IS Ethical Attitudes Among College Students: A Comparative Study Albert L. Harris Dept. of Information Technology & Operations Management Appalachian State University Boone NC 28608 (828) 262-6180 harrisal@appstate.edu Abstract The latest rash of virus and worm attacks has increased public awareness concerning unethical and criminal actions that result from the use of computers. To increase ethical behavior when using computers, educators have to raise the level of ethical awareness of professionals and future IS professionals. This paper reports on a study to compare the attitudes regarding IS ethics among college students. The results are based on the responses of 712 students toward ethical situations of 20 individual situations in 16 scenarios. They show that there is a difference in attitudes as students mature through the educational process in 12 of the 20 individual situations and between genders in 8 of the 20 individual situations. Keywords: IS Ethics, Privacy Issues, Ethical Conduct 1. BACKGROUND Computer ethics has been a familiar research topic in the 1990s, but the latest rash of virus and worm attacks, specifically the ILOVEYOU worm, has seen the interest in computer ethics rise dramatically. While other business functions (marketing, accounting and finance) developed ethical codes many years ago, the Information System (IS) function is still very young and has little historical precedent for dealing with ethical issues (Vitell, Scott, & Davis 1990). The recent ILOVEYOU worm has highlighted the fact that there are serious ethical problems and issues being faced by all computer users, and especially with IS professionals. Initially, the areas of concern were software piracy, viruses and misuse of information, but laws were enacted in the 1980s and 1990s to address these issues. Now, due to the technological changes of the last few years and the far-reaching impact of the Internet, new ethical issues include, but are not limited to, the malicious release of worms and viruses, electronic fraud, extortion and espionage. Estimates of damage of the ILOVEYOU worm range up to $10 billion worldwide, mostly in lost work time (Winston-Salem Journal 2000). The cost to businesses, governments, and individuals as a result of all computer crime is hard to calculate since approximately 11% of all computer crimes are actually reported (Flanagan & McMenamin 1992). Yet, the FBI estimates that losses due to computer crimes in the United States are in the billions of dollars (Flanagan & McMenamin 1992). The Internet has compounded the problem greatly. As more corporate resources become directly accessible through the computer, opportunities multiply for access, both in number of computers that can be affected and in the speed in which unethical actions can spread. It is evident from these numbers and the severity of these crimes that there is a continuing need to increase students' awareness to the ethical dilemmas they may face during the tenure of their careers. AITP and ACM, two computer professional organizations, have recognized the need for ethical standards and have had Codes of Ethics for their members for many years. In both sets of codes there are three common principles: 1) to maintain competence, 2) to disclose conflict of interest and 3) to maintain confidentiality of information (even after employment ceases) (Cohen & Cornwell 1989). Yet not every computer user and IS professional is a member of either of these organizations, and therefore does not necessarily follow these codes. Because of the tremendous amount of data one can have access to and the interconnect ability of computers due to the Internet, more opportunities for ethical abuse are created. As a result, there is a greater need to promote ethics and ethical guidelines to computer users. A perfect place to start is in the college and university setting. Previous research in the area of computer ethics (Cohen & Cornwell 1989, Cougar 1989, Kallman 1992) has resulted in many different ideas of how to teach ethics, how to measure attitudes toward ethical situations and how to promote ethical behavior. In his groundbreaking research, Mason (1986) highlighted four major issues of information ethics for the information age. These issues, often referred to as PAPA, are: Privacy, Accuracy, Property and Accessibility. Of all ethical situations encountered, each one can be categorized in at least one of the four areas. Several studies have been performed over recent years to address these and other issues. Parker (1980) discussed the role of ethics in information systems and presented a set of ten steps for promoting ethical behavior in an organization. Cougar (1989) presented an approach to teaching IS students to deal with ethical issues that require students to determine how they would act in various ethical scenarios. Solomon and O'Brien (1990) looked at the effect of various demographic factors on students' attitudes toward piracy. Wood (1993) examined the relationship between years of computer usage and the ethical attitudes of IS managers and users. His survey also used ethical scenarios and was presented to professionals only. Paradice (1990) examined the differences in attitudes between MIS and non-MIS majors using a survey with twelve ethical situations presented. Kini et al. (2000) looked at software piracy and moral intensity among university students. Im and Koen (1999) examined the effects of software piracy in an educational institution. Gopal and Sanders (1998) looked at the broader issues of international software piracy. The issue of ethical decision-making and its role in both academic and business worlds is still of great concern. Before we can begin to address how to improve ethical actions in both academia and business in today's Internet-driven world, we must first understand the attitudes of those people that will be faced with ethical decisions. 