- Cybersecurity awareness rarely receives the attention from higher education needed to institute appropriate training and prevent security lapses, including those afflicting student works.
- University administration is responsible for ensuring that correct policies and procedures are in place, including information assurance awareness and periodic compliance training for everyone associated with the academic network.
- Four lessons learned in this case of a mistaken plagiarism charge can help others on campus, especially students, apply the security steps that will prevent confusion in ownership of data.
Standard airline emergency preparedness calls for oxygen masks to drop down in front of passengers when there are problems with cabin pressurization. Such applications of knowledge, policies, and procedures — enabled by technology — are all around us to offer various degrees of protection. Nevertheless, there are gaps. In higher education one such gap is the lack of cybersecurity awareness and the training necessary to protect a student’s work product, among other types of data. My authority to cite this security lapse stems from my career in information assurance combined with a plagiarism charge leveled against my daughter, a college sophomore.
Early Computer Training
She has had access to the MS Office product suite for all of her 20 years. In her early years we looked for letters on the keyboard and graduated to making small words such as cat, hat, and dog. Our family archives include dad-imposed assignments such as “What I Did on My Summer Vacation,” letters to Santa Claus written with MS Word, and thank-yous to grandma for birthday checks, completed with MS PowerPoint. This repeated exposure to MS Office and other personal computer applications made middle school and high school assignments technologically easy for her. Despite my background, the single area that I did not teach was the importance of data security beyond the selection of a username and a password. My daughter’s resulting predicament can serve as a lesson for students and for university faculty and staff who teach the next generation. Information assurance must be part of an education — and not just for those pursuing a degree in computer science or related disciplines.
Driving home from school at fall break, before all this erupted, we had discussed the assignment that would lead to her difficulty. She was preparing a paper on a social topic related to my own graduate work. She definitely had her own opinion and the research to support it. Her fall break was partially spent conducting more research.
What Went Wrong?
Back at school she began writing, creating the initial document on a university workstation in the library rather than on her own laptop. She saved the document under her own userID on the network drive and e-mailed a copy to her commercial e-mail account each time she edited the paper. These actions complied with my advice not to fall prey to the twenty-first-century version of “the dog ate my homework.” On the assignment’s due date her instructor rejected the hard copy, insisting that e-mail was the preferred method for submission. Subsequent to electronic receipt of the assignment, the instructor charged my daughter with plagiarism because another student’s name appeared in the MS Word preferences tab.
Unlike her instructor, I was accustomed to my daughter’s writing style, including grammar flaws and other nuances of expression. Indeed, we had discussed the paper in some detail. Plagiarism my ... foot!
I had covered important issues when she was much younger and thereafter looked to my daughter to educate herself and to society to provide periodic reinforcement of appropriate behavior. But as my daughter gained skills using the MS Office product suite, my failure to teach information assurance was not corrected in the academic environment. Information assurance begins with the end user and involves shared responsibility along the chain of command within the university and among computing staff and instructors. As with the airlines’ oxygen masks, university administration is responsible for ensuring that correct policies and procedures are in place. This should include information assurance awareness and periodic compliance training for everyone associated with the academic network.
Lesson 1: Establish Ownership
When using a publicly accessible workstation — for example, in a university library — or even when using your own laptop, the file preferences tab in MS Word and its related products requires attention, as it contains document ownership information. With the document open, click on File and then on the Preferences or Properties tab. Choose the option that shows the document’s author and title. At a minimum, modify the information to include your name. Course code, instructor’s name, university name, or other ownership information might be beneficial as well. Leaving the information blank — or worse yet not reviewing the default information — opens the door not only to charges of plagiarism but also to the possibility of your work being plagiarized. Additionally, this tab includes a wealth of possibilities for document management. In my daughter’s case, she did not change the default information, which attributed document ownership to a fictitious person. She has since modified normal.dot, the default MS Word template document on her laptop, to contain her student number. Security by obfuscation — that is, using a student ID rather than the student’s name — contributes to identity protection, but it’s not enough.
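The ownership check described above can also be done outside Word. The following is an added example, not part of the original article: it assumes the modern .docx (OOXML) format, where the author fields live in `docProps/core.xml`, and the sample package, the default name "Library User", and the student number are all constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
CORE = "docProps/core.xml"  # OOXML part that holds the author fields
FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"}
ET.register_namespace("cp", NS["cp"])

def read_owner_fields(docx):
    """Return the author fields stored in a .docx package (given as bytes)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read(CORE))
    return {k: (root.findtext(p, "", NS) or "").strip() for k, p in FIELDS.items()}

def audit(docx, expected, known_defaults):
    """List ownership problems: blank, workstation default, or someone else."""
    findings = []
    for field, value in read_owner_fields(docx).items():
        if not value:
            findings.append(f"{field}: blank")
        elif value.lower() in known_defaults:
            findings.append(f"{field}: workstation default")
        elif value != expected:
            findings.append(f"{field}: unexpected owner")
    return findings

def set_owner(docx, owner):
    """Rewrite both author fields; every other part is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == CORE:
                root = ET.fromstring(data)
                for path in FIELDS.values():
                    prefix, tag = path.split(":")
                    node = root.find(path, NS)
                    if node is None:
                        node = ET.SubElement(root, f"{{{NS[prefix]}}}{tag}")
                    node.text = owner
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, data)
    return out.getvalue()

def sample_docx():
    """Constructed minimal package; 'Library User' is a made-up default name."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>Library User</dc:creator><cp:lastModifiedBy/>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(CORE, core)
        z.writestr("word/document.xml", "<document/>")  # placeholder body
    return buf.getvalue()
```

Running `audit(sample_docx(), "S0000000", {"library user"})` before submission flags both fields; after `set_owner(...)` the same audit returns an empty list.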
Lesson 2: Complacency Is Risky
In a networked environment, a student’s userID is attached to the document. Identification schemas tend to follow an easily discernible pattern — for example, first and middle initial followed by last name. Numerical suffixes are added in large environments to accommodate duplicative names. Because computers are as fallible as the humans who write the program code or who support the application, further preventive action is required. In my daughter’s scenario, she discovered that the university’s software had embedded her password in the userID field, a practice applied to all electronic documents created in the university library. Because the university uses a log-on credential that can be easily guessed by the university population, not to mention by those involved in cybercrimes, the embedded password in a document in plain text compromised her work and that of every member of the academic network. IT staff can and must do better. Where security practices are concerned, the user’s motto should be “Trust but verify.”
Lesson 3: Make Security a Habit
Information sharing demonstrates commitment to collaborative efforts. However, due diligence must be observed when sharing. Work products that are electronically communal must be write-protected. This setting lets a reader review the document but not alter its contents. Further, adding a password to the document encrypts the contents, making the document unreadable both during electronic transmission and at its destination unless the password is known. My daughter has now adopted the practice of encrypting all assignments, e-mailing the assignment, and then e-mailing the password as a separate message to her instructors. Because surreptitious screen printing remains a possibility in exploiting academic research, risk mitigation on every front is vital to academic excellence and integrity.
Lesson 4: Awareness and Training Are Essential
Many universities ensure academic integrity electronically. Applications in this arena act as a policing agent looking for incidents of plagiarism while simultaneously protecting and teaching students. By submitting the first draft of a paper, the student locks in his or her own knowledge and ownership. In a properly designed network, technology takes care of propagating the draft version to global databases, and the research is forever theirs. Even in an instance of unintended plagiarism — say, improper APA citation — the student has the opportunity to correctly construct and cite a reference.
The assumption of vicarious learning is irresponsible for all concerned. Beyond the initial exercise of learning about information assurance from IT-dad, my daughter should have had periodic training. This generation, although technologically astute, lacks the knowledge and skills to prevent or refute an accidental charge of plagiarism. The name that appeared in the preferences tab of my daughter’s paper was the default name assigned to every paper created at a workstation in the university library. The IT staff, if not the instructor, should have known about this false plagiarism indicator.
The velocity of change in technology and cybercrime combined with the pressures of achieving academic excellence are daunting. It can become increasingly difficult to cope without training upon entry into college and retraining in every class. My mantra is “Rehearsal enhances recall.” Many universities require a general preparation class as part of a degree program, and this seems like the place to address data security. Security awareness and compliance training in the professional workforce is an annual event for many companies. Universities need to be on the front line in preparing the future workforce.
Setting It Right
Parents designed the boogeyman of folklore as a compliance mechanism for their children’s own good. Cyberthreats, by contrast, are real and should be taken seriously. Because security audits, annual cyberthreat prevention training, and continuing education are requirements in my job, I was able to help my daughter defend herself from the plagiarism charge. The academic dean understood and quickly interceded, and the chagrined instructor apologized. In addition, my daughter took the initiative to demonstrate to her dorm mates and friends the importance of the settings under the MS Word preferences tab. I’m glad that she’s taught others, but I remain concerned about the lack of security awareness among her peers. Not all students’ dads are IT professionals.