People-Centric Security
Getting software, not its users, to work harder
People are at the center of technology. We tend to focus on RAM storage or the signal strength of our wireless networks, but phone calls bring us together. The Internet of Things triggers the thermostat to warm up our homes.
However, like most human endeavors, technology remains remarkably susceptible to human error. As Matthew Wright ’99 puts it, “many security problems in practice are due to people.” An expert in cybersecurity, Wright has made pioneering contributions to the field precisely because he’s kept Harvey Mudd’s mission statement firmly in mind: to better understand the societal impact of the technology we create.
Appointed in 2016 as director of the Center for Cybersecurity at Rochester Institute of Technology, Wright will have many opportunities to keep people at the center of his research. He describes cybersecurity as protecting computers and networks against attacks that would gain access to the information they contain. This information ranges from personal health records to military secrets.
Wright says, “We are studying new password designs where the system generates random passwords and then provides tools based on lessons from cognitive psychology that help the user remember them.” However, there are other parts of society in this equation: those who attack computer networks. Thanks to Wright’s direction, the Center is focusing on both of these angles. Researchers are working on user-centered issues but also exploring the tools cyber attackers can use through a process that simulates attacks on networks to find and eliminate vulnerabilities.
Wright’s work to thwart attackers involves contributing to and optimizing an online anonymity system. This system encrypts your private information and the information you send over the internet and fragments it like the pieces of a jigsaw puzzle. It’s difficult for attackers to find all the pieces, decrypt them and get the whole picture. The anonymity system also breaks the puzzle into differently interlocking pieces every 10 minutes. Prateek Mittal, Wright’s longtime colleague and an assistant professor and head of the Security and Privacy Lab at Princeton University, considers this effort “groundbreaking work [that] has laid the foundation for the next generation of secure and privacy-preserving systems.”
As for the rest of us who are trying to remember those strong passwords to preserve our privacy, Wright explains the motivation for his human-centered research: “We’re asking users who are not security experts, who are not skilled in memorization techniques, for [a password] that is both secure and memorable.” Wright thinks that the software should work harder, not the user.
He has upgraded memorization techniques for graphical passwords to incorporate visual, verbal and spatial cues to aid all types of learners. This novel approach opens up new avenues to solving complex problems, such as keyboard sniffing and shoulder-surfing.
But Wright is also very conscious of the students he’s shoulder-to-shoulder with at the Center. His goals include “high-quality, hands-on education of the next generation.” And when he looks for examples of that type of teaching, he pulls from his experiences at Harvey Mudd. He’s grateful to many of his professors for their passion and their commitment to active learning, especially professors Ran Libeskind-Hadas (CS) and Arthur Benjamin (mathematics).
He says, “My time at Mudd helped me to understand how to be successful without being the smartest person in the room and to recognize what others can bring to the table and how it can help the team. My goal in this leadership position is to help some similarly talented [people] be as successful as possible by mentoring them and helping them in any way that I can.”