Decision Sciences Institute

In the Classroom

Computer Security: What Students Don't Know Could Hurt You

by Roderick B. Posey, University of Southern Mississippi; and Guy Posey, Alabama A&M University

According to the nonprofit Identity Theft Resource Center, loss or theft of Social Security numbers, credit card numbers, and other personal data reached an all-time high in 2008 with 79 million personal records compromised. That's almost a 400 percent increase over the nearly 20 million from the previous year. This trend is expected to continue into 2011 even though the overall amount companies are spending on security has increased. Computer and data security continue to be important for both small and large companies because companies must handle ever-increasing volumes of confidential data. In the current age of identity theft and online access, knowledge of someone's Social Security number and birth date is sufficient for a thief to do extensive damage.

Alarmingly, the Identity Theft Resource Center and another watchdog group, Attrition.org, found that employees' mishandling of sensitive data may contribute significantly to these rising numbers. "A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," said Linda Foley, founder of the Identity Theft Resource Center. "This is human error, and something that's completely avoidable."

As professors of Accounting and Management Information Systems, we believe that computer security is not only important for Accounting and MIS majors, but for all business majors. All individuals who will handle sensitive data need to understand and follow computer safeguards.

We have investigated the computer behavior of business students and understand how their behavior makes these users (and the businesses that will employ them) more vulnerable to theft of personal and client information.

Phishing, Pharming, and Other Internet Frauds
Theft of information is one of the fastest growing types of consumer fraud. The Federal Trade Commission (FTC) has estimated that, during 2009, over 10 million Americans discovered they were the victims of identity theft, with a total cost to businesses and consumers of over $50 billion. Of special concern, making up 43 percent of all fraud in 2009, was unauthorized access to checking accounts and credit cards. A 2009 study by the Privacy Rights Clearinghouse indicates that unauthorized access to checking accounts and credit cards is the fastest growing form of identity theft. Another study by the Federal Deposit Insurance Corporation estimates that over two million U.S. adults have fallen victim to this fraud. Also, the average fraud amount per case has increased from about $5,250 to almost $6,400. However, it is a lesser known fact that the vast majority of identity fraud victims (68 percent) incur no out-of-pocket expenses. It is businesses that shoulder over 93 percent of identity fraud losses. According to a 2008 study by the Better Business Bureau, the average out-of-pocket cost to individuals in identity fraud cases is only $422, leaving the remaining $5,978 for a business to absorb and pass along to customers. By law, credit card companies may hold cardholders responsible for only $50. Also, many banks routinely reimburse customers for the full amount of any losses incurred if reported in a timely manner.

As scam artists become more sophisticated, so do their methods of tricking users into revealing their information. For example, e-mail messages, pop-up windows, and fake websites often include material taken directly from legitimate websites, such as logos, graphics, presentation format, and other identifying information. The more authentic-looking the fake website or e-mail, the more likely users are to believe they are on a legitimate site. Many accounts regularly receive spam messages similar to the one below.

[Figure: sample spam letter]

Attackers use pop-up windows that offer great bargains or free software, report fake security alerts, or announce that the user has won a prize. If the user clicks on the included link, he or she is taken to a website that attempts to entice the user to provide personal information. In addition, the website may automatically (without the user's knowledge) download spyware to the user's computer. The attacker can then use this spyware to steal personal information from the user.

Pop-up advertisements began as an inexpensive means of online advertising by legitimate businesses. Hackers use pop-ups as another method of getting the user's attention. Because of the increasing resistance of some users to pop-ups, some legitimate businesses have ceased using them, according to a report by Nielsen/NetRatings. However, because of their low cost, analysts predict the continued use of pop-ups. As long as pop-ups continue to be used by legitimate businesses, hackers will use them as a means to gain access to users' personal information.

Phishing is a type of deception designed to steal valuable personal data, such as Social Security numbers, birth dates, credit card numbers, passwords, account data, etc. Con artists send millions of fraudulent e-mail messages that appear to come from trusted websites, such as banks or credit card companies, and ask users to provide personal information to update their account or invite them to log in to take advantage of a special offer. According to the Anti-Phishing Working Group (APWG), since the average phishing site is only active for four to five days, the message is always urgent and often reports that some type of security breach has occurred. Con artists try to get computer users to act quickly. They use e-mail subjects such as "Verify your account!" and "If you don't respond within 48 hours, your account will be closed." A phishing e-mail might even claim that your response is required because your account may have been compromised. Another form of identity theft occurs when e-mail accounts are hijacked or forged. E-mail spoofing occurs when a user receives e-mail that appears to have originated from one source when it actually was sent from another. It is an attempt to trick the recipient into believing the e-mail is from a reputable source.

The chart below from the Anti-Phishing Working Group shows the continued problem with phishing sites. The number of phishing reports submitted to APWG reached an all-time high in August 2009 of 40,621. There was a decrease in the number of new sites reported in the fourth quarter of 2009, but the total numbers remained high.

[Chart: phishing reports submitted to APWG, 2009]

In pharming, hackers redirect Internet traffic from a legitimate site to a fake look-alike site. Again, the goal is to trick the user into supplying personal information that can be used to perpetrate identity theft. Pharming is more dangerous than phishing because the user does not have to do anything wrong or be careless to become a victim.

