The modern learning theory for information security awareness emphasizes the need for collective, interactive and collaborative networked communities to facilitate knowledge and experience sharing among all members whereupon new knowledge can be constructed collectively (Anttila et al, 2007). Knowledge construction goes through Six (6) layers of mental processes namely: 1) Knowing, 2) Comprehension, 3) Application, 4) Analysis, 5) Synthesis and 6) Evaluation. Security Awareness should take into consideration each phase of the knowledge construction process when designing awareness and selecting tools for that. Web 2.0 tools such as wikis, discussion forums and blogs have proven effective in accommodating such learning needs (Anttila et al, 2007). Vasilescu, Tatar and Codreanu (2011) see the goal of implementing information security for E-Learning systems is to achieve the following information security objectives:
Confidentiality of content and users' data
Integrity of content, tools and teachers and students data processed by the system against malicious acts.
Availability of e-learning services
Identification and Authentication to eliminate identity thefts and impersonation
Authorization to limit access as needed to information to prevent data loss and leakage and unauthorized modification of information.
This is in line with the goal of implementing information security in online learning in general, which is meant to protect resources from malicious or accidental misuse (Chen and He, 2013). To do that, first, a robust security policy must be established to cover all potential risks and vulnerabilities in E-Learning systems, including hardware, software, human resources and nature (Zuev, 2012). Second, organizations should conduct a risk assessment to identify risks, prioritize them based on impact and develop an effective mitigation plan for each risk (Rjaibi et al, 2012). As seen in the literature review, most technical controls can be rendered useless by a lack of effective security awareness. Information Security Awareness is as much a culture as a corporate policy directive. Successful information protection strategies rely on information security awareness that focuses on culture and tries to instil a security sense in users' practices and behaviours (Aljawarneh, 2011; Chen, Shaw and Yang, 2006). Security in E-Learning is based on policy and technology, where policy states how and what technology is used, while technology assists policy by providing best practices in information protection. However, policy and technology cannot work alone without the support of people (stakeholders' awareness of security risks and mitigation methods) to achieve security goals such as securing e-exams, eliminating cheating and resolving the identity verification issues in online assessment (Chen and He, 2013; Vasilescu, Tatar and Codreanu, 2011). Therefore, all members of society need a level of awareness about information security risks that matches their level of interaction with the system (Anttila et al, 2007).
While end users need a basic level of awareness that qualifies them to use computer networks, deal with critical information and authentication, be aware of cyberspace rules and protect themselves in privacy-sensitive situations, developers of Information and Communication Technology (ICT) systems need awareness in more depth in order to identify risks and apply appropriate security measures to mitigate them (Anttila et al, 2007). Security Managers, on the other hand, should have the competence to manage their organizations so that security is implemented in line with the security policy in place, and to motivate employees to comply accordingly (Anttila et al, 2007).
Although studies have shown that many security and privacy measures depend on human behaviour to be effective, little research has investigated the role of human behaviour factors in enabling security and privacy measures (Proctor, Schultz and Vu, 2009). As such, all stakeholders of E-Learning Systems, from Administrators to Developers, should be aware of this relationship and consider human behaviours in their designs (Anttila et al, 2007). However, users, including online learners, will not cooperate with these security systems unless they find them user-friendly and intuitive (Proctor, Schultz and Vu, 2009). Anttila, Savola, Kajava, Lindfors and Röning (2007) suggest that Information Security professionals at an organization should stay current on any changes to information security industry standards in order to be able to show others how to apply and conform to approved industry Information Security standards and guidelines. The International Organization for Standardization (ISO) 17799 security standard recommends that user security awareness should focus on Ten (10) major security domains (Chen, Shaw and Yang, 2006):
Information Security Policy
System Access Control
System Development and Maintenance
Personnel Security
Physical and Environmental Security
Security Organization
Asset Classification and Control
Communications and Operations
Business Continuity Management
In the same way, Barroca and Gimenes (2012) suggest that users of social media and Web 2.0 tools should be made aware, through dedicated awareness sessions, of the potential privacy issues of information that is publicly available. Security awareness sessions should address all kinds of human behavioural vulnerabilities, such as, but not limited to, demotivation, low self-esteem, technology incompetence, over-competence, lack of interest, lack of awareness, lack of responsibility and accountability, and poor management (Zuev, 2012). One issue worth mentioning in the discussion of behaviour-based awareness is Online Trust (Beldad, Jong and Steehouder, 2010). Beldad, Jong and Steehouder (2012) observe that people who are highly proficient with the web are more likely to perceive the risks of using the web as lower and to be inclined to trust online transactions, and therefore need awareness to raise their sense of potential online security risks.
The biggest challenge facing Information Security Awareness is the changing nature of ICT and the agility of applications such as E-Learning systems. This has created a need for security awareness providers to use delivery methods that are more interactive and collaborative, since the deeper security awareness required has proven beyond the reach of traditional training methods (Anttila et al, 2007). The following are some of the challenges that Information Security Awareness programs need to address and focus on in order to instil security awareness into the culture of E-Learning Systems' stakeholders.
Users should be aware of risks such as choosing easy-to-guess passwords, while System Administrators should know how to enforce password complexity schemes. For example, a recommended awareness session would educate users on how to use a passphrase rather than a password: the user chooses a phrase and composes the password from the first letter of each word in the phrase, then applies character substitutions with digits or symbols where applicable, such as converting an 'a' to an '@', and so on. Analysis of one password cracker revealed that 62% of passwords that did not contain a symbol or a digit were cracked, as opposed to only 2% of passwords containing a symbol or a digit (Proctor, Schultz and Vu, 2009).
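The passphrase-to-password derivation described above, together with the server-side complexity check an administrator could enforce, written in Python as an added illustration that is not from the original text; the substitutions other than 'a' to '@', the minimum length and the phrase used as sample input are assumptions chosen for the example.

```python
import re
import string

# The 'a' -> '@' mapping is the one given in the text; the other entries
# are assumed for illustration and could be replaced by any user-chosen scheme.
SUBSTITUTIONS = {"a": "@", "s": "$", "i": "1", "o": "0", "e": "3"}


def derive_from_passphrase(phrase: str, substitutions=SUBSTITUTIONS) -> str:
    """Compose a password from the first letter of each word in `phrase`,
    keeping the original case, then apply digit/symbol substitutions."""
    words = re.findall(r"[A-Za-z0-9]+", phrase)
    initials = "".join(word[0] for word in words)
    return "".join(substitutions.get(ch, ch) for ch in initials)


def complexity_report(password: str, min_length: int = 8) -> list:
    """Return the list of policy rules the password fails (empty if it passes).
    The last rule is the one the cited analysis singles out: passwords with
    no digit or symbol were cracked far more often than those with one."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(ch.islower() for ch in password):
        problems.append("no lower-case letter")
    if not any(ch.isupper() for ch in password):
        problems.append("no upper-case letter")
    has_digit = any(ch.isdigit() for ch in password)
    has_symbol = any(ch in string.punctuation for ch in password)
    if not (has_digit or has_symbol):
        problems.append("no digit or symbol")
    return problems


def meets_policy(password: str, min_length: int = 8) -> bool:
    """True when the password satisfies every rule in complexity_report."""
    return not complexity_report(password, min_length)


if __name__ == "__main__":
    # Constructed sample phrase, not one from the source.
    sample = "My dog ate six apples in Ohio last summer"
    derived = derive_from_passphrase(sample)
    print(derived, complexity_report(derived))      # Md@$@1Ol$ []
    print("sunshine", complexity_report("sunshine"))  # fails two rules
```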
Users should be aware of how to decide when to reveal personal information in order to complete a transaction; studies show that this practice can lead to identity theft (Proctor, Schultz and Vu, 2009). Users should be aware of how to read and understand web site privacy agreements and software certificates in order to accept them securely; accordingly, system developers should be educated on how to make these technical documents more user-friendly and automated (Proctor, Schultz and Vu, 2009). Users should be aware of how to identify content that they should trust or ignore, since such content may be a form of phishing or social engineering attack (Proctor, Schultz and Vu, 2009). The common factor among all the above challenges is the need to raise awareness of information security risks among online learning systems' users. Next, the role of Information Security Awareness in Online Learning is discussed.