acm-header
Sign In

Communications of the ACM

Communications of the ACM

Piracy, Computer Crime, and IS Misuse at the -niversity


"Professor, can you help me? I installed software on my computer from my friend's CD and it doesn't work anymore. My friend is gone and I don't have the original CD. What should I do?"

Does this statement sound familiar? If so, you are not alone. Many students openly admit to illegally installing software on home computers or otherwise misusing computer information systems. Other studies have examined characteristics of students (and non-students) who admit to committing information systems misuse, piracy, and computer crime. We used a survey to examine demographic characteristics of students as well as their awareness of university computer usage policies.

Thirty-four percent (34%) of students responding to this survey admit to committing some form of software misuse or piracy and 22% admit to committing data misuse during their lifetimes. Knowing that students commit information systems misuse is not new [10]. However, today's students are tomorrow's professionals. As such, an understanding of the demographic factors common to those students who commit misuse could help both university information systems departments and organizations better protect their information systems.

An amazing number of students in this study report committing some form of information systems misuse or computer crime. As mentioned, 34% and 22% of respondents admit committing software misuse and data misuse during their lifetimes, respectively. Software misuse in this study means destroying or copying software, using copied software, or distributing copied software without permission. Data misuse means accessing, modifying, or copying data stored on a computerized information system without authorization. Behaviors characteristic of misuse were located in the literature and condensed into these two areas. This study examines these responses by years of experience with computers, academic classification (underclassmen, upperclassmen), major, gender, and age.

Familiarity with computers. As expected, students who are more familiar with computers report committing more misuse. Upperclassmen, students with more experience, and students in computer-related majors all report committing more misuse than others. An interesting trend appears (Table 1) when broken down by academic classification. Underclassmen (freshmen and sophomores) report the least amount of software misuse (18%), while upperclassmen (juniors and seniors) report notably larger amounts (37%). Overall, 34% of respondents report software misuse; 7% report 10 or more occurrences. A similar pattern also is observed for data misuse, although fewer incidents of misuse are reported (underclassmen, 12%; upperclassmen, 25%). Overall, 22% of respondents report data misuse; 3% report 10 or more occurrences.

Further, of greater concern, individuals who indicate reading the computer usage policies also report more software misuse and data misuse. For example, of underclassmen who read the computer usage policies, 39% committed software misuse and 8% admit 10 or more occurrences. Of underclassmen who had not read the policies, 15% committed software misuse and 2% report this level of misuse. This unexpected and troubling result can be observed for both software misuse and data misuse in most academic classifications.

Years of experience with computers also are thought to influence misuse [10]. As seen in Table 2, respondents with greater experience report greater numbers of misuse. For example, all individuals with less than one year experience indicate no software misuse during their lifetimes, whereas 41% of individuals with more than 14 years experience make the same claim. Also, 78% of individuals with less than one year experience indicate never engaging in data misuse. This percentage drops to 61% for individuals with more than 14 years experience.


Upperclassmen, students with more experience, and students in computer-related majors all report committing more misuse than others.


Misuse by major is presented in Table 3. As one might expect, computer information systems (CIS) majors report the most software misuse with 24% of CIS majors performing 10 or more instances within their lifetimes. This percentage does not exceed 8% for another major. Examining the percentages of individuals who report no misuse presents a similar view. Forty-nine percent of CIS majors indicate they never committed software misuse, while 57% of arts and science majors and 71% of business and economics majors make the same claim. Further, 73% of CIS majors, 78% of business and economics majors, and 83% of arts and sciences majors deny ever committing data misuse.

Gender and age. Other factors examined by this research include gender and age. As anticipated, males commit more misuse than females, while individuals in their twenties and thirties commit more misuse than other age groups. Gender often is associated with increased misuse [10]. Fifty-five percent of males and 76% of females report no instances of software misuse, and 13% of males and only 2% of females report committing 10 or more software misuses. Further, 69% of males and 86% of females never committed data misuse, while 6% of males and less than 1% of females report committing 10 or more data misuses. However, the aforementioned percentages change dramatically when broken down by familiarity with computer usage policies. For example, of respondents who read the policies, the percentage committing 10 or more software misuses increases to 18% of males and 5% of females. Whereas, of those who do not read the policies, only 10% of males and 2% of females report this much software misuse. And, of those who read the policies, the percentage committing 10 or more data misuses increases to 7% of males and 2% of females. Of respondents who do not read the policies, these percentages are 5% of males and less than 1% of females.

