The CERIAS K-12 Outreach Program mission is threefold: to raise parent and community awareness of privacy, security, and safety issues related to the use of the Internet, to increase the security of K-12 information systems, and to integrate information security topics into the K-12 curriculum. Building upon existing work, the program will continue to grow and fulfill its mission through collaboration with K-12 schools, outreach entities on the Purdue University campus and nationwide, and CERIAS partners. This section of our website highlights current and future outreach initiatives. If you are interested in using our materials in the home or classroom, pilot testing new materials, partnering, or if you would like to learn more about the CERIAS K-12 Outreach Program, please visit the rest of our website at www.cerias.purdue.edu/education/k-12 or email us at k-12@cerias.purdue.edu.
Goal 1: Community Awareness: Strengthening the Home Connection
A recent study by the CERIAS Outreach Program highlights the growing knowledge gap between children and their parents when it comes to the Internet. Fifty-eight percent of the teenagers, when asked if their parents used parental controls, responded that they did not have any sort of technology-based parental controls for accessing the Internet. Likewise, thirty-eight percent of the respondents indicated that their parents had no rules of any sort governing their use of the computer. These responses are chilling, considering the fact that, of these same students, 55% have illegally downloaded copyright-protected music, 32% have been harassed online, 56% have been sent inappropriate material while online, and 47% chat regularly with strangers online. Whereas a typical parent imposes rules regarding ethical conduct and personal safety in the real world, there seems to be a gap concerning the world of the Internet.
To address this need, CERIAS has developed a collection of resources to educate parents about information security and privacy basics. Topics such as identity theft, computer security, cyber ethics, cyber crime, and more are discussed in our 15-article newsletter series, our group presentations for parent-teacher organizations, and our Indiana Information Security Week Initiative. This section describes our efforts in this area and concludes with a description of future work.
Group Presentation & Self-Instructional Document
The Internet is a powerful tool that offers many opportunities for recreation, growth, and learning, but it also presents many security threats to children and to their families. Some of the main threats can be categorized into two groups: privacy and safety issues, such as identity theft, child predation and harassment; and inappropriate online behavior, such as hacking, harassment, and viewing of pornography or other offensive material. While these threats will always exist, parents can work with their children to reduce the risks of becoming victims—or perpetrators—of cyber crime.
This presentation, which has been delivered to several PTA/PTO groups, familiarizes parents with information security issues and introduces the idea of creating a contract with their children to help manage their family’s use of the Internet. This contract can help protect families against Internet dangers by helping parents communicate with their children. Creation of the contract can also reduce family conflict concerning Internet use by setting clear guidelines for use and establishing consequences for lack of observance of guidelines.
Delivered by CERIAS personnel experienced in information security issues and K-12 education, this presentation can be modified to fit any specified time frame from 30 minutes to 2 hours. The presentation is also available as a self-instructional document in PDF format.
Newsletter Articles
The information security newsletter article series is a collection of fifteen short, informative articles intended to quickly explain the major security risks and responsibilities associated with home users and parents. The articles can be read online at www.cerias.purdue.edu/education/k-12/community_awareness or downloaded in PDF format for print. For K-12 schools, the information security newsletter article series is an effective way to inform parents about the basics of information security. Topics include information security goals, risks and threats, passwords, spam, safe online shopping, and cyber ethics, to name a few. Our newsletter articles can be included in a school corporation’s newsletter to parents, free of charge. To date, over 20,000 homes have received the CERIAS Information Security Newsletter Articles.
Future Work
The Internet-related problems facing parents and communities will continue to evolve in the future. To combat them will require that parents have an increased awareness of key issues and are equipped with the knowledge necessary to keep their children and their homes safe from cyber-threats. CERIAS plans to expand existing work in this area by pursuing dissemination partnerships with national organizations such as the American Association of School Administrators and the Computer Security Industry Alliance as well as Indiana organizations such as Techpoint and Women in HighTech. In addition, CERIAS will continue to expand its repertoire of materials by expanding the newsletter series and creating case studies, tutorials, and awareness initiatives revolving around IISW and the National Cyber Security Awareness Month.
Goal 2: Securing K-12 Information Systems: Keeping Information Private and Schools Safe
As schools become more dependent on information technology to facilitate data-driven decision-making and enhance learning and discovery, the security of the schools’ information systems, the data that resides on those systems, and even the safety and privacy of the systems’ users is becoming a growing concern. Federal regulations, due diligence, and student safety are only a few of the motivating factors that serve to illustrate the importance of information security.
