Cybersecurity isn’t just a technical concern... it’s a community issue that spans generations and disciplines. In this episode, Dr. Aunshul Rege, Associate Professor at Temple University, shares how human-centered outreach, storytelling, and hands-on learning can redefine cyber awareness and inclusion at every level.
⬥GUEST⬥
Aunshul Rege, Director at The CARE Lab at Temple University | On Linkedin: https://www.linkedin.com/in/aunshul-rege-26526b59/
⬥CO-HOST⬥
Julie Haney, Computer scientist and Human-Centered Cybersecurity Program Lead, National Institute of Standards and Technology | On LinkedIn: https://www.linkedin.com/in/julie-haney-037449119/
⬥HOST⬥
Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥EPISODE NOTES⬥
Cybersecurity Is for Everyone — If We Teach It That Way
Cybersecurity impacts us all, yet most people still see it as a tech-centric domain reserved for experts in computer science or IT. Dr. Aunshul Rege, Associate Professor in the Department of Criminal Justice at Temple University, challenges that perception through her research, outreach, and education programs — all grounded in community, empathy, and human behavior.
In this episode, Dr. Rege joins Sean Martin and co-host Julie Haney to share her multi-layered approach to cybersecurity awareness and education. Drawing from her unique background that spans computer science and criminology, she explains how understanding human behavior is critical to understanding and addressing digital risk.
One powerful initiative she describes brings university students into the community to teach cyber hygiene to seniors — a demographic often left out of traditional training programs. These student-led sessions focus on practical topics like scams and password safety, delivered in clear, respectful, and engaging ways. The result? Not just education, but trust-building, conversation, and long-term community engagement.
Dr. Rege also leads interdisciplinary social engineering competitions that invite students from diverse academic backgrounds — including theater, nursing, business, and criminal justice — to explore real-world cyber scenarios. These events prove that you don’t need to code to contribute meaningfully to cybersecurity. You just need curiosity, communication skills, and a willingness to learn.
Looking ahead, Temple University is launching a new Bachelor of Arts in Cybersecurity and Human Behavior — a program that weaves in community engagement, liberal arts, and applied practice to prepare students for real-world roles beyond traditional technical paths.
If you’re a security leader looking to improve awareness programs, a university educator shaping the next generation, or someone simply curious about where you fit in the cyber puzzle, this episode offers a fresh perspective: cybersecurity works best when it’s human-first.
⬥SPONSORS⬥
ThreatLocker: https://itspm.ag/threatlocker-r974
⬥RESOURCES⬥
Dr. Aunshul Rege is an Associate Professor here, and much of her work is conducted under this department: https://liberalarts.temple.edu/academics/departments-and-programs/criminal-justice
Temple Digital Equity Plan (2022): https://www.phila.gov/media/20220412162153/Philadelphia-Digital-Equity-Plan-FINAL.pdf
Temple University Digital Equity Center / Digital Access Center: https://news.temple.edu/news/2022-12-06/temple-launches-digital-equity-center-north-philadelphia
NICE Cybersecurity Workforce Framework: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast
Redefining CyberSecurity Podcast on YouTube:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/
Interested in sponsoring this show with a podcast ad placement? Learn more:
👉 https://www.itspmagazine.com/purchase-programs
⬥KEYWORDS⬥
sean martin, julie haney, aunshul rege, temple university, cybersecurity literacy, social engineering, cyber hygiene, human behavior, community engagement, cybersecurity education, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast
[00:00:00] Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSP Magazine, and more specifically, the Human-Centered Cybersecurity Series that I'm thrilled to co-host, uh, with the one and only Julie Haney. Julie, good to see you.
[00:00:17] Julie Haney: See?
[00:00:18] Sean Martin: It's been, uh, it's been a few days
since we've, uh, connected and a, a lot is going on.
A lot has happened and, uh, one thing stays the same. We're, we're all human and, uh, we continue to be at the center of, of a lot of things at the business and certainly in cybersecurity. It's important to keep, keep us at that center. 'cause I think, uh, we need to stay sane. We need to help participate in what a secure organization is and looks like. And, uh, that doesn't happen, uh, by magic. That happens from a. Thought and action and driven by research, which, uh, you're, you're so kind enough to, uh, bring some amazing [00:01:00] people to the conversation, to help, help us understand what that research is and what the outcomes of that research can be. And, uh, so I'm gonna leave it there for you, Julie, to kind of introduce this topic and our guest.
And, uh, then we'll, we'll have some fun. I'm excited for this one.
