Faces of Security

Faces of Security: Dr. Lorrie Faith Cranor from Carnegie Mellon University

“The No. 1 cybersecurity issue always is the human factor,” said Dr. Lorrie Faith Cranor, whose work has had a major impact on industry standards.

Cranor is Director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She has been at the Pittsburgh, Pa.-based private research university for almost 19 years.

“I wear many hats,” Cranor explained. “I teach classes, advise students, supervise research projects, write papers, apply for funding, and a lot more. In addition, I am director of the CyLab Security and Privacy Institute, co-director of the Privacy Engineering master’s program, and co-director of the Collaboratory Against Hate.”

Cranor noted she is also a proud Fellow and long-time member of IEEE, the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.

Cranor previously worked at AT&T Labs-Research for 7 years, served as the Chief Technologist at the U.S. Federal Trade Commission, and co-founded a security awareness training company, Wombat Security, which was later acquired by Proofpoint. She received her doctorate in Engineering & Policy from Washington University in 1996 and also holds an undergraduate degree and two master’s degrees.

To learn more about Cranor and her take on the cybersecurity industry, please check out her “Faces of Security” interview below:

How did you get your start in the cybersecurity field?

I was interested in internet policy issues in graduate school, and privacy was emerging as a big issue. Then when I started working at AT&T Labs I was invited to participate in a W3C working group to develop an internet privacy standard. I thought I would work on that for a few months, but it ended up becoming my main work for my entire time at AT&T. Somewhere along the way, I transferred into the Secure Systems Research group at AT&T and started collaborating on other security-related projects, too.

Why did you decide to join the IEEE, and how has it benefited you professionally?

I joined IEEE when I was a graduate student, largely because my friends were joining, I think. That was a long time ago! I have enjoyed reading IEEE publications, attending IEEE conferences, and serving on various conference and editorial committees. Now I co-host an IEEE security and privacy podcast, which is a lot of fun!

What’s your favorite part about working in the cybersecurity field?

As a researcher, it’s fun to do research on areas that people can relate to. I’ve spent a lot of time doing research on how to improve password policies and how to make privacy interfaces more usable. These are both topics I can talk to anyone about. Everyone loves to tell me about how much they hate changing their passwords. Sometimes they try to tell me their passwords too, but I try to stop them before they get too far. When I talk about privacy interfaces and cookie consent, I also get a strong response.

What changes would you like to see in the industry?

I would like to see the industry pay more attention to consumer needs for security and privacy and to actually test security and privacy user interface components with consumers. If you have an informed consent experience, you really need to test it with consumers if you want to claim that consumers are actually informed.

What do you think is the No. 1 cybersecurity issue right now?

The No. 1 cybersecurity issue always is the human factor. For years, everyone focused on finding bugs and locking things down, and of course these things are important. But if you don’t think about how people are going to use security systems, you may be shooting yourself in the foot. For example, we’ve made access control systems very complicated, so in many situations, people just share credentials rather than getting their access permissions updated. And when people change roles or leave the company, nobody remembers to update their access.

With passwords, we’ve added all sorts of requirements to make it harder and harder to create and remember your password. So now people just use the same password over and over again so they don’t have to bother coming up with new ones, and when they have to change their password, they just increment a digit at the end or something like that.

Back in 2009, my research group at Carnegie Mellon University started doing research on password policies, and we found that even the National Institute of Standards and Technology (NIST) guidance had very little empirical data behind it. We spent a decade gathering empirical data on how humans create passwords and the impact of various password policies, password meters, and instructions. This gave us a lot of insights into ways that we could actually improve password security, and in the end, NIST updated their password guidance taking into account our research.
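The failure mode described above (users rotating a password by bumping a trailing digit, or reusing one that is on every common-password list) can be checked for at change time. The following is an added example, not code from Cranor’s lab or from NIST; it applies a length minimum and a denylist in the spirit of the NIST guidance mentioned, plus a trivial-variant check against the previous password, using a small constructed denylist where a real deployment would use a published breached-password list.

```python
import re

# Constructed denylist standing in for a real common/breached-password list
# (illustrative only; a real deployment would use a large published list).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome1"}


def _stem(pw: str) -> str:
    """Lowercase and strip any trailing run of digits/punctuation.
    'Summer2023!' -> 'summer', so 'Summer2024!' has the same stem."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a predictable edit of the old one."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:                       # identical, or case change only
        return True
    old_stem = _stem(old)
    if old_stem and old_stem == _stem(new):  # only trailing digits/symbols changed
        return True
    if len(old_l) >= 4 and old_l in new_l:   # old password embedded, e.g. a suffix added
        return True
    if new_l == old_l[::-1]:                 # simply reversed
        return True
    return False


def evaluate_change(old: str, new: str, min_length: int = 8) -> list[str]:
    """Return the reasons to reject the new password; an empty list means accept.
    No composition rules (uppercase/digit/symbol quotas) are enforced on purpose."""
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    if new.lower() in COMMON_PASSWORDS:
        reasons.append("common password")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes: the first two are the "increment a digit" pattern.
    for old, new in [("Summer2023!", "Summer2024!"), ("Summer2023!", "SUMMER2023!"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accepted'}")
```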

Where do you see the cybersecurity industry heading in five years? Are you noticing any major trends?

There are a lot more companies in the cybersecurity industry focused on privacy than ever before. I think we’ll be seeing more of that over the next five years. Privacy is becoming less of an afterthought.

What are you most proud of?

I’m always most proud of my students. It is exciting to work on research with them and see them blossom in their careers. It is also exciting to see work that we do in my lab have an impact on the world. Over the years we’ve impacted the design of web browser phishing warnings, security awareness training methods, password policies (including NIST’s password guidance), and privacy interface design. We also designed the icon that the State of California uses for “Do not sell my personal information.”

Do you have any advice for people considering a career in cybersecurity?

I think people should realize that cybersecurity is a very broad field and there are a wide range of opportunities to explore depending on their interests.

Are you or a colleague interested in being profiled for the new “Faces of Security” series? Please contact Editor Joe Bebon at JBebon@BLR.com