Schools now use information technology for organizing and accessing data as well as to facilitate learning. In fact, K-12 schools have embraced information technology as an effective tool for engaging students in the learning process and streamlining teacher productivity. With increased federal legislation and funding in support of increased access to educational technology, American schools have seen an explosive growth of information technology in the classroom. The Telecommunications Act of 1996 expanded Internet access to K-12 schools; as a result, 99% of K-12 schools use the Internet (U.S. Department of Education, 2003). With increased access comes increased responsibility. For example, personally identifiable information of students and staff is made much more easily available through information technologies. However, academic records must be secured, and sensitive information must be restricted in its availability. Federal privacy regulations such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Internet Protection Act (CIPA), as well as school improvement initiatives such as No Child Left Behind, all serve to highlight the importance of protecting sensitive information.
To ensure the security of a school’s information, the availability of services critical to learning, and the safety of a school’s constituents, CERIAS takes a multi-level approach to solving the information security dilemma. We have developed several innovative approaches to assist these districts in creating a safer computing environment for our children, namely technology coordinator workshops, training for teachers, sample vulnerability assessments, and innovative service-learning courses offered through Purdue University’s Computer Technology Program. These initiatives are described in detail below.
Research and Scholarship
CERIAS faculty and staff have been actively engaged in studying the issues, problems, and relationships associated with information security and K-12 schools. Specifically, we have done extensive work exploring the perceptions and practices of teachers with regard to information security. The list of publications and conferences below highlights our recent efforts to raise awareness of these issues:
2004
Assessing Student Performance Outcomes in an Information Security Risk Assessment Service Learning Course. Conference Proceedings: ACM SIGITE Annual Conference. Author: M. Dark.
Civic Responsibility and Information Security: An Information Security Management, Service Learning Course. Conference Proceedings: Association for Computing Machinery Information Security Curriculum Development Conference. Author: M. Dark.
Information Security Training and Awareness for K-12 Schools: Implications and Recommendations. Conference Workshop: Hoosier Educational Computer Coordinators. Presenter: M. Rose.
Exploring the Intersection of Teacher Practices, Online Learning, and Information Security. Conference Paper: Association for the Advancement of Computing in Education ED Media. Presenters: J. Richardson, J. Alsup, M. Rose, L. Schade, and D. Yang. Available online at www.cerias.purdue.edu/tools_and_resources/bibtex_archive.
K-12 Information Security: The Current State. Symposium Presentation: CERIAS Annual Information Security Symposium. Presentation: M. Rose. Available online at: www.cerias.purdue.edu/news_and_events/events/symposium/2004/presentations/matt-rose-k12info.pdf.
How to Perform a Security Audit. Publication: Technology and Learning Magazine. Authors: M. Dark and A. Poftak. Available online at: www.techlearning.com/showArticle.jhtml?articleID=17602668.
Keeping Information Safe: An Exploration of Teacher Practices and Perceptions in K-12 Schools. Conference Paper: American Educational Research Association. Presenter: M. Rose and D. Yang. Available online at: www.cerias.purdue.edu/tools_and_resources/bibtex_archive.
School Safety and the Internet – Is Your Network Secure? Publication: Indiana School Board Association Journal. Authors: M. Dark, M. Iunghuhn, and L. Rausch.
2003
Information Security in K-12 Schools: Risk Management. Conference Presentation: Hoosier Educational Computer Coordinators Conference. Presenter: M. Rose.
Privacy Primer for Educators. Publication: In Fitzgerald, M., Orey, M., & Branch, R. (Eds.), Educational Media and Technology Yearbook, 28. Athens, GA: Libraries Unlimited. Author: J. Lewandowski.
Training for Teachers
CERIAS has been conducting teacher workshops on information security issues and best practices in information protection since 1998. Because there is significant overlap between workshops on best practices in computing and workshops on best practices in teaching students fundamental concepts, these workshops are described under Goal 3 (below). In addition, CERIAS has developed a set of self-instructional multimedia modules, collectively titled “Keeping Information Safe: Practices for K-12 Schools,” which are intended for in-service and pre-service K-12 teachers, who are largely unaware of the threats to information and information systems. The overarching goal of these modules is to educate end-users on areas of information security basics, privacy, and legal issues related to information systems use, as well as the threats, vulnerabilities and countermeasures that exist. “Keeping Information Safe: Practices for K-12 Schools” is organized into six modules: 1) Information Security Overview, 2) Physical Security, 3) Software and Issues, 4) Email Security, 5) Password Security, and 6) Social Engineering. Content for each module was determined through focus group sessions, informal interviews with technology coordinators in Indiana schools, and industry standards. Additionally, a comprehensive instructional analysis was conducted to determine necessary content for compliance with FERPA regulations.