The final demographic factor examined in this study is age. Thirty-five percent of respondents under 40 and 39% of respondents 40 and older report committing software misuse during their lifetimes, while 22% of respondents under 40 and 17% of respondents 40 and older report committing data misuse. However, the highest frequency of misuse occurs within the younger groups. Nine percent of respondents under 20 and 8% aged 21 to 29 report committing 10 or more lifetime software misuses, as compared to 4% each of respondents 30 to 39 and 40 and older. (Of the 509 usable responses to this question, only 23 respondents are 40 and older.) For data misuse, 3%, 3%, 2%, and 9% of respondents less than 20, 21 to 29, 30 to 39, and 40 and older, respectively, report 10 or more instances. However, these results must be interpreted with caution as this survey was administered to college students, and thus is biased toward younger respondents.

Back to Top

A Widespread Problem

Other studies have evaluated the prevalence of information systems misuse and computer crime by university students. A recent study notes 40% of students surveyed at two universities admitted to committing software piracy [3]. Further, none of these students were worried about punishment for their actions [3]. In a survey of 581 students at a southern university, 41% "knowingly used, made, or gave to another person a `pirated' copy of commercially sold computer software" at some time in the past, while 34% did so during the past year [10]. Further, 18% "accessed another's computer account or files without his or her knowledge or permission just to look at the information or files," while 7% "added, deleted, changed, or printed" information from another's files without permission. Finally, 21% guessed passwords in attempting to access another student's accounts or files. In another study, 10% of respondents committed software misuse during the prior semester [5]. These misuse figures are very close to those generated within the present research, which indicate 34% of respondents committed software misuse during their lifetimes, while 22% committed data misuse sometime during their lifetimes.

The demographic results of the present study are also very similar to the results of past research. For example, males over 22 years old, enrolled as seniors or graduate students, were most likely to report committing misuse [5]. Further, misuse was especially common among majors dealing with forestry, engineering, business, liberal arts, and the sciences [5]; and misuse was more prevalent among computer science and engineering students, especially those in upper-level classes [3]. As previously noted, this research suggests males commit more misuse than females, as do students majoring in CIS.

Although the three universities discussed within this article publicly post computer usage policies (two of the universities insist students read these policies before email accounts are activated), only 24% of the respondents report having actually read the computer usage policies. Of these, 62% indicate reading the policies more than one year before the survey. Also, respondents who indicate reading the policies report higher levels of misuse.

These findings present an interesting challenge to universities: should additional resources be expended to familiarize all students with the university computer usage policies? The majority of students are unfamiliar with the university computer usage policies; however, students who are familiar with the policies report committing more misuse. Although an explanation of this unexpected result is beyond the scope of the current research, some possible explanations can be identified. For example, students who commit misuse could be more interested in reading the university computer usage policies than students not committing misuse. A second alternative might involve the university computer usage policies acting as a challenge to students and thus increasing the performance of misuse.

Until further research clarifies this matter, university computer security administrators must reconsider the methods used to educate students as to acceptable and unacceptable uses of university computing resources. This research clearly demonstrates that the majority of students are unfamiliar with the rules guiding their usage of university computing equipment. Perhaps repeated exposure would be more effective.

These unexpected results challenge the long-held belief that university computer usage policies prevent or limit the performance of misuse. Since organizations also utilize computer usage policies, the concern generated from these findings must be extended from the university setting to the organizational setting.

