Getting Personal About Cybersecurity

One institution shares how it put its students at the center of a cybersecurity-awareness campaign.

November 22, 2017

Today’s students may be digital natives, but that doesn't mean institutions can count on them to protect themselves from cyberattacks.

A recent survey by the technology firm CDW-G found that the No. 1 cybersecurity challenge facing IT professionals on campus is educating users about security policies and practices. Among students surveyed, just 25 percent dubbed the cybersecurity training or education efforts on their campus as very effective.

One institution, however, may have found a way to reach students -- by making them, and their pets, the stars of a cybersecurity-awareness campaign.

Speaking at the annual meeting of Educause in Philadelphia this month, representatives from the University of Massachusetts at Amherst shared how they leveraged students’ love of social media and personalized content to encourage them to up their cybersecurity game.

“There was a recognition that we needed to do something different, something fun,” said Iris Chelaru, web communications manager at UMass. While previous awareness campaigns had been informative, they failed to connect with students on a personal level, said Chelaru. Cybersecurity awareness is a bit like public health awareness, she said -- “things that we have to do but that we don’t want to.”

As students are both creators and curators of content online, who better than them to advise and help design an awareness campaign, Chelaru said. She and her team worked with the student government and other campus organizations to design an approach that was both informative and “warm and fuzzy,” said Chelaru.

Rather than presenting information on multiple security risks, as the university had previously, UMass officials decided to pick just one issue -- weak passwords -- as the center of their campaign. Pet names emerged as something that students regularly use as passwords, but that can be easily guessed, said Chelaru. With this in mind, the team created a website where students can create posters with pictures of their pets, underneath the tagline “My name is not a good password.”

“We were thinking about things that are familiar to students and that they know, maybe something from home that they miss,” said Chelaru. The posters, which could be easily shared on social media, saw much more engagement from students than previous campaigns did, said Matthew Dalton, chief information security officer at UMass Amherst.

Though the campaign started with posters of student pets, it quickly broadened, said Dalton. To make the campaign even more interactive, the team created giant photo frames that students could pose with in real life, under the same “My name is not a good password” banner. The team set up tables in areas with high student traffic at lunchtimes in October as part of National Cyber Security Awareness Month and offered prizes to encourage engagement. Soon the football team's mascot, Sam the Minuteman, and the university administration were in on the campaign.

While Dalton and colleagues hailed the campaign as a success, evaluating its impact has been tricky, he acknowledged. They have seen a decrease in student account breaches, but Dalton said he can’t be sure this campaign is responsible, as opposed to other security work the team has done. It would be difficult to track whether the campaign had actually resulted in behavior change without cracking student passwords to check if they contain pet names, said Dalton. But he is planning to look at whether password change activity has risen, he said.

Dalton said that the password campaign, now entering its third year, continues to have an impact because it doesn’t overload students with information. Where previously students might have been referred to the National Institute of Standards and Technology’s guidelines on how to create a good password (make them complicated, change them regularly, include numbers and special characters, etc.), now students are just being made to think about what makes a bad password. The details come later, when the students actually log in to change their passwords, said Dalton.

Though the impact on student behavior is not yet known, the institution views the campaign as a success for other reasons, said Dalton. First, all the posters and photos shared on social media had strong institutional branding. Second, the campaign had support and engagement from the university administration, including backing from the vice chancellor for information services. Third, students were able to take ownership of the campaign. “People were willing to become part of the message,” said Dalton. “With any participation event, that’s key -- especially with security awareness.”


We have retired comments and introduced Letters to the Editor. Share your thoughts »

Today’s News from Inside Higher Ed

Inside Higher Ed’s Quick Takes

Back to Top