Technology Coordinator Workshops
To ensure the security of a school’s information, equipment, and services, administrators and technology staff need to be able to understand, plan for, implement, and evaluate best practices for managing the information security practices in the school corporation and for sound security decisions. To address this need, we have created and implemented a set of information security management workshops intended for technology coordinators and school administrators who are responsible for student safety as well as the availability, confidentiality, and integrity of a school corporation’s information and information systems.
Workshop topics include “Information Security Risk Assessment,” “Legal Issues and Regulations,” “Creating and Auditing Information Security Practices,” and “Creating an Awareness and Training Program.” Five cohorts have completed the workshop series. Workshop evaluations have been excellent, and participants have reported a significant change in their approach to security and privacy issues. Initial reactions from the workshops have been very positive. According to follow-up interviews from several previous workshop participants, the series has resulted in:
- Implementation of information technology risk analysis in stages
- 3rd-party consulting agreements for network evaluation and intrusion detection
- Revision of existing information policies to better address security and liability concerns
- Documentation and revision of existing information security practices
- Creation of new information security policies and practices
- Initiation of an information security communications/awareness program
Security Assessment Pilot Program
In general, there is little existing data about the security of K-12 school networks; in fact, the mainstream sources of data and statistics regarding security exposures, expenditures, risks, and challenges faced are based solely on corporations and businesses with very different sets of resources and goals. In the fall of 2003, CERIAS partnered with Infotex, an information technology consultancy, and five forward-looking Indiana school corporations to perform pro-bono security assessments in order to achieve a “snapshot” of the state of network and information security and the controls in place to maintain and protect our students and their personal information. The tests were performed using industry-standard methods and tools, and the focus of these assessments was to determine the external and internal exposure and penetrability of the school networks.
Results
The overall results of this testing process are troubling. To summarize the findings:
- Every network assessed was exploitable from the Internet.
- Two of the five schools tested were penetrated from the Internet; the remaining three had vulnerabilities that would have caused irreparable damage to systems if they were exploited, and thus exploitation was not attempted.
- The testing team was able to easily obtain a complete list of all students and staff and some sensitive (FERPA protected) information from three of the five schools from the Internet, and from all schools once on the internal network.
- CIPA measures in place to prevent students from accessing inappropriate material could be easily circumvented in all of the schools using basic tools or techniques well within the grasp of the average student.
- Payroll and grade processing systems were relatively easily penetrated in four of five schools, although not actually penetrated due to their sensitive nature.
- The testing team’s attacks and compromises were not detected by any school IT staff without intentional disclosure where emergency changes were requested to protect the school’s systems from immediate threats.
Service Learning Graduate Class
In Spring 2004, Purdue University/CERIAS offered a service learning information security risk assessment class for graduate students. This was the first time the class was offered; 24 students were enrolled. These students studied information security risk assessment background and methodology in depth and then performed a public service by actually conducting risk assessments for K-12 school corporations. Six school corporations in West Central Indiana were served. The impact of the class was that schools received an in-depth analysis of their networks at no charge and students learned by actually performing the risk assessment. The class was offered again in Spring 2005 and will likely be offered in the future.
Future Work
Information security issues in K-12 schools are likely to receive increased attention in national media as well as in discussion of national educational policy issues. Schools cannot afford to approach security in an ad hoc manner, but without proper guidance and assistance, they will be unable to achieve their educational technology goals and address security and privacy-related issues. CERIAS plans to expand existing work under this goal by pursuing the development of a publicly accessible, web-based repository of digital and print-based educational materials for teachers, administrators, and parents, by expanding the teacher and technology coordinator workshops, and by pursuing partnerships with other universities in order to replicate our service learning class.
Goal 3: Integration of Security into the Curriculum: Keeping Students Safe, Instilling Values, and Enhancing Learning
There is an alarming shortage of information security and information technology professionals in the state of Indiana and nationwide; a recent study by the ITAA (Information Technology Association of America) suggests that half of all high-tech jobs will go unfilled because of a lack of qualified workers. Clearly, K-12 students need to be able to explore career opportunities in the high-tech sector, and K-12 schools need to be able to provide students with the skills necessary to succeed in emerging industries such as bio-tech, advanced manufacturing, and cyber-security.
Likewise, as computer use continues to grow, it is crucial that students are taught how to use information technology in a safe, ethical, and responsible manner. Without a basic knowledge of information security issues, children can become victims—and perpetrators—of very serious and dangerous crimes. At CERIAS, we believe that the solution to these problems begins early. Integrating information security activities into the K-12 curriculum and aligning them with state and national standards will help alleviate the shortage by increasing the skills of the entire future workforce; likewise, it will promote cross-curricular studies and real-world problem-solving, skills vital to success in the new millennium. Integrating security topics into the curriculum will also help address issues of online safety, critical literacy, and transfer of ethical behavior to the online environment.
