Secure information system for international distance education Oxana N. Romashkovaa , Ekaterina D. Romashkovaa and Irina A. Gudkovab a Department of international information security Institute of information sciences, Moscow State Linguistic University, 38, Ostozhenka St., Moscow, 119034, Russia b Department of Applied Probability and Informatics, Peoples’ Friendship University of Russia, 6, Miklukho-Maklaya St., Moscow, 117198, Russia Abstract This article analyses the problems related to distance education in native universities as well as problems encountered in the development and operation of information systems in general and distance education information systems for universities. Modern higher education is subject to close merging of high-quality educational content and advanced educational information technologies. Distance learning enables studying in an individual educational trajectory with a convenient location, time and form. Network and international forms of training programs are taking particular significance and becoming widespread, especially at higher educational level. Fundamentally new priorities are formed in the field of higher education and science: cross-cutting informatisation of management and scientific activities in educational organizations. The increasing requirements to the volume, quality and pace of the educational process lead to the development of the distance and online learning in higher education, which is the most vital trend in the Russian educational system. Purpose: Analysis of the usefulness of distance education, ways and means of its development and implementation, identification of problems and threats. Scientific novelty: Presented an example of a model for a remote education information system based on threats, issues and risks. The authors analysed the situation of distance education in Russian Federation, researched one of the distance education information systems and examined the threats of information systems and ways to prevent them. Keywords information security, security assessment, distance learning, distance education Workshop on information technology and scientific computing in the framework of the X International Conference Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems (ITTMM-2020), Moscow, Russian, April 13-17, 2020 Envelope-Open ox-rom@yandex.ru (O. N. Romashkova); e.d.romashkova@gmail.com (E. D. Romashkova); gudkova-ia@rudn.ru (I. A. Gudkova) Orcid 0000-0002-1646-8527 (O. N. Romashkova); 0000-0002-6451-6554 (E. D. Romashkova); 0000-0002-1594-427X (I. A. Gudkova) © 2020 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings http://ceur-ws.org ISSN 1613-0073 CEUR Workshop Proceedings (CEUR-WS.org) 22 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 1. Introduction Relevance: The processes of informatization affected the development of educational technical systems. The usage of modern telecommunication technologies in the educational process made it possible to make learning as accessible, open, mobile and relevant as possible, for a significant part of society. At the same time the learning process itself contributes to the development of new services and accomodations, and to the enhanced managerial, communication and information capabilities in the course of the performance of its tasks. Distance education technologies improvements allow to develop and disseminate educational information with use of distribution technologies [1, 2, 3, 4]. The introduction of computer systems in education has led to a review of all technological components of the learning process. The visualization of thoughts, information and knowledge is now the basis for distance education. However, stable and quality access to system’s re- sources and providing of large number of users’ access without overloading telecommunications channels used, remain a key challenge. The authors’ task is an implementation of the proposed algorithms and organizational models of distance training programs in higher education, and remote access information security and management [5, 6, 7, 8]. The object of the study is the information processes within University’s structural unit respon- sible for distance learning. The subject of the study is the development process of the information system, which is designed for information distribution, processing and protection in distance training programs in higher education. 2. Setting Goals The following tasks were solved to achieve the goal of scientific research: • an information infrastructure and the state of information security of a university that implements distance international educational programs have been analyzed; • a model and information security system for international educational programs have been developed; • a study on the activities of the university structural units implementing international educational programs has been carried out; • requirements for the developed information system for international educational programs were formulated; • a prototype of the information distribution, processing and protection system for interna- tional educational programs has been developed; • a system of organizational, technical and technological measures for international educa- tional programs’ information security has been developed [9, 10, 11, 12]. 