Although the use of student samples raises questions of representativeness and generalizability, in this case the students are valid users of the computing resources of these organizations. Users are defined as "individuals who interact with the system regularly" [11]; students utilizing university computers meet this definition of a user. From a technological standpoint, universities and other organizations share the same types of technology and the same risk factors. Universities must utilize the same methods as other organizations to protect themselves. In addition, universities may face even greater threats than the typical business organization. Since the computers in a classroom or lab are open for public use, tracking an instance of misuse usually leads back to the computer rather than the user. Further, university networks are often more vulnerable than corporate networks due to the need for collaboration and easy access to data [8].

The target population for this study is university students. The sample consists of 519 students enrolled in junior- and senior-level business courses at three Midwestern U.S. universities. The universities (and courses) were selected based upon the willingness of colleagues to participate in the study. Although this sample does not represent all students enrolled at these universities, this sample was deliberately chosen to maximize the potential for reported misuse conducted by the subject students. Students from arts and science colleges, business and economics colleges, and engineering colleges commit more misuse than other students [5].

All three universities utilize computer usage policies that outline acceptable and unacceptable use of computer systems. Each university also posts the policies on its Web site; two universities require their students to read these policies before email accounts are issued. The use of such policies has been linked to lower levels of misuse, while failing to use them has been linked to misunderstanding of correct use and thus to misuse [12].

The survey questionnaire was constructed by combining Straub's Computer Security Model Victimization Instrument [12] and items from instruments focusing on Ajzen's Theory of Planned Behavior [1]. The items based on Ajzen's Theory of Planned Behavior were customized to two specific areas of interest: software misuse and data misuse.

Back to Top

Conclusion

Although concern with information systems misuse and computer crime is not new [10], it is of growing concern to commercial organizations [4] and the military [9]. Moreover, information systems misuse, piracy, and computer crime are international in scope. Reports suggest that the frequency of misuse is increasing rapidly [2]. Further, the cost of misuse is extremely high. A recent survey reports that respondents estimated losses of $141,496,560 during 2004. However, only 269 of 494 respondents were willing to report estimated dollar losses [4]. The actual loss is probably greater than stated since estimates only include recognized losses, and many organizations elect not to report losses for fear of negative publicity [4, 7].

Many organizations are so dependent upon their information systems that disruptions or failures often result in severe consequences that range from inconveniences to catastrophes such as complete organizational failure [6]. In addition, access to organizational information systems through networks and dial-in accounts leads to an extremely vulnerable environment [6]. This same situation may be found in universities around the country. Campus networks are becoming "an alluring target for hackers" and, possibly, terrorists [8].

Several researchers have reported that three-fourths or more of computer security violations by humans could be attributed to insiders or other trusted individuals, although current research suggests this trend may be changing. The 2004 CSI/FBI Computer Crime and Security Survey notes that about half of all reported incidents originate within the company, while half are external [4].

This research confirms past conclusions: students commit misuse and pirate software. Students possessing greater familiarity with computers report committing greater amounts of misuse. Individuals with certain majors, such as CIS, tend to commit more misuse than others. In addition, individuals with more computer experience tend to commit greater amounts of misuse than novices. Also, more misuse occurs by upperclassmen than by underclassmen. Finally, males commit more misuse than females, and individuals in their twenties and thirties report more misuse than other age groups.

However, the results of this research also suggest university computer usage policies are not effective in preventing students from committing misuse. First, the majority of respondents never read the computer usage policies at their universities. Second, students who read the policies report committing more misuses than those who do not read the policies. This unexpected result, which disagrees with past findings, suggests the need for continued research in this area.

Both of these results are particularly concerning as many organizations utilize written policy statements to explain proper and improper use of organizational information systems. It is thought such policies reduce the occurrence of misuse within an organization. Future research should address the issue of familiarity with computer usage policies. Given that the majority of respondents have not read the policies despite being required to do so by their respective universities, a method to enforce exposure to computer usage policies must be found.


The results of this research also suggest university computer usage policies are not effective in preventing students from committing misuse. These results are particularly concerning as many organizations utilize written policy statements to explain proper and improper use of organizational information systems.


