Sowing the seeds of eSafety

Child using a laptop The amount of data that children are happy to post about themselves online is shocking because they are unaware of the risks. Andy Phippen, Steven Furnell and Ben Richardson look at what should be done in schools to improve the eSafety of children.  

Back in 2007 we presented some worrying findings from a dialogue with young people, suggesting a generation completely comfortable with using online services and social applications, but rather less informed when it came to using them safely.

From our findings at the time, it seemed that young people often had a patchy appreciation of the threats that they might encounter and, in some cases, a lack of concern about the possible repercussions of Internet abuse.

Such findings should obviously be a serious concern for IT professionals. If our young people are not developing effective internet awareness, and are not capable of protecting themselves against online threats, then we are potentially failing to provide the next generation of adults with the skills to engage with online services in a safe manner.

Our work investigating young people's attitudes toward online services is ongoing and this article presents some further evidence of the problem, as well as considering whether our educators are equipped to foster safe internet behaviour among their students.

A generation still at risk

Unfortunately, our experiences since the last article do not suggest any improvement in young people's e-safety awareness. For example, at the invitation of a local school, we carried out a social networking survey for some of their year 10s (15 year olds), based upon a class list that the school provided. The class list proved to be of little use; none of the young people used their full names on their social networking profiles. However, they were happy to tell strangers which school they attended, so this provided a useful route into the class.

Consequently, within two hours, using nothing more technically advanced than a Bebo profile, we collected all manner of information about this class, including many photographs that perhaps 15 year olds shouldn't post online for public consumption, a long list of likes and dislikes, several email addresses, and some fairly detailed personal information. For example, one girl provided the following as the opening paragraph on her Bebo profile. To protect the identity of the young girl, we have removed the specific details she provided on her profile.

'Heya my name is CENSORED, and i live in CENSORED i am single, and go to CENSORED (i am not a snob). i work in the CENSORED and i love animals.'

In this single profile, this girl had provided us with details such as her name, where she lives (it was a small village with a small population), which school she goes to, and where she works (a small village pub). In addition, she had posted a number of photographs identifying herself and her friends.

And while there was little evidence of effective online protection, some had seemed to adopt their own mechanisms for ensuring strangers do not collect information about them from their profile pages:

'First an important message: please no pervs, murderurs, rapists, racists and just plain wierdos off limits,no comments no lukin on my profile.fullstop....f off!'

It should be stressed that this was actually a school that viewed eSafety as important. The head of ICT at the school invested significant extra-curricular effort in raising awareness of online threats. However, this was done in addition to, rather than within, the regular curriculum.

Equipping young people with the right skills

At the end of our 2007 article we called for more to be done in educating young people about the risks of unsafe online behaviour as our investigations into current curriculum had shown little coverage of online safety.

In March 2008 Dr Tanya Byron produced an excellent independent view of eSafety and young people's online behaviour, 'Safer Children in a Digital World', which produced a high profile call to educators and policy makers to put eSafety on the agenda for young people and address it effectively.

Encouragingly, this review was picked up by both media and government and there have been commitment to implement the calls from the review in addressing the concerns of eSafety. Within the review, Dr Byron called for eSafety to be addressed at a whole school level, becoming a mainstream strategy that is delivered in each school's teaching, learning and support practices. At the very least, the review called for:

  • Adoption of Becta's self review framework to consider eSafety at a school level,
  • The implementation of an acceptable usage policy that is regularly reviewed with students and parents,
  • The effective implementation of filtering services from an accredited supplier.

The review also proposed that it was the school that was also responsible for education of eSafety within the wider community (i.e. parents and carers) to ensure continuity of care between school and home life.

In providing both a carrot and stick to encourage the integration of effective eSafety practice within schools, the review recommends the Ofsted inspections should consider such as part of the regular inspections carried out across all schools.

We find the Byron review an incredibly encouraging report that has the potential to change policy regarding eSafety in schools so that, in time, internet awareness and safe practice will be viewed as core parts of the school mission, rather than something that might be done on a piecemeal basis without the support of the local authority or central government.

However, we would question how effective this policy change will be without significant investment in education for the educators themselves. Anecdotal discussions with a number of teachers in our region have demonstrated an extremely disjointed perception of online threats and an awareness of their pupils' online behaviour.

It would seem that Marc Prensky's oft-quoted distinction between digital natives and digital immigrants is extremely apparent within our schools.

Teaching the teachers?

In order to investigate the anecdotal findings more fully, we decided to conduct a more formal examination of internet safety awareness among school teachers. After all, it would be upon the shoulders of teachers that the implementation of Byron’s vision for an eSafe future would reside.

We conducted a survey disseminated via local authority agents to teachers engaged in ICT teaching at either primary or secondary level. We acknowledged from the outset that this would almost certainly introduce bias into the survey - ICT teachers would, one might assume, have a higher level of internet awareness than teachers of other subjects.

However, we wanted to increase the potential of response by targeting ICT teachers who are, nominally, the ones viewed at being responsible for anything ICT related in a school.

The aim of this study was to investigate teachers' own internet awareness and their perceptions of school curricula and the responsibility of the education system to protect the current generation of young people. The survey elicited responses from 71 teachers, the majority of whom taught at secondary (11-16) level. Therefore, we decided to focus from a secondary perspective, as the primary responses we too low to be representative.
 