23 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 3. Theoretical Research In the course of their activities educational institutions use various information systems to process large amounts of data: the ones directly connected to the educational process as such and different types of sensitive data as well, for example, students and employees information (Figure 1). Figure 1: Interaction scheme of the process “Conduct classes” The process of distance learning includes theoretical training and practical work. Information technologies used in the process of distance learning organizing can be divided into three groups: • technologies providing educational information; • technologies transferring educational information; • technologies processing and storing educational information. Together they form distance learning technologies. The learning process is always based on the process of information transfer from the teacher to the student. In an inherent traditional education model of full-time education, teacher (or professor) is the interpreter of knowledge. In distance education, the interpreter is a student himself. Because of that, educational information and its quality are subject to strict requirements. Educational information should be collected with usage of the distribution technologies. Furthermore, educational information’s distribution should provide students with remote access without the network load increasing. Educational technologies in the technical field are characterized by the forward-looking nature of the development. For example, the introduction of computer technologies led to revised components of the learning process. Visualization of thoughts, information and knowledge become the basis for distance education [13, 14, 15, 16, 17]. Educational technologies used in distance education include: 24 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 • video lectures; • interactive lectures and laboratory work; • electronic textbooks; • computer training and testing systems; • simulation models and computer simulators; • remote consultations and tests; • video conferencing. It is important in the educational process that the use of information technology helps to achieve educational goals. Learning outcomes depends on the quality of courses’ development and provision. The main role played by IT technologies in distance education is ensuring educational dialogue. Communication technologies can be divided into two types — on-line and off-line. The first ones provide a real-time information exchange. Received messages are stored on the recipient’s computer when using off-line technologies. The user can view them using special programs at a convenient time. Unlike full-time study where the dialogue is conducted only in real time (on-line), in distance education it might take place in delayed mode (off-line). Network distance learning technologies could be particularly valuable in the joint degrees programs organization as they allow to implement the principle of educational recourses distribution. Distance learning programs in higher education institutions are implemented in a specialized unit – the Institute of Distance Education. The Institute of Distance Education is an independent structural unit of the university, and report directly to the rector and vice-rector for academic affairs. In general, the main tasks of the Institute of Distance Education are: • distance education organizational and methodological support; • university distance learning system software and hardware support, and its development; • educational process organization and support; • providing services for the distance education introduction. To perform the above tasks, the Institute of Distance Education was entrusted with the following functions: • provision of distance learning services; • provision of services for the introduction of new courses in the university distance education system; • provision of teacher training for distance education technologies. Departments related to the Institute of Distance Education, as well as positions whose activities need automation, are shown in Figure 2. It is necessary to have a good understanding of the organization of work within the Institute to develop a prototype of a current distance education information system. For this purpose, it is necessary to develop corresponding algorithms of interaction in BPMN notation. According 25 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 to this notation, the process interaction diagram displays the main events, actions, and logi- cal connections in the business process control flow. This notation is characterized by such components as: the start of a process; current events; notifications; rules; the end of a process. Figure 2: Distance education Institute organization structure The interaction algorithm of the process “Organize work within the institute” is shown in Figure 3. Figure 3: The interaction algorithm of the process “Organize work within the institute” In figure 3 following main elements of the business process are shown: • data warehouse — elements of a future information system database (tables, list of equip- ment, curriculum, etc.); • start and end events; 26 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 • processes and tasks; • data objects — future forms of the information system client part prototypes (guidelines, plans of activities). Below is an example of one of information system created for one of the institutes of distance education. This system involves collaboration with all types of data listed above (Figure 4). Figure 4: The interaction algorithm of the process “Organize work within the institute” The “Monitor Students’ Level of Knowledge” tab of distance education information system is shown in Figure 4. This information system automates the following Institute of Distance Education’s processes: 1. “Organize work in the Institute of Distance Education”. 2. “Create distance learning tools”. 3. “Manage the databases”. 4. “Organize courses”, etc. Modern tools for distance learning organizing used by the Institutes of Distance Education can most often be divided into the following groups: • Learning Management Systems; • Content Management Systems; • Authorial Software Products; • Learning Content Management Systems. 