[00:01:15] Julie Haney: Yeah, thanks Sean. Great to be back. Um, so today I'm, I am really excited 'cause this topic really centers around the fact that cybersecurity is for everyone, right? Regardless of, you know, where you are in life and what your background is, it is relevant. To all of us. Um, and, um, I'm very to have Dr. An Rege here to about, um,
kind, different experiences and backgrounds and perspectives. Um, so an is. Uh, [00:02:00] professor in the Department of Criminal Justice at Temple University. Um, she's doing some really exciting work, um, and I, when I met her, I just knew that, uh, she had a lot of good things to share with this audience and wanted to have her on the podcast.
Um, so, um, a, a big warm welcome to you Ancho. Thanks for being on today.
[00:02:20] Aunshul Rege: Thanks so much for having me, Julie, and, and Sean. You know, I'm always excited to talk about, um, oh, my work and I'm a professor, so I love to profess so, uh, super, super excited to be here today.
[00:02:32] Julie Haney: Great. Great. Um, so I mean, just to to start off, I know that you originally didn't start off in cybersecurity and you've had kind of an interesting career path. Can you, can you tell us like, how did you land into cybersecurity?
[00:02:48] Aunshul Rege: Yeah, so actually my first degree was in computer science, and this was way, way back when cybersecurity wasn't even taught, not even as an elective. Forget, you know, [00:03:00] at the core center topic. Um, and I graduated. My first job was, um, I was a software engineer and I had to do quality assurance, quality control, and about a year into my job.
Uh, the company that I worked for experienced a breach and we were trying to figure things out and that's when I first experienced what it's like being in an organizational setting, um, where cyber attack has occurred. And, uh, I realized very quickly that I was unprepared for something like this. Uh, and that's when I started asking questions like, well, who's behind it?
Why did they target us? Was it an individual? Was it an organization and you know, those types of things and things that computer science couldn't really answer because it's actually outside the disciplinary domain. And so, um, I then said, all right, well I think these questions would probably be better understood through.
Liberal arts through disciplines like [00:04:00] criminology, sociology, or psychology. And so I quit my job, something that I thought I'd never do. I went back to school and I studied criminology and I really liked it. Um, I stuck with it all the way and I did some cool projects along the way. So for my master's thesis, I looked at cyber crimes at online gambling sites, which was a lot of fun.
And then, um, for my PhD I looked at, um, cyber tax against the power grid with an emphasis on adversarial decision making. So how do they make decisions on which, which systems to target? Um, how are they, uh, making decisions as they work through, uh, you know, as a cyber attack and unfold? So those were, you know, sort of, um, the educational experiences and I really enjoyed the research side of all of it.
And one place where I know I'm gonna get to do that is an academia. And so that's how I ended up to, you know, where I am today. And it's, uh, it's been [00:05:00] challenging in many ways. Uh, because when I started there still really wasn't a cybersecurity department or school per se, so it's very hard to figure out where you fit.
Uh, and I still, I still think for the most part, you know, it's still very siloed. Um, computer science, which isn't cybersecurity, criminology, which is also not cybersecurity. So. Yeah, I'm trying to work at the intersectionality of spaces and take the best of all of these worlds and experiences in my, in my work.
So yeah, so that's little bit of.
[00:05:35] Julie Haney: Awesome. Yeah, I, I love bringing those different perspectives together is, um, is so important in, in cybersecurity. Um, so, so let's talk about. Some of the things that you're doing, um, and we'll start with your work in cybersecurity literacy and, um, community outreach, um, which I think is. It's so important because there's so [00:06:00] many people who aren't exposed to cybersecurity training because they don't have a, perhaps they don't have a job where they, they have that type of, you know, security awareness training.
Um, so how do they get that training in the first place? So can you tell us a little bit about, you know, what you're, what you're doing with cybersecurity literacy?
[00:06:21] Aunshul Rege: Yeah, so, um. I love the research side of things as well, but the education piece is just as important, right? Be it in my classroom or sort of outside of the classroom in the community. And, uh, you know, I, I think, um, you know, one of the things that we have to do as educators also change the way that we teach.
Uh, I think, um, when I started, uh, I taught, you know. My classes, the way I was, um, the experience based on the experiences that I had as a student, right? So here, go read these materials, take the exams, write a paper, do a presentation, but they [00:07:00] don't really have, uh, applied and practical value. And I also wanted to design something where, uh, I could give back to the community where Temple University is housed, and that's in Philadelphia.
Uh, so this actually, uh, came about through a couple of different pathways, uh, as is usually the case. Um, so I was reading the, uh, 2022, uh, digital equity plan that the city of Philadelphia had produced. Uh, and there's, at that time there were approximately 96,000 households in the city that didn't have.
