Technology

As Cyberattacks Roil Colleges, Many Look to Faculty Members and Students for Help

By Taylor Swaak February 10, 2022

A virtual escape-room challenge at the Rochester Institute of Technology opens with the dramatic flair of a James Bond movie.

“Every single Gizmo employee here is about to get robbed,” the prompt states. “One team of special agents, from their remote security-operations center, is feverishly working to find the source of a massive insider breach. … You are that team.”

The college in New York, known as RIT, is one of many nationwide tackling an increasingly pressing question: How can we get our employees and students interested in helping strengthen campus cybersecurity?

The last two years of the pandemic, which prompted unprecedented transitions to remote work and schooling, have been checkered with cyberattacks against American colleges. At least 26 were attacked with ransomware in 2021, the same number recorded by Emsisoft, a software company, in 2020 — double the 13 it reported in 2019.

And while there are hosts of tests and types of software every college should have in its arsenal, those tools may leave out the largest piece of the equation: people. Verizon’s 2021 Data Breach Investigations Report found 85 percent of breaches involved a human element, including errors like stolen credentials and downloaded malware.

When it comes to effective prevention strategies, “the whole pie is people, with the processes and technology sprinkled on top,” said George Finney, chief security officer at Southern Methodist University, in Texas. Yet, at least in his experience, only a small fraction of security resources are devoted to training.

“Training” can be a loaded word in academe, though, said several information-security administrators. Faculty and staff members have training “fatigue,” they said, and mandated, rehashed sessions can be especially unpopular and ineffective.

Instead, colleges are trying to take a subject that can be at once confusing, dull, and intimidating, and make it engaging. To reach broader audiences, they’re offering bite-size media content on cyber-topics that apply to people’s lives. They’re gamifying their instruction, offering phishing challenges and cybersecurity-themed escape rooms that mimic the popular puzzle-based game. To engage those already specializing in cyber-related fields, some are offering courses that further hone career skills while benefiting campus security.

The hope is to shift the culture from “your boss is making you be here” to “you want to be here” and be part of the solution, said Amber Buening, associate director of disaster recovery and security outreach at Ohio State University. Once people have adopted cybersafe protocols in their own lives, the thinking goes, they’re more likely to carry those habits into the workplace.

Real-World Applications

While Ohio State does require all employees to spend one hour a year learning safe cyber-practices, they can meet that obligation in various ways. Thousands have chosen the C4U platform.

The platform features articles — sometimes with videos and transcripts of podcast episodes — that typically take about seven or eight minutes to digest. One, for example, discusses the risks of “oversharing” on social media and how to ensure photos don’t include location metadata. Another explores what happens with a loved one’s digital accounts when they pass away, and how to take steps ahead of time to ensure future access.

Each article presents an actionable step — a “‘what can you do about this thing’ rather than just ‘we’re going to tell you about something scary, so you’re aware of it,’” said Patrick Mahoney, a security engineer on the C4U project. Such awareness by itself is “not really helpful to anyone.”

The university offers small rewards as added incentives, such as hats with a customized insignia of Brutus, Ohio State’s mascot. Participants can also choose to exchange reward points for financial contributions to two designated funds, for cancer research and student scholarships. Completing all five levels of C4U — about five hours of work — would yield $34 for those beneficiaries, according to Daniel Roll, a security engineer. The rewards option has brought in nearly $3,200 for the two funds since March 2020.

About 8,500 employees, or more than 15 percent of all workers at the university, interacted with the platform in 2021. (The C4U team hopes to roll out the platform to students soon.)

Duane Wegener, a psychology professor, is one of those employees. He’s found that the short chunks of material work well with his schedule; if he has any time off during the day, it’s usually in increments of fewer than 30 minutes. Wegener finds himself drawn to articles on home-network tips, like how and when to update a router. The platform not only has made him feel more secure when he works at home, but also has helped him assist his aging parents when they run into tech problems.

“Being thrust into that role in my family … this gives you a go-to place” as questions and concerns arise, he said.

The Job’s a Game

While applying cyberlessons to life is generating interest, so is making them fun.

Southern Methodist, for one, has held hands-on activities like using the free Gophish platform to run a “Biggest Phisher” competition in late 2020. Each business day for a month, Finney sent a simulated phishing email — an adjusted salary-schedule notice, a new job posting, a survey-participation request — to about 80 employees, including deans, who’d signed up to participate. The person who clicked on the fewest total phishing messages won an extra vacation day.

