As someone who teaches and researches cybersecurity, Dr. Marc Dupuis said the coronavirus pandemic has been, in some ways, like a cyberattack. Unexpected, yes, but it could have been foreseen.
鈥淚t鈥檚 the failure of imagination, thinking about what is possible 鈥 both good and bad 鈥 and then trying to plan accordingly,鈥 said Dupuis, an assistant professor in the Division of Computing & Software Systems in the 糖心vlog视频鈥檚 School of STEM. 鈥淵ou have to plan for these contingencies, these outliers.鈥
Ideally, government and institutions should have put more risk management and privacy planning into videoconferencing before Zoom meetings filled everyone鈥檚 calendars, he said.
鈥淔rom a cybersecurity standpoint, it was troubling but not surprising,鈥 Dupuis said. 鈥淲e鈥檙e doing the best we can, and I鈥檝e been impressed with everyone鈥檚 resilience.鈥
Socio-psych-cyber
Personally, Dupuis had taught hybrid classes before, so it was not that difficult for him to move to classes that are 100% online. So many people are now comfortable with Zoom, it鈥檚 unlikely that a snow storm would cancel classes in the future, he said. That鈥檚 one way the outlier has changed what it means to be normal.
鈥淲hat we knew in our world a year ago will never exist again, for better or for worse,鈥 Dupuis said.
Human factors 鈥 the sort of psychological and social behaviors highlighted during the pandemic 鈥 are what interest Dupuis in his teaching and research about cybersecurity.
Is scaring people the best way to encourage people to wear masks? In a recent paper, Dupuis questioned whether scaring employees is the best way for companies to improve their cybersecurity. They should look at alternatives to fear appeals, he wrote with his collaborator, Karen Renaud, professor of cybersecurity at the University of Strathclyde in Scotland.
Fear is unappealing
In the research, Dupuis questioned whether heightening the fear of having data stolen or lost is an effective and ethical method of cybersecurity. 鈥淐an we get the benefits of fear appeals without scaring people? We take it for granted they work, but we don鈥檛 know how well they work and under what circumstances,鈥 he said.
Indeed, evidence doesn鈥檛 support that the 鈥渟cared straight鈥 approach always works, he said. Next, Dupuis is looking at differences between shame and guilt and how they are used by organizations to try to obtain cybersecurity compliance from their employees.
鈥淲e assume it has effects on their emotional state, but how long that lasts, a lot of it we assume,鈥 he said. 鈥淚f we want long-term change, do we need to trigger some other affect other than the short-term fear?鈥
In other research for a capstone project, one of Dupuis鈥 students is looking at the value of social influence in helping people create stronger passwords. Dupuis also employs students in his research group, SPROG (Security and Privacy Research and Outreach Group). This summer, he鈥檒l hire eight students to run two weeks of virtual training camps for middle school and high school students so they can learn about hacking.
Synergy of perspectives
Before arriving at UW Bothell in 2015, Dupuis was a lecturer at UW Tacoma. He received his doctorate in Information Science from the UW in Seattle, where he also received a master鈥檚 degree in Public Administration. In addition, he has bachelor鈥檚 and master鈥檚 degrees in political science from Western Washington University.
The different academic paths come together in the courses he teaches in information assurance and cybersecurity.
Dupuis said he especially enjoyed bringing a political-psychological synergy to his first Discovery Core course, The Only Thing We Have to Fear Is Fear Itself. The autumn quarter course for first-year students examined misinformation, disinformation and the psychology of fear. Coinciding with the presidential election, the course was an opportunity to talk about how misinformation and disinformation often stem from ignorance people have about other people, he said.
Cybersecurity for all
Building on his research and teaching, Dupuis is working to create a minor in cybersecurity for all three UW campuses. The minor could appear on transcripts for students of any major. That effort reflects his multidisciplinary approach to cybersecurity.
鈥淲e need people from all backgrounds, whether it鈥檚 business, philosophy or literature or whether it鈥檚 design 鈥 or you name it. We need people from all different perspectives to start to develop those skills inside cybersecurity,鈥 Dupuis said. 鈥淭here are many jobs in cybersecurity that fit what they鈥檙e doing.鈥
In the short run, Dupuis said individuals can become more cybersecure with good computer backups, a password manager and having antimalware software. Longer term, Dupuis hopes what he learns about cybersecurity helps others prepare for the unforeseen. 鈥淚 want to make things better and be a resource to different people.鈥