2. QUESTIONNAIRE DEVELOPMENT AND DESIGN Previous research efforts have been based on the use of surveys that capture respondents' attitudes toward various ethical situations or scenarios (Cohen & Cornwell 1989, Cougar 1989, Forcht 1992, Kievit 1991, Paradice 1990, Parker 1980, Wood 1993). It was decided that the survey methodology would be an appropriate approach for current research. Several different approaches have been used in the development of a survey instrument to measure respondents' attitudes toward various ethical situations. Paradice (1990) used a survey with 12 scenarios. He developed his scenarios around 3 general ideas: obligation, opportunity and intent. These seemed to be aimed at the individual making the decision. Mason (1986) developed his ideas around the impacted issue. Kievit (1991) used seven scenarios dealing with corporate-type property and data in her study. The survey instrument used in this study was created using 16 scenarios that could be categorized in one of four categories, roughly developed around Mason's PAPA (Mason 1986). However, the categories have been modified to express the interests in the current IS environment. The categories are: data access, changing data, software use, programming abuses, and illegal use of hardware. These categories seem to include the many ethical areas of particular concern to IS and business professionals today. One additional variable that was added to the design of the instrument was the phrasing of the scenarios. Paradice (1990) and Wood (1993) used the impersonal approach in each of their scenarios (ex. A student gives out a password or an engineer needed a program to perform . . .). Forcht (1992) and Kievit (1991) used the personal approach (ex. You give out a password or you need a program . . .). To measure the affect of the phrasing, two versions of the questionnaire were developed, one using the personal approach and the second using the impersonal approach. Analysis could them be one to see if placing the subject in the scenario would reflect a different attitude toward the severity of the action. Responses to the questionnaire are recorded using a 5-point Likert-type scale. Previous researchers (Paradice 1990, Wood 1993) used 3-point scales. Wood (1993) used Ethical, Unethical, and Computer Crime, as his choices while Paradice (1990) used Acceptable, Questionable, and Unacceptable to measure his respondents' attitudes. The survey instrument used in this study was based on a 5-point scale that included the following choices: * Ethical - There is no question that the action is correct in every sense of the word. Ethically, morally, and legally, this is proper behavior. * Acceptable - The action is acceptable to you, although you may have some doubts due to morals or other beliefs. * Questionable -There is some question as to the moral or ethical aspects of the action. The action truly belongs in the "Grey area" of human behavior. * Unethical - The action is contrary to your moral and ethical standards, although not a crime. This is truly unacceptable behavior. * Computer Crime - The action is unethical and illegal and the person responsible should be prosecuted for a criminal act. This scale was chosen to more accurately reflect the respondent's sensitivity to each scenario. 3. METHODOLOGY The survey was administered to 712 college students over a wide variety of classes. Included in the sample were graduate and undergraduate students, Computer Science majors, Criminal Justice majors, Information Systems majors and liberal arts majors. Each time the instrument was administered approximately one half of the subjects randomly received the impersonal (a student) version of the questionnaire and the other half randomly received the personal (you) questionnaire. The analysis in this study is centered around three research questions: 1) Does the sensitivity of ethics change as students mature and progress through various academic levels? The research hypothesis tested was: Ho(1): µ1(1) = µ2(1) = µ3(1) vs. Ha(1): The means tested were: µ1(1) = Freshmen/Sophomore attitudes µ2(1) = Junior/Senior attitudes µ3(1) = Graduate Student attitudes 2) Is there a difference in sensitivity between males and females? The research hypothesis tested was: Ho(2): µ1(2) = µ2(2) vs. Ha(2): The means tested were: µ1(2) = Female attitudes µ2(2) = Male attitudes 3) Is there a difference in sensitivity if the subject is made a part of the scenario? The research hypothesis was: Ho(3): µ1(3) = µ2(3) vs. Ha(3): The means tested were: µ1(3) = Responses from Impersonal form of questionnaire µ2(3) = Responses from Personal form of questionnaire The subjects were categorized by academic level, gender and into the personal or impersonal category based on the responses to the questionnaire. Various statistical analyses were performed using the SAS statistical procedures. Since sample sizes of the various groups differed, the General Linear Model (GLM) procedure was used to test the difference among group means. The results of that test are shown in Exhibit 1. Duncan' Multiple Range test, Scheffe's, and Sidak's T test grouping procedures were used to differentiate group means. All tests were performed using both .05 and .01 significance levels. To increase the sensitivity of the analysis, all results are shown using a .01 significance level. 