Getting their Hands Stuck in the Cookie Jar - Students’ Security Awareness in 1:1 Laptop Schools

Fredrik Hellqvist, Samir Ibrahim, Robin Jatko, Annika Andersson, Karin Hedström


This paper presents results from an ongoing research project studying schools that have implemented one-to-one-laptops (1:1). The research is interpretative and builds on interviews and survey-responses from students and teachers in two public 1:1 schools in Sweden. We are focusing on the students’ security awareness and compliance by researching into whether the students in 1:1 schools comply with the school’s information security policy (ISP). Theoretically, a security awareness perspective is drawn up  based on three parts - formal, cognitive and behavioral awareness - that should be in parity with each other. This means that the students’ psychological perception and actual behavior should be in parity with the schools’ ISP. Our findings show that the schools have communicated their ISPs well and that the students’ security awareness in most areas is equivalent to the schools’ ISPs. However, we also found many instances where it was not the case that the formal, cognitive and behavioral security awareness were  in parity with each other. In the analysis of the students’ behavioral security awareness we found that despite the fact that they were aware of the rules they occasionally violated them – most notably when file-sharing and the downloading of software were involved.  We conclude by arguing that non-compliance can only be understood based on an understanding of the students’ underlying reason for following or not following the policies and regulations, and that in order to create a secure information environment, school managers must  talk to the students to understand their reasoning.  In a situation where 1:1 is spreading rapidly among schools, studies regarding  students’ security awareness and behavior are urgent, but so far the field is under-examined.

Full Text:



Andersson, S. B. (2006). Newly qualified teachers’ learning related to their use of information and communication technology: a Swedish perspective. British Journal of Educational Technology, 37(5), 665-682. doi: 10.1111/j.1467-8535.2006.00563.x

Atkinson, S., Furnell, S. M., & Phippen, A. (2009). Securing the next generation: enhancing e-safety awareness among young people. Computer Fraud & Security, July, 13-19.

Bebell, D., & Kay, R. (2010). One to One Computing: A Summary of the Quantitative Results from the Berkshire Wireless Learning Initiative. The Journal of Technology, Learning, and Assessment, 9(2), 5-59.

Bjelvenmark, J. (2011). One to One - a student perspective on computer use in Swedish high school. (Bachelor), Linköpings universitet, Linköping. (LIU-LÄR-L-EX--11/34--SE)

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. [Article]. MIS Quarterly, 34(3), 523-548.

Dhillon, G. (2007). Principles of information systems security: text and cases: John Wiley & Sons.

Fried, C. B. (2008). In-class laptop use and its effects on student learning. Computers & Education, 50(3), 906-914. doi: 10.1016/j.compedu.2006.09.006

Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2), 151-157.

Hadeed, L. (2000). Effects of using the anytime, anywhere learning model (laptop program) for the enhancement of problem solving and critical thinking skills. Retrieved from

Hedström, K., Kolkowska, E., & Karlsson, F. (2011). Value Conflicts for Information Security Management International journal of Strategic Information Systems, 20, 373-384.

Hedström, K., Kolkowska, E., Karlsson, F., & Allen, J. P. (2011). Value conflicts for information security management Journal of strategic information systems, 20(4), 373-384.

Herath, T., & Rao, R. H. (2009). Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(106-125).

Inc, L. C. C. (2009). One-to-One Mobile Computing - Literature Review. In A. Education (Ed.), (pp. 65). Alberta: Department of Education and Training.

Johannesson, L. (2011). Poängen med en-till-en? Sex lärares uppfattningar av den personliga datorns roll i lärprocessen (In English: What is the point with one-to-one? Six teachers perceptions of the role of the personal laptop for the learning process). (Master), Högskolan i Jönköping, Jönköping.

Liginlal, D., Sim, I., Khansa, L., & Fearn, P. (2012). HIPAA Privacy Rule compliance: An interpretive study using Norman’s action theory5. Computers & Security, 31, 206-220.

Magklaras , G. B., & Furnell, S. M. (2004). The Insider Misuse Threat Survey: Investigating IT misuse from legitimate users. Paper presented at the Proceedings of the 5th Australian Information Warfare & Security Conference, Perth Western Australia.

Merriam, S. B. (2009). Qualitative Research: A Guide to Design and Implementation: Jossey-Bass.

Nash, K. S., & Greenwood, D. (2008). The global state of information security CIO Magazine, PriceWaterhouseCoopers.

Oates, B. J. (2008). Researching Information Systems and Computing. Cornwall: Sage.

Peck, K., & Sprenger, K. (2008). One-to-One Educational Computing: Ten Lessons for Successful Implementation. In J. Voogt & G. Knezek (Eds.), International Handbook of Information Technology in Primary and Secondary Education (Vol. 20, pp. 935-942): Springer US.

Puhakainen, P. (2006). A design theory for information security awareness. (PhD Doctoral), University of Oulu, Oulu. Retrieved from (A 463)

Rezgui, Y., & Marks, A. (2008). Information security awarenes in higher education: An exploratory study. Computers & Security, 27, 241-253.

Rogers, E. M., Kincaid, L., & Barnes, J. (1981). The convergence model of communication and network analysis. In E. M. Rogers & L. Kincaid (Eds.), Communication Networks: Toward a New Paradigm for Research (pp. 31-78). New York: Free Press.

Silvernail, D., & Lane, D. (2004). The impact of Maine’s One-to-One Laptop Program on Middle School Teachers and Students. In M. E. P. R. Institute (Ed.), (pp. 59). Maine: Maine Education Policy Research Institute.

Siponen, M., & Mahmood, M. A. (2010). Compliance with Information Security Policies: An Empirical Investigation. Computer, 43(3), 64 - 71

Sipponen, M., Wilson, R., & Baskerville, R. (2008). Power and Practice in Information Systems Security Research. Paper presented at the International Conference on Information Systems 2008 (ICIS 2008), Paris, Farnce.

Stanton, M. J., Kathryn, S. R., & Mastrangelo, J. J. (2005). Analysis of end user security behaviors. Computers & Security, 24(2), 124-133.

Valcke, M., De Wever, B., Van Keer, H., & Schellens, T. (2011). Long-term study of safe Internet use of young children. Computers & Education, 57(1), 1292-1305. doi: 10.1016/j.compedu.2011.01.010

von Solms, R., & von Solms, B. (2004). From policies to culture. Computers & Security, 23, 275-279.

Williams, P. A. H. (2008). When trust defies common security sense. Health Informatics Journal, 14(3), 211-221.


  • There are currently no refbacks.