Security awareness programs are an important aspect of the training offered at universities, schools, organizations and the like. While you certainly know the reasons why security awareness programs exist, the truth is that some people don’t stop to think about what is required to build a security awareness program, let alone those specifically for online education.
This article will detail why online education needs security awareness, what some of the unique challenges are, what the current landscape of online education security looks like, and where to begin when building out an SA program for online education.
Please note: This article is intended to address online security awareness programs for online educational institutions. Some may have arrived at this article thinking that it will focus on online security awareness programs — programs such as these are (relatively) long-established and agreed-upon as trustworthy paths toward security awareness certification.
Why Does Online Education Need Security Awareness?
Online education needs security awareness even more so than traditional classroom education, because of the very nature of online education. Being entirely online not only entails that all of the learning is done online, but also that the administration process (such as applying to the online school) is done online as well. As will be discussed later in this article, another problem is that this centralization of information leads to just one or two points of attack, such as an online learning portal, which makes information security all the more important for online learning.
Flying in the face of this is the fact that many online educational institutions currently provide insufficient security awareness programs due to unaddressed information security weaknesses in online education itself.
What Are Some of the Unique Security Challenges Faced by Online Education?
All institutions of learning face heightened information security challenges (especially when the students are minors, as they often are), but for online institutions of learning there needs to be an even more heightened information security standard. Learning online is truly a unique way of learning, and as such comes with some unique challenges. Below is a list of some of these challenges.
Consolidation of Points of Attack
If you had to pick the most unique (or even simply the most important) security challenge faced by online education, consolidation of points of attack would be it. The general trend across the online education industry is that there is heavy consolidation down to one or two points of attack. This consolidation most often comes down to a login portal that all too often lacks appropriate information security measures. When attackers find a single point of attack, all it takes is one successful attack and the targeted user account can be taken out in one fell swoop.
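Because every account passes through that one portal, its authentication log is also the one place where brute-force attempts can be spotted. The following is an added example, not part of the original article: it scans login events for repeated failures per source address and per account within a sliding window. The log format, the five-minute window and the threshold of three are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format: timestamp, source IP, username, result).
SAMPLE_LOG = """\
2024-03-04T09:00:01 198.51.100.7 jsmith FAIL
2024-03-04T09:00:04 198.51.100.7 jsmith FAIL
2024-03-04T09:00:09 198.51.100.7 jsmith FAIL
2024-03-04T09:10:00 203.0.113.11 registrar FAIL
2024-03-04T09:10:30 203.0.113.12 registrar FAIL
2024-03-04T09:11:10 203.0.113.13 registrar FAIL
2024-03-04T09:20:00 192.0.2.10 mlee FAIL
2024-03-04T09:20:20 192.0.2.10 mlee OK
2024-03-04T10:00:00 192.0.2.20 tchan FAIL
2024-03-04T11:00:00 192.0.2.20 tchan FAIL
2024-03-04T12:00:00 192.0.2.20 tchan FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed policy value
THRESHOLD = 3                  # assumed policy value, kept low for the sample

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (sources, accounts) with >= threshold failed logins inside any window."""
    failures = {"source": defaultdict(list), "account": defaultdict(list)}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        if result == "FAIL":
            when = datetime.fromisoformat(ts)
            failures["source"][ip].append(when)
            failures["account"][user].append(when)
    flagged = {"source": set(), "account": set()}
    for kind, table in failures.items():
        for key, stamps in table.items():
            stamps.sort()
            start = 0
            for end, ts in enumerate(stamps):
                while ts - stamps[start] > window:  # drop failures older than the window
                    start += 1
                if end - start + 1 >= threshold:
                    flagged[kind].add(key)
                    break
    return flagged["source"], flagged["account"]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Tracking accounts separately from source addresses is what catches the `registrar` case, where each address fails only once and a per-address counter alone would stay silent.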
Use of Personal Devices/Social Media
The personalized nature of online education gives way to clients who use their own devices to access or log in to their online educational institution’s interface. A lack of security awareness among clients opens up the institution to viruses and other nasties. Devices are not the only threat vectors — clients often use social media, which can be riddled with threats. The best way to handle this particular challenge is for clients to tighten up security on their devices and to be more careful to avoid threats within their personal social media accounts.
Weaknesses Within Online Education Frameworks
Despite the growing popularity of online education, most major frameworks used by the industry have glaring information security holes. Some of the major framework-specific risks include:
- Availability: One of the most common attack types is DoS
- Authentication: Broken session authentication and session verification
- Information confidentiality assaults: Examples include insecure cryptographic storage, leakage of information, insecure direct object reference, improper error handling
- Information integrity assaults: Examples include cross-site scripting, buffer overflow, injection flaws, failure to restrict URL access, malicious file execution
Protection Against Manipulation of Data, User Authentication and Confidentiality
Without the use of proper information security management tools, technologies and policies, the following risks will remain the status quo for many online education institutions:
- Brute-force attacks
- ARP cache poisoning
- IP spoofing
- Cross-site scripting
- Cross-site request forgery
- SQL injection
- Denial of service
- Session prediction
- Session hijacking
- Stack smashing attacks
What Does the Online Education Security Landscape Currently Look Like?
There is a strong paradoxical trait that runs through online education. While growth has been steady to strong in online education enrollment numbers and technology has improved greatly since the early days of the industry, the information security end of online education has not kept up with the pace of growth.
As a matter of fact, this growth in the use of online education is being hampered by the information security landscape itself. Noted experts in the field hold strongly that the weaknesses present in online education information security are currently a major barrier to the expansion of online education as a learning method.
The current information security landscape with regard to online education has the following main weak areas that need to be addressed by the information security community as a whole (or just those working to improve online education). These areas of weakness are:
- Integrity of information
- Identification and authentication
Building an SA Program for Online Education: Where to Begin?
Taking the current online education information security landscape and coupling it with the areas of weakness listed above, we need to evaluate this situation in light of any underlying changes that can be made initially that would touch, and ultimately help solve, these areas of weakness.
The simplest way is often the best, and in this case, there is one change which, if implemented, will go miles in helping solve most of these areas of weakness. This simple change is encryption.
Encryption is one major area that the information security end of online education has not incorporated into its arsenal of information security tools and technologies. By incorporating encryption as a main method of data protection in security awareness programs, online education employees will have a much better understanding of the information security issues facing them. Encryption could have the following impact on these areas of weakness as listed below, complete with necessary hypotheticals:
- Availability: This refers to the availability of the learning environment for clients/online education students. If encryption is used in this case, attackers would not be able to determine what page is the portal and would be shut down from launching a DoS attack
- Integrity of information: If data is encrypted, then hackers and attackers cannot tell what the data is, as it will appear as scrambled characters, and they therefore would not be able to alter the data
- Confidentiality: Information confidentiality would be protected because the encrypted information would not be able to be revealed to unauthorized users
- Authorization: If an attacker is trying to see which user accounts have elevated privileges, encrypted data systems will be unusable to them, thus stymieing their attempts
Despite improvements in technology, information security is severely lagging behind in the online education industry. Online education definitely has its unique challenges to consider, but thankfully the information security problems have been boiled down to just a handful of issues. The good thing about this is that simple changes, such as adding encryption to the process of building security awareness programs for online educational institutions, will add much-needed buttressing of currently ineffectual security awareness programs.