Security: a Complicated Business
Engineers and computer scientists have established cryptographic protocols to hide data from prying eyes. They have invented techniques for shielding wireless networks from intrusion. And they’ve developed guidelines for limiting access to sensitive information.
But every measure and countermeasure comes with its own costs and its own inherent weaknesses. Some of the weaknesses stem from the human factor: the fact that people use technology in ways that can lead to inadvertent leaks or attacks by malicious actors. WPI’s Cybersecurity Program draws together experts from computer science, electrical and computer engineering, mathematical sciences, and the social sciences to find new and innovative approaches to protecting digital data — approaches that take the human factor into account in one way or another.
“People are the weakest link in just about any security system,” says Kathi Fisler, associate professor of computer science and the founding director of WPI's Cybersecurity Program. That’s why students in the program are required to take at least one class that deals with human factors. It’s also why Fisler says it’s important “to not bug users with stuff they don’t want to think about” (and might, therefore, ignore), but instead bug them just enough so they will avoid compromising their own security.
Fisler herself has been building tools to help users understand the implications of their own security and privacy settings, and to help developers understand the security limitations of the systems they design. One of those tools, an application called Margrave, grew out of work she did with her husband, Shriram Krishnamurthi, a professor of computer science at Brown University, her WPI colleague Dan Dougherty, and Tim Nelson, a 2013 PhD recipient who is currently a postdoctoral research associate at Brown.
Margrave interrogates and compares access control policies, the sets of rules that govern who can see and manipulate the various data in a given system. Access control policies specify who can view patient records at a hospital, for example, or who has permission to change student grades in a university database. Such policies can be quite complicated, and are typically managed by human resources personnel who might not understand their full implications — or the unintended consequences that can ensue when they are altered.