=Paper=
{{Paper
|id=Vol-2861/paper_34
|storemode=property
|title=Information Security Risks of Distance Learning Software in the Sphere of Education as an Element of Critical Information Infrastructure
|pdfUrl=https://ceur-ws.org/Vol-2861/paper_34.pdf
|volume=Vol-2861
|authors=Yuriy Sosnovskiy,Veronika Ilyina,Victor Milyukov
}}
==Information Security Risks of Distance Learning Software in the Sphere of Education as an Element of Critical Information Infrastructure==
Yuriy Sosnovskiy, Veronika Ilyina and Victor Milyukov
Institute of Physics and Technical Sciences, Crimean Federal V. Vernadsky University, 265007, Russian Federation
Abstract
A number of software tools that can be used to organize distance learning interaction via the Internet are studied in the paper. The tools are analyzed against basic conditions of information security accreditation, such as a secure data transfer protocol, personal data transfer to a third party, known cases of hacking, and the sanctions restrictions in force to date.
The information security risks of a teacher's digital tools are evaluated taking into account the broad scope of the educational process and the number of its participants. The damage from the use of such tools is related to that from critical information infrastructure control objects.
Keywords: Information security, a teacher's digital tools, distance learning
1. Introduction
The global economy is rapidly going digital. The patterns of interaction between economic and legal entities and, which is of utmost importance, those activities of educational institutions that can be converted into electronic form are also undergoing digital transformation. As a result, distance learning is becoming increasingly popular. Such a distance form of educational interaction is cheaper for all parties to the educational process, and more and more teacher's digital tools (TDT) that facilitate such interaction are appearing.
2. Purpose and objectives of the research
Today, the typical forms of interaction between an educational establishment and a student in the Russian Federation imply the following.
An educational organization must have an electronic information and educational environment (EIEE). Its main objectives are set out in the Federal state educational standards, and it should provide [1]:
• free access to the curricula, work programs of the modules, internships and courses, as well as to educational publications in electronic form and educational resources on the Internet;
• saving the student's completed assignments and grades [1].
If a training program is implemented using e-learning or distance learning (if it is licensed), the EIEE should additionally provide [1]:
• recording of the educational process events and keeping track of the students' progress in the course of mastering the educational curriculum;
• asynchronous and synchronous interaction between students and teachers.
SLET-2020: International Scientific Conference on Innovative Approaches to the Application of Digital Technologies in Education, November 12-13, 2020, Stavropol, Russia
EMAIL: sosnovskiy.yv@cfuv.ru (Yuriy Sosnovskiy); nika.ilyina@mail.ru (Veronika Ilyina); milyukov.vv@cfuv.ru (Victor Milyukov)
ORCID: 0000-0003-3807-5297 (Yuriy Sosnovskiy); 0000-0003-4165-5620 (Veronika Ilyina); 0000-0002-0429-8540 (Victor Milyukov)
© 2020 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
Federal state standards for secondary education [2] contain more detailed requirements for the information and educational environment of the organization (IEE), which should provide:
• information and methodological support for educational activities;
• organization of various forms of individual and group activities;
• monitoring and recording the progress and results of educational activities;
• modern procedures and tools for creating, searching, collecting, analyzing, processing, storing and presenting information;
• interaction between all the participants in the distance learning process.
It should be noted that the requirement that the EIEE ensure interaction between the participants in the educational process is only stipulated for educational programs that include electronic or distance learning forms of the educational process, which is not common practice. Unfortunately, the EIEE does not always have enough tools to meet all the needs of the educational process participants in terms of electronic interaction.
As practice shows, in a considerable number of cases the EIEE is implemented so as to meet the requirements of the regulatory authorities. At the same time, such a limited tool set does not provide convenient instruments for communication and, as a result, progressive teachers have to look for their own methods of transmitting and distributing electronic educational materials and to use the TDT that are more suitable for them.
Figure 1: Typical electronic interaction between the educational establishment and the student
Thus, the importance of a teacher’s digital tools, used to ensure electronic interaction between the
teacher and the student, significantly increases.
3. Digital tools of the teacher. Overview and analysis
3.1. BigBlueButton webinar platform
The BigBlueButton platform (BBB) is a free software system for web conferences. The major problem with the system is that the BigBlueButton client works using the browser extension for Adobe Flash, official support for which ends in 2020. Another disadvantage is the relatively high load on the server's computational capacity. The features of the BBB system are as follows [3]:
• supports working simultaneously with a large group of students, for example, up to 100 people or more;
• provides a video recording function. You can also save images and notes that were created on the electronic board during the lecture;
• the BBB platform can be integrated with Moodle through a dedicated module.
At the same time, the system is based on outdated technologies, and BBB does not work on Apple computers and smartphones with iOS.
3.2. Discord messenger platform
Discord is a popular application that is used primarily for voice communication. It was experimentally established that the optimal number of participants is up to 25-30 people. The maximum number allowed by the system is 50 people.
The system has some features particularly useful for the educational process:
• provides high-quality voice communication in the "General chat" mode. The minimum computer system requirements are reasonable, and there are modes both for automatically turning on the microphone and for using a dedicated button;
• allows you to arrange a streaming broadcast of the desktop screen or selected windows on your computer;
• it is possible to work both in the application and directly from the browser, which is convenient.
At the same time, as the practice of using this software tool during the distance learning process has shown, it is advisable to appoint a local administrator of the virtual servers and platform channels to correctly organize the interaction between the participants. The platform enables effective work when active oral interaction is required both individually and in small groups: for practical work, collecting reports on laboratory work, and for lecturing to small groups.
3.3. YouTube as a platform for hosting online lectures
For a teacher, YouTube has the following advantages:
• provides storage and seamless access to video content;
• has convenient tools for analyzing users' viewing, which allows you to identify fragments of lectures or videos that arouse the greatest interest in the audience;
• video materials can be distributed among the students and also in the public domain.
3.4. Programs for remote computer management
Sometimes, when working individually, students may come across problems whose solution requires the tutor's assistance. In this case, it is convenient to use programs that provide remote computer management. An example is the TeamViewer program.
The program provides not only computer management but also collaboration facilities. You can work collaboratively on documents online in real time, work effectively on software code and other materials, and also in areas that have no ready-made solutions.
All major operating systems are supported: Windows, macOS, Linux, iOS, and Android. The program's features also include holding online conferences, though with a limit of 25 participants. At the same time, it should be noted that this program poses a potential threat to the information security of the user's computer, due both to potential vulnerabilities in the program itself and to the need to open port 5938 for external access via the TCP/UDP protocols.
3.5. Online conference programs. ZOOM
ZOOM is one of the most popular programs for online conferencing. Unlike BigBlueButton and many similar systems that use Adobe Flash technology for video transmission, ZOOM has implemented a real-time video transmission technology, WebRTC (Web Real-Time Communication). You can set a password for the conference, invite participants by URL or email, and broadcast audio and images from your computer. There is a 40-minute limit on the length of a session for a free account.
It is also worth noting that in some regions the use of this program without additional software is simply impossible due to various political issues and the related restrictions. In addition, there is a significant number of instances when critical vulnerabilities were discovered in Zoom: for example, a macOS user could be joined to a Zoom call with the video camera already activated, with no request for authorization to switch on the camera; unauthorized connections to other people's broadcasts; password leaks, etc.
3.6. Programs for graphic illustrations. Online boards
In the process of distance learning, it is often essential to illustrate materials and get continuous feedback, just as a teacher often does in a traditional classroom using a board or a smartboard. A teacher can arrange voice interaction via a convenient program, such as Discord, described above. As to visualization, it can be effected through, for example, the AWWApp service. It does not require installation: you just need to go to the site, send your students an invitation to join the session, and work with the screen just as with a real board. In the graphics space you can make drawings, insert formulas, notes, etc. Because the graphics space is shared, all participants can work in it at the same time. Accordingly, the teacher can give graphic tasks to the students and monitor their performance live.
The free version contains advertisements, unlike the fee-based version. Also, with the paid version you can create multiple pages and upload files in .pdf format to the graphics space.
3.7. Video broadcasts in social networks
Today, the vast majority of the educational process participants have accounts on social networks.
As an example, let us have a look at the Vkontakte network. It can be successfully used for distance
learning under the condition that so-called "broadcasts" are arranged. The advantages of providing
video content via social networks are the following:
• students just need to click on the link to the broadcast, there is no need to download any
special application;
• the broadcast record is saved on the author's page and can be viewed at any convenient time;
• the record can be viewed by all those who take interest in the subject, which is both a
disadvantage if you need to limit the number of viewers, and an advantage if you want to share the
information with a vast number of people.
At the same time, to organize broadcasting, the teacher needs to install video recorder software and
follow a certain algorithm for generating a unique broadcast key and making the broadcast itself.
3.8. Conclusions on information security of using a teacher’s digital tools
The basic criteria for evaluating the safety of using a teacher's digital tools that can be useful to ordinary users are shown in Table 1.
Table 1. Basic criteria of TDT information security
{| class="wikitable"
! Teacher's digital tool (TDT) !! Secure protocol !! Personal data transfer to a third party !! Administration difficulty !! Known instances of hacking !! Restrictions due to sanctions
|-
| BigBlueButton (on your own servers) || TLS || No || High || Unlikely || No
|-
| Discord || end-to-end: TLS, DTLS, xsalsa20 || Yes || Average || Yes || No
|-
| YouTube || Yes || Yes || Average || Leakage of users' passwords || No
|-
| TeamViewer || 2048-bit RSA keys and 256-bit AES session encryption || Yes, when registering an account || Moderate || Leakage of users' passwords, hacking through TeamViewer ID || Yes
|-
| ZOOM || TLS * || Yes, registration is required || Moderate || Multiple reports about the issues [4] || Yes
|-
| AWWApp, basic version || TLS || No || Minimum || No || No
|-
| Broadcasting in VK || TLS || Yes, registration is required ** || Average || Leakage of users' passwords || No
|}
* End-to-end encryption was declared. However, in practice it is ordinary TLS, and the video stream is open to ZOOM servers.
** Vkontakte is a Russian company. The website vk.com is listed in the register of information dissemination organizers under number 4-PP; the date of its entry is September 4, 2014.
The analysis of the table shows that the majority of the TDT are extremely vulnerable to external cyber threats, as well as to the international restrictions policy, which also applies to the software market, including access to information resources.
Table 2. Features of storing and processing user data
{| class="wikitable"
! Teacher's digital tools !! Compliance with regulatory documents on storage and processing of personal data in information systems !! Use of cryptographic information security tools (CIST) with up-to-date Federal Security Service (FSS) certificates !! Location of the hosting (the Russian Federation / not the Russian Federation)
|-
| BigBlueButton (on your own servers) || Yes, no client registration is required. || Technically possible || RF (technically possible)
|-
| Discord || No, when registering a real full name || No || Not RF
|-
| YouTube || No, when registering a real full name, because the same email address as in Google is used. || No || Not RF
|-
| TeamViewer || Does not require a full name, only a nickname and an email address. || No || Not RF
|-
| ZOOM || No registration required on the client side || No || Not RF
|-
| AWWApp, basic version || No registration required for basic functionality || No || Not RF
|-
| VK broadcasts || Declared compliance with the rules of 152-FL on handling of personal data ** || Average || RF
|}
* Linking the account to the e-mail address is required. In this case, the user's data can be considered personal data (PD).
** It is not explicitly stated in the VK user rules that the requirements of the legislation of the Russian Federation for storing, transmitting and processing personal data are fulfilled (https://vk.com/privacy). The rules for protecting VK Connect user information are part of the VK Ecosystem and contain links to Federal Law 152.
Despite this, the number of users of these and similar services is estimated at tens and hundreds of thousands in the Russian Federation alone. In the context of restrictions related to the spread of coronavirus, the requirements for the stability of services, as well as the requirements for compliance with Russian legislation in the field of personal data processing, become important [5]. Unfortunately, in most cases these standards are not met. Table 2 shows the technical features of storing and processing user data, which according to [5] can be classified as personal data.
Having analyzed the features of the TDT in terms of storing and processing user data, as well as the registration requirements, we selected some TDT that can be used by tutors and educational establishments at minimum cost and at low risk of violating the regulations of the Russian Federation relating to personal data processing:
• BigBlueButton webinar system. It is possible to install the system on the organization's own server or even on a teacher's personal computer (as was done at the Department of Computer Engineering and Modeling of the Institute of Physics and Technical Sciences, Crimean Federal V. I. Vernadsky University). Students are not required to register and submit their personal data: to get connected they follow a link;
• AWWApp interactive online whiteboard. Basic functionality (free illustrations, selection of tools, background loading of images and pdf files, etc.) does not require registration for either teachers or students;
• using the functionality of the social network Vkontakte. Registration and confirmation of the phone number are required. At the same time, Vkontakte places its servers on the territory of the Russian Federation and declares compliance with the norms of 152-FL.
However, the TDT under consideration, and many others, are subject not only to personal data information security threats but also to various other information security threats, which can occur at any time.
4. Information security risks and equivalent damages
If the upper segment of the TDT (servers), the communication channels, or the lower-level devices (user devices) are affected by information and technical interference, the educational process can be disrupted for some time. Examples of real problems that the participants of the educational process face are:
• inability to connect to the broadcast stream;
• failure or lagging of electronic services, etc.;
• indirect threats related to the leakage or deliberate misuse of the user's personal data by the service.
For an individual participant of the educational process, the above-mentioned issues may not be critical, but the number of people involved in the process can be substantial and can significantly (a hundredfold or even thousands of times) surpass the number of people who are negatively affected by malfunctions of the automated control systems classified as critical information infrastructure (in the commonly used meaning of this definition).
Some of the indicators for assessing the security of automated systems are the probability (or frequency) of successful computer attacks (CA) that cause the transition of the system to a state of malfunction or failure, $P_{CA,i}$, and the notional value of damage from a single CA, $D_i$, where $i$ is the index of the CA kind and of the damage corresponding to it (the paper's symbol for the damage was not preserved in the extracted text; $D$ is used here as a stand-in). Risk is most often understood as the sum of the products of these parameters:

$$R_{CA} = \sum_{i=1}^{N} P_{CA,i}\, D_i . \qquad (1)$$

The regulatory documents (the All-Union State Standard and IEC on risks) contain a list of methodologies for assessing risk, such as RIA, HAZOP, HACCP, SWIFT, and others [6]. A multidisciplinary approach can be applied to risk assessment, as risks can result from a wide range of causes and have a large number of consequences. However, in practice they are all qualitatively defined on the basis of brainstorming, expert experience, scenario analysis, etc.
As a result, in most cases in practice the notion of 'damage' is considered to be some notional value. At the same time, in jurisprudence the damage is almost always assessed from both sides, material and moral, which, of course, have some financial equivalent [7].
To be able to compare risks, their characteristics should be comparable. First, we consider automated control systems (ACS) and the impact that computer attacks have on them. We deal with the risks that do not lead to human death (in order to avoid interference with the moral issue). All the same, such risks do damage to the health of the people involved in the functioning of the critical information infrastructure. Financial damage, in this case, can be expressed as the sum of the money paid to each of the $N_0$ sufferers to cover the costs of treatment $c_i$, temporary loss of labour capacity $d_i$, and moral, or non-pecuniary, damage $U_i$, which, as has been said, can also be assessed in monetary terms, just as in jurisprudence:

$$D_0 = \sum_{i=1}^{N_0} \left( c_i + d_i + U_i \right). \qquad (2)$$

Non-pecuniary damage may be translated into a financial equivalent with some margin of error.
Similarly, the harm done to reputation and the risks of disruption of the functioning of a teacher's digital tools lead to a "moral damage" for state bodies and the system of education, since the number of people affected is extremely large. Consequently, such reputational risks can also be assessed in financial terms. What is more, additional financial resources are required to organize explanatory and other corrective work with the population in order to maintain the overall level of satisfaction. Formula (3) for calculating the financial equivalent of the damage $D_{IS}$ caused by the negative impact on the TDT is similar to (2):

$$D_{IS} = \sum_{i=1}^{N_{IS}} \left( c_i + d_i + U_i \right), \qquad (3)$$

where for the majority of $i$: $c_i = d_i = 0$; however, $N_{IS} \gg N_0$.
When comparing the damage magnitudes $D_0$ and $D_{IS}$, the main difference is the following: $N_{IS} \gg N_0$. This leads us to the conclusion that, in the case of computer attacks on the information infrastructure used for educational purposes, the damage values $D_0$ and $D_{IS}$, expressed in notional financial equivalent, are comparable in order of magnitude.
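As an added illustration of equations (1) to (3) (example code written for this page, not code from the paper or its authors), the following Python computes the risk sum of (1) and the damage sums of (2) and (3) on constructed inputs, and checks the paper's claim that the CII damage and the TDT damage can be comparable in order of magnitude when $N_{IS} \gg N_0$ even though treatment and lost-labour costs are zero in the TDT case. The letter D (a stand-in for the paper's damage symbol), the function names and all numeric values are assumptions introduced here.

```python
"""Worked illustration of the risk/damage model of Section 4 (added example)."""
import math


def risk(attacks):
    """Equation (1): R_CA = sum over attack kinds i of P_CA,i * D_i.

    `attacks` is a list of (P_CA_i, D_i) pairs: the probability of a
    successful attack of kind i and the notional damage it causes
    (D stands in for the paper's damage symbol, lost in text extraction).
    """
    return sum(p_i * d_i for p_i, d_i in attacks)


def damage(sufferers):
    """Equations (2)/(3): total damage as the sum over the N sufferers of
    treatment cost c_i, lost labour capacity d_i and moral damage U_i."""
    return sum(c_i + d_i + u_i for c_i, d_i, u_i in sufferers)


def same_order_of_magnitude(a, b):
    """True when two positive damage values lie within a factor of 10."""
    if a <= 0 or b <= 0:
        raise ValueError("damage values must be positive")
    return abs(math.log10(a) - math.log10(b)) < 1.0


# Constructed inputs (not data from the paper), in notional money units.
# A CII control-object incident: N_0 = 20 sufferers, each with treatment,
# lost-labour and moral damage components (c_i, d_i, U_i).
CII_SUFFERERS = [(5000, 2000, 3000)] * 20

# A TDT outage: N_IS = 20 000 students and teachers, c_i = d_i = 0 for all
# of them, and only a small moral damage U_i each (N_IS >> N_0).
TDT_SUFFERERS = [(0, 0, 15)] * 20_000


def compare_damages():
    """Return (D_0, D_IS, comparable) for the constructed scenarios."""
    d_0 = damage(CII_SUFFERERS)
    d_is = damage(TDT_SUFFERERS)
    return d_0, d_is, same_order_of_magnitude(d_0, d_is)


def total_risk():
    """Equation (1) over two constructed attack kinds hitting the TDT:
    a frequent minor outage and a rarer, costlier personal-data leak."""
    return risk([(0.30, 10_000), (0.05, 300_000)])


if __name__ == "__main__":
    d_0, d_is, comparable = compare_damages()
    print(f"D_0 = {d_0}, D_IS = {d_is}, same order of magnitude: {comparable}")
    print(f"R_CA = {total_risk()}")
```

With these constructed values the 20 CII sufferers and the 20 000 TDT users produce damage totals of 200 000 and 300 000 units respectively, which is exactly the effect the paper argues for: many small per-user moral damages add up to the same order as a few large per-person damages.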
5. Conclusion
Based on the analysis of TDT, we can conclude that there is a wide range of such programs. At the same time, in terms of their compliance with Russian legislation on personal data protection and from the standpoint of so-called "digital sovereignty", the choice is significantly narrowed down to a few programs. The basic parameters of a teacher's digital tools are presented in Tables 1 and 2, but just a few of the products can be recommended.
The damage, expressed in notional financial equivalent, done to a typical information system relating to objects of critical information infrastructure (CII), equation (2), and the damage to an information system used for educational activities, a teacher's digital tool, equation (3), are comparable in order of magnitude.
Consequently, it becomes obvious that particular attention should be paid to TDT, which should be easy to use, have minimal system requirements and, at the same time, provide a high level of protection from computer attacks and sanctions pressure.
6. References
[1] Federal State Educational Standard of Higher Education, Bachelor's degree in 09.03.01 Informatics and Computer Technology. Approved by order of the Ministry of Education and Science of the Russian Federation of September 19, 2017, No. 929.
[2] Ministry of Education and Science of the Russian Federation. Order of October 6, 2009, No. 413 "On the approval and implementation of the Federal State Educational Standard for General Secondary Education".
[3] Digital tools of the teacher. Experience of the Department of Computer Engineering and Modeling of the Physics and Technical Sciences Institute, 2020. URL: https://cfuv.ru/news/cifrovye-instrumenty-prepodavatelya-opyt-kafedry-kompyuternojj-inzhenerii-i-modelirovaniya-fiziko-tekhnicheskogo-instituta.
[4] J. Cox, Zoom is Leaking Peoples' Email Addresses and Photos to Strangers, Vice, 2020. URL: https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos.
[5] Federal Law "On Personal Data" of July 27, 2006, No. 152-FL.
[6] All-Union State Standard ISO/IEC 31010-2011. Risk management. Risk assessment methods. Moscow: Standartinform, 2012. Approved and put into effect by Order of the Federal Agency for Technical Regulation and Metrology No. 680-st 4 of December 1, 2011.
[7] A. I. Ibragimova, Civil law essence and definition of the concepts of harm and loss, Problems of Economics and Legal Practice, No. 5, 2013. URL: https://cyberleninka.ru/article/n/grazhdansko-pravovaya-suschnost-i-opredelenie-ponyatiy-vreda-i-ubytkov.