Recently, I happened across the idea of Security Control Categories, which means that security should be spread across three basic categories: preventative, corrective, and detective.
As someone who has had more than their fair share of encounters with plagiarism and academic dishonesty, this idea struck me as providing a helpful framework for managing attempted intrusions into the integrity of the academic process.
So here’s a bit about what we can learn from the IT Security folks.
Preventative Security Measures
Preventative security measures are put in place to make sure that attacks never happen in the first place. They include things like password policies, firewalls, and security of physical assets like servers.
The biggest transferable idea to the classroom, though, would probably be user training. A common security notion is that the user of a system is often its greatest point of vulnerability, so it’s critical to make sure they use the system in the way it’s intended to be used.
In a classroom setting, here’s where plagiarism education comes in. Students need to be taught how to recognize plagiarism, where they’re most likely to encounter the opportunities or temptations to plagiarize, or the risks of engaging in dishonest conduct.
Since clear protocols for managing known risks are also critical to IT Security, it’s also important to have an accessible, documented policy for how cases of academic dishonesty–whatever their form–will be handled.
Detective Security Measures
In IT Security, detective measures are in place to identify when something might be amiss, and typically include threat monitoring practices like identifying suspicious emails or network traffic, regular audits, unknown hardware showing up on a network, or other such flags.
In academic dishonesty cases, most teachers are aware of the suspicious flags, like a sudden tone or font switch or a paucity of documented sources–and if you use a plagiarism detection software, you’re also aware of threat monitoring systems.
The more helpful transferable idea from IT Security is the forensic aspect of detective security measures. Once a breach has been identified, the next step is to ask what enabled the breach. What systems, if any, broke down? What were the vulnerabilities that have now been exposed?
For that matter, what were the motivations? Was this incident caused by a malicious actor or someone who was negligent or unclear about expected protocols?
And, in any case, what could or should be changed to prevent a reoccurrence?
Corrective Security Measures
After the detective phase, you’ve got corrective security measures. In a classroom setting, these could take several forms.
If plagiarism has slipped through the cracks, it might be time to reevaluate the detective measures. If plagiarism is discovered but can’t be prosecuted, it’s time to revisit and clarify policies, perhaps making consequences explicit. If there is a swell of documentation errors, it’s time to reconsider how much time is spent on conventions and best practices.
In any case, one of the foundational ideas of IT Security is that it’s in a constant state of re-evaluation. In a classroom setting, where the methods of research and expression are constantly changing, as is the idea of what a classroom even IS, it seems like there’s a lot of value in that model.
For that matter, as someone who teaches a lot of Technical Writing, I really liked the idea of framing an academic dishonesty deterrent policy up as something with a loose analog to concepts with which my students might be familiar.
Even if you don’t teach technical writing, though, it’s always helpful to make sure that, in terms of putting students in the best position to succeed, nothing falls through the cracks.