As Cyberattacks Roil Colleges, Many Look to Faculty Members and Students for Help

A virtual escape-room challenge at the Rochester Institute of Technology opens with the dramatic flair of a James Bond movie.

“Every single Gizmo employee here is about to get robbed,” the prompt states. “One team of special agents, from their remote security-operations center, is feverishly working to find the source of a massive insider breach. … You are that team.”

The college in New York, known as RIT, is one of many nationwide tackling an increasingly pressing question: How can we get our employees and students interested in helping strengthen campus cybersecurity?

The last two years of the pandemic, which prompted unprecedented transitions to remote work and schooling, have been checkered with cyberattacks against American colleges. At least 26 were attacked with ransomware in 2021, the same number recorded by Emsisoft, a software company, in 2020 — double the 13 it reported in 2019.

And while there are hosts of tests and types of software every college should have in its arsenal, those tools may leave out the largest piece of the equation: people. Verizon’s 2021 Data Breach Investigations Report found 85 percent of breaches involved a human element, including errors like stolen credentials and downloaded malware.

When it comes to effective prevention strategies, “the whole pie is people, with the processes and technology sprinkled on top,” said George Finney, chief security officer at Southern Methodist University, in Texas. Yet, at least in his experience, only a small fraction of security resources are devoted to training.

“Training” can be a loaded word in academe, though, said several information-security administrators. Faculty and staff members have training “fatigue,” they said, and mandated, rehashed sessions can be especially unpopular and ineffective.

Instead, colleges are trying to take a subject that can be at once confusing, dull, and intimidating, and make it engaging. To reach broader audiences, they’re offering bite-size media content on cyber-topics that apply to people’s lives. They’re gamifying their instruction, offering phishing challenges and cybersecurity-themed escape rooms that mimic the popular puzzle-based game. To engage those already specializing in cyber-related fields, some are offering courses that further hone career skills while benefiting campus security.

The hope is to shift the culture from “your boss is making you be here” to “you want to be here” and be part of the solution, said Amber Buening, associate director of disaster recovery and security outreach at Ohio State University. Once people have adopted cybersafe protocols in their own lives, the thinking goes, they’re more likely to carry those habits into the workplace.

Real-World Applications

While Ohio State does require all employees to spend one hour a year learning safe cyber-practices, they can meet that obligation in various ways. Thousands have chosen the C4U platform.

The platform features articles — sometimes with videos and transcripts of podcast episodes — that typically take about seven or eight minutes to digest. One, for example, discusses the risks of “oversharing” on social media and how to ensure photos don’t include location metadata. Another explores what happens with a loved one’s digital accounts when they pass away, and how to take steps ahead of time to ensure future access.

Each article presents an actionable step — a “‘what can you do about this thing’ rather than just ‘we’re going to tell you about something scary, so you’re aware of it,’” said Patrick Mahoney, a security engineer on the C4U project. Such awareness by itself is “not really helpful to anyone.”

The university offers small rewards as added incentives, such as hats with a customized insignia of Brutus, Ohio State’s mascot. Participants can also choose to exchange reward points for financial contributions to two designated funds, for cancer research and student scholarships. Completing all five levels of C4U — about five hours of work — would yield $34 for those beneficiaries, according to Daniel Roll, a security engineer. The rewards option has brought in nearly $3,200 for the two funds since March 2020.

About 8,500 employees, or more than 15 percent of all workers at the university, interacted with the platform in 2021. (The C4U team hopes to roll out the platform to students soon.)

Duane Wegener, a psychology professor, is one of those employees. He’s found that the short chunks of material work well with his schedule; if he has any time off during the day, it’s usually in increments of fewer than 30 minutes. Wegener finds himself drawn to articles on home-network tips, like how and when to update a router. The platform not only has made him feel more secure when he works at home, but also has helped him assist his aging parents when they run into tech problems.

“Being thrust into that role in my family … this gives you a go-to place” as questions and concerns arise, he said.

The Job’s a Game

While applying cyberlessons to life is generating interest, so is making them fun.