4. RESULTS Overall, the results indicate sensitivity toward unethical conduct in various situations. The highest score (Q5: 4.37, where 4 = unethical and 5 = computer crime) regarded the selling of shareware by the individual. Other high scores were the changing of data others used (Q7: 3.97), changing of data to avoid payment of dollars (Q3: 3.91) and failure to report an error in a program (Q15: 3.78). The lowest score (Q1: 2.27) dealt with the manager looking at a subordinate's E-mail where there was a policy on the matter. Other low scores were copying software for backup only (Q8: 2.34) and giving an old version of a program to someone else when the person received the new version (Q6: 2.56). The results of the analyses as they apply to the three hypotheses are summarized in the following paragraphs. Sensitivity Change Through Academic Levels The first hypothesis dealt with the change of sensitivity of ethics as students mature and progress through various academic levels. Respondents were grouped according to academic level (Freshmen/Sophomores, Junior/Senior, or Graduate) depending on their academic standing. Exhibit 2 shows where there was a difference among group means for the actions in the scenarios. The results show that 10 of the 20 individual situations resulted in differences between at least two of the three groups tested. In all but 1 of the differences, graduate students had the highest sensitivity (i.e. rated the action of the individual higher on the scale rather than lower). The one area rated lower by the graduate students concerned the employee actions using E-mail with a policy. In this area, Freshmen/sophomores scored the highest sensitivity. These ratings seem logical and consistent since many graduate students have been in the work force and, therefore, realize the importance of ethics and questionable or unethical behavior. Working people might also relate with the employee's use of E-mail in the scenario, where Freshmen/ Sophomores have had little experience with E-mail, especially in a business environment. All groups believed changing data (questions 3 and 7) was generally unethical (group means were between 3.9 and 4.2) behavior. Surprisingly, all groups believed the release of a non-destructive virus and the creation of a potentially illegal database were only questionable (group means were between 2.8 and 3.1 for both actions). Also, Freshmen/ Sophomores believed the release of a destructive virus was only questionable (3.18) while the other two groups believed the action was unethical (3.66 & 4.00). It should be noted that the questionnaire was completed before the ILOVEYOU virus made news. Gender Differences The second hypotheses dealt with the difference in sensitivity between males and females? The results show that 8 of the 20 individual situations resulted in differences between male and female responses. Exhibit 2 shows where there was a difference among group means between gender for the actions in the scenarios. Analysis of the results shows two surprising findings. First, there was a difference between genders in all five of the actions regarding software use. In all cases, the female was higher than the male average. This seems to indicate a higher sensitivity to software issues by females. Second, five of the eight differences were on actions that showed no sensitivity differences among the academic levels. This seems to indicate that ethics sensitivity between genders is a very different issue than among academic levels. Further research is warranted to explore and explain both of these areas. Question Differences The third hypotheses dealt with the difference in sensitivity between a scenario that included the respondent (you) and a scenario that was impersonal (the student or Mary). The results showed there were no differences when using the two scenarios. This seems to indicate that the results of ethics research should not vary based on personal or impersonal scenarios. 5. CONCLUSIONS The objectives of this research were to test three hypotheses regarding sensitivity about ethics in various information systems scenarios. There is some evidence that sensitivity to ethical issues in information systems rises as academic levels rise. This occurred in half of the actions. In most of the differences (nine out of ten), the graduate students had the highest sensitivity. This is probably due to their experiences, both in the workplace and academic. Data is being gathered from IS and business professionals so that the sensitivity of this group can be compared to the academic levels. There seems to be some evidence that there is a difference in sensitivity between males and females in certain ethical situations. There was a difference in sensitivity in all five situations reflecting software use, with the females having the higher sensitivity all five times. This seems to be a good area for additional research and analysis. Overall, the area of sensitivity regarding ethics in information systems could use some additional research. It is not clear why or how individuals acquire a heightened (or reduced) sensitivity to ethical issues in information systems. This is an important issue to software houses, information systems managers, and users of technology. If we could understand the why and how, we can educate all users on ethical issues in information systems. 