This is part two in a three-part interview with Kelley Misata, a Ph.D. candidate at Purdue University’s CERIAS. In the first installment, Misata discussed privacy and risk communication and its relationship with security.
Question: At your Lonestar Application Security Conference (LASCON) keynote, you encouraged attendees to “reframe what we think we know” about privacy and to move away from “scary stories” and fear. How can we move from a place of fear to reframe the conversation?
Answer: There are a few things we can do on this front. First, we need to be patient with ourselves and others. This is all very complex, fast-moving stuff we are dealing with in security. For many veterans in this field, it is second nature to think a certain way about technology and security, but for average users, it is still very mystical and sort of scary. But there are ways to get information across that people can understand. For example, I have a way of teaching how Tor works by using envelopes and pieces of paper.
Fear is useful in some instances but harmful in others. It makes our hearts beat fast and we lose our breath, making it difficult to think clearly. What I tell people often is: Let’s first acknowledge there are bad people in the world. Right? OK, now that we acknowledge they are there and can even assess their motives, let’s get busy with learning about where we can control our own safety. Being afraid of the bad guys will not help us stay any safer. But what we can do is to think about what security and privacy means for us as individuals — learn what we have at risk and what needs to be protected to what level.
Last, we need lots of voices at the table when we are talking security. Though there are extraordinary experts in the information security and privacy field, where we can help reframe the conversation is to bring more voices into it. I’m fortunate that Dr. [Gene] Spafford and Dr. [Marcus] Rogers saw that an MBA like me would add value to the conversations of security at Purdue and that there is value in bringing nontechnical minds into the equation.
At the end of the day, we can all read about scary stories about information security, threats and breaches in the news every day. Where we have opportunity is to help people understand what it all means — not sugarcoat it, but make it easy for people to digest — and arm ourselves with better tools to manage it. And remind people to breathe! I was afraid for years at the hands of one person (cyberstalker) — I’m done being afraid and I want to helps others to stop being afraid, as well.
Kelley, what are you learning in your research at Purdue about how cybersecurity can help improve the ways crisis centers support people in crisis? Is this a tools problem? A process problem? A little of both?
Well, I’m just beginning the deep dive into this research, but from what I’m seeing at the surface, it is a combination of technology, policy and people that need to work in concert in order to provide the best possible security for the moment.
We have an opportunity to help these centers identify what is at risk (digital assets) and what systems they currently have in place to protect themselves. We also have an opportunity to assess what off-the-shelf security products or free technologies they are using and how. Are these tools providing the levels of privacy, security and anonymity the user is expecting?
Second, many of these crisis organizations are nonprofits or funded by government agencies. Examining policy, regulations and laws for these organizations as it pertains to information security and privacy should also prove to be very interesting.
The humans in the system can never be overlooked. There is significant research on bring-your-own-device (BYOD) and other employee- and employer-related topics in information security. I’m curious to see not only how this is the same/different in the crisis center environment, but also how education around security and privacy is discussed within these organizations.
In the end, it is a system of delicate connections between technology, policy and people I’m very curious to look into — in environments where safety is a top priority.
In the final part of this series, Kelley Misata discusses her experiences as in instructor on Surveillance and Privacy at Emerson College.
Get more great insights from Kelley Misata in this exclusive podcast
Executive Security Advisor, IBM Security