Southern Methodist, for one, has held hands-on activities like using the free Gophish platform to run a “Biggest Phisher” competition in late 2020. Each business day for a month, Finney sent a simulated phishing email — an adjusted salary-schedule notice, a new job posting, a survey-participation request — to about 80 employees, including deans, who’d signed up to participate. The person who clicked on the fewest total phishing messages won an extra vacation day.

The employee who clicked on the fewest phishing messages in Southern Methodist University’s “Biggest Phisher” competition won an extra vacation day. See samples here.

Finney recalled how an athletics-department staffer had told him, “‘This game is the first time that I’ve enjoyed coming to work in the last, like, six months,’” he said. “And I was just blown away. I’d never had a security initiative that people loved.” (He hopes to run the competition again soon.)

RIT has also offered free in-person escape rooms — which, during the pandemic, moved to virtual escape rooms via a third-party vendor called Living Security. Now offered twice a week, each game, capped at eight participants, reviews skills such as creating good passwords and identifying phishing attempts, malicious websites, and physical security risks like a password scribbled on a Post-it slip.

About 500 students and employees have participated in both types of escape rooms since the fall of 2019, estimated Ben Woelk, governance, awareness, and training manager in RIT’s information-security office.

Part of RIT’s strategy, he said, is “building the relationships and having positive engagements” with staff members and students so they feel comfortable reporting suspicious activity or mistakes, such as having clicked on a phishing email. Historically, offices like his have been “perceived as a negative by employees” — the people telling you what not to do, he said.

Stanford University has embraced gamification as well, albeit for a narrower audience. Its Bug Bounty program compensates people on campus — mainly students — who discover vulnerabilities on preapproved domains, such as the university’s active directory. Payment ranges from $50 to $1,000, based on the severity of the detected vulnerability. (Stanford avoids listing domains that contain employees’ or students’ private records, and payment is given only for vulnerabilities found on the approved domains.)

The most common submissions have been “broken access controls,” or instances in which users can see more information than they should be able to on a particular application. Since January 2019, Bug Bounty has drawn 109 submissions and paid out more than $13,000, said Carlos Ceja, associate information-security officer.

“We know that there is a wealth of [student] talent around the campus, and we wanted to tap into that potential,” Ceja said. Moreover, the assistance comes “at a fraction of the cost” that a third-party vendor would charge.

One firm in the Bay Area, he noted, charges up to $40,000 for 10 days of ethical-hacking tests with two consultants.

Appealing to Career Interests

Some colleges are working to harness existing talent on campus with the allure of hands-on career training. The University of Arizona has taken a particularly novel approach, by letting students interested in careers as ethical “white hat” hackers get course credit for practicing.

The course, “Social Engineering Attacks & Defenses,” which began in 2021, most recently collaborated with nearby Sierra Vista, Ariz., with a formal agreement last fall permitting the more than two dozen enrolled students to conduct approved, nonmalicious attacks on city employees’ computers. The attacks took the form of broad-scope phishing, individually targeted spear phishing, phone calls, text messages, and “weaponized” thumb drives left on desks.

Students hoping to be hired as ethical hackers, known as penetration testers, after graduation are learning firsthand the tactics cybercriminals use to manipulate and exploit their victims, said Jason Denno, the university’s director of cyber, intelligence, and information operations. At the same time, the local government is getting friendly feedback on how to improve its security.

Attacks conducted during the fall semester, Denno said, succeeded 66 percent of the time — for example, getting city workers to click on phishing emails or eliciting information via a phone call “that you should never give up,” such as Social Security numbers and employee IDs. (Denno noted that past projects have seen attack-success rates of 80 percent, so the city “did a pretty good job” on its first go-round.) The next class is scheduled for this summer.

While the university itself may not seem like the main beneficiary, Denno said the lessons learned in the course — including about manipulation tactics — are helping inform and deepen faculty and staff training. It’s possible, too, that the course could eventually expand to test the university’s own systems.

Denno believes the program is replicable, but urges caution. “There is a level of professionalism and ethics” that needs to be there, such as professor expertise, rules of engagement, nondisclosure agreements, and trust among the university, its partner, and its students, he said. The course “could have the greatest intentions in the world … [but] if somebody goes Anakin Skywalker in the middle of this, it could be an epic fail.”