We studied user account information to determine the general exposure people might have if they were to fall prey to a single incident of fraud, perpetrated by phishing, pop-ups, or other methods. For future MIS technologists, CPAs, managers, and business professionals, the potential damage from the compromise of an account goes beyond identity theft for an individual. If attackers are able to gain access to a system using a legitimate account, they may gain access to client and firm restricted information without being detected.

We surveyed 595 students (freshmen to seniors) from four different universities, including 363 business majors. We compared the habits of the business majors to those from the general university student population. Our key findings are:

  • Business students on average had more online accounts than non-business students. Business majors had an average of about 8 (7.61) user accounts while non-business majors had slightly over 6 (6.05). The additional accounts increase their vulnerability because increased exposure means increased risk. Business majors wrote down or stored their account user names 57 percent of the time. In addition, 88 percent of the business majors and 85 percent of other respondents never use encryption software to aid in the storage of account information. Hence, most of the business majors are writing their account information down but are not keeping that information in any encrypted format. Not recognizing the importance of encryption is particularly dangerous for business practitioners who may store sensitive information on a laptop computer that might not have all the security features of a computer maintained by the firm's network administrator. When students become practicing accountants, MIS technologists, salespersons, managers, etc., they will continue to have multiple online accounts, but the accounts will be both business and personal.
  • The more online accounts a student had, the more likely he or she was to use one preferred user name and password. For business majors, 88 percent report using the same user ID at least sometimes or whenever possible. Overall, it seems that respondents have reached the point where memorizing different user IDs is not practical. This finding is significant since, if a user's password is compromised for one account, it increases the likelihood that the scammer will be able to use this information to compromise other accounts. Also, since the same user name and password are used on many accounts, there are more opportunities for the scammer to gain access to that particular name and password. Students who use one preferred username and password for personal accounts may be more likely to continue the practice for business accounts when possible. This means client and firm data are placed at increased risk of compromise.
  • Over 70 percent of our participants never changed passwords or only changed them when required by the website. Many sites recommend that users frequently change their password, but they do not require them to make the change. Changing passwords frequently reduces the time that an attacker can access a compromised account. It can be assumed that the habit of never changing account passwords unless required does not apply only to online accounts. These same students would likely retain business account passwords unless required to change them. If firm computers have Internet access, then the potential exists that a hacker can access these computers through the Internet. Thus the majority of business students are acquiring habits now that will increase the risk of compromised data for their future employers.
  • Business students were more likely than other students to have had some security training. However, the training did not adequately prepare them for the risks of a multiple-account environment.
  • Eighteen percent of business majors reported they had gained unauthorized access to another user's account, while 15 percent of non-business respondents had done so.

Conclusions
Because of the multi-account environment business college students now find themselves in, they are developing habits that might make them more susceptible to computer fraud. With the increase in number of accounts, business students tend to use the same user name and password on multiple accounts. Those who have had computer training have been taught not to write passwords down. This training has likely encouraged the use of a few favorite passwords. Because computer users now have many accounts, it would be better to record the passwords in an encrypted manner than repeatedly use the same user name and password. Since new business professionals will often be in charge of confidential data, they will need additional training to handle this data securely.

What should business professors of all majors do now to help our students learn the importance of computer security?

  • Point out areas where your students will be expected to handle confidential data in the future. For example, future accountants will handle income and tax return information; future MIS managers will control access to confidential databases; future salespersons will handle private customer data; future managers will handle sensitive company and employee data, etc.
  • Emphasize that different user IDs and/or passwords should be used on different accounts.
  • Let students know that encryption software is available which can be used to store account information for their multiple accounts. Stored user names and passwords should be safeguarded using strong encryption methods.

The next generation of business graduates will come to work with extensive knowledge of computers, computer software, and the Internet. They also might come with some insecure computer habits.

References
2009 Identity Theft Statistics. (2010). Javelin Strategy & Research Center. http://spendonlife.com

Anti-Phishing Working Group. (2009). Phishing activity trends report, 4th Quarter 2009. www.antiphishing.org

Better Business Bureau. (2008). New research shows identity fraud growth is contained and consumers have more control than they think. www.bbbonline.org

Dhamija, Rachna, Tygar, J. D., & Hearst, Marti. (2006). Why phishing works. CHI 2006.

MessageLabs. (2006). 2006: The year spam raised its game and threats got personal. 2006 Annual Report. www.messagelabs.com

National Public Radio Morning Edition. (2007). Lost, stolen personal data quadruples. www.npr.org


Roderick B. Posey has served as director of the School of Accountancy and Information Systems, associate dean, and acting dean of the College of Business at the University of Southern Mississippi, as well as Jerold J. Morgan Professor of Accounting. He received his bachelor's and master's degrees from the University of Southern Mississippi and his PhD in accounting from Oklahoma State University. He has over 100 publications on various accounting topics and is a recipient of the Elijah Watts Sells Award for Honorary Distinction (top 1 percent nationally) for his results on the CPA Exam. He is a College of Business Outstanding Faculty Member Award winner and a recipient of the Mississippi Society of CPAs Educator of the Year.

roderick.posey@usm.edu

Guy Posey is an assistant professor in the Department of Management & Marketing at Alabama A&M University, where he has been a faculty member since 2001. Posey completed his Ph.D. at the University of North Texas, his master's at Jackson State University, and his undergraduate studies at the University of Southern Mississippi. His research interests lie in the areas of computer security and network management with a focus on small organizations. Posey served as the proceedings editor of the 2010 SWDSI annual meeting.

guy.posey@aamu.edu

Decision Line, March 2011, Vol. 42, Issue 2
