Colleges go above and beyond for cybersecurity training

When Whitworth University was hit by a cyber attack earlier this year, it faced a public relations nightmare, significant financial burden and a data breach that may have affected thousands of past and present students and staff. The incident was one of a growing number of cyber attacks against colleges since 2020. Such attacks have more often succeeded against higher education than other sectors, including business, health care and financial services.

Although college information technology offices have long worked behind the scenes to strengthen institutional defenses, their countermeasures, such as installing network threat detection and risk mitigation systems, are often invisible. Meanwhile, students, faculty and staff—end users—who remain unaware of security threats pose significant risk.

Mandatory cybersecurity awareness training helps, but is often top-down and requires email nudges from managers, according to Chas Grundy, director of IT strategy and transformation at the University of Notre Dame. As a result, community members are often slow to engage.

This year, Notre Dame decided to do something different: a cybersecurity festival intended “to reach people’s hearts and minds in a way that would stick and draw them into it as a counterpart to mandatory education,” Grundy said.

Notre Dame is one of several institutions experimenting with unconventional cybersecurity education in the form of festivals, art installations and role-playing games. Here are examples of serious online security training in fun formats, including some lessons learned and rewards along the way.

Cyber Security Festivals

Cyber threats are the “No. 1 risk” to Notre Dame, the institution’s board of trustees told Grundy.

“End users are risk vectors for all of this — gift card fraud, job scams, phishing, research compromise, compliance,” Grundy said in a session on the topic at the 2022 Educause Annual Conference. “It is very important that end users are trained in cyber security.”

Grundy and his team understand community members’ blind spots, which include poor-quality passwords, inability to recognize phishing scams, and inaction in securing home networks and devices. To enhance knowledge, the team envisioned a highly visible and inviting cybersecurity carnival that would house a variety of engaging activities. They paired their idea with 1,600 balloons, 9,750 candies, 1,500 bags of popcorn, 1,300 cotton candy, 50 volunteers, 19 art parodies, five skits and eight carnival games on cyber security themes.

[Image: a parody of Vermeer's Girl With a Pearl Earring, in which the girl looks at the painter and away from an open laptop.]

The cybersecurity strongman game, for example, asked carnival participants to choose the strongest password from a range of options. A “go phish” activity asked participants to spot indicators of a phishing email. A “slam the spam” trivia event quizzed attendees on security trivia. A lock-picking workshop allowed participants to consider locks from a bad actor’s point of view and discover inner motivation to better protect themselves.

Art featured prominently at the event held last month. In an exhibit titled “Museum of Mishaps,” famous works of art were altered to depict cybersecurity flaws. Johannes Vermeer’s Girl With a Pearl Earring was parodied as Girl With Open Webcam. Salvador Dalí’s The Persistence of Memory was transformed into Protection of Memory. Caravaggio’s Boy Bitten by a Lizard became Boy Bitten by a Fish. Students also performed live sketch comedy in an event called Security Night Live.

Notre Dame’s Cybersecurity Carnival attracted 1,000 members of the community, slightly skewed toward faculty and staff (43 percent students and 57 percent staff and faculty). Almost all (96 percent) reported that they would recommend the event to a friend or colleague.

The core information technology team did not have the capacity to plan, deliver and finance the event on their own, said Elizabeth Lankford, an IT services manager at Notre Dame. By necessity, the event was a community effort.

“Tap into people, give them room to flourish, tell them ‘Here’s a way for you to be a leader,’” Lankford said. The team also recruited student workers, who then recruited their friends to attend the event.

[Image: The Screen, by Casey Kiel, based on The Scream by Edvard Munch. This tortured character responded to a pop-up warning that his PC was at risk unless he downloaded free antivirus software immediately. Instead of protecting his data, this malicious malware actually blocked his computer from using legitimate antivirus solutions and opened him up to attack.]

The team sought funding from suppliers. Chris Daugherty, a field representative for Google, considered the company’s sponsorship a victory, as the two most scanned QR codes of the day were: “How do I get a job at Google?” and “How do I secure myself in a Google environment?”