27 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 The authorial software products provide the lecturer with the opportunity to develop educa- tional content based on visual programming: it would be sufficient to just add the necessary information. Components of educational content in the form of text fragments, illustrations or video are placed on the screen using manipulators. Content management systems allow creating and managing file directories of various types. Such distance education system is a database with a keyword search that allows a lecturer or methodologist to perform a quick search. Content management systems are especially applicable in cases where a large team of specialists is working on the courses creation and needs to use the same fragments of training materials in different training courses. This reduces the time spent on training programs development. Such distance education systems are ideal for web sites, educational programs and materials portals development. Learning management systems provide the student with ample opportunities for creating an effective learning process, and provide learning process’ manager with tools for creating training programs, monitoring, generating reports on learning outcomes, and organizing various options of communication between students and lecturers. There are also learning content management systems (LCMS). Their basic difference from learning management systems is that they are aimed at managing the training programs’ content and not directly at the educational process. Also they are intended to be used by training programs’ developers, specialists in methodological support to courses, and heads of educational institutions. The basis of learning content management system is the concept of representing an education content as a set of permanently engaged learning objects with certain attributes of usage. However, it is becoming increasingly difficult to draw a clear-cut line between two classes of systems. This is due to most of manufacturers of learning content management systems, which are using general learning management functionality. Many of the modern solutions of the category of learning management systems are similarly implementing the key features of educational content management. However, it must be noted that any information systems, which are a technological base of distance learning systems, could be targets for various external and internal security threats, both malicious and accidental. That might impair not only distance learning process but also higher education institution functioning in general. In the conditions of increasing number of cybercrime, this factor entails need for organizing of the information security system [18, 19, 20, 21]. Therefore, the scope of such security system is set not only by the university decision but also by the requirements of the information security regulating institutions, such as The Federal Service for Technical and Export Control of Russia, The Federal Security Service of the Russian Federation, The Federal Service for Supervision of Communications, Information Technology and Mass Media, etc. 4. Overview of System Security Assessment Methods At present, there are numerous methods of information systems’ assessing and protection. However, more generally they are universal and do not take into account the specificity of narrowly targeted systems and their use. In this regard the problem of ensuring the information 28 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 security in the systems, which implement support for distance learning programs in higher education institutions, is of great importance nowadays. The solution to this problem is particularly important for international education programs, such as joint degrees programs and internships. The overall picture of how risks affect the organization is shown in Figure 5. Figure 5: Security risks To date the main threats to the university information security are: • malicious software (∼ 30%); • human errors (∼ 20%); • equipment failure (∼ 15%); • information system penetration (∼ 5%); • software failure (∼ 5%). An information security of educational organizations should be constantly improved due to the permanent risk of information leaking. This process should be continuous and should involve improved methods and ways of information security systems improvement, continuous monitoring, system’s weaknesses and potential information leakage channels identification. Continual improvement of such systems is strongly linked to the creation of new ways to gain an unauthorized access to a confidential and sensitive information. 29 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 The role of information security in the organizational system of safety measures is determined by the timeliness and accuracy of managerial decisions, taking into account available resources, information safeguards, and current laws and regulations. Information security should serve as an integrated system in which all components are designed to prevent possible leakage of confidential information, and to protect information carriers from an authorized access. Thus, all of this ensures confidentiality, integrity and availability of information in dealing with it. To date there are various information safeguards. These are legal, economic, technical, and organizational methods. Development of regulations and departmental regulations for ensuring information security refers to legal methods of information security. Organizational, and organizational and technical methods may include: • information security system development and improvement; • information protection facilities development, improvement and usage, and facilities performance