26th Colloquium

  • 15 Sep 2022
  • 16 Oct 2022

The 26th Colloquium is honored to include the following panel:

The Role of Education in Dispelling Myths and Misconceptions in Cybersecurity
  • Eugene Spafford, Ph.D. of Purdue University, Chair
  • Leigh Metcalf, Ph.D. of Carnegie Mellon University / SEI CERT
  • Josiah Dykstra, Ph.D. of the National Security Agency
There is a significant body of knowledge required to be successful in the profession and application of cybersecurity. Knowledge is passed along in many forms, including formal education and experiential learning. Given the need for personnel in the field, many people do not receive much formal instruction, often “learning through doing.”

A potentially dangerous pitfall is perpetuating traditional practices or beliefs as truth without evidence. While cybersecurity is an evolving discipline, many people still hear the refrain “that’s the way it’s done” when questioning an approach. Folk wisdom and folklore are sometimes used merely to justify what we already do or believe rather than as informed guidelines for action. Myths arise because of misunderstandings or by making poor analogies to other fields.

In this session, the panelists will discuss their observations and experiences of cybersecurity myths across academia, industry, and government. They will draw on their decades of experience to discuss pitfalls they've encountered and examples of folk wisdom, including: Is the user the weakest link? Is more security always better? Is cyber offense easier than defense? The panel will also touch on some of the biases humans bring to decision-making, and how those may negatively influence good security practices. These include the action and conformity biases.

The panel will illuminate opportunities for education to help dispel prevalent and widespread myths that can be avoided or mitigated for the benefit of more effective cybersecurity. Portions of this presentation are drawn from personal experience and courses taught by the panelists, including a regular course offered at Purdue University as part of the graduate cybersecurity curriculum.