CoSN Conpendium on Cyber Security

Executive Summary

CoSN publishes an annual Compendium of white papers relating to education technology policy and practice. What follows is a summary of the Compendium paper on Cyber Security. CoSN members can get the full paper at no charge. To order a copy, please go to http://cosn.org/resources/compendium/index.cfm on the CoSN site.

Central to the Cyber Security project is the belief that technology is a necessary but insufficient part of the solution. The most important element of any security process is people – users, staff, policy-makers, and other stakeholders. No security system will succeed if its own users do not support it and don’t believe that the IT system as a whole is contributing enough value to their teaching and learning goals to justify maintaining its integrity by accepting the inconveniences required to follow secure practices. No security plan will be properly implemented if the IT staff doesn’t have the resources and skills needed to make it work. No system will be maintained over time if policy makers and stakeholders are not convinced that it is important enough to warrant their attention and absorb a portion of their limited funds.

The second most important aspect of a security program is policy. The best protection against security risks comes from having the best possible set of Standard Operating Procedures, which are shaped by the values and beliefs of the district and its community and given concreteness through the policies that impact IT administration. These start with data privacy policies, go on to operational policies concerning the frequency of back-ups and other day-to-day issues, and extend through the full gamut of Acceptable Use Policies governing user behavior including the question of who has the right to load what software on which machines. We need to always remember that the goal is increased student learning, and that while security is one of the preconditions, it is never an end in itself.

A Shared Responsibility

Cyber Security is more of a systems architectural issue than an individual responsibility issue. When it comes to automobiles, the driver is responsible for stopping at red lights. The industry is responsible for creating engines that don't explode. In terms of cyber space, we need to increase the education community’s awareness and improve general practice. Expecting millions of individuals to remember to do all the things that even rudimentary security currently requires is a useless strategy. Educators need to do their part in raising awareness and keeping our own house in order, but the government needs to work with industry in making a better overall architecture.

Technology provides the tools that allow IT professionals to implement the policies that serve the people’s efforts to meet their district’s educational goals. Without good tools, it is impossible to do the job. But the tools are simply the tools.

Furthermore, education is a special field of activity. Students learn through inquiry and exploration. Teachers often have to take advantage of unforeseen "teachable moments". Learning is often motivated by students' desire to deal with dramatic, meaningful, contemporary issues that require access to an incredibly broad variety of information and an enormous amount of communication among people all around the world. It is vital that K-12 leaders be concerned and careful in protecting their students’ safety and their system's security. It would be a disaster if they became paranoid and defensive. The last thing we need in schools is a "culture of security" that sees a terrorist hiding behind every electron. We cannot be stupid or unprotected; but neither can we over-react in ways that undermine our primary mission of encouraging student learning and growth. Instead, we must adopt straightforward security practices that recognize risks and deal with them proactively, providing our children with access to information and ensuring their freedom to learn.