Cyberbullying Information = Protection and Prevention

I think that the discussion about cyberbullying is undergoing a tremendous transformation.  The idea of cyberbullying was originally a campaign to identify the concept, but now it is almost solely focused on the prevention of bullying in any form.

I recently had a discussion with a group of middle school students about cyberbullying and they had some great questions about what it entailed.  They asked questions like: “Can I go to jail for cyberbullying?”  and “What is cyberbullying?”

I found through some research that there is an entire web site dedicated to the discovery and definition of cyberbullying called www.cyberbully.org.  The site is not served over a secure connection (HTTPS), but it does not ask for any identifying information, so the information is still useful.  The site has so much information that it would be impossible for me to list everything here.  However, some of the main topics include state legislation that has been passed, or is scheduled to be reviewed, in each state, which was a great way for me to answer the questions posed to me by these students.  The very nature of cyberbullying makes it a mandatory topic for discussion at school and at home.  I had to explain that calling a fellow student a jerk one time would not necessarily be cyberbullying, but to enlist others to jointly and consistently call this student a jerk (or comment on their looks, their clothing, etc.) would be considered a bullying incident according to their state law.  I recommended that they discuss this topic with a parent and/or trusted adult to ensure that they are not wandering into illegal activity.

I also went into other cybersecurity issues like not sharing passwords, passcodes, or user IDs with other students or other people (other than your parents of course).  Protecting the password helps to protect your information, which, if in the wrong hands, can cause a problem with identity protection and possibly lead to identity theft.  It also leaves you open to cyberbullying since an individual can make it seem as if a message is coming from YOUR account when in actuality it is THEIR message but they have access to your account!

When asked about cyberbullying, I told the students that ANYONE can be a cyberbully.  You do not need to be stronger, bigger, or smarter, just start a campaign to put the other person down.  By showing the other person in a “low light” it makes the bully feel stronger.  Protecting your information and ensuring you are aware of what cyberbullying entails can help to prevent you from becoming a victim.  I urged the students not to focus on the punishment, but to be aware of what they were doing online and stop any online action that could be taken as bullying.  I also gave them the cyberbully.org web site.  In my opinion, that site is one of the best I have seen.

One thing I did not tell them — if you are being bullied, block or defriend these individuals.  No reaction from you means that their messages are meaningless.

Talk to your children (texting does not count).

Learn, Offer, Value, Educate (LOVE)

What If We Taught People to Drive Like We Teach People to Use A Computer?

I want you to teach a person to drive a car using the following outline:

  1. Teach them where the accelerator is and how to use that
  2. Teach them where the brake is and how to use that
  3. Teach them where the mirrors are and how to use them
  4. Teach them how to turn on the car, how to turn off the car
  5. How to fill the car with gas and where to put it
  6. Where the light switch is and how to turn it on and off
  7. Where the radio switch is and how to operate that
  8. How to read the speedometer

I am sure that I skipped some steps, but you get the drift.  What you want to teach the potential driver is the “buttonology” of the car.  You fail to tell them about the dangers of driving, the rules of the road, how to be courteous and otherwise how to have consideration for others.  What is the probability this “driver” will have an accident the first day they are driving?  I am a statistician and I would take odds on this one!

Let’s segue to computers.  That’s right, computers!

How do we teach computers today? We teach buttonology, how to associate functions with pressing of the buttons.  Want email?  Do this combination of buttons.  Get an app, or get on the internet?  Push this series of buttons.

There are no classes on the rules of the road, the ethics of using a computer or the dangers associated with using a computer.  If that were compared to driving a car, basically what you are saying is that we should all go out to our car and cut the brake lines and then drive the car.  We may make it to our location, but chances are we will crash and burn.  The same is said for operating a computer without the guidance necessary in the area of cybersecurity.

Cybersecurity.  The very name raises images of dark figures hiding in the shadows, plotting the overthrow of a computer network.  Yes, the black hatted individual that spends their days planning to attack a network for a variety of reasons, whether they be money, fame, or maybe rationalization that the attack will right a wrong.  Ah, cybersecurity.  It is meant for people who are the target of the attacker, not for normal people like you and me.

Hmmm.  Then maybe none of us need driver training but the people who operate commercial vehicles, or maybe we can all get pilots’ licenses, after all only commercial airline pilots are meant to REALLY learn about flying a plane!

Maybe this is a little bit of hyperbole, but I have talked to a number of people who believe that computer training is one thing, cybersecurity is another.  Ladies and gentlemen, that is like saying that there are five unrelated fingers on your hand!  Every finger works as part of the whole hand.  The same can be said about computer training and cybersecurity training.  Did you know that your brand new computer comes configured so that ANYONE can have access to that computer from the internet?  A simple configuration change can eliminate that threat.  Did you know that you can be tracked through your cell phone; or that people can access your microphone and video camera from your phone?  Many people realize they can, but fail to correct that situation.  Do you have a passcode on your phone?  Do you have a privacy screen on your phone?  All of this is part of keeping yourself safe while using a device on which you know the location of the buttons.  Without good cybersecurity education, you are putting yourself at risk every time you get online.

The sad part of this whole situation is that our children are using devices at very young ages and do not understand the consequences of their use.  Would you put them in a car without education and let them drive to the store?  Of course not!  Why are we continuing to let our children learn functions without learning consideration of their actions?

I teach senior citizens cybersecurity and I wanted to get the word out so I contacted a local paper.  The editor responded that it sounded okay, but they just did an article on seniors learning computers and that it might take a while before something else was done on this subject.

Can you now see what I am discussing here in this article?  If we fail to protect ourselves, we are just placing more people “on the road” without seat-belts and brakes!  Worse than that, we are giving people the ability to get scammed because they “trust” the network they are on at any time.  We do not implement protections and thereby put our loved ones in harm’s way.  We do it inadvertently, but we do it nonetheless.

How can we start to turn around this spiraling of our computer users?  First, look toward the basic cybersecurity courses (there are plenty that are free on www.cybrary.it as well as other sites).  Yes, there are classes in hacking, but there are plenty that show defensive measures to keep yourself safe while using your computer, cell phone, or other technology.  If we fail to keep pace with safety and security, we are contributing to the increasing cyber crime.  After all, what better way to encourage cyber criminals than to place someone on the computer network that does not understand the protections necessary to be secure and safe.  If that is the case, take your teenager and give them the car before they get their license and let them drive it wherever they want.

If that be the case, one more fact before I let you go on with your internet surfing.  There are approximately 3.6 BILLION internet users according to http://www.internetlivestats.com/internet-users/ and there are “only” approximately 1 BILLION cars on the road according to http://www.huffingtonpost.ca/2011/08/23/car-population_n_934291.html.  From these numbers, which of the elements – computers or cars – present the most threat?  If I were a criminal, would I want to steal a car or steal a computer network (without you knowing)?  You decide.

That last part made you anxious – admit it.  Let’s all start to educate our users better and keep cyber crime at bay.  Otherwise, you need to get off the grid, because it is about to get ugly (or uglier)!

Learn, Offer, Value, Educate (LOVE)

“Silver Hats” founder

Should We Certify Students PRIOR to Them Using Their Tech in Schools?

We, as law-abiding citizens and adults, would NEVER allow people to drive on our roads without being tested and certified.  And we set age limits on obtaining a driver’s license.

Why is that?  Cars can kill, and drivers are (at this point) solely responsible for that vehicle.  If you injure or kill a pedestrian or have a collision, the world is turned upside down for a long time.  Trauma, disruption of lives, hurt feelings, legal ramifications, etc.  So we would naturally take the precautions to ensure that the drivers would understand the rules of the road along with having the skill to drive defensively, understand the environment around them, etc.

What is the difference between that and using social networking while in school (or for that matter anywhere)?  If students were required to take a course and a test prior to working their technology in the school, there would be no more excuses like “I didn’t know that post would cause this?!” and similar phrases.

What?! Compare the driving of a multi-ton piece of steel (or plastic) to a social networking post?!  What kind of comparison is that?!

Let’s take just one example.  A student posts a very unflattering post to their social networking page.  It trends and ends up destroying the fellow student.  You can call it cyber bullying, cyber libel, anything you want.  The other student at the crux of this post is not only mortified, but decides to either retaliate or else do self-harm.  Either way, we get back to hurt feelings, trauma, disruption of lives, legal ramifications, etc.  Sound familiar (see above)?  What about cybersecurity in all this?  What if I (Student A) decide that Student B is my friend?  Student B asks me for my password to my social networking site to “seal the deal” of friendship.  I, not wanting to ruin the friendship, give the password to Student B.  The next day, Student B tells Student C the password since Student C is Student B’s friend, but Student A’s enemy (my enemy).  Now I have someone that wants to do me harm having my password.  Bad news but something the certification course can address.

Ladies and gentlemen, we are trying to close the barn door after the horse is long gone.  We have programs to keep students safe, but they are sometimes disjointed and address problems in a non-mandatory form and format.  I remember the “anti-marijuana” movies when I was in middle school and high school and used to laugh at them (most of us did, openly).  Half of them were presented by known drug users, so what was the message here?

Give the courses as part of the beginning of every school year and make it stick.  Get the School Board involved and establish ground rules for using technology in the school (whether it is after class or on school grounds).  Establish a curriculum and make the student and parents sign a certification statement.  I am not sure if any school districts do this now, but it would do two things: (1) It would set the standards, and (2) It would serve as an ethics foundation for the future.  In other words, it would teach the would-be “black hat hackers” of the future some basic ethics that would help them in the future to understand their accountability in the world of cyber and cybersecurity.

There are those that will probably disagree with this post and that is fine.  Disagreement and refinement are part of what life is about.  If this helps just one child to be a better cyber citizen, then it is worth it.  My philosophy is L.O.V.E. (learn, offer, value, and educate).  I want to offer my ideas and learn in the process.

Are Insider Threats caused by Bad Management?

As a manager in a variety of workplace settings including the military, public service, private industry and academia, I know how management philosophy and application can affect the workforce for both good and bad.  Most bad managers are usually bullies, forcing their staff to perform unnecessary or repetitive work in order to exert control.  Most employees just take this abuse, or else look for employment elsewhere.  But what if these employees were not malicious, but just made human errors as a result of the work environment, where they were stressed and overworked?

I did some preliminary research on this subject and found a great article on Human Factors in Critical Infrastructure Security by Ayhan Gucuyener on LinkedIn (https://www.linkedin.com/pulse/human-factor-critical-infrastructure-security-insider-ayhan-gucuyener).  In this article, Ms Gucuyener gives some fantastic research data from several sources including Carnegie-Mellon University and the Department of Homeland Security on why individuals become an insider threat and what positions they have at the time they commit that threat.  The results are relatively predictable, with the majority of individuals stating that they commit the act out of financial gain, and the positions they possess are usually in the IT area of the company.  The recommendations that she gives are also very good, focusing on the Human Resources side of the company in the form of hiring practices and different security controls.

What does this have to do with the line management responsibility?  Everything!  I realize that Human Resources is the first line of defense when it comes to the insider threat, but the management is the consistent line of defense for employees once they enter the workforce.  I say that from decades of experience.  I know first hand what bad management can do to the workforce and how that workforce can strike back in ways that are both subtle and effective.  At several times in my management career I was a bad manager, expecting more than was reasonable and demanding results, no matter what the cost.  The way that my workforce struck back was relatively low tech – following instructions to the letter, ensuring my documentation on tasks was thrown back in my face in a very respectful manner, and just basic stalling using my words and tasking against me.  As a workforce member with a bad manager, I did the same thing.  In a highly bureaucratic organization, this is done more than you think, and is unpunished since the manager sets themselves up for the fall.  Of course, by expecting unreasonable goals, I also placed my staff in a stress mode, them wanting to satisfy my desires and spending more time in the office to do so, resulting in fatigue and more human error.  So, the conclusion is that you have insider threats already existing in the organization and now they have the technology to not only put a wrench in the works, they can do so with a machine’s ability to perform tasks in nanoseconds.

I was also in IT as a systems administrator and can tell you that systems administrators have the ability to place little bugs in the system that may not be found for months and in the meantime spread poison throughout the system.  Even when the mistake is not intentional, an IT systems administrator has great impact on the computer environment and as much impact on the security of that environment.  I see through some of my research that people do not always become an insider threat because they are being malicious.  A study completed by Carnegie-Mellon University for the Department of Homeland Security in 2013 called “Unintentional Insider Threats” (http://www.sei.cmu.edu/reports/13tn022.pdf) notes that there are instances when an insider threat is not done out of retribution but is unintentional because of fatigue, incidental use of drugs or hormones, along with other factors.  On page 42 of this report, one of the main recommendations for mitigation of these unintentional insider threats (or UIT as in the report) is focused on “human error.”

“Human error plays a significant role in UIT. Countermeasures and mitigations to decrease UIT incidents should include strategies for improving and maintaining productive work environments, healthy security cultures, and human factors for increased usability of security tools to decrease the likelihood of human errors that lead to UIT incidents.” (page 42 of the report).

Human error in this case is associated with work environments, of which the manager is the lead observer of the workforce in this environment.  I postulate that trust is a major factor between the workforce and manager, so if the trust is absent, so is the observation of the environment.  One real life example of this was when I was a manager of IT project managers.  Because of the trust that I kept with that workforce, my staff brought problems to me prior to those problems being disasters.  It also helped that I did not punish them for mistakes, which helped keep that trust relationship solid.  Human error is not something that we can eliminate, but it is something that we can control through good communication and trust relationships, all an essential part of good management.

More articles on this in the future.  A quick note to the managers out there:  read my book “L.O.V.E. is the Answer” available through http://www.lulu.com.  It gives you some basic essentials for how to treat your staff and make you a better manager and person.

Should We Teach Cybersecurity Ethics to Children?

I have done some preliminary research on teaching cybersecurity ethics and have found articles written by academia, federal government agencies, and private industry.  But I have yet to find one written about teaching cybersecurity ethics to children attending middle or high school.  In one article, by KQED news, there was a survey that showed that 91% of teachers felt that there should be instruction on on-line ethics but less than half believed their school was doing a good job of teaching those subjects (http://ww2.kqed.org/mindshift/2011/05/19/how-well-are-schools-teaching-cyber-safety-and-ethics/).  This is one concern that I share after teaching very briefly at the middle school level.  The facts and theories taught are not being associated with the ethical standards that surround them.  Teaching middle school and high school students basic programming does not address the idea of copyright laws and that, although copying modules of code to enhance your system is accepted, that does not make it correct.  The very idea of teaching students ethics is no more unorthodox than teaching them the rules of the road when taking drivers education.  I am positive that the drivers education instructor covers the proper way to park, the proper way to make a turn, signaling others, etc.  Although there is some foundation in the law, the reason that people do this is to be courteous to others, to give others consideration.  Is that not what ethics covers in the long run – consideration of others?  Why should being online be any different?

What types of subject matter should be taught when covering cybersecurity (or for that matter cyber) ethics?  The first, and most important, is to regard others’ information as private.  One would normally not break into a person’s home and steal anything, but somehow it is okay to break into their email and steal information, or to take a stolen password and steal a person’s bank account.  Teaching the student that this is not the right thing to do is the first step to getting them to think through the process.  What is happening now is what I call “enabling the bad.”  Basically, by TV shows and movies showing the glamour of hacking and stealing, we are endorsing the behaviors that we would not want our peers to possess.  By teaching the right/wrong aspects, we are no longer providing the plausible deniability that many hackers are using for their activities.  How many times have you heard that the hackers are “just equalizing the playing field” or “righting a wrong?”  It is this type of thinking that can at least be addressed with the ethics training.

The second part of the ethics training could be a series of simulations where the students interact in the scenario.  A few of these are included here:

  1. The student is confronted by another student that says they posted something bad about them on a social site.  The student has no knowledge of this but remembers giving someone else a password to his/her site.  How does the student address this problem?
  2. A student realizes that they copied code from another student which helped the first student to deploy an app that is making money.  The other student recognizes the app.  How would the student who copied the code address this problem?
  3. A student reads something bad about another student online that he knows is false.  What does the student do?
  4. A student is approached with the username and password of another student to use as he/she sees fit.  How would the student handle this situation?

Granted there are hundreds of scenarios, but these are important because young students do not think of strategy in terms of years but sometimes hours.  Unfortunately the decisions they make now based on what they think will happen in hours do not seem to pass the test of extended time past that hour.  Ethics training should take these situations head on and show the student that decisions made now for their strategic outlook may affect them for years.  That is a big task, but one that has to be taught, not assimilated by other people who think that technology usurps human interest.