ÍÃ×ÓÏÈÉú

Skip to Main Content
Across the Quad

Across the Quad: Cybersecurity challenges in our community

Computer science and business colleagues – James Walden and Joseph Nwankpa, respectively – head a collaborative cybersecurity initiative preparing a diversity of majors for local and global threats

James Walden, director of the Center for Cybersecurity and professor of Computer Science, and Joseph Nwankpa, Farmer School of Business director of cybersecurity initiatives and associate professor of Information Systems and Analytics
James Walden, director of the Center for Cybersecurity and professor of Computer Science, and Joseph Nwankpa, Farmer School of Business director of cybersecurity initiatives and associate professor of Information Systems and Analytics, have pulled together their expertise to run a cybersecurity clinic benefiting ÍÃ×ÓÏÈÉú University students and the surrounding community. (photo by Scott Kissell)
Across the Quad

Across the Quad: Cybersecurity challenges in our community

James Walden, director of the Center for Cybersecurity and professor of Computer Science, and Joseph Nwankpa, Farmer School of Business director of cybersecurity initiatives and associate professor of Information Systems and Analytics, have pulled together their expertise to run a cybersecurity clinic benefiting ÍÃ×ÓÏÈÉú University students and the surrounding community. (photo by Scott Kissell)
Arts, sciences, humanities, research, business – each separated by academic degrees and often distance on campus, but these disciplines do not exist in a bubble. ÍÃ×ÓÏÈÉú University’s interdisciplinary education lets students, faculty, and the community come together to simulate real-world collaboration, creating connections across the quad.

In this edition of Across the Quad, hear from James Walden, director of the Center for Cybersecurity and professor of Computer Science, and Joseph Nwankpa, Farmer School of Business director of cybersecurity initiatives and associate professor of Information Systems and Analytics. The pair, with additional faculty and staff support and collaboration, including Computer and Information Technology professor Anthony Rose, pulled together their expertise to run a cybersecurity clinic benefiting ÍÃ×ÓÏÈÉú University students and the surrounding community.

What is the cybersecurity clinic, and how did it come together?

James Walden: I just started at ÍÃ×ÓÏÈÉú last year and came in as the director of the newly created Center for Cybersecurity. I met with Joseph and a number of our faculty to look at ways where the community needs help with cybersecurity; how can ÍÃ×ÓÏÈÉú reach out and help organizations in the community? Historically, small organizations and governments haven't paid much attention to cybersecurity, but when ransomware became a big thing, suddenly cybersecurity was something everybody had to worry about.

Cybersecurity clinics are a fairly new idea within the last few years, but the idea is similar to dental clinics, law clinics, or tax clinics at a university.

Joseph Nwankpa: As the director of the center, James was the one who orchestrated this; it’s his initiative. The cybersecurity clinic is really a way, on the one hand, to be able to reach out with the community and find a way to partner with them and be able to provide some services, but on the other hand, it gives our students experiential learning capabilities while trying to help us build a partnership.

How are students involved in this initiative?

Walden: We're currently doing it as a class project. We don't have a clinic class yet, but that's our plan for it as we expand; we want to create a class that's accessible to majors from all of the colleges at ÍÃ×ÓÏÈÉú. Right now, we are focusing on students from College of Engineering and Computing, Farmer School of Business, and ÍÃ×ÓÏÈÉú University Regionals.

Our students had the clinic in the spring, and we want to bring it back for sSpring 2025. The students in my class were actually really excited about it. They really liked the idea of getting hands-on experience with an actual operating network as opposed to labs and things in the classroom. They were getting out there and helping and experiencing working on production networks.

On the employer side, there's a high demand for security personnel, but employers still really want to see work experience for an entry-level position, which frustrates students for understandable reasons. You can get that work experience in a variety of ways, like internships and co-ops, but the clinic offers another way for students to get that work and that real-world experience.

Nwankpa: I totally agree with that. My students were really excited about the opportunity to work with an actual firm, and in this case, the City of Oxford. I think it gave them that practical knowledge that they needed. And being able to talk to real people, that was very beneficial to them.

As we move forward, the business school alumni have lots of startup companies and students who are trying to go into startups. And those are other areas as well that we feel we can be able to play a role in with this clinic, given that they may not necessarily have all the resources to be able to deal with cybersecurity challenges as a startup or as a small business. It allows us to be able to create good partnerships with industry while helping underserved business communities that might not necessarily have the resources to be able to create a more robust cybersecurity defense.

How does the clinic work with the community?