Broadband internet access. Uh, and a lot of them were low income residents, so they were less to have access. And at Temple. There's, uh, a unit called the Digital Access Center, and, uh, it's actually a workforce development center for the North Philly community. And what it does is it provides [00:08:00] residents access to technology and help desk support and free education in the areas of digital navigation and, and digital literacy.
So a lot of the, um. Centers. Clients are, uh, seniors, sometimes they're first time computer users, and so a lot of their time is just spent on understanding the basics of using computers. And this is sort of where we kind of. Uh, bring our, uh, experiences to help assist the work that the center is doing. Uh, and the students in my cybersecurity class come into the picture.
So we worked with the center, uh, and we added on, if you will, to the, um. Digital literacy programming by offering a cyber hygiene curriculum. So we worked with the center and we designed a class project where students had to raise awareness about cyber hygiene, and they had to develop a 10 minute presentation on a cybersecurity [00:09:00] topic of their choice.
But sometimes the center would tell us, Hey, can you really focus on these, you know, specific topics? And the presentation would just have to cover. Three main parts define the topic, uh, justify why it's relevant, and offer three clear ways, uh, to protect against or mitigate the issues or practice good cyber hygiene.
Um, and they had to do this in a way right, that was easy to digest for, uh, the elderly population. Um, and I, I, we started this, uh, a couple of years ago. Uh, and it's come a long way and I think projects like this are really, really wonderful because everybody wins, right? Um, seniors get to learn about, for instance, the latest scams and how to keep themselves safe.
And they've actually told us that they go home and share this with their family and their friends. So I love the fact that in a way they're serving as cyber ambassadors. Right. Um, students really feel great about their work because they're giving back to the community. [00:10:00] And from a career prep, uh, sort of perspective, they're building their presentation skills, learning how to communicate like maybe complex jargony topics, right, in an informal way, in an informal setting to an older population while treating them with respect and dignity.
Uh, so it often starts as a presentation. But it ends up becoming a conversation and there's lots of stories and experiences that are shared both by the senior citizens and the students from my classroom. So, uh, it's really, really cool because you end up creating these shared experiences and safe and judgment free spaces for everybody.
So it's been, it's been a fun project and it's continuing to evolve.
[00:10:44] Sean Martin: Sounds super cool. And, uh, the first thing that I think of is how can you scale that? Uh, so it's only so many students, only so many programs, and obviously you're in the, in the particular part of Philly. Um, how do we do that broader scale? And I, I [00:11:00] immediately go to the organizations that are. Doing awareness training. And, and so I have two thoughts here. I know we want your perspective on it. So the first is there's this awareness training and tools are implemented. Let's say we're, we're gonna, we're gonna educate you on, uh, phishing and that, and also we're implementing MFA or multifactor authentication. The, the employee may or may not connect those two, but they are connected, right?
So, um, depending on how the awareness training is delivered, they might understand we're getting MFA to help combat the impacts of, of phishing. Um, but without that connection, without the context, they see the tool. It, it inhibits their work. They, they see their awareness. They, they, they hopefully do things differently.
Um, don't put the organization risk, but. Very seldom in my experience, they bring that home. Very
seldom do they share that with others around them, which you've been able to accomplish [00:12:00] by the literacy part. Being able to describe it in a way, make the connection, make it understandable. And so I'm wondering how your thoughts on how we can perhaps build a broader program beyond the, beyond the one that you're doing, and is there a way to leverage. I dunno, cross curriculum stuff at universities, tap into the awareness training and organization. I dunno, just thoughts on, on all that.
[00:12:26] Aunshul Rege: Yeah, yeah. Um, you know, uh, most of the organizations, like now I'm at Temple, but even before when I was, um, you know, working as a student right in, in different settings. Um, so my exposure to training has primarily been what have academic institutions offered their employees. And it's typically once a year, uh, an online module.
You go through it and it's a quiz, or you know, you complete it, if you pass, that's good. Or they have the phishing simulations where if you accidentally click on something, you have to now go do [00:13:00] some additional training. Um, and there's, you know, of course those are, those are good. But I, I think the way, so it's the content side of it.
Of course, we wanna cover those topics. And as you said, Sean, you know, we wanna make sure that folks understand the connections between these topics. But I think an equally important part is delivery. How it's delivered, how often it's delivered. Um, you know, what is the tone, what is the setting, how is it structured?
Is it a quiz? Or you know, is it again that simulation type of exercise or is it something that's more hands-on, uh, pro proactive? Um. Is it more interactive? Is it through storytelling? I've found when it's presented in that way, uh, it, it's more relatable. Uh, and we realize that we had this, this is actually a very, you know, integrated part of our everyday lives.