Finney recalled how an athletics-department staffer had told him, “‘This game is the first time that I’ve enjoyed coming to work in the last, like, six months,’” he said. “And I was just blown away. I’d never had a security initiative that people loved.” (He hopes to run the competition again soon.)

RIT has also offered free in-person escape rooms — which, during the pandemic, moved to virtual escape rooms via a third-party vendor called Living Security. Now offered twice a week, each game, capped at eight participants, reviews skills such as creating good passwords and identifying phishing attempts, malicious websites, and physical security risks like a password scribbled on a Post-it slip.

About 500 students and employees have participated in both types of escape rooms since the fall of 2019, estimated Ben Woelk, governance, awareness, and training manager in RIT’s information-security office.

Part of RIT’s strategy, he said, is “building the relationships and having positive engagements” with staff members and students so they feel comfortable reporting suspicious activity or mistakes, such as having clicked on a phishing email. Historically, offices like his have been “perceived as a negative by employees” — the people telling you what not to do, he said.

Stanford University has embraced gamification as well, albeit for a narrower audience. Its Bug Bounty program compensates people on campus — mainly students — who discover vulnerabilities on preapproved domains, such as the university’s active directory. Payment ranges from $50 to $1,000, based on the severity of the detected vulnerability. (Stanford avoids listing domains that contain employees’ or students’ private records, and payment is given only for vulnerabilities found on the approved domains.)

The most common submissions have been “broken access controls,” or instances in which users can see more information than they should be able to on a particular application. Since January 2019, Bug Bounty has drawn 109 submissions and paid out more than $13,000, said Carlos Ceja, associate information-security officer.

“We know that there is a wealth of [student] talent around the campus, and we wanted to tap into that potential,” Ceja said. Moreover, the assistance comes “at a fraction of the cost” that a third-party vendor would charge.

One firm in the Bay Area, he noted, charges up to $40,000 for 10 days of ethical-hacking tests with two consultants.

Appealing to Career Interests

Some colleges are working to harness existing talent on campus with the allure of hands-on career training. The University of Arizona has taken a particularly novel approach, by letting students interested in careers as ethical “white hat” hackers get course credit for practicing.

The course, “Social Engineering Attacks & Defenses,” which began in 2021, most recently collaborated with nearby Sierra Vista, Ariz., with a formal agreement last fall permitting the more than two dozen enrolled students to conduct approved, nonmalicious attacks on city employees’ computers. The attacks took the form of broad-scope phishing, individually targeted spear phishing, phone calls, text messages, and “weaponized” thumb drives left on desks.

Students hoping to be hired as ethical hackers, known as penetration testers, after graduation are learning firsthand the tactics cybercriminals use to manipulate and exploit their victims, said Jason Denno, the university’s director of cyber, intelligence, and information operations. At the same time, the local government is getting friendly feedback on how to improve its security.

Attacks conducted during the fall semester, Denno said, succeeded 66 percent of the time — for example, getting city workers to click on phishing emails or eliciting information via a phone call “that you should never give up,” such as Social Security numbers and employee IDs. (Denno noted that past projects have seen attack-success rates of 80 percent, so the city “did a pretty good job” on its first go-round.) The next class is scheduled for this summer.

While the university itself may not seem like the main beneficiary, Denno said the lessons learned in the course — including about manipulation tactics — are helping inform and deepen faculty and staff training. It’s possible, too, that the course could eventually expand to test the university’s own systems.

Denno believes the program is replicable, but urges caution. “There is a level of professionalism and ethics” that needs to be there, such as professor expertise, rules of engagement, nondisclosure agreements, and trust among the university, its partner, and its students, he said. The course “could have the greatest intentions in the world … [but] if somebody goes Anakin Skywalker in the middle of this, it could be an epic fail.”

About the Author
Taylor Swaak
Taylor Swaak is a senior reporter at The Chronicle of Higher Education, covering how institutions are harnessing technology to innovate. She focuses on college partnerships with ed-tech companies and the growing use of artificial intelligence across different administrative functions of higher ed, aiming to hold colleges accountable as well as highlight success stories.