The ethical problems of teaching information systems security at undergraduate level

Dave Chadwick, Phil Clipsham, G. Windall and A. Stanley


With the growing usage of the internet for commerce and the expanding use of computers of all kinds in organisations in all countries, I.T professionals globally are becoming aware that maintaining the security of data and information systems is of paramount importance. The teaching of security issues at an early stage in the careers of I.T professionals is, therefore, presumably to be desired. However, much research on ethics amongst computing professionals has concluded that younger people are more inclined to have a differing set of ethical principles to those who are older. The young are more inclined to take risks, more inclined to occasionally ignore the law and to sometimes act for the benefit of their own careers rather than for the benefit of their client or employer. This becomes an issue at undergraduate level where studies particularly concern computer and information security. The research described in this paper concentrates on the particular ethical problems which have arisen during the four years of teaching Information Systems Security as a specific unit in undergraduate computing studies at the University of Greenwich.

The research looks into the central questions of how ethical behaviour and awareness develop amongst students and to what extent such behaviour is influenced by a student: forming his/her own code of ethical conduct in isolation, being given knowledge of how unethical acts could be perpetrated without detection, being told how unethical acts could be punished by society, or being taught a code of conduct derived from professional bodies in the I.T industry.

The first question was approached by researching how students would react when personally confronted with a number of situations where ethical decisions were required. This further investigated how, if at all, students formed their own ethical standards based upon their own principles and possibly derived from their unique student viewpoint.

The second question involved the problem of the choice of topics that should be included as content of a taught unit on Information Systems Security. For instance: if students are taught how hacking and fraud incidents are perpetrated then is there not a possibility that they may do likewise? However, if they are not taught these things at all then is there not a danger that their usefulness as security professionals may be compromised? How much of what should be taught before behaviour is influenced?

To answer the third question, research was undertaken to determine whether, in order to promote behaviour that was ethically acceptable to society, it was sufficient to teach students solely about the legal penalties for acting unethically. This approach also begged the question of whether changing outward behaviour also changed thoughts and attitudes.

In answer to the last question, research was undertaken to determine whether the teaching of a set of ethics drawn from accepted codes of professional conduct had any effect on a student's ethical stance.

This research at the University of Greenwich has attempted to answer these four very pertinent questions regarding the education of future I.T professionals. In many ways, the findings of this research are pertinent to how the teaching of computer security issues to young people is to be conducted.