Controlling misuse has been a concern in the MIS literature since the early 1960s [10], however, many organizations and critical systems are still vulnerable, especially as the modern computer environment incorporates ever-increasing amounts of networking and Internet connectivity. Existing research suggests organizations can defend themselves against such misuse by using computer usage policies. Unfortunately, the results herein, as well as simple observations of ever-increasing amounts of misuse, suggest these policies are ineffective. As a result, organizations need to consider other methods of protecting themselves. The first problem noted in the current research is a lack of familiarity with computer usage policies. Perhaps organizations need to enforce exposure, rather than relying on the user to read the policies. Further, repeated exposure could increase user retention of computer usage policies. The second problem noted in this research is the ineffectiveness of such policies at stopping misuse. While this could be a result of lack of familiarity with organizational computer usage policies, organizations must consider the possibility that such policies are simply ineffective in today's environment. This suggests other approaches should be explored, especially more active approaches, such as password protection and encryption.

It is clear that additional means are necessary for every member of an organization to develop greater appreciation of, to understand, and to comply with computer usage policies. Unfortunately, simply having a company-wide computer usage policy in place does not correspondingly lead to the practice that the policy will be observed (or even enforced by the organization).

Future research should examine the impact of multiple exposures to those policies and should explore the relationship between repeated exposure to computer usage policies and reported instances of misuse as well as the implementation, communication, and enforcement of such policies. In order to reduce the cost and frequency of information systems misuse, piracy, and computer crime in today's environment, the authors recommend that an organization's (university's) employee (student) orientation program must include discussion of correct and incorrect computer usage, penalties imposed for violations, moral appeals, and methods of enforcement along with tougher enforcement policies.

Back to Top

References

1. Ajzen, I. Attitudes, Personality, and Behavior. The Dorsey Press, Chicago, IL, 1988.

2. Anthes, G.H. Hack attack: Cyberthieves siphon millions from U.S. firms. Computerworld 30, 16 (1996), 81.

3. Carnevale, D. Software piracy seems rampant among students in a survey at 2 universities. The Chronicle of Higher Education: Daily News (March 4, 2002).

4. Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. 2004 Ninth Annual CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 2004.

5. Hollinger, R.C. Crime by computer: Correlates of software piracy and unauthorized account access. Security Journal 2, 1 (1992), 2–12.

6. Loch, K.D., Carr, H.H., and Warkentin, M.E. Threats to information systems: Today's reality, yesterday's understanding. MIS Quarterly 16, 2 (1992), 173–186.

7. McAdams, A.C. Security and risk management: A fundamental business issue. The Information Management Journal 38, 4 (2004), 36–44.

8. Olsen, F. The growing vulnerability of campus networks. The Chronicle of Higher Education 48, 27 (March 15, 2002), A35–A36.

9. Schwartz, K.D. Hackers are ubiquitous, malicious, and taken far too lightly, experts say. Government Computer News 16, 23 (1997), 81–82.

10. Skinner, W.F. and Fream, A.M. A social learning theory analysis of computer crime among college students. The Journal of Research in Crime and Delinquency 34, 4 (1997), 495–518.

11. Stair, R.M. and Reynolds, G.W. Principles of Information Systems: A Managerial Approach, 3E. Course Technologies, Cambridge, MA, 1998.

12. Straub, D.W. Deterring computer abuse: The effectiveness of deterrent countermeasures in the computer security environment. Dissertation, Indiana University Graduate School of Business, 1986.

Back to Top

Authors

Timothy Paul Cronan ([email protected]) is a professor and the M.D. Matthews Chair in Information Systems in the Sam M. Walton College of Business at the University of Arkansas.

C. Bryan Foltz ([email protected]) is an assistant professor in the computer science and information systems deparment, College of Business, at the University of Tennessee, Martin, TN.

Thomas W. Jones ([email protected]) is a professor of Information Systems in the Sam M. Walton College of Business at the University of Arkansas.

Back to Top

Tables

T1Table 1. Classification and familiarity with the university computer usage policy.

T2Table 2. Experience with computers.

T3Table 3. Misuse by major.

Back to top


©2006 ACM  0001-0782/06/0600  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2006 ACM, Inc.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: