An ACM Publication

Security in e-learning

By Edgar R. Weippl / March 2005


Even though e-learning has much in common with in-class teaching, there is one fundamental difference in how the process is often organized. In-class teaching has evolved over many years and the task of teaching is a routine job for faculty. Clearly, lectures are periodically updated and revised and new topics are added but the underlying process is still routine.

In contrast, e-learning is often introduced as a project. A project has a clearly defined schedule, goals that need to be met and, in most cases, a limited budget. As every project is exposed to some risks, risk management is an essential task in project management.

Some years ago most e-learning projects were research projects and proofs-of-concept that focused on various aspects such as integrating multimedia components, synchronous communication or content management. In order to explore the feasibility of these aspects, security was not relevant. Today, however, e-learning systems are production systems used by many people. Therefore security becomes a fundamental requirement. As e-learning increases in popularity and reach, the need to understand security will also increase.

According to Lisa Neal (2004), using electronic systems in an area also entails additional security and privacy issues. For instance, wireless transponders used for toll collection on roads may endanger the drivers' privacy by creating electronic traces of their routes. Similarly, participation rates and reaction times of students are recorded by e-learning systems.

In many cases security is considered a technology that increases the complexity of processes and makes everyone's life harder. However, one has to take into account that people only use a system if they trust it. Thus security is an enabling technology.

In brief, security in e-learning is relevant because:

  1. E-Learning systems are introduced as projects and all projects have security risks
  2. E-Learning systems are no longer research prototypes but production systems that need to be secured
  3. All new electronic systems add new threats
  4. Trust in an electronic system is a prerequisite for user acceptance

Generic Requirements

There are four basic security requirements to which all real-world (composite) requirements can be traced:

Secrecy: Users may obtain access only to those objects for which they have received authorization. They are not granted access to information they must not see.

Integrity: Only authorized users or processes are permitted to modify data (or programs).

Availability: Availability is a requirement that is often neglected when thinking about security. However, productivity of users decreases dramatically if network-based applications are not available or too slow because of denial-of-service attacks. If, for example, a web-based e-learning system is slow, users do not only require more time to do their work, but they also become frustrated, increasing the negative effect on productivity.

Non-Repudiation: Users are unable to (plausibly) deny having carried out operations. For instance, whenever grades of students are changed, it must be possible to reliably trace who has performed the modification.

Security Risk Analysis

As previously mentioned, a risk analysis needs to be part of each project. It will cover all risks that are relevant to a project, including non-security risks. Typical non-security risks are uncertainties concerning the budget or personnel planning. To systematically analyze security risks, it is essential that a security risk analysis is performed.

Information is a central asset for universities without which faculty could neither teach nor conduct research. Nonetheless, budget and time constraints impose a limit on security-related expenditures. To wisely use the resources on security measures, it is necessary to estimate the value of the assets accurately.

Even though there are many different ways of conducting a security risk analysis, the following five steps are common to most approaches:

  1. Identification of assets
  2. Estimation or calculation of threats and risks
  3. Setting priorities
  4. Implementation of controls and counter measures
  5. Monitoring of risks and of the effectiveness of counter measures

The first step is to identify what might be worth protecting. In this step it is not necessary to consider whether the asset is really valuable enough to protect. The goal is to simply create a list of all assets.

In the second step we identify the threats and risks that are related to the assets. For instance, fire is a threat to the asset "computing hardware." Once threats are identified, one tries to estimate the probability that a threat will turn into a real problem and the damage that it will cause. For small projects it will be too tedious to calculate precise figures, so a qualitative approach is typical: for example, the risk of fire might be 1 on a scale of 1-10 (i.e., small) and the damage to the servers could be 8 out of 10 (i.e., high).

Once all the probabilities and damages have been estimated, the third step is to set the priorities. Simply multiplying the values gives an impression of their relative importance. In the penultimate step, risk controls are implemented. The final step is to evaluate whether these controls really work and to record incurred costs in order to improve future estimates.
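Steps 1 to 4 applied to a small risk register, as an added example that is not part of the original article. Only the fire estimate (probability 1, damage 8) comes from the text; the other rows, the control names, the cost units and the budget are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str         # step 1: something worth protecting
    threat: str        # step 2: what could happen to it
    likelihood: int    # qualitative estimate, 1 (low) to 10 (high)
    damage: int        # qualitative estimate, 1 (low) to 10 (high)
    control: str       # candidate countermeasure (constructed)
    cost: int          # cost of the control in budget units (constructed)

    def __post_init__(self):
        for name in ("likelihood", "damage"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be on the 1-10 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.damage

def prioritize(register):
    """Step 3: highest likelihood x damage first; ties go to higher damage."""
    return sorted(register, key=lambda r: (r.score, r.damage), reverse=True)

def plan_controls(register, budget):
    """Step 4: fund controls in priority order; one that no longer fits is deferred."""
    funded, deferred = [], []
    for risk in prioritize(register):
        if risk.cost <= budget:
            budget -= risk.cost
            funded.append(risk)
        else:
            deferred.append(risk)
    return funded, deferred

# Constructed sample register; only the fire row's 1 and 8 come from the article.
REGISTER = [
    Risk("computing hardware", "fire", 1, 8, "off-site backups", 3),
    Risk("exam system", "denial of service during an exam", 3, 9, "test center", 5),
    Risk("course content", "unauthorized modification", 4, 6, "access control on all layers", 2),
    Risk("discussion archive", "posts kept after the course", 6, 5, "retention policy", 1),
]

if __name__ == "__main__":
    funded, deferred = plan_controls(REGISTER, budget=8)
    for r in funded:
        print(f"fund   {r.score:>3}  {r.asset}: {r.control}")
    for r in deferred:
        print(f"defer  {r.score:>3}  {r.asset}: {r.control}")
```

For step 5, update the likelihood, damage and cost values with what was actually observed and run the ranking again.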

Typical Requirements for E-Learning

It is important to know the requirements of and the threats to e-learning projects so that they can be addressed in a security risk analysis.

Unauthorized Use of Digital Content: There are basically two different groups of people who might use digital content in ways not intended by the author: (1) People with legitimate access (2) People who access the content without authorization.

Users who have legitimate access to the content may copy or modify it without permission and hand it to friends or make it available on the Internet. Addressing this threat is very difficult. The music industry has been struggling for years to fight the spread of MP3 files. One approach, which currently still does not work well, is the use of systems that enforce digital rights management. Another option is to distribute the content only in formats that make illegal reuse more difficult: for instance, PDF files cannot be modified easily compared to PowerPoint.

It is much easier to prevent people without authorization from accessing content. Almost all e-learning systems provide mechanisms of access control that limit access to content. Nonetheless, even if the e-learning system prevents unauthorized use, underlying layers such as the operating system or the database system on which the e-learning system is installed may allow unauthorized users to gain access. It is therefore necessary to ensure that access control is enforced on all layers. This also includes physical access to the servers.

Trust: In the context of learning, trust is essential. Since undergraduate students tend to trust all sources of information and accept whatever they read as true (Graham 2003), the integrity of content, including the author's identity, is of paramount importance.

The essential security requirements in this context are that students must be able to rely on the accuracy of the content and they want to read unobserved. It is therefore relevant to protect the content of an e-learning platform against unauthorized modifications (Weippl 2004).

Students also need to confide in both the e-learning system and the other participants in order to openly contribute to discussions. Particularly in arts subjects and the social sciences, discussions are an essential component of courses. Newsgroups for asynchronous discussions are very important to keep participants involved in e-learning. However, all contributions are stored electronically and may be retrieved a long time after the course. For example, considering anti-terrorism legislation in many countries, foreign students might not openly discuss their views.

Students legitimately have concerns that their contributions to a discussion might be stored and quotations might be published out of context. The implementation of security mechanisms and a policy that clearly states what will be stored for how long can reduce this risk for students. A good approach is to openly state how long a discussion will be archived (including backups) and which measures will be taken to delete the content. In some cases, synchronous discussions such as chats that are not stored or the use of pseudonyms can be helpful to ensure free discussions.

Exams: When the term "security" is mentioned in the context of e-learning, everyone thinks of exams. Clearly, security considerations are extremely relevant to exams because the stakes involved are high. Students have a lot to gain from cheating and their drive to sabotage the system might be much larger than in e-learning systems which they use to learn.

All exams start by checking students' identities, a process referred to as authentication. In this special context the users (i.e., students) might collaborate with other people who help them cheat. They will happily pass on their password or ID card, or insert their finger into a fingerprint device, and then let their friend answer the exam for them. This is the major difference from other application scenarios, where the user usually does not collaborate with the "bad guys" (e.g., theft of ATM cards). Therefore establishing the true identity of a student cannot work without physical contact between the student and a trusted person (or the teacher herself). This can be achieved by using test centers.

Additional security requirements include availability of the examination system and non-repudiation of assessments. Denial-of-service attacks by students during exams are often not seen as a major issue, perhaps because they rarely ever happened in the past. However, if a student realizes that she will fail the exam she might try to crash the whole system in order not to be graded.

Organization: Security is not so much a technical issue but mainly an organizational one. By using simple procedures that everyone understands and that impose little additional effort, the compliance of users can be significantly increased. Non-compliance is the greatest security risk, and it is likely to occur if complicated security concepts are enforced. For instance, implementing a public-key infrastructure in a small college will not be worth the effort in many cases. If the security requirement is that the registrar's office should only accept grades submitted by authorized faculty and that it should not be possible to modify the grades while they are being sent, there are other ways to achieve this. Simply confirming each email via telephone might be the most efficient and also secure way to do it. If, however, the institution is not an 800-student college but a 30000-student university, the "telephone-based approach" would not be a good idea.

Additional Information

The Security in E-Learning website contains a tutorial on security in e-learning that offers additional information to interested readers.

References

1. Graham, L., Metaxas, P.T. (2003). Of Course It's True; I Saw it on the Internet!: Critical Thinking in the Internet Era, Communications of the ACM, 46(5), pp. 70-75.

2. Neal, L. (2004). Expectations of Privacy, eLearn Magazine.

3. Weippl, E. (2004). Improving Security in Mobile E-Learning, Proceedings of EDMEDIA 2004, pp. 2034-2039, Lugano, Switzerland, June 2004. AACE.


