To Defeat a Hacker, Learn to Think Like One

UA Professor Teaching Students to Overcome ‘Weak Links’ in Cybersecurity

By DAVID MILLER

In Dr. Gregory Bott’s applied cybersecurity class, students learn to defend against hackers by thinking like them and practicing hacking techniques.

The idiom “knowing is half the battle” concluded each episode of the 1980s cartoon “G.I. Joe.” Its message of making informed decisions is just as true in 2018.

But there’s a knowledge imbalance in cybersecurity, particularly in enterprise settings, according to Dr. Gregory Bott, assistant professor of information systems at UA. Organizations rely too heavily on technology and not enough on user awareness, and each year that imbalance costs billions of dollars and leads to the theft of sensitive data. That knowledge imbalance can cost businesses the cybersecurity battle.

Bott spent more than 20 years in industry before joining the Culverhouse faculty in 2017. Throughout his career, from creating collaborative applications for Microsoft to building extranets for companies like Dr. Pepper, Bott has seen numerous instances where “the weakest link” in security has compromised networks.

“When I was consulting, I had a resort that had point-of-sale stations everywhere,” Bott said. “There was an employee that was head of food and beverage, and she opened an attachment in an email and it was game over – CryptoLocker ransomware had spread everywhere. Everything was locked up, and we had to restore every terminal. They were down for five or six hours, running off paper and giving food away. She had such access to the entire system that it went rampant. So what is it we could have done for her to prevent that?”

Employees are often the weak links in cyberattacks on businesses both large and small, Bott said. Understanding why employees don’t comply with security policies, and how to bring them into compliance, is paramount to maintaining a secure network. “Behavioral information security” has a wide range of implications for security and business, and Bott is teaching Culverhouse students ways to lower liability and risk in an enterprise setting by better understanding threats.

“What does it look like for people in your company that do bad things?” Bott said. “And what drives them? And if you’re creating a training program, what resonates with people? Is it the threat? Should we really focus on the fact that the company could be damaged, or that your job could be at risk if you don’t do this? Or do we appeal to duty or common good? There are so many different aspects of security that deal with the person.”

In Bott’s “applied cybersecurity” class, students learn to defend by thinking like a hacker. They practice hacking techniques such as “SQL injection” (a method used in the data breach of Sony), cracking WiFi networks and carrying out “man-in-the-middle attacks.” The simulations take place in a controlled, virtualized environment where students play both offense and defense. The experiences create a concrete understanding of attacks that will benefit students who plan to work as security analysts as well as those headed for traditional roles in business, Bott said.

“They’re going to have to deal with security and have a voice somewhere, somehow,” Bott said, “and so they’ll be really well prepared to know about the kinds of attacks, even if they’re not the one directly responsible for defense. They’re going to have a deep awareness of what can be and what should be done, and that’s the thrust of the course.”

The University of Alabama, the state’s oldest and largest public institution of higher education, is a student-centered research university that draws the best and brightest to an academic community committed to providing a premier undergraduate and graduate education. UA is dedicated to achieving excellence in scholarship, collaboration and intellectual engagement; providing public outreach and service to the state of Alabama and the nation; and nurturing a campus environment that fosters collegiality, respect and inclusivity.