The team missed some opportunities, Grundy said. The campus art museum, for example, loved the Museum of Mishaps and wanted to contribute when they found out about it – a day after the event.

To promote the event, students dressed in costumes to hand out flyers. Those dressed as police officers handing out “tickets” to advertise the event were popular. But others dressed as “cyber security clowns”, wearing T-shirts with slogans such as “my password is 1234”, were shunned.

“Most people met the clowns and it was like the magnetic resistance,” Grundy said. “Being in costume on campus as clowns was definitely a learning experience – not efficient.”

Stanford University also recently hosted a cyber security festival – one focused on secure cloud practices. The event, whose slogan was “cloudy with a chance of awesome”, featured high-profile speakers including former Secretary of State Condoleezza Rice, as well as engaging activities such as lock picking and hacking activities.

“When you think of cybersecurity, you might think of a hacker in a hoodie in a dark, mysterious room,” said Amy Steagall, chief information security officer, who believes students and staff are an institution’s first line of defense. “I’m trying to make the Office of Information Security not dark and mysterious to our community. The festival gave us a platform for people to come up and talk about cyber security with us.”

IT professionals may never know if their cyber awareness training averts a disaster that might otherwise have occurred. Nevertheless, many see signs of increased digital competence in their local communities.

“When I start hearing things like, ‘Hey, I don’t need to get these phishing campaign emails anymore because I recognize them every time,’ that’s when I know what we’re doing is working,” Steagall said.

Cybersecurity art installation

End users who experience a fatal denial-of-service attack often do so in the relative comfort of their home or college while staring at a silent screen loading an error page. That experience does not convey the flood of traffic that, at the moment of an attack, crashes the victim’s computer.

To spur people to consider the “noise” of a denial-of-service attack, Tanner Upthegrove, a media engineer at Virginia Tech, created the Tesseract, an immersive audio experience.

“We’re all familiar with visualizing data, but we don’t take advantage of the incredible human ear, which has less fatigue than, say, if you look at a screen for many hours,” Upthegrove said. “The human ear can hear sounds coming from all directions and analyze these currents extremely well.”

When someone enters the Tesseract – a cube equipped with 32 speakers – they first experience an audio simulation of network security data in normal operation, followed by an audio simulation of a deadly denial-of-service attack.

“Say you have a constant tone – ooooh – and then the tone changes – whoa whoa whoa. It’s a pretty clear change to the human ear,” Upthegrove said, even when a collection of such changes comes from many speakers. “For someone who has never experienced an immersive auditory display like this tesseract system with 32 or 64 speakers around it, it’s new to just hear intentional sounds overhead, behind, even below, even though that’s how we always hear everything.”

Most people begin the experience in a state of conscious listening, reports Upthegrove. At first, ambient sounds are soft and low. As participants walk around inside the cube, the sounds change as they move. Over time, the sounds build to a cacophonous moment meant to depict the moment a cyber attack overwhelms a victim computer and the aftermath.

“It creates some empathy,” Upthegrove said of the sonification of data. “Using spatial sound to convey abstract things really resonates – no pun intended – with a lot of people.”

Cyber security role play

Louisiana Tech University put an interdisciplinary, murder-mystery spin on its cybersecurity awareness effort. Students, faculty members, and staff enter simulated environments to participate in Analysis and Investigations through cyber-scenario role-playing. There, they act as government officials facing real-world cyberattacks.

Participants are encouraged to think critically as they work to solve the scenario that was designed by faculty from computer science, history, engineering, literature, mathematics and political science. In the process, they increase their awareness of cyber security from social, political and ethical points of view.

The university has also extended the program to upper secondary school students in the community.

“It’s self-serving for the university, because we’re able to recruit a lot of really strong students, not only to the College of Engineering and Science, but also to the university,” said Heath Tims, an associate professor of mechanical engineering at Louisiana Tech. As a bonus, when former program participants later enroll in college, they come armed with a heightened awareness of cybersecurity.
