Costello Research Cybersecurity

Costello Research Data Analytics

Costello Research Digital Platforms

A.I. & Innovation - Costello

Research

impact fall 2024

George �鶹��Ƶ faculty are tackling cybersecurity’s talent pipeline problem

Jennifer Anzaldi — Fri, 10 May 2024 17:01:06 +0000

George �鶹��Ƶ faculty are tackling cybersecurity’s talent pipeline problem Jennifer Anzaldi Fri, 05/10/2024 - 13:01

If you’re a cybercriminal, the latest news on cybersecurity talent shortfalls should put a smile on your face. For example, the majority of cybersecurity leaders report that their teams are understaffed, and they have problems retaining qualified professionals.

But for Nirup Menon, a �鶹��Ƶ professor of information systems and operations management (ISOM), and Brian Ngac, an instructor in the ISOM area, this workforce challenge is a golden career opportunity for the young people of Northern Virginia and the Washington, D.C., area.

Nirup Menon and Brian Ngac

The pair recently won a two-year award from the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, to create unique experiential learning opportunities and workshops designed to enhance cybersecurity education and workforce development.

Working closely with industry partners Mobius Consulting and Institute for Defense Analyses (IDA), Menon and Ngac will recruit and help select students to work on actual cybersecurity projects. “They need to have taken some fundamental cyber class ahead of time,” Menon clarifies. “We want students with a commitment to the field. It allows you to get experience but it’s also competitive.”

Throughout the 12-week projects, students will receive mentoring both from the industry participant and from business faculty. “We run it in an agile scrum-like manner,” Ngac says. “Every week, we ask ‘What did you do?’ ‘What are you going to do?’ ‘What are the challenges that are impacting your work?’” If students run into trouble, faculty mentors can work with industry managers to help them get back on track.

“We’re trying to build not just the cyber workforce but the skills as well,” Ngac says.

Menon and Ngac have developed a specialty in this type of hands-on learning, which they have dubbed the Professional Readiness Experiential Program (PREP). More than 100 Virginia-based undergraduates and 20 industry participants have participated in PREP, which includes projects funded by two Commonwealth Cybersecurity Initiative Experiential Learning grants in collaboration with Mobius and IDA.

“PREP not only focuses on cybersecurity projects, but also works on many business process improvement projects,” says Ngac. "Honors and high-performing ISOM students work on real-world projects with industry participants on identifying technical solutions to business challenges through rigorous research, modelling, analysis, quantification, risk management, implementation planning, and, at times, execution.”

The NIST award also incorporates workshops for students who are new to cybersecurity but interested in exploring it as a career option. Workshops will be launched in collaboration with Trinity Washington University (TWU), a PBI (predominantly black institution) and HSI (Hispanic-serving institution) whose College of Arts and Sciences is women-only. For a field such as cybersecurity, which continues to face diversity challenges, the participation of organizations such as TWU is essential.

“We want to bring in students who have not thought of cybersecurity as a field, because they think it’s all engineering, hacking and coding,” Menon says. The workshops will emphasize the variety of functions that are integral to the space, such as management and auditing, in addition to engineering.

Students and industry participants in the current CCI Experiential Learning Projects

“It’s not just tech, there may be creativity involved in anticipating scams and threats,” Ngac explains. “These are different things we’ll be bringing up in the workshop in terms of roleplaying what cybercriminals might do, or how someone might try to socially engineer an attack.”

Unlike a standard grant, the NIST award is structured as a cooperative agreement in which the funding agency will collaborate in shaping and delivering programs as they evolve.

“The advantage of working with NIST is that top people work there. They are the standards body, so they have seen and surveyed a lot of industry,” Menon says. He also lauds NIST’s high-level view of cybersecurity and its implications. “They’re not just looking at technology but also public policy, human factors, etc. It’s a holistic approach.”

Organizations interested in being an industry participant (whether they have cybersecurity-focused or business process improvement-focused projects) with PREP are encouraged to contact Brian Ngac.

