I have done some preliminary research on teaching cybersecurity ethics and have found articles written by academia, federal government agencies, and private industry. But I have yet to find one written about teaching cybersecurity ethics to children attending middle or high school. In one article, by KQED news, there was a survey that showed that 91% of teachers felt that there should be instruction on on-line ethics but less than half believed their school was doing a good job of teaching those subjects (http://ww2.kqed.org/mindshift/2011/05/19/how-well-are-schools-teaching-cyber-safety-and-ethics/). This is one concern that I share after teaching very briefly at the middle school level. The facts and theories taught are not being associated with the ethical standards that surround them. Teaching middle school and high school students basic programming does not address the idea of copyright laws and that, although copying modules of code to enhance your system is accepted, that does not make it correct. The very idea of teaching students ethics is no more unorthodox than teaching them the rules of the road when taking drivers education. I am positive that the drivers education instructor covers the proper way to park, the proper way to make a turn, signaling others, etc. Although there is some foundation in the law, the fact that people do this is to be courteous to others, to give other consideration. Is that not what ethics covers in the long run – consideration of others? Why should being online be any different?
What types of subject matter should be taught when covering cybersecurity (or for that matter cyber) ethics? The first, and most important, is to regard others information as private. One would normally not break into a person’s home and steal anything, but somehow it is okay to break into their email and steal information, or to take a stolen password and steal a person’s bank account. Teaching the student that this is not the right thing to do is the first step to getting them to think through the process. What is happening now is what I call “enabling the bad.” Basically, by TV shows and movies showing the glamour of hacking and stealing, we are endorsing the behaviors that we would not want our peers to possess. By teaching the right/wrong aspects, we are no longer providing the plausible deniability that many hackers are using for their activities. How many times have you heard that the hackers are “just equalizing the playing field” or “righting a wrong?” It is this type of thinking that can at least be addressed with the ethics training.
The second part of the ethics training could be a series of simulations where the students interact in the scenario. A few of these are included here:
- The student is confronted by another student that says they posted something bad about them on social site. The student has no knowledge of this but remembers giving someone else a password to his/her site. How does the student address this problem?
- A student realizes that they copied code from another student which helped the first student to deploy an app that is making money. The other student recognizes the app. How would the student who copied the code address this problem?
- A student reads something bad about another student online that he knows is false. What does the student do?
- A student is approached with the username and password of another student to use as he/she sees fit. How would the student handle this situation?
Granted there are hundreds of scenarios, but these are important because young students do not think of strategy in terms of years but sometimes hours. Unfortunately the decision they make now based on what they think will happen in hours do not seem to pass the test of extended time past that hour. Ethics training should take this situations head on and show the student that decisions made now for their strategic outlook may affect them for years. That is a big task, but one that has to be taught, not assimilated by other people who think that technology usurps human interest.