There has long been something of a cultural turn in the world of cybersecurity, pushing cybersecurity teams to do the work of fostering a culture of security within their organizations, rather than simply policing the network and its users. Somewhat unsurprisingly, simply telling users what they cannot do has not proven nearly as effective as constructively supporting their work and changing perspectives about how that work takes place, building cybersecurity into the very fabric of an organization. This is no easy task, particularly for cybersecurity teams working within the centuries-old cultures and traditions of academia. So then, what might an academic culture of security look like?
Before getting to the answer, I want to talk a little more about what security culture means. While many authors are well meaning, I’ve seen and read far too many resources that miss the point. Fostering security culture goes well beyond simply raising awareness in order to prevent users from writing passwords down and falling victim to phishing attacks. Instead, this kind of cultural work fundamentally changes the ways in which security teams are perceived and interacted with, establishing a relationship that blurs the boundaries between the security teams and their organizations as a means to create a sense of shared responsibility and investment in security practice. As such, security culture is ideally less something that is imposed on users by security teams and instead collectively produced as the security team provides initiatives and opportunities for growth.
In the corporate world, few have created a security culture more effectively than Jennifer Lesser-Henley, director of security operations at Facebook. You can hear more about her Hacktober project in one of her lectures, but among the key points she makes is the need to establish a safe space for open dialogue around security issues. Within such a culture of security, users feel comfortable — and in some cases even look forward to — talking about their problems with the security team. This both allows users to act as a front line of defense and provides the security team with valuable information about the ways in which other members of the organization experience and conceptualize security problems. By maintaining an open dialogue and connection, the security team truly empowers members of the organization to protect themselves.
It is this concept of dialogue that perhaps holds the most importance for an academic culture of cybersecurity, both as an entry point and as a foundational principle. Ideally, academic institutions are meant to be spaces of dialogue, in which ideas are circulated freely in a relatively flat (if still hierarchical) structure. The very notion of tenure is founded on this model of the academy, allowing faculty to examine and circulate controversial topics without fear of reprisal. While academic structure is undoubtedly changing, the academy nonetheless remains compatible with the concept of a culture of security, which is grounded in community and dialogue.
However, there is something that sets apart what we might consider an academic culture of security — namely the critical literacy that academic institutions (again, ideally) strive to instill in their students and communities. These critical literacies allow students to closely examine educational content, moving beyond simple memorization of facts and development of technical skills, to understand underlying assumptions and potential implications. While many campus security teams are certainly making steps toward fostering a culture of security on campus, arguably far fewer are working to establish a more critical understanding of the concepts and techniques that they strive to raise awareness around. I never have to look far to find an ISO telling students that they’ll go to jail for unauthorized file sharing, for example, and truly critical discussions on data and privacy rarely go beyond the surface level of “don’t share personal information.” Of course, this is due in no small part to a lack of instructional time and resources — one can do little with 15 minutes to an hour of student or employee orientation time.
An increasing turn toward cybersecurity education at institutions across the nation has led those structuring academic programs to consider required basic cybersecurity coursework for all students. It is here that I believe an opportunity exists for stronger partnerships between faculty and campus security teams, both of whom are fundamentally engaged in the process of building an educational community around security issues beyond the standard shot-in-the-arm provided by orientation. I would encourage security teams to start finding out what, if anything, their faculty are considering from a curricular and research perspective, particularly as federal and state funding opportunities for cybersecurity education become more commonplace. These kinds of connections arguably serve to further promote a broader academic culture of cybersecurity, making security teams available as a resource for faculty and opening lines of communication.
Nathan W. Fisk is an assistant professor of cybersecurity education at the University of South Florida. Follow him at @nwfisk on Twitter.
© 2016 Nathan W. Fisk. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.