Join the �鶹��Ƶ Nation

Topics

Costello Research ICT

Commonwealth Cyber Initiative (CCI)

workforce

Students

National Institute of Standards and Technology NIST

Tech Talent Investment Program (TTIP)

Strategic Direction

Information systems and operations management profs awarded $100,000 Commonwealth Cyber Initiative Grant

Jennifer Anzaldi — Tue, 09 Aug 2022 04:25:50 +0000

Information systems and operations management profs awarded $100,000 Commonwealth Cyber Initiative Grant Jennifer Anzaldi Tue, 08/09/2022 - 00:25

In This Story

Brian Ngac

Nirup Menon

Brian Ngac

Brian Ngac and Nirup Menon, from the information systems and operations management area at the School of Business, were recently awarded a $100,000 grant from the Commonwealth Cyber Initiative (CCI) located in Arlington, Virginia. This Commonwealth Cyber Initiative Grant was awarded for their proposal to develop a new experiential learning program that will engage students and companies from the Commonwealth.

According to Menon and Ngac, there is a workforce and skills shortage internationally in the cyber security market across all sectors of the economy. Experiential learning can counteract this shortage.

“We are hoping to grow the cyber workforce to address the skills gap that currently exists,” says Ngac. Ngac and Menon propose providing students with hands-on training through real projects, with real industry participants. “With this grant, we will choose 24 cyber-interested undergraduates and graduate students from across the state to participate, along with eight industry participants over the spring 2023 and summer 2023 semesters. Each cohort will run for about 12 weeks.”

Ngac and Menon’s proposal for this program stemmed from the successful past performance of their experiential learning course titled MIS 491: Technology Analysis & Proposals with Clients. After three semesters of offering the course, Ngac and Menon have overseen 15 projects by students ranging from cyber to business process improvement. Working in teams, students planned and recommended technology solutions for solving business problems.

Nirup Menon

“Having run experiential learning courses since spring 2021, our team’s methodology has evolved to provide students an effective and enjoyable experience to be remembered, and leveraged for their early career years,” says Ngac.

The integration of industry participation is the key differentiator for Ngac and Menon. In addition to recruiting students interested in the cyber security field, the duo plans to recruit industry leaders interested in mentorship, and then work with these leaders to design the challenging and engaging cyber projects that will be used. Industry leaders will also guide the students through the execution of these projects.

“The experience benefits our industry participants by leveraging our talent pool for recruitment opportunities, and by providing a cost-effective method for attempting new/risky projects,” says the team.

“I am really excited about this grant as it will serve the dual purpose of training students across the Commonwealth using hands-on projects, and addressing the critical need of businesses in the area to find cyber ready individuals,” says Pallab Sanyal, area chair of information systems and operations management.

At the conclusion of the 12-week course, students will present their work and lessons-learned to the CCI community, and other business and academic leaders.

“By integrating business leaders from the industry into the students’ learning journey, our experiential learning efforts will prepare students with practical skills and theoretical understanding to be more marketable and effective in the workforce,” says Menon.

Topics

Tech Talent Investment Pipeline (TTIP)

TTIP

Tech Talent Investment Program

Commonwealth Cyber Initiative (CCI)

Research

The Cybercriminals Are Winning. Why Don’t Consumers Care?

Marianne Klinker — Fri, 11 Feb 2022 16:33:24 +0000

The Cybercriminals Are Winning. Why Don’t Consumers Care? Marianne Klinker Fri, 02/11/2022 - 11:33

In This Story

Nirup Menon

Pallab Sanyal

Despite the software industry’s rapid growth and deep pockets, tech companies are still engaged in bare-knuckles battle with cybercriminals. Hardly a week goes by without a high-profile cyberattack hitting the headlines.

Most recently, vulnerabilities in the Log4j open-source framework—used in hundreds of software products from IBM, Microsoft, Cisco, and others—handed hackers a huge opening, which has yet to be completely patched. While the fallout from the Log4j fiasco hasn’t been as grave as some feared, experts worry that cybercriminals are waiting for the frenzy to die down before launching major attacks in the coming months.