monitor; • dangerous to information, information resources, information systems hardware and software identification; • user’s activity monitor; • information security monitoring system development. The technical methods of information security ensuring may include: • installation of security hardware and software ensuring protection from an authorized ac- cess, actions causing damaging impact on information system, destruction and distortion of information, unintended regular operation modifications; • identification of malicious hardware and software posing risk to means of processing and transferring information; • monitoring of technical means of transferring information, providing prevention of information leakage through technical channels; • technical supervision of technical measures’ for information security effective functioning. Economic methods include: • introduction of the information security policy and its funding determining; • information systems improvement. Modern information security is provided by the following methods: • cryptographic information protection; • information management, both in a local networks and in communication channels; • monitoring and tamper detection; • ensuring information and software integrity; • introduction of enhanced means of restoring information security; • equipment and magnetic media physical protection and accounting; • formation of special information security services. 30 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 Namely, the use of cryptographic methods help to address the electronic information protec- tion challenges. However, modern methods of cryptographic transformation retain an initial productivity of automated data-processing systems. Usage of cryptography is the most effective way to ensure information confidentiality, in- tegrity and availability. Cryptographic methods combined with technical and organizational methods provide with protection against a wide range of possible threats. There are poor performance of the traditional security mechanisms and the backlog in the implementation of advanced methods of protection due to large data flows existence within educational institutions. In this regard, applications of the advances of cryptography call for special attention. Thus, an employee responsible for the systems’ security may seek guidance from standard GOST R ISO/IEC 27002-2012 for system’s security self-assessment. According to that standard, it is recommended to carry out periodic conformity checks of the current level of security, required level, security policy, and technical requirements. However, the standard does not mention recommended methods for an implementation of checkups. Generally, an assessment procedure is performed by various interviewing techniques. This method is carried out in the following main stages: • using questionnaires based on the requirements of the standard; • formation of knowledge base of scientific experts in line with the requirements and the recommendations of the standard; • formulating the guidelines for analysis of the replies to the questionnaires. The application of the standardized approach only would allow to get a fast security assess- ment and to receive recommendations for a system being studied quite rapidly. However, the main drawback of such an approach is that the implementation of the recommendations received is nearly always difficult, if not impossible, because the standard does not take into account information collected by the system itself in its functioning. For that reason, in addition to the standard’s requirements, specific features of the system, information assets and statistics on the threats to information security or information security incidents, collected in the system’s functioning, is also to be considered. 5. Conclusion Using the approaches described above is accessible in the development of new information security systems, as well as in examining security systems, which already exist in higher education institutions, including whose providing distance education technologies [22, 23]. References [1] Y. Orlov, D. Zenyuk, A. Samuylov, D. Moltchanov, S. Andreev, O. Romashkova, Y. Gaidamaka, K. Samouylov, Time-dependent sir modeling for d2d communications in indoor deployments, in: Proceedings — 31st European Conference on Modelling and Simulation, ECMS 2017, 2017, pp. 726–731. 31 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 [2] I. A. Gudkova, O. N. Romashkova, V. E. Samoylov, Determination of the range of the guaranteed radio communication in wireless telecommunication networks of ieee 802.11 standard with the use of ping program, in: CEUR Workshop Proceedings 8. ”ITTMM 2018 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2177, 2018, pp. 54–59. URL: http://ceur-ws.org/Vol-2177/#paper-08-1060. [3] O. N. Romashkova, Y. V. Gaidamaka, L. A. Ponomareva, I. P. Vasilyuk, Application of information technology for the analysis of the rating of university, in: CEUR Workshop Proceedings 8. ”ITTMM 2018 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2177, 2018, pp. 46–53. URL: http://ceur-ws.org/Vol-2177/#paper-07-1010. [4] L. A. Ponomareva, P. E. Golosov, A. B. Mosyagin, V. I. Gorelov, Method of effective management of competence development processes in educational environments, Modern science: actual problems of theory and practice. Series: natural and technical 9 (2017) 48–53. [5] L. A. Ponomareva, M. I. Kumskov, E. A. Smolenskii, D. F. Mityushev, N. S. Zefirov, Method of computer aided formation of organic compound descriptors for quantitative structure- property relationships, News of the Academy of Sciences. Chemical series 8 (1994) 1391. [6] E. Prokhorov, L. Ponomareva, E. Permyakov, M. Kumskov, Fuzzy classification and fast rules for refusal in the qsar problem, Pattern Recognition and Image Analysis 21 (2011) 542–544. doi:1 0 . 