Building Effective and Meaningful Cybersecurity Policies

Guest Blogger: Dr. Barbara Endicott-Popovsky, Director, Center for Information Assurance and Cybersecurity, University of Washington


Note: The following information is presented for students currently enrolled in MLIS programs, as well as teacher-librarians, and other educators in the K-12 and higher education communities.

Teacher-librarians, in addition to managing the application inventory on school computers, are often given the task of controlling computer access. Without specific education in online safety and security issues, putting any limitations on access could seem counter to what a librarian is trained to do.

Before a catastrophe occurs, it would be prudent to develop a clearly communicated Internet policy that will provide access controls and guide safe student Internet use. Below I provide suggestions for creating and establishing meaningful school policies, directing readers to online resources for cybersecurity literacy that teacher-librarians need to help build effective policies.

Student Online Safety

According to Baum (2006), there are five things that we can do as educators to ensure the online safety of students:

1) Initiate a cyber ethics/safety curriculum

Staysafeonline.org provides K-12 curriculum artifacts that guide development of programs for safe and ethical online behavior. The site also recommends other books and magazines that school libraries might consider adopting and provides links to a wealth of tools for assisting schools in the development of Internet safety curriculum. A similar site, i-SAFE, is another rich source of curriculum and readings, including a law enforcement section that lists community resources. Online training modules at i-SAFE can bring teachers up to date. Further, there are over 120 universities and colleges around the country that offer degrees and certificates in information assurance and cybersecurity. For more information, visit the National Security Agency's Centers of Academic Excellence website.

2) Teach cyberethics/safety in the classroom

Students can be effectively taught to be aware of their online vulnerabilities. This engages students in taking responsibility for their own online safety, as opposed to relying on the imposition of filters and other restrictions, which can be an incentive for some to work around them! Cyberethics is ideally taught in the case study format, which engages student thinking about online behavior. By reflecting on, and verbalizing, what they may have regarded as anonymous activity, students are encouraged to confront the kids-only, secret world that some inhabit. Purdue University offers a good online resource for ethical case studies called “Your Guide to Safe Surfing: Learning About the Internet”. CyberSmart is another source offering cyber ethics lesson plans, including one on cyberbullying.

3) Use the Internet for Curriculum Delivery

Some sites deliver curriculum online: i-SAFE, Act Online [https://www.act-online.net/], Anti-Phishing Phil, Netsmartz, and Web Wise Kids, allowing students to practice safe and courteous behavior while learning about it. It is important for students to understand their actions online are observable and understood by adults. Behaviors from blind trust of online sites to cyberbullying should be confronted, challenged, and discussed.

4) Have students make a pledge

Having students help create and take a pledge to abide by safe practices and to demonstrate courteous online manners engages them in conscious commitment. The pledge should be informed by the latest research into online behaviors. There is something about the Internet that encourages behavioral changes. Suler (2004) calls it the online disinhibition effect consisting of: a) dissociative anonymity which can embolden anti-social actions--an example is the mother who impersonated a teenage boy to torment her daughter’s rival into suicide (Pokin, 2007), b) the asynchronicity of the Internet, meaning you do not have to deal with others’ reactions, which may encourage the practice of flaming—sending vituperative emails and cyberbullying, c) dissociative imagination, which contributes to a disconnect with one’s actions, d) thinking ‘this is just a game,’ which provides a convenient excuse for crime, e) solipsistic introjection—making up the other you cannot see—accounting for Internet romances that might be inexplicable otherwise, and f) the minimization of status and authority, “everyone is equal,” which causes challenges to authority.

5) Create an Internet Use Policy

Collaborative development of Internet use policy that engages students, administrators, teachers, parents and IT staff ensures that all stakeholders are involved and committed to successful implementation. Enforceable school policies can establish acceptable norms for online behavior and access. Policies are an established form of organizational communication that provide a compliance baseline, a vehicle for standardized process and, in this case, a foundation for a solid online safety and security plan at the school. According to research, the most effective policies are driven by external forces—legal/regulatory imperatives, or oversight by an external body like a school board or Parent Teacher Association (Chan, Woon, & Kankanhalli, 2005). Furthermore, a policy should be well communicated, both initially and throughout the life cycle of the policy, to ensure awareness and understanding, and should be produced collaboratively with all stakeholders (Doherty & Fulford, 2005). Policies should be subject to review, audit, and update to ensure they are continually viable. Additionally, it must be visible that organization leadership is behind the policy and ‘walks the talk.’ It is also important that risks and sanctions for not following policy are made clear; otherwise compliance with policy fades.

As a facilitated process, engaging students, parents and administrators in Internet policy development is an ongoing effort involving continuous updates, appropriately led by teacher-librarians who have responsibility for access to school computers. The process should be viewed as a learning experience for all involved as a variety of perspectives are aired and discussed. This is particularly valuable for students, who will gain insight into the challenges that school administrators face.

A comprehensive policy should cover Internet access, raise cybersecurity awareness, and focus on increasing safety and privacy online. To ensure the resulting policy will be followed, development should engage all relevant stakeholders, including students and parents. Adults have a great deal to learn from young people. As Palfrey (2008) suggests, when dealing with Digital Natives, those born after 1980, “there is one thing you know for sure: These kids are different. They study, work, write, and interact with each other in ways that are very different from the ways that you did growing up” (p. 2). We need to learn what the world looks like to them while allowing them to take advantage of our collective wisdom and experience. We want what we produce to be relevant to them.

Getting Started

If you find yourself in the position of having to facilitate the development or advancement of Internet use policies at your school, the best first step is to engage administration, parents, and students in an informal dialogue. Filtering policies developed by a school board are not all that is needed. Children should be made aware of online risks in order to stay safe; malicious online behavior must be curbed and sanctioned; computer access should be conditioned on taking user awareness training; skills on how to determine the credibility of online information must be taught; accountability and responsibility must be emphasized; and issues surrounding intellectual property (piracy, sharing, etc.) must be communicated. If you facilitate the development of Internet use policy, remember successful policies should be:

  • Adequately communicated
  • Developed collaboratively with all stakeholders
  • Written in sufficient detail to communicate intent (but not too detailed, or compliance will be negatively affected!)
  • Measurable
  • Visibly supported by school leadership
  • Perceived as mandatory
  • Tied to procedures
  • Paired with acceptable behaviors that can be observed and measured
  • Accompanied by awareness training, easy access to policy, and motivation to comply
  • Continually reviewed and updated.

The education resource sites mentioned provide excellent background for informing stakeholders of the unintended consequences of Internet use. Collaborative discussion and adherence to best practices for policy development will ensure that whatever is developed for the school will face willing acceptance and likely compliance.


Barbara Endicott-Popovsky, Ph.D. (University of Washington), Director, Center for Information Assurance and Cybersecurity; Academic Director, Masters in Infrastructure Planning and Management in Urban Planning; Research Associate Professor with the iSchool; Fellow, Aberystwyth University, Wales; member, American Academy of Forensic Scientists. Her 20-year career in industry encompassed executive and consulting positions in IT architecture and project management. Her research interests include enterprise-wide information systems security, forensic-ready networks, digital forensics, and secure coding practices. She earned her Ph.D. in Computer Science/Computer Security (University of Idaho, 2007); MS in Information Systems Engineering (Seattle Pacific University, 1987); MBA (University of Washington, 1985); BA (University of Pittsburgh).