Like Log4j, the 2014 Heartbleed bug involved flaws in widely used open-source software. A team of hackers took advantage of Heartbleed’s vulnerabilities to gain illicit access to the Community Health Systems network and steal the personal data of an estimated 4.5 million patients.

These lapses point to the lingering dangers inherent in tech companies’ reliance upon free open-source software that carries little or no security and community support. The Heartbleed bug went undetected for nearly two years. As late as November 2020, more than 200,000 machines were found to be still compromised by Heartbleed, even though fixes had long been available.

Nirup Menon (left) and Pallab Sanyal (right)

For Nirup Menon, associate dean for Arlington Ventures at �鶹��Ƶ, and Pallab Sanyal, chair of the Information Systems and Operations Management area at �鶹��Ƶ, the current cybersecurity morass is inseparable from economic incentives. Companies hesitate to invest enough in cybersecurity, not out of general miserliness but because they don’t see much ROI from those investments. At the end of the day, the end consumer is reluctant to pay for additional security, compared to extra features that improve user experience.

Menon and Sanyal’s recent paper in MIS Quarterly, co-authored by Mikko Siponen of the University of Jyväskylä, confirms the existence of this willingness-to-pay (WTP) dilemma. Instead of attempting to cover the entire software industry, their research focuses on mobile apps, a narrower area, but one with which most consumers are familiar. Menon and Sanyal sent surveys to 580 people recruited through Amazon’s Mechanical Turk platform, describing three hypothetical apps for which paid upgrades were being offered: a password manager, a home expenses and income manager, and a medical records manager. All three types of apps would presumably have access to sensitive user information, thus making security a higher priority than it would be for, say, a news aggregation or mindfulness app. Participants were presented with a usability-based and a security-based feature, each with a nominal price tag, and asked which, if any, they would pay for. They could choose to purchase both, one, or none (no actual money changed hands). For example, in the password manager condition, they were asked if they would buy auto-login capability (usability) and advanced encryption (security).

All else being equal, Menon and Sanyal found that customers were about 43 percent less likely to pay for security than usability, amounting to a wide and worrying WTP gap between the two categories.

Based on that figure alone, you might think that consumers simply don’t care nearly as much about cybersecurity. A deeper dive into the results reveals a more complicated situation. Women and participants who, in their answers to other questions in the surveys, said they tended to avoid risk were more likely than the rest to pay for mobile app security—older and less wealthy participants were less so. Surprisingly, those who were told about past security breaches affecting the hypothetical app were less likely to pay for security, perhaps because of the quirky human propensity to believe oneself immune to the misfortunes of others.

But the most significant difference concerned the issue of outside confirmation. In the surveys, the feature descriptions were framed as either verified by an independent third party or “according to the application producer.” Restricting their analysis to third-party verified features, Menon and Sanyal found the WTP discrepancy disappeared. People were just as willing to buy security features that had been vouched for by a credible source.

A separate survey provides clarifying context. Respondents were asked to rate all the hypothetical features for difficulty of verifiability, and the security features ranked significantly higher. This helps explain why, without third-party confirmation, cybersecurity enhancements face a WTP disadvantage: A moderately safe app will feel the same as an extremely safe one to the average consumer. A non-tech professional is not well-equipped to decide whether the upgrade is worth paying for, but if an outside authority endorses the feature, users will accept it as desirable.

Menon and Sanyal’s study suggests a number of ways software producers could monetize enhanced security features. Most obviously, companies could seek and promote verification from top security companies. In addition, they arguably need to work on improving communications about security so that ordinary users better understand the tech-speak, empowering consumers to make more informed buying decisions. By contrast, a communications approach emphasizing cautionary tales of past cyberattacks may well backfire due to the “it can’t happen to me” effect noted above. Theoretically, as more and more people start voting for enhanced security with their wallets, the internet would become safer for legitimate business and more dangerous for bad actors.

Topics

Costello Research Innovation Strategy

Tech Talent Investment Pipeline (TTIP)

Costello Research ICT

TTIP

Tech Talent Investment Program