We have developed a series of teacher workshops, lesson plans, and student activities designed to help teachers integrate information security concepts into the classrooms. As time is a critical resource for teachers, we have developed our educational materials to be very easy to use. Aligned with Indiana academic standards, our activities are complete with resource lists, entry competencies, intended learning outcomes, and step-by-step teaching instructions. Topics range from computer security basics and cyber-ethics to academic topics such as cryptography, signs and symbols, digital forensics, and viruses. Our activities are cross-curricular and can be used to demonstrate to students the real-world applications of the various disciplines. We are currently exploring funding opportunities to align existing curriculum with national academic standards and to develop additional activities that use information security topics—such as cryptography, digital forensics, and computer viruses—to address academic standards and achieve higher-order thinking.
Teacher Workshops
Based upon our research in teacher awareness and knowledge of information security and privacy issues (see Goal 2), we have developed face-to-face workshops for K-12 teachers and support staff. The same material was used in a course offered to pre-service teachers in the School of Education at Purdue, titled EDCI 591A: “Information Security for Educators,” which was also offered to K-12 teachers as an 8-week summer course. Topics covered in the teacher workshops include:
- File Management: Creating folders, using folders for organization, organizing your links, creating, scheduling, and maintaining back-ups.
- Email Protocol: Basic netiquette, identifying urban legends and e-mail hoaxes, e-mail security procedures, e-mail and privacy regulations such as FERPA.
- Privacy Primer: Discussion of privacy concerns, strategies to teach privacy concepts to students, FERPA, HIPAA, CIPA, and COPPA.
- Virus Protection and Firewall Basics: Definition of viruses and other malicious code, protecting your system, secure techniques, basic introduction to firewalls, using firewalls, etc.
- Cyber Ethics: Definition of cyber ethics, strategies for teaching concepts to students, using case-based instruction and analogies and debates for teaching ethics.
- Copyright: Understanding the four components of fair use, identifying appropriate use for video, print media, and web-based activities, case-based instruction using relevant teacher examples, peer-to-peer file sharing, strategies to model and teach copyright concepts to students.
- Site Credibility and Evaluation: Determining criteria to use to evaluate sites, finding and utilizing rubrics for evaluation, using critical thinking to evaluate claims and discern biases, and addressing credibility issues with students.
- Scavenger Hunt Development: Methods for using the Internet appropriately with students, developing locally-stored web sites, integrating scavenger hunts into the curriculum.
- Cryptography: Using cryptography to demonstrate the connections among English, math, social studies, and science; cryptographic problems as a motivational tool.
K-12 Curriculum
We have designed a series of scalable activities for students in grades K-12. Concerned with subjects such as ethics, password creation and usage, cryptography, viruses, and instant messaging, these materials are aligned with standards found in the current Indiana curriculum requirements for grades K-12. By introducing the topic of information security in the classroom, educators will be helping their students learn the skills that they need to succeed in the 21st century. It is important to open a dialogue with the students and engage them in activities that present the principles of information security in a relevant and fun forum.
CERIAS staff members, experienced in K-12 education and information security issues, are available to help facilitate the lessons or to work with groups of teachers on strategies for implementing the lessons. Our complete repository of activities can be found online at www.cerias.purdue.edu/site/education/k-12.
Middle School (6-8) Internet Safety Curriculum
Two surveys concerned with information security literacy were given to almost 500 middle and 9th grade students in three schools in Indiana—two rural middle schools and one urban high school. The results of this survey led to the creation of lessons and activities geared toward the needs of middle school students. The lesson plans and materials, “Your Guide to Safe Surfing: Learning about the Internet,” are aligned with state and national science, math, history, technology, and language arts standards, and can be found in their entirety online at http://www.cerias.purdue.edu/education/k-12/teaching_resources/lessons_presentations/.
Impact & Future Work
To date, more than 6,000 educators have participated in CERIAS workshops and seminars, with the potential of reaching approximately 120,000 students in the state of Indiana alone. Additionally, instructional materials have been disseminated to college and university faculty members from over 30 institutions, many of whom plan on replicating the K-12 program.
CERIAS is working with key partners to pursue underwriting for the development and dissemination of additional initiatives in this area. We are currently exploring funding to develop additional activities that use information security topics, such as cryptography, digital forensics, and computer viruses, to address academic standards and achieve higher-order thinking.