Youth Cyber Offending & Victimization: Implications for

Future Security Policy and Practices

Presented by Sam McQuade, PhD, Center for Multidisciplinary Studies

Dave Pecora, Information and Technology ServicesApril 4, 2007

1

Overview• Part 1 – RIT Research and Findings

• Part 2 – RIT Response for Preventing Campus Cybercrime

• Part 3 – Higher Education Leadership and Community Outreach

2

Part 1RIT Research and Findings

3

2004-2006 RIT Studies Asked College Students About:

A.Present computer use and while growing upB.Knowledge and use of computer security techniquesC.Computer crime victimization experiencesD.RIT computer security program services E.Relationships, expectations and ethicsF. Attitudes towards specific kinds of computer use and

abuseG.Computer/IT offending behaviorH.Likelihood of being caught and punishedI. Reasons for offendingJ. University computer policy and programsK.Demographics

4

Computer in Home

5

Primary User of Home Computer While Growing Up?

6

Age Started Using Computers

7

Supervision of Computer Use While Growing Up

8

Primary Computer User Role Model

9

Influence of Primary Role Model

10

April 2004 RIT College Student Findings

• 873 randomly sampled college students:

• 17% of respondents were harassed

• 8% were threatened

• 6% were cyber stalked

• 6% were victims of identity theft.

• One-in-four students reported being victimized multiple times

• One-in-three claimed they knew the perpetrator prior to the crime.

11

And they weren’t just victims . . .

– Pirating of music, movies and software was rampant. A substantial amount of academic dishonesty enabled by computers and other electronic devices was also reported with wide ranging student attitudes regarding these activities.

12

Key Findings From All Four SurveysStudents’ online and offline

behaviors and interactions are intertwined.

Inconsistent moral clarity involving use of computers and IT devices for certain behaviors.

Students are both offenders and victims of computer abuse and crime

13

Major Conclusion

Lacking Cyber EthicsEducation and Infosec Training

Cybercrime Victimization

Cyber OffendingBehaviors

Today’s under-educated and trained students are tomorrow’s naive employees, insider offenders and external attackers.

14

Part 2 RIT Response for

Preventing Campus Cybercrime

15

RIT Response consists of:

Technology

Education

Enforcement

Partnership

16

TechnologyAnti-Virus software (Students, Faculty, and Staff)

Host Intrusion Protection (HIPS) for RIT owned desktop computers

Network Scanning for Vulnerabilities and Compromises

Spam Filtering (to name but a few)

… Technical solutions are important, but they only go so far…

17

Education

Digital Self-Defense classes run by ISO

- 90 minute course designed to educate on cyber threats, how to protect themselves

- Integrated into First Year Enrichment (FYE) program.

ITS Technology Seminars

Additional programs in partnership with Student Affairs

18

Education / Enforcement

Security Standards process led by the ISO

- Standards developed in partnership between ISO, ITS, colleges, and others within the university.

- Security standards are an extension of university policy

- But are also valuable for educational purposes

19

Enforcement

ITS works closely with Campus Safety and Student Conduct to investigate cyber threats such as running malicious code, copyright infringement, and cyber harassment or stalking.

Each area plays a significant but different role:

- Campus Safety leads any investigations

- ITS and ISO provide technical support and policy interpretation support

- Student Conduct oversees the judicial process20

Partnership

Partnership between ITS-ISO-Student Affairs/ Student Conduct-Campus Safety - already discussed

Partnership with academic research:

- Evaluation of music service (CTRAX)

- Higher Education Leadership and Community Outreach Initiative

21

Music Service - Timeline

September, 2004: RIT offers CTRAX legal music service to students

March, 2005: ITS partners with Dr. McQuade to evaluate effectiveness of service, student attitudes on illegal file sharing

22

Research FindingsKey Findings:

Issues with CTRAX web interface, program rollout

Gained a better understanding of the student perception of service within the context of RIT student culture

Little change in student attitudes towards illegal sharing => even amongst CTRAX users

23

Do Ctrax Users Still Use P2P?

0 1

Q22: Have you ever downloaded music using the Ctrax music service?

0

5

10

15

20

25

30

Co

un

t

Q16: How often do you use

peer-to-peer file sharing

applications to share music?

Never

Less than once per month

Once per month

Once per week

2-3 times per week

Once per day

More than once per day

Count

Non-Ctrax Users Ctrax Users

24

Part 3Higher Education

Leadership and Community Outreach

25

Introducing the Rochester Regional Cyber Safety Introducing the Rochester Regional Cyber Safety and Ethics Initiativeand Ethics Initiative

26

Organizing to Address Cyber Dangers

• Employers, school officials, teachers and parents are becoming more aware and concerned– Warnings of NCMEC and emerging research – Instances of student cyber abuse/harm– Concern and desire for action

27

Initiative Mission• Provide business/parent training plus K-12 and higher

education in cyber safety, security and ethics• Driven by need to:

– Research the problem to confirm K-12 dangers plus level of worker, parent and teacher competencies

– Implement appropriate instructional interventions– Evaluate implementation impacts on schools and

organizations, along with learning, knowledge retention and behavioral changes

• Enhance community awareness• Invite regional participation and expertise

– Demonstrate success– Build lasting partnerships

28

Challenges• Maintain commitments while managing involvement –

bridge business and education interests and needs• Learn while doing

– Cyber incidences are happening now but we do not understand how best to implement prevention strategies

– Likely to choose from available instructional materials • Manage perceptions and comparisons

– Help businesses reduce liability and increase productivity– Incidences/prevalence of offending/victimization– Student learning, knowledge retention, behavioral changes

• Inform impending legislation– Virginia already has K-12 Internet safety law– Other states likely to follow – educators/research can inform

this process

29

The Ultimate Goal

• Create, pilot test, implement and evaluate research-driven Internet safety, information security and cyber ethics training for students, parents, educators and the adult workforce regionally.

30

Part 3 Comments and Part 3 Comments and DiscussionDiscussion

Samuel C. McQuade Professional Studies Graduate Program CoordinatorCenter for Multidisciplinary StudiesRochester Institute of Technology (RIT)31 Lomb Memorial Drive, Bldg 1, Suite 2210Rochester, New York 14623-5603Phone (585) 475-5230Samuel.McQuade@rit.edu / scmcms@rit.edu

Dave Pecora Associate Director, Customer Support ServicesInformation and Technology ServicesRochester Institute of Technology (RIT)103 Lomb Memorial Drive, Bldg 7B, Suite 1040Rochester, New York 14623-5608Phone (585) 475-7646Dave.Pecora@rit.edu / dlpits@rit.edu

31