Walden: The idea with a clinic is that we can do a security assessment of local organizations’ systems and find where they need to make improvements and offer our advice on those improvements. We wanted this to be a broad assessment, so that's why we worked across disciplines.

How is the cybersecurity clinic made better by interdisciplinary collaboration?

Nwankpa: Partnering together really allows us to build a strong synergy and also bring perspectives that do not necessarily converge, but can really create a more tangible solution to the problem. Working with computer science and engineering provides that degree of synergy, but also provides a much broader base expertise. Coming from a business background, we are looking at business processes and policies. For engineers, they're looking at businesses to assess the complexities of how the systems operate.

Walden: There's really a lot of perspectives on security from a variety of disciplines, like psychology, for example, is important. The number one way that a hacker gets into your organization is that they send an email or other message that somebody responds to and opens an attachment that gives the attacker their foothold inside the firewall.

Nwankpa: When I think about cybersecurity, there's always that behavioral aspect; cybersecurity deals with people, and so in terms of behavioral psychology, there's been a lot of research within the cybersecurity domain championed by people that have that expertise. Challenges of cybersecurity today have to do with people; people continue to be the weak link in cyber defense. Being able to understand people and why they take action or don't take action will always be a critical aspect of cybersecurity defense.

What are the greatest challenges to cybersecurity both in our community and in the global village?

Nwankpa: People continue to be vulnerable to data breach incidents; these databases lead to people's information being compromised, and people are worried about their privacy. They're worried about situations which may lead to identity theft or potential problems in the future. We've seen a lot of increase in data breach incidents that typically involve personal, identifiable information of people, which continues to be a threat and a challenge for businesses as well.

Walden: Ransomware really is the biggest criminal business out there. It is a multi-billion dollar global business. There's individual ransomware gangs that pull in hundreds of millions of dollars a year, and they work pretty much like corporations do. They have their own buildings, they have HR departments to recruit people, they have a financial team that researches the target's finances to try to estimate ransom, and they have a negotiation team.There’s also the broader space of business email compromise, of which ransomware is an example.

AI offers a lot of help to criminals, too. A lot of them aren't native English speakers, and you can usually tell there’s a threat because of spelling or grammar; it's terribly obvious that it's not real. But now with ChatGPT, Grammarly, and tools like that, they can write (in English) just as well as most Americans can. Then you add voice cloning and video cloning so the human aspect is there. We are experiencing sort of unprecedented threats because of that.

How do you talk to and prepare students for threats on that grand, often freighting, scale?

Nwankpa: From a business perspective, these threats are different across industries. Some industries are much more threatened than others. We are seeing a lot of increasing cyber threats in the healthcare sector; that was not necessarily the case in the past. So the threats evolve a little bit, and the tools evolve a little bit. For our students in the business school, what we do teach them is how to do a lot of risk assessment to be able to identify where the risk is or identify where you have those vulnerabilities. When it comes to cyber defense, the issue is not to eliminate the risk. The issue is knowing how to mitigate the risk, and how to put yourself in a position to protect yourself. Cyber incidents are something that is going to happen; you're not trying to eradicate it, but you're trying to mitigate it by putting some measures in place to limit the extent of your exposure to these threats.

Walden: That is one of the difficult things about the field, and at least on the technical side, it is sometimes a little hard to convince the students that there really aren't perfectly secure systems and that you do have to think in terms of risk. We try to help organizations identify what their biggest risks are and help find ways to mitigate those in a cost effective fashion. Certainly for social engineering types of attacks, training is always good.

We do have 10 Cybersecurity classes for the Cybersecurity major in the College of Engineering and Computing. So, we try to teach it across different areas. There's a human, societal, and organizational security course, a network security course, and a data security course. At the higher level, we've got both defensive and offensive security courses. You need to understand offensive techniques to do security assessments yourself and check things from an offensive perspective before a criminal does it for you. But, you also have to understand the attacks to be able to defend against them

New technologies bring up new potential threats, but we can really teach our students about the fundamentals of defense and what they need to know. When they graduate, they should know the principles and how to apply them to the new threats that come as they enter the workplace.

Any final thoughts?

Nwankpa: It’s always a great thing when you can partner across your discipline. It just provides additional insights that we might not necessarily have because we are always bounded by our own ecosystem and the things that we do. By moving across the aisle a little bit, it allows you to gain additional knowledge and also build up a great synergy that will lead to more problem solving. So, I think the clinic is a great initiative.

Walden: Nicely said.