So I think when you start doing more of [00:14:00] that, so I think there needs to be a fundamental shift in the way training is done before we even think about scalability. Right. Um, so, so, um, and that requires, you know, investment, both financially bringing different, uh, perspectives into how to do this training, uh, doing a lot of research into what works and what doesn't work.
Uh, getting into those metrics and have had endless conversations with many, many people about metrics. Uh, and, and Julie is the latest person that I've been speaking with about that. Right? Like, what works. Um, and so the way we know. And a lot of times, especially when you're interacting with a community, which is my audience, I cannot frame it as a research project, right?
So I cannot truly measure these things because I have to worry about trust and I wanna form and maintain those relationships over time. I want them to keep coming back, bringing their friends, their families, uh, into these types of conversations. And I know that it's working [00:15:00] because. Uh, when they come back, they do bring their neighbor or they do bring their grandchildren.
So we had, part of this is in the classroom, well, we also have a cybersecurity day, right, where we just, everybody from the community comes together and it's literally, you see generations. So you'll see grandparents, their kids who are probably my age, and then their children who are, you know, uh, youth and they're all having conversations about it.
So I think normalizing. Is also something that's really, really important. Normalizing and, and changing the way we talk about it, making it relatable, making it conversational. I think those types of things I've found in my context to be very effective. Now, how would that map into, in an organizational setting, you know, is there truly a.
Um, a desire to move towards that, right? Go into that direction. Is there going to be a financial investment [00:16:00] in these types of things? That's, um, a separate conversation entirely, right? What, what is, uh, what are budgets allocated for and things like that. So I think a lot more needs to happen.
[00:16:13] Julie Haney: Yeah, I think I, I, I mean, I, I completely agree with you about the delivery, the, um, making things relatable, the building of trust, right? So coming across as, as, um, as credible as well. And, and I'm wondering, 'cause I, I know there's been a lot of research in the past looking at generational differences when it comes to.
Technology and cybersecurity more specifically. Um, and, and I know you've worked with different populations, so you mentioned, um, some of the seniors and, and I think you've worked with youth before as well. So how, what would be your recommendations for, you know, how these. How to approach these different generations to really tailor the message so that it really does, um, hit [00:17:00] home so that it is relatable so that it addresses their needs.
Like what are some of those kind of generational differences that, that you see? And, and how does that change your approach to, um, to just talking to people about cybersecurity?
[00:17:15] Aunshul Rege: Yeah. Yeah. And this is, you know, um, I always joke that nobody taught you, uh, or at least when I was in grad school, nobody teaches you how to teach. Um, they teach you how to do research, but they never teach you how to teach, and all of a sudden you're in academia and you have to figure out how to teach.
Um, and so I'm figuring things along as I go and I think that's step one, just realizing that it, it's, it's an evolving. Process dynamic, especially every time technology changes or the latest thing comes out, right. Um, you have to be able to adapt and realize that it's never gonna be perfect. Right? So I wanna, I wanna start with that.
Um, and I mentioned some of the work that we've been doing with seniors, but we do offer [00:18:00] separate. Youth programming. And again, we cater the topics, uh, obviously, you know, that are more appropriate for youth. Um, and again, we listen to our partners. So one of our partners, for instance, is a juvenile justice center of Philadelphia, and they offer an assortment of programming, one of which is ours, right?
Um, to at at-risk youth, right? And so they come and say, oh my gosh, we've got, uh, a lot of our youth are, uh, the latest thing we're seeing is sexting. And this is huge. Can you talk about it? And it's a very difficult topic to talk about, right? So how do we talk about this, um, in a safe way? In a fun way?
Because you have to keep them engaged, but you also have to get them to talk about this, right? And it's uncomfortable sometimes. So. You know, so that's been, uh, like a topic. Um, online gaming is another one that, you know, our partners have said, can you please talk about that? Uh, deep fakes and [00:19:00] disinformation, right?
So. So yes, in terms of the content, of course it's different. Um, and, but in terms of, you know, and again, this is anecdotal, uh, right, and again, I can't really do research when it comes to this because for me, trust and long-term partnerships take precedence over the metrics in this case. Right. Um, so what I've found and what my team has found is seniors are more likely to be cautious, uh, about, um.
Technology, uh, but they don't necessarily have the most up-to-date information on the current threats or trends. And a lot of times, uh, they may feel overwhelmed by all of this information, especially around security, uh, if it sounds too complex or if it disrupts the functionality that's offered by, by that technology, right?
So you have to think about those types of things. Whereas with the youth, it's been almost like. [00:20:00] At the other end of the continuum. So they're very tech savvy, but that doesn't necessarily mean they're cybersecurity savvy, right? So they do have a lot more comfort. And familiarity with technology, but they may be overconfident because of that, right?
And so they may engage in more risk taking behaviors. Uh, they may prioritize speed and convenience over safety. So I think that's sort of what we've been seeing in terms of these two groups. Um, but in terms of communication, right? There's. Uh, again, how do we deliver content? We found, uh, some differences.
So for seniors, again, being super clear, jargon free using visual aids trust building, right? So again, this is why we partner with the Digital Access Center, right? You need to find, um, entities that have those partnerships with the community and sort of jump on. Because they've established the trust and we benefit from that.
Um, for the [00:21:00] youth, we've had to do lots and lots and lots of hands-on activities, right? So it's very much, it's almost like solving puzzles or solving mysteries and those types of things, but Right. So these are two very different demographics, but for both populations. There's a lot of similarities in terms of how we offer the programming.
So again, for both, we wanna create safe judgment-free spaces, uh, use informal conversations through lots of, again, storytelling and hands-on activities. Um, not use fear-based approaches. For both groups, but framing it as a way to protect their independence, um, their reputation. That's been like, it's almost like, as opposed to fear, let's empower.
Right? So shifting the, the, the way it is again, the, the tone, the messaging of it, um, hearing the needs and experiences of the community and tailoring the content accordingly, right? It's very easy for us. Every semester I could just be like, yep, we have these set slides. Here you go. We're gonna [00:22:00] do this. But the access center will tell us, Hey, you know, can you really help us do this?
Or there was, when we went out into the hunting park community, they wanted something specific for their, um, community residents. Uh, so, so again, listening and tailoring. And it takes more time, but it's definitely the way to go and that helps build those trust relationships. Um, I think what's what I've been doing, and again, just like I said, they don't teach you how to teach.
They also don't teach you how to engage with community. Right. Um, so I found that having, um, uh, getting community outreach and engagement training is important. So in my classes I dedicate two classes where I bring in experts specifically on this, right? To talk with my students about this. So, um, how do you design the content?
How do you pick examples? How do you, you know, deliver the presentation? How do you have meaningful and thoughtful [00:23:00] conversations? So learning not just how to present, but present with community in mind. Um, and the last thing I'll say on this is I'm not a fan of phrases such as, you can't patch Stupid, or The human is the weakest link.
Uh. Do think the human is our strongest asset and we really need to normalize cybersecurity conversations and do this early. Right? So being mindful of tone, not framing ourselves as the experts, but rather immersing ourselves into conversations and truly being present and meeting people where they are.
So I think those are some of the things, regardless of the demographics that you're dealing with, uh, that you want to bring the table.
[00:23:45] Sean Martin: Oh, such, such good stuff. And I, you've mentioned metrics a couple times and, uh, so I'm gonna, I'm gonna say this. I think you can only measure something that you can see
[00:24:00] and, and hopefully we're measuring it in the context of what you want to achieve. Um. 'cause you can, you can measure a bunch of things in different ways and it doesn't really mean you're gonna get out of it or find the answer that you, that you want. So how do you, how do you define what success looks like and how do you measure, measure that, because I think this is generalizing, but I think a lot of the awareness training and organizations is measured by how many employees didn't click, or how many employees did the test, or how many employees, whatever.
And. It's very tech driven, very action driven. But it doesn't necessarily mean that they caught on, doesn't mean that they embraced, it doesn't mean that it actually impacts, uh, or reflects in the security program, uh, or the business outcomes overall. Um, so obviously you're, you're not inside the organization, but I think a lot of what you do can be applied to an organization based on the research you do.
So any thoughts on defining success, measuring success?
[00:24:58] Aunshul Rege: Yeah. Yeah. [00:25:00] Uh, so from a student, uh, perspective, one of the things we do, let's say with the community outreach projects is I get students to write reflections right? About what they got out of it. And you can ask specific questions to, and it's not necessarily a quantifying. Metric, but a qualifying. Right?
So it's more qualitative data, but what did you get out of it? And one of the biggest things that has always come out, ever since we've started, um, looking at the reflection pieces, I really had to know my stuff, for me to be able to go teach it to somebody else. Right? And so I can give them the content, I can quiz them on it, and that's one thing.
But when you are in the position of being responsible to now. Give that information to somebody else, right? So in a way they're taking on my role. Um, so they really have to know the material inside out. And they themselves are now doing the research to be able to handle, you know, any questions that they may get asked [00:26:00] of things along those lines.
So I think centering. The human, in this case, my student, right? Where, where it's um, they have to now really know their materials. So that's been one way of, for me, assessing are they really getting it right? So not just understanding it, but also delivering it. And through that then, you know, they've come and said, 'cause I've met some of my students later on, and they've come and said.
I still have conversations with people, you know, I still tell them, you know, be careful what you do. You know, you could get shoulder surfed or you could get this right. So that's been sort of one way of measuring that in my setting. Uh, the other issue that we have, which is not going to be in an organizational setting, not necessarily is the turnover rate, right?
So students take my class one semester and then they're gone. They never have to see me again for that class or do that project or anything like that. So is the metric that I've [00:27:00] used or how do I know that they've retained information? I don't really have a way of measuring that. Right. But I know like right in the, in the few cases where they come back and tell me that, or when I see.
Um, are the elderly folks bringing their friends or when they, you know, um, or the students who've taken our youth programming, they go and tell other youth at the juvenile justice center, Hey, next time this is offered, you should totally do it right. So it may not necessarily be an indication of. You know, what did I learn?
But at least there's the hook that gets them intrigued and they wanna know more about it. And that to me is a good starting point. Or when we have celebration ceremonies for either the seniors or the youth and their families come. I can hear through the buzz, right? Where it's like, oh yeah, I remember when you guys covered disinformation.
And then my son [00:28:00] came home and we were having a giant conversation at dinnertime about this, right? So to me, those few instances, uh, do demonstrate that something is working. And for me, even if it's just a conversation about it, that's, uh, a win. So that's how I again, have looked at it as, as not, maybe not, um, necessarily a success per se, but certainly, you know, moving in that direction, right?
Like where we're normalizing having conversations about cybersecurity.
[00:28:35] Julie Haney: Awesome. Great, great stuff. Um, so I wanna, I, I wanna. Change, um, gears a little bit because, um, I really wanna get some of the work that you've done with your, um, your social engineering cybersecurity competitions, because I think it's, it's so interesting. Um, and, and we mentioned before when you were telling us about your background, um, how cybersecurity is very [00:29:00] interdisciplinary.
Right. And I think sometimes that. Folks coming from other disciplines have a difficult time seeing themselves in cybersecurity, um, because it's so tech focused. And I know you've been, um, you've been working on these competitions as a way to bring in students who are not in kind of the, you know, quote unquote traditional cybersecurity fields, um, into cybersecurity so that they get more of that experience.
So, c can you tell us, tell us a little bit more about what you're doing.
[00:29:38] Aunshul Rege: Yeah. Yeah, for sure. Um, so, and I think Julia had mentioned this before, and Sean, you, you've mentioned this too, is I think cyber, the way I've looked at it now, cybersecurity is no longer optional. Right. And it's not going to, um, only, uh, be something that matters to students or working professionals in the tech fields.
[00:30:00] It's gonna target everybody like this is cyber attacks can target anyone. Uh, and so I think this gets into just a basic understanding of this especially, and what makes it relatable, at least like a stepping stone, if you will, or the bridge that connects cybersecurity to all these other domains, right?
The way to make it relatable is through, I've found, anyways, one of the ways to do this is through that social engineering work that we've been doing, and we look at diversity in a couple of different ways here, right? So it's diversity in terms of the theme of the competition every year. So we do run, um, international competitions virtually, uh, every year.
We've been, we just finished year five, which.
Open to high school, undergraduate and graduate students from all over the world and um. So we have a different theme every year to demonstrate the various ways that social engineering can manifest, [00:31:00] right? So in our first year, for instance, we had, uh, it was just a classic social engineering penetration test.
Um, the second year we had, uh, the students pose as ransomware negotiators. When, uh, my lab. This is all hypothetical, of course. Right. Or simulated, I should say. When my lab was subjected to a ransomware attack, so now students had to come and play the role of a negotiator, which is an actual role, right? And social engineering comes into that space.
So it's, it's um, very different sort of a way of demonstrating how. It, um, might occur. Uh, then the year after that, uh, we had romance scams in social engineering. So they had to, um, interface with a potential victim, and the victim was talking to a potential scammer. And so they had to figure out, well, is this really a scam?
And how do we let the victim know this? Uh, while demonstrating tactical [00:32:00] empathy. Right. So again, a different way of looking at social engineering. Um, last year we looked at employment scams and social engineering, and this is something that's actually impacting a lot of young adults, uh, in general who are coming out for the first time with their degrees and they're looking for jobs, right?
Uh, so we centered it around the young adult demographic and, um, just this past year. We did critical infrastructure and social engineering. So it was a transportation company, um, that was, uh, the target. Uh, and uh, students had to do a social engineering penetration on a test on that. And so this is also the first year that we brought AI into the mix, right?
So students had to use AI to understand how cyber criminals are using AI to really, um. Uh, polish their social engineering campaigns, uh, to increase the scale and [00:33:00] scope of their campaigns. Right? So getting again, students to think about this. So what we do through these is look at different themes to get students to understand that cybersecurity and social engineering looks different in.
Settings, um, that it's not just something that bad folks do, right? When they're, um, Desi, you know, sending those phish campaigns or trying to issue, but it's also something that defenders can use as a defense mechanism, right? So how can you social engineering back against your attacker, right? And also then how do you, um, demonstrate that when you are engaging with potential victims?
So. It's diversity in terms of the theme and how it manifests in, you know, understanding adversarial defender and end user victimization, those types of components. Um, but then there's also diversity in terms of disciplines. Now, when I had started creating these competitions, it came from a space where I was [00:34:00] envious of the, uh, hard sciences or the computer science folks who had the.
Um, CTFs that they've been doing for years. And I said, what would that look like, um, in, in liberal arts because we don't really have anything, uh, that is just as fast-paced or dynamic. And that's where this came from. So it was something that I wanted to do for liberal arts students. Uh, but surprisingly our biggest, uh, student base has actually been from computer science.
And cybersecurity. Uh, but we do have students from business, uh, liberal arts. Of course media and communication was an interesting one that we've seen. Uh, my personal favorites, theater, music and performing arts, um, who are actually very talented social engineers. Uh, but we've also seen, uh, students from nursing and, and medicine, uh, consider our events, right?
So there's this recognition. Because of the [00:35:00] various themes that we've had that people are starting to realize, Hey, maybe I can get into this, or I understand this, oh, it's romance scams that targeted my, you know, friend, or it targeted my grandma because she's lonely. Right? So these types of. Things become, again, more relatable, more every day.
And that also is part of the draw, right from different disciplines who have considered our competition. It's also the cost of entry in terms of skillsets is zero, right? So you don't need to know how to code, you don't need to know, uh, networks. You don't. You need to know how to talk to people, right? You have experienced phishing.
So it's something that you can understand, right? So that's the relatability that I was talking about. How do you make the event itself relatable, understandable, easy to comprehend so that you draw the audience in, um, and get them to [00:36:00] think about ways that I can do this too. And that's what we've been trying to do.
[00:36:07] Sean Martin: And I want to, I know, Julie, you have, uh, the the point on the new program. That, uh, on show that the university's launching? Correct. And it's not just a bachelor's in cybersecurity. Uh, what's it, it's a, yeah, batch of arts, cybersecurity, and human behavior, which is exciting to me. I mean, not, I think every organization, every university should have a cyber program. Yours includes the human behavior part of it. Um, what, what does that mean? How does that shape what the program is? Who? Who joins the courses and what they get out of it at the end beyond a traditional cyber only program.
[00:36:51] Aunshul Rege: Right. And, um, the, you know, Sean, you hit it right there, right? It's the human behavior piece. And, uh, that's to [00:37:00] start. Sending the message that liberal arts does play a role and actually has a lot to offer. So when we were deciding to create this program, um, one of the things, and I sat down, you know, with the College of Liberal Arts and the deans and all of that, it was a lot of fun.
But we wanted to bring those quintessential liberal arts skills and expertise to cybersecurity. So. Classic skill sets, right? Like critical thinking, problem solving, um, conducting research, uh, communication, creativity, thinking outside the box, right? All of those types of things. How can you bring that into this world of cybersecurity?
And so, um, you know, so we have some new classes. Um, and some of them, again, you know, based on my own sort of experiences with the social engineering competition or the community work that we're doing. These are now actual classes, which are really, really cool, right? So there's a class on social engineering.
There's a class, a required class on community [00:38:00] engagement where students are gonna have to rotate, right? So one month they might do programming for the elderly. The next month they're doing programming for youth. The next month they're doing programming for local, uh, small businesses and nonprofits, right?
So again. Um, these are the different demographics that you have to be able to communicate with, um, classes on ethics and ai, surveillance and privacy, right? Cyber politics. So these are just some of the courses, um, and for at least the courses that I'm going to be responsible for, uh, I'm actually borrowing the trade school mindset.
Uh, and by that I mean the first one. Third is just about understanding the concepts. Right, but the majority of the classes and applying those concepts, so through practical, uh, hands-on projects, so, uh, social engineering penetration tests, right? Community outreach and engagement, developing a governance risk compliance assessment for local community [00:39:00] organization.
So not only would, um, students learn through the application. These actually become line items on their resumes. They will have concrete deliverables, right, like a pen test report or a community, uh, training and awareness presentation slide deck or a GRC assessment document. These become actual deliverables that they can present to potential employers, so it's really training them.
To apply the concepts to produce deliverables, and of course, we're baking, um, into each of these, the, uh, NICE frameworks, the cybersecurity framework, uh, TKs, right, the tasks, knowledge and skills while we're designing the assignments. So again, it's built from the core outwards, uh, in a way that it's practical, has application value is meaningful, uh, and gets our students ready, uh, for the workforce.
[00:39:58] Julie Haney: Oh gosh, that's, that is really [00:40:00] exciting. It almost makes me wish I was young enough to go back and get another bachelor's degree. Yeah. Um, so I mean, this is, this has been fascinating anal Thanks, thanks so much for, for sharing, um, the work that you've been doing. Um, so, so really the last question for you is, you know, what, what are, what are the last thoughts you wanna leave with the audience?
Um, you know about how. They can take kind of this more holistic approach to cybersecurity and really engage, um, everyone in cybersecurity that they, they see their place, um, and their responsibility in that.
[00:40:43] Aunshul Rege: Yeah. Um, I, I, I think there's a couple of things, right? So, um, I want cybersecurity awareness to, uh, move from being reactive or punitive to being more proactive and. Where [00:41:00] again, humans are viewed as assets, right? Not vulnerabilities. So I think building trust, uh, even, you know, in your employee, uh, in your employees so that they feel comfortable reporting things or, uh, asking questions without fear.
And, you know, of course that's not possible in all environments, depending on the nature of the work, but if it's possible, you know, shifting that mindset I think is, is important. I don't think security should feel like, um, an extra burden. Or a checklist item, right? It's not just performative. Um, it's, it's, the messaging has to be that this is part of our daily tasks.
It is, again, that no longer optional. It fits naturally into your work environment. Uh, and I think when you start doing that, it's more likely to stick with people. Um. You know, just realizing that, you know, uh, again, it's a human right. We, we are shaped by habits, uh, [00:42:00] social norms, incentives, cognitive biases.
So are we really bringing in psychology and social sciences and, and liberal arts right into these conversations? Um, and designing programs, uh, that are not just those once a year training or those click, you know, and go get training. Um, so I would, my hope, uh, again, as an educator, but also as a, as a liberal arts, um.
Faculty is, I would love, love, love to see students from liberal arts fields bring their unique perspectives in these types of areas. So I'd love to see more internships, um, and early career roles for students who have just graduated. Right. Um, and, and start again, embracing these fields as opposed to saying, oh, you don't have the certification.
Sorry, you can't get the job because you may not necessarily need the certification for that kind of stuff. [00:43:00] Right? So, um, just recognizing these different skillsets, welcoming these and valuing these and integrating these into existing structures, into your work environments, I think would be, uh, a wonderful message to send to the next generation.
[00:43:20] Sean Martin: So, so cool.
[00:43:22] Julie Haney: Awesome. Awesome. Well, thanks so much again, ancho. I mean, that, that's great advice. There's been, uh, lots of, of, of great, um, tidbits throughout that, that I hope our, our audience takes to heart. Um, and I'll turn it over to you, Sean,
[00:43:39] Sean Martin: Yeah, I mean, uh, I'm so appreciative for you to, to, uh, join us here and share all the cool things you're working. I wanna, I wanna work on stuff like that too. Look, sounds fun. And, uh, alright, I'll see if that's possible. That, that could be good. And, uh, Julia, you're amazing as always to, uh, bring really [00:44:00] cool people to, uh, to the show and, and shed some light on this important part of keeping the human in the center of.
Of cybersecurity and like understanding behavior and, and trying to achieve the outcomes we want with the human right there in the middle and, um. Yeah, so I'm, I'm always thrilled to have these conversations. Anan, I'm thankful for you to joining us. Julie, good to have you on again. Hopefully it won't be so many days between the now and the next one and everybody listening, I'm, I'm sure you're thinking about how this might impact you and maybe some changes you might make in your personal life, perhaps in your career.
If you're a security leader or a practitioner listening, many of you are, um, perhaps this has a, a, way for you to think differently about your own. Security awareness programs are broader security programs as well where the human is at the center. And I think, I think the call to action here is universities do more like Shils doing and, and, uh, temple is doing, and temple keep up the good work, [00:45:00] continue to expand and, and everybody listening contribute to, uh, to the community so that those things can actually succeed on a broader scale.
So with that, I will say thank you all again and, uh, appreciate you all joining. Do subscribe and share. Connect with Julie and uh, we'll see you all the next redefining Cybersecurity and Human-centered cybersecurity suber here on IS.