The start of the survey considered teachers' awareness of a variety of online threats and their confidence in protecting against them. The findings showed that while established threats such as viruses scored highly (with 85 per cent being fully confident to protect against them), more recent threats such as botnets and pharming were significantly less recognised, with far smaller proportions of the respondents (26 per cent and 27 per cent respectively) being confident in how to guard against them. Identity theft was also a cause for concern, with just over 50 per cent being confident in protection.

Nevertheless, even in cases where the threats were well-known, there were still notable proportions of ICT teachers who claimed to know of the problems but not how to protect themselves (e.g. 10 per cent said this for Trojans and 9 per cent for worms). Moreover, the fact that there was varying confidence over dealing with worms, viruses and Trojans, when in reality they would likely be relying upon the same technology safeguard, suggests that teachers' understanding of the threats was not well-defined.

As noted earlier, our aim was to try to gauge base knowledge prior to exploring issues around education, and while the majority of responses demonstrated some awareness of online threats, there was a clear lack of awareness of others which presented an interesting foundation for the rest of the survey.

In developing our line of questioning, we continued by examining coverage of security issues within curriculum at the teacher's schools. There were some encouraging results here in that mainstream issues such as viruses, safe internet practice, and identity theft were all covered in more than 60 per cent of respondent's teaching.

In addition, when questioned on practices for promoting awareness of the various threats, all of those who covered phishing used visual examples of fraudulent emails and fake websites to get the issue across. Respondents who dealt with safe online practices all shared similar views on what should not be disclosed when going online (addresses, telephone numbers, personal pictures, meeting up with strangers). 

The final section of the survey asked respondents for their views on internet security and teaching responsibilities.

The teachers were asked how security-focused they feel the current ICT curriculum is. The majority response here, in more than 60 per cent of cases, was that security and online protection were not adequately covered in the curriculum. In some cases, even though the curriculum does not demand it, teachers did develop materials themselves to help develop Internet awareness; 46 per cent of respondents said they worked outside the curriculum to achieve this:

'The Key Stage 3 curriculum does not have a dedicated unit about security, perhaps it should?'

'The National Curriculum and our exam spec (DiDA) do not require us to address these issues. We teach personal protection as part of our own take on duty of care, but we’re so pushed for time to cover everything else that if it is not required we don't do it'.

As a final point of interest, respondents were asked who should be responsible for developing internet awareness among young people. While the majority (70 per cent) believed that it was a school responsibility, a significant minority (25 per cent) believed it was a parental one. The latter is likely to present a challenge in many cases, with parents themselves having grown up before internet access was an issue at all and often having less knowledge

than their offspring. Clearly, we need to break this cycle, and if we can address awareness amongst the current generation of children, then parental knowledge will automatically improve amongst the next generation of adults.

Our findings present some encouraging news - there is some coverage on internet security issues in schools, and there are some teachers who admirably go beyond the call of duty in addressing security issues because they believe it is the right thing to do. However, the results also show, once again, a fragmented, inconsistent approach to the development of Internet awareness and protection among our young people.

Yet the blame for this fragmented view cannot be laid at the feet of teachers. To use Prensky's terminology, teachers are typically digital immigrants, coming from a generation where the internet was something new. Therefore, unless they come from one of the rare IT degree programmes where security and internet protection do enjoy wide coverage, even those who are IT graduates will most likely have developed their awareness in a similar manner to their pupils - via their peers, self education, and such like.

The Byron report calls for the government to make eSafety a priority for teachers' CPD and we would agree with this - indeed, we are in the process of working with local education partners to support the development of knowledge around eSafety.

However, the vision of Byron seems a long way off. If we are expecting schools to become the hub of eSafety knowledge within the community, our research suggests a significant amount of effort needs to be invested even before a baseline of internet awareness is prevalent in our schools.

We would suggest the sector as a whole has a part to play in this. While each local authority would normally have eSafety advisors, and each region has a grid for learning organisation, for example, in our own region, the South West Grid for Learning provides excellent for schools in the area of eSafety, which provides support for all manner of internet related practice, these individuals and groups have limited resource trying to protect against a growing, and ever changing problem.

This sector, from HEIs through IT suppliers to ISPs, have much to gain from informed, internet-aware young people, not least the future talent that will be the next generation of internet service developers and suppliers. If we are to move from the perception of an industry with somewhat dubious ethical practice, and a doubtful record for security and information leaks, then a good starting place would be an up-and-coming generation who are aware of the potential harm that ICTs can cause, and have consistent views on how to address these threats.

We have a responsibility to contribute to this education, rather than sitting back as saying it is the job of the school system. Our own experiences working with both local schools and the South West Grid for Learning, is that there is great potential for partnership, but there is still much to be done if we are to ensure consistent, in depth eSafety education on young people and the wider community.

Andy Phippen, Steven Furnell and Ben Richardson, Centre for Information Security & Network Research, University of Plymouth, Plymouth, United Kingdom.

cisnr@plymouth.ac.uk

November 2008

Blueprint for Cyber Security

Our vision is a world properly protected from cyber threat. This blueprint sets out how we can deliver that solution, starting in health and care.