Faces of Security: Dr. Lorrie Faith Cranor from Carnegie Mellon University – Total Security Advisor – BLR

Updated: Nov 28, 2022
“The No. 1 cybersecurity issue always is the human factor,” said Dr. Lorrie Faith Cranor, whose work has had a major impact on industry standards.
Cranor is Director and Bosch Distinguished Professor of the CyLab Security and Privacy Institute and FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She has been at the Pittsburgh, Pa.-based private research university for almost 19 years.
“I wear many hats,” Cranor explained. “I teach classes, advise students, supervise research projects, write papers, apply for funding, and a lot more. In addition, I am director of the CyLab Security and Privacy Institute, co-director of the Privacy Engineering master’s program, and co-director of the Collaboratory Against Hate.”
Cranor noted she is also a proud Fellow and long-time member of IEEE, the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.
Cranor previously worked at AT&T Labs-Research for 7 years, served as the Chief Technologist at the U.S. Federal Trade Commission, and co-founded a security awareness training company, Wombat Security, which was later acquired by Proofpoint. She received her doctorate degree in Engineering & Policy from Washington University in 1996 and also holds an undergraduate degree and two master’s degrees.
To learn more about Cranor and her take on the cybersecurity industry, please check out her “Faces of Security” interview below:
I was interested in internet policy issues in graduate school, and privacy was emerging as a big issue. Then when I started working at AT&T Labs I was invited to participate in a W3C working group to develop an internet privacy standard. I thought I would work on that for a few months, but it ended up becoming my main work for my entire time at AT&T. Somewhere along the way, I transferred into the Secure Systems Research group at AT&T and started collaborating on other security-related projects, too.
I joined IEEE when I was a graduate student, largely because my friends were joining, I think. That was a long time ago! I have enjoyed reading IEEE publications, attending IEEE conferences, and serving on various conference and editorial committees. Now I co-host an IEEE security and privacy podcast, which is a lot of fun!
As a researcher, it’s fun to do research on areas that people can relate to. I’ve spent a lot of time doing research on how to improve password policies and how to make privacy interfaces more usable. These are both topics I can talk to anyone about. Everyone loves to tell me about how much they hate changing their passwords. Sometimes they try to tell me their passwords too, but I try to stop them before they get too far. When I talk about privacy interfaces and cookie consent, I also get a strong response.
I would like to see the industry pay more attention to consumer needs for security and privacy and to actually test security and privacy user interface components with consumers. If you have an informed consent experience, you really need to test it with consumers if you want to claim that consumers are actually informed.
The No. 1 cybersecurity issue always is the human factor. For years, everyone focused on finding bugs and locking things down, and of course these things are important. But if you don’t think about how people are going to use security systems, you may be shooting yourself in the foot. For example, we’ve made access control systems very complicated, so in many situations, people just share credentials rather than getting their access permissions updated. And when people change roles or leave the company, nobody remembers to update their access.
With passwords, we’ve added all sorts of requirements to make it harder and harder to create and remember your password. So now people just use the same password over and over again so they don’t have to bother coming up with new ones, and when they have to change their password, they just increment a digit at the end or something like that.
Back in 2009, my research group at Carnegie Mellon University started doing research on password policies, and we found that even the National Institute of Standards and Technology (NIST) guidance had very little empirical data behind it. We spent a decade gathering empirical data on how humans create passwords and the impact of various password policies, password meters, and instructions. This gave us a lot of insights into ways that we could actually improve password security, and in the end, NIST updated their password guidance taking into account our research.
There are a lot more companies in the cybersecurity industry focused on privacy than ever before. I think we’ll be seeing more of that over the next five years. Privacy is becoming less of an afterthought.
I’m always most proud of my students. It is exciting to work on research with them and see them blossom in their careers. It is also exciting to see work that we do in my lab have an impact on the world. Over the years we’ve impacted the design of web browser phishing warnings, security awareness training methods, password policies (including NIST’s password guidance), and privacy interface design. We also designed the icon that the State of California uses for “Do not sell my personal information.”
I think people should realize that cybersecurity is a very broad field and there are a wide range of opportunities to explore depending on their interests.
Are you or a colleague interested in being profiled for the new “Faces of Security” series? Please contact Editor Joe Bebon at JBebon@BLR.com
