As someone who teaches and researches cybersecurity, Dr. Marc Dupuis said the coronavirus pandemic has been, in some ways, like a cyberattack. Unexpected, yes, but it could have been foreseen.
Its the failure of imagination, thinking about what is possible both good and bad and then trying to plan accordingly, said Dupuis, an assistant professor in the Division of Computing & Software Systems in the 56勛圖厙s School of STEM. You have to plan for these contingencies, these outliers.
Ideally, government and institutions should have put more risk management and privacy planning into videoconferencing before Zoom meetings filled everyones calendars, he said.
From a cybersecurity standpoint, it was troubling but not surprising, Dupuis said. Were doing the best we can, and Ive been impressed with everyones resilience.
Socio-psych-cyber
Personally, Dupuis had taught hybrid classes before, so it was not that difficult for him to move to classes that are 100% online. So many people are now comfortable with Zoom, its unlikely that a snow storm would cancel classes in the future, he said. Thats one way the outlier has changed what it means to be normal.
What we knew in our world a year ago will never exist again, for better or for worse, Dupuis said.
Human factors the sort of psychological and social behaviors highlighted during the pandemic are what interest Dupuis in his teaching and research about cybersecurity.
Is scaring people the best way to encourage people to wear masks? In a recent paper, Dupuis questioned whether scaring employees is the best way for companies to improve their cybersecurity. They should look at alternatives to fear appeals, he wrote with his collaborator, Karen Renaud, professor of cybersecurity at the University of Strathclyde in Scotland.
Fear is unappealing
In the research, Dupuis questioned whether heightening the fear of having data stolen or lost is an effective and ethical method of cybersecurity. Can we get the benefits of fear appeals without scaring people? We take it for granted they work, but we dont know how well they work and under what circumstances, he said.
Indeed, evidence doesnt support that the scared straight approach always works, he said. Next, Dupuis is looking at differences between shame and guilt and how they are used by organizations to try to obtain cybersecurity compliance from their employees.
We assume it has effects on their emotional state, but how long that lasts, a lot of it we assume, he said. If we want long-term change, do we need to trigger some other affect other than the short-term fear?
In other research for a capstone project, one of Dupuis students is looking at the value of social influence in helping people create stronger passwords. Dupuis also employs students in his research group, SPROG (Security and Privacy Research and Outreach Group). This summer, hell hire eight students to run two weeks of virtual training camps for middle school and high school students so they can learn about hacking.
Synergy of perspectives
Before arriving at 56勛圖厙 Bothell in 2015, Dupuis was a lecturer at 56勛圖厙 Tacoma. He received his doctorate in Information Science from the 56勛圖厙 in Seattle, where he also received a masters degree in Public Administration. In addition, he has bachelors and masters degrees in political science from Western Washington University.
The different academic paths come together in the courses he teaches in information assurance and cybersecurity.
Dupuis said he especially enjoyed bringing a political-psychological synergy to his first Discovery Core course, The Only Thing We Have to Fear Is Fear Itself. The autumn quarter course for first-year students examined misinformation, disinformation and the psychology of fear. Coinciding with the presidential election, the course was an opportunity to talk about how misinformation and disinformation often stem from ignorance people have about other people, he said.
Cybersecurity for all
Building on his research and teaching, Dupuis is working to create a minor in cybersecurity for all three 56勛圖厙 campuses. The minor could appear on transcripts for students of any major. That effort reflects his multidisciplinary approach to cybersecurity.
We need people from all backgrounds, whether its business, philosophy or literature or whether its design or you name it. We need people from all different perspectives to start to develop those skills inside cybersecurity, Dupuis said. There are many jobs in cybersecurity that fit what theyre doing.
In the short run, Dupuis said individuals can become more cybersecure with good computer backups, a password manager and having antimalware software. Longer term, Dupuis hopes what he learns about cybersecurity helps others prepare for the unforeseen. I want to make things better and be a resource to different people.