1 1 3 4 / S 1 0 5 4 6 6 1 8 1 1 0 2 0 9 1 X . [7] M. I. Kumskov, S. E. Peshkova, L. A. Ponomareva, K. I. Rezchikova, Estimation of activation energies of thermal decomposition of nitro compounds based on structural descriptors, Russian Chemical Bulletin 45 (1996) 1840–1843. doi:1 0 . 1 0 0 7 / B F 0 1 4 5 7 7 6 0 . [8] E. Bobrikova, Y. Gaidamaka, O. Romashkova, The application of a fluid-based model for the analysis of the distribution time of a file among users in peer-to-peer network, in: Selected Papers of the II International Scientific Conference ”Convergent Cognitive Information Technologies” (Convergent 2017). CEUR Workshop Proceedings, volume 2064, 2017, pp. 55–61. URL: http://ceur-ws.org/Vol-2064/paper06.pdf. [9] E. I. Prokhorov, L. A. Ponomareva, E. A. Permyakov, M. I. Kumskov, Fuzzy classification and fast rejection rules in the structure-property problem, Pattern Recognition and Image Analysis: Advances in Mathematical Theory and Applications 23 (2013) 130–138. doi:1 0 . 1 1 3 4 / S 1 0 5 4 6 6 1 8 1 3 0 1 0 1 0 0 . [10] E. Prokhorov, L. Ponomareva, E. Permyakov, M. Kumskov, Fuzzy Predicting Models in ”Structure — Property” Problem, in: Proceedings of the International Workshop on Soft Computing Applications and Knowledge Discovery (SCAKD 2011), Moscow, Russia, June 25, 2011., 2011, pp. 89–93. [11] G. V. Gorelov, O. N. Romashkova, Influence of russian, spanish and vietnamese speech char- acteristics on digital information transmission quality, in: IEEE International Symposium on Industrial Electronics Proceedings of the IEEE International Symposium on Indus- trial Electronics, ISIE’96. Part 1 (of 2). sponsors: IEEE, Warsaw University of Technology. Warsaw, Poland, 1996, pp. 311–313. [12] O. N. Romashkova, Y. V. Gaidamaka, L. A. Ponomareva, I. P. Vasilyuk, Application 32 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 of information technology for the analysis of the rating of university, in: CEUR Workshop Proceedings 8. ”ITTMM 2018 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2177, 2018, pp. 46–53. URL: http://ceur-ws.org/Vol-2177/#paper-07-1010. [13] O. N. Romashkova, L. A. Ponomareva, I. P. Vasilyuk, The process of automating the rating of russian universities, in: CEUR Workshop Proceedings 9. ”ITTMM 2019 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2407, 2019, pp. 109–117. URL: http://ceur-ws.org/Vol-2407/paper-12-121.pdf. [14] G. V. Gorelov, N. A. Kazanskii, O. N. Lukova, Communication quality assessment in speech packet transmission networks with random service interrupts, Automatic Control and Computer Sciences 27 (1993) 62. [15] L. A. Ponomareva, S. V. Chiskidov, O. N. Romashkova, Instrumental implementation of the educational process model to improve the rating of the universities, in: CEUR Workshop Proceedings 9. ”ITTMM 2019 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2407, 2019, pp. 92–101. URL: http://ceur-ws.org/Vol-2407/paper-10-120.pdf. [16] O. N. Romashkova, E. N. Pavlicheva, Resource management in distance and mobile education systems, in: CEUR Workshop Proceedings 9. ”ITTMM 2019 — Proceedings of the Selected Papers of the 8th International Conference ”Information and Telecommunication Technologies and Mathematical Modeling of High-Tech Systems”, volume 2407, 2019, pp. 102–108. URL: http://ceur-ws.org/Vol-2407/paper-11-119.pdf. [17] L. A. Ponomareva, V. L. Kodanev, Development module of the corporate information system ”educational environment of the university” based on cloud technologies, in: Computer science: problems, methodology, technology the collection of materials of XVII international scientific conference: in 5 t., 2017, pp. 393–398. URL: https://elibrary.ru/item. asp?id=28952199. [18] A. I. Kapterev, O. N. Romashkova, Challenges for russian ecosystem of higher education for on board communications, in: 2019 Systems of Signals Generating and Processing in the Field of on Board Communications, volume 1, 2019, pp. 227–232. doi:1 0 . 1 1 0 9 / S O S G . 2019.8706719. [19] L. A. Ponomareva, P. E. Golosov, Development of a mathematical model of the educational process at the university to improve the quality of education, Fundamental research (2017) 77–81. URL: https://elibrary.ru/item.asp?id=28800201. [20] E. N. Pavlicheva, O. N. Romashkova, Model of functioning of information system for institute of distance education of specialists of onboard communications, in: 2019 Systems of Signals Generating and Processing in the Field of on Board Communications, volume 1, 2019, pp. 382–386. doi:1 0 . 1 1 0 9 / S O S G . 2 0 1 9 . 8 7 0 6 7 8 3 . [21] O. N. Romashkova, L. A. Ponomareva, Model of educational process in high school using petri nets, Modern information technologies and IT education 13 (2017) 131–139. URL: http: //sitito.cs.msu.ru/index.php/SITITO/article/view/244. doi:1 0 . 2 5 5 5 9 / S I T I T O . 2 0 1 7 . 2 . 2 4 4 . [22] G. V. Gorelov, O. N. Romashkova, Influence of russian, spanish and vietnamese speech char- 33 Oxana N. Romashkova et al. CEUR Workshop Proceedings 22–34 acteristics on digital information transmission quality, in: IEEE International Symposium on Industrial Electronics Proceedings of the IEEE International Symposium on Indus- trial Electronics, ISIE’96. Part 1 (of 2). sponsors: IEEE, Warsaw University of Technology. Warsaw, Poland, 1996, pp. 311–313. [23] L. A. Ponomareva, V. L. Kodanev, S. V. Chiskidov, Model of management of process of development of competences in educational organizations, in: New information technolo- gies in scientific research materials of the XXII all-Russian scientific-technical conference of students, young scientists and specialists. Ryazan state radio engineering University, 2017, pp. 20–22. URL: https://elibrary.ru/item.asp?id=30521104. 34