6. REFERENCES Cohen, E. & Cornwell, L. "A Question of Ethics: Developing Information Systems Ethics," Journal of Business Ethics, 1989, pp.431-437. Cougar, J.D. "Preparing IS Students to Deal With Ethical Issues," MIS Quarterly, Vol. 13, No. 2, June 1989, pp. 210-216. Flanagan, William & McMenamin, Brigid. "The Playground Bullies are Learning to Type", Forbes. December 21, 1992, pp. 184-189. Forcht, K.A. "Assessing the Ethical Standards and Policies in Computer-Based Environments," Dejoie, R., Fowler, G. & Paradice, D. (ed) Ethical Issues in Information Systems, 1992, Boyd & Fraser Publishing Co., Boston, MA. Gopal, Ram D. & Sanders, G. Lawrence, "International Software Piracy: Analysis of Key Issues and Impacts," Information Systems Research, Vol. 9, No. 4, December, 1998, pp. 380-397 Im, Jin H. & Koen, Clifford M. "Factors Affecting Software Piracy in An Educational Institution," Journal of Computer Information Systems, Vol. XXXIX, No. 3, Spring 1999, pp. 73-76 Kallman, E.A. "Developing a Code for Ethical Computer Use," Journal of Systems Software, Vol. 17, 1992, pp. 69-74. Kievit, Karen-Ann. "Information Systems Majors/Non-Majors and Computer Ethics," Journal of Computer Information Systems, Fall 1991, pp. 43-49. Kini, Ranjan, Rominger, Anna, & Vijayaraman, B. S. "An Empirical Study of Software Piracy and Moral Intensity Among University Students," Journal of Computer Information Systems, Vol. XXXX, No. 3, Spring 2000, pp. 62-72 Mason, R.O. "Four Ethical Issues of the Information Age," MIS Quarterly, Vol. 10, No. 1, March 1986, pp. 4-12. Paradice, David B. "Ethical Attitudes of Entry-Level MIS Personnel, " Information & Management, 18 (1990) 143-151. Parker, D.B. Ethical Conflicts in Computer Science and Technology, AFIPS Press, 1980. Parker, D.B. "Ethics for Information Systems Personnel," Journal of Information Systems Management, Vol. 5, No. 3, Summer 1988, pp. 44-48. Solomon, S.L. & O'Brien, J.A. "The Effects of Demographic Factors on Attitudes Toward Software Piracy," The Journal of Computer Information Systems, Spring 1990, pp. 40-46. Vitell, Scott, J. & Davis, Donald, L. "Ethical Beliefs of MIS Professionals: The Frequency and Opportunity for Unethical Behavior," Journal of Business Ethics, Vol. 9, 1990, pp. 63-70. Winston-Salem Journal, "New Bug Slowed by Virus Guards," May 20, 2000, Page A1; A11 Wood, Wallace A. "Computer Ethics and Years of Computer Use," Journal of Computer Information Systems, Summer 1993, pp. 23-27. Exhibit 1 PROBABILITY THAT THE GROUP MEANS DIFFER Accessing Data Pr:Ha(1) Pr:Ha(2) Pr:Ha(3) Q1 - E-Mail W/Policy (Manager) .1097 .0066** .3400 Q2 - E-Mail W/Policy (Employee) .0001** .2433 .2589 Q14 - E-Mail No Policy (Manager) .0024** .4937 .0452* Q18 - Access of payroll records .0001** .0189* .0898 Changing Data Q3 - Own Data to Avoid payment of dollars .0416* .2079 .0699 Q7 - Data Others Utilized .0903 .0009** .1401 Software Use Q4 - Does not Register shareware .0417* .0001** .0172* Q5 - Sells Shareware .0003** .0042** .1160 Q6 - Gives old version of program to another .0001** .0001** .9173 Q8 - Copies software for backup only .0190* .0001** .7340 Q16 - Loads program into two computers .1088 .0005** .0830 Programming Q11 - Non-destructive virus .0095** .0345* .3979 Q12 - Write program with inaccurate data (Programmer) .0001** .0811 .3324 Q13 - Write program with inaccurate data (manager) .0005** .0362* .2366 Q15 - Failure to report error in program .0062** .3233 .4143 Q17 - Destructive virus .0001** .0024** .5963 Illegal Use of Hardware Q9 - Student gives access to computer account .0003** .1077 .1616 Q10 - Student receives unauthorized access to computer account .0001** .0313* .4842 Q19 - Use of computer time for private business .0337* .0233* .7445 Q20 - Creation of a potentially illegal database .0473* .1191 .0216* * indicates significant at the .05 level ** indicates significant at the .01 level Exhibit 2 DIFFERENCE IN GROUP MEANS ---- Academic Levels ---- Gender Accessing Data 1 & 2 1 & 3 2 & 3 M & F Q1 - E-Mail W/Policy (Manager) *** Q2 - E-Mail W/Policy (Employee) *** Q14 - E-Mail No Policy (Manager) *** Q18 - Access of payroll records *** *** Changing Data Q3 - Own Data to Avoid payment of dollars Q7 - Data Others Utilized *** Software Use Q4 - Does not Register shareware *** Q5 - Sells Shareware *** *** *** Q6 - Gives old version of program to another *** *** *** Q8 - Copies software for backup only *** Q16 - Loads program into two computers *** Programming Q11 - Non-destructive virus Q12 - Write program with inaccurate data (Programmer) *** *** Q13 - Write program with inaccurate data (manager) *** *** Q15 - Failure to report error in program Q17 - Destructive virus *** *** *** Illegal Use of Hardware Q9 - Student gives access to computer account *** *** Q10 - Student receives unauthorized access to computer account *** *** Q19 - Use of computer time for private business Q20 - Creation of a potentially illegal database *** = Difference in group means (Duncan) at the .01 level Group 1 = Freshmen/Sophomores Group 2 = Juniors/Seniors Group 3 = Graduate Students ??