within the context of cyber-security attacks, especially in popular Web-based systems such as e-learning systems.

The aim of this study was to investigate individuals’ sense of ethical severity of e-learning security attacks and unauthorized activities. Although there are several specific techniques of cyber-attacks, as noted, the focus of this work is about the general sense of ethical severity of engaging in such an attack, rather than a specific cyber-attack technique. The three key objectives of this study were:

a)  To assess the extent that individuals perceive the severity of attacking an e-learning server and unauthorized activities as ethical

b)  To assess the demographics of those who perceive the severity of attacking an e-learning server and unauthorized activities as ethical and as unethical

c)  To assess if there are any significant differences on such ethical perceptions based on gender, age, and academic level

The significance of this research is substantial for institutions and businesses as it provides evidence on how individuals perceive the severity of attacking an e-learning server and unauthorized activities.

Background

Ethical Severity of Attacks and Unauthorized Activities

A substantial rise has been observed in cyber-attacks over the years [29]. However, the required level of sophisticated technological skills to unleash such cyber-attacks appears to have fallen over time. Saydjari [30] reported that cyber-attacks are mainly attributed to the ease of committing such attacks, due to newly available toolkits that are freely downloadable over the Internet. Ramim and Levy [23] documented a case of a devastating cyber-attack that crippled an institution’s e-learning operations and caused substantial damage to their reputation. Such an incident implies that businesses and organizations must be aware of the threats to their e-learning systems from cyber-attacks in order to avoid damages, loss of confidence, and legal liability. As such, the first e-learning security attack selected for this study was a general ‘attack on the server,’ and the aim was to assess individuals’ sense of ethical severity about such an attack.

The second unauthorized activity in this study deals with the interception of e-mails. Although e-mail interception is a general issue, most e-learning systems have internal e-mail systems to enable specific communication between the individual learner and the module or course instructor. The focus of this investigation was the interception of such internal e-mails. Intercepting e-mails is defined as reading, altering, blocking, and/or deleting e-mails sent to someone else. E-mail interception has also become easier than ever, due to the rise of surveillance applications provided to businesses seeking to intercept employee communications, and to others seeking to intercept domestic communications of their spouses or partners [31]. We must emphasize that for some e-learning modules, such as training on proprietary product development or new corporate innovations, intercepting internal e-learning system e-mails may provide additional knowledge or solutions that are not known otherwise, or be an exercise in corporate espionage. This study targeted the individuals’ sense of ethical severity associated with e-mail interception within e-learning systems.

The third unauthorized activity in this study deals with unauthorized file sharing. There has been substantial work on unauthorized file sharing, where the vast majority of such research investigates the distribution of music files over the Internet via peer-to-peer applications [32]. Unauthorized file sharing can be done by individuals during various e-learning activities. However, unauthorized file sharing during exams appears to be one of the most common unethical violations during e-learning exams [33]. We must emphasize that file sharing during exams may provide personal gains for employees who are required to complete e-learning exams for the purpose of certifications or other corporate requirements. For example, employees who are taking HR training exams for certifications or medical professionals taking refresher exams may be tempted to request and share files. As such, the focus of this investigation was on assessing individuals’ sense of ethical severity related to unauthorized file sharing during e-learning exams.