Interviewed by CFO Magazine

CFO Magazine is a monthly magazine that writes for chief financial officers and other financial executives in companies in the U.S. Some time ago, the magazine's deputy editor, David Katz, interviewed me. What started out as a general discussion about managing cyberrisk started to focus on the changing landscape of how cyberdefense influences system architecture. Specifically, we ended up discussing the BeyondCorp model that is often associated with deperimeterization and zero-trust.

Katz took these ideas and wrote them up in a very nice article that was published on February 26, 2019. The article, The Other Side of the Network is available online.

Research in 2019

At least three times during a tenure track, Adelphi University grants all tenure track faculty at the ability to reduce teaching load by three credits in order to focus on research.

This semester, I received my second research release. I intend to spend it on a few projects:

  • Phishing is commonly accepted as the most effective initial attack vector by which organizations are breached. There is much anecdotal "lore" as to how to improve the ability of human actors to recognize scams, but, in fact, not a great amount of research has been conducted in this field. I intend to develop a few ideas and field-test them

  • Conceptual modeling is a technique used to enhance our understanding of complex systems. In our world, Threat Modeling is a frequently recognized term. Can current threat modeling techniques be improved?

  • One of the foundational concepts of CSIRTs was that, through information sharing, threats would be identified early enough to be mitigated on time. Today, many vendors sell "Threat Intelligence". But, is there a good understanding as to what constitutes good threat intel? How can SOCs use threat intelligence more effectively?

  • What does a typical workflow of a SOC look like? How can those workflows managed more effectively?

In all of these projects, I hope to include students. If you are interested in any of these topics, please stop by my office!

Research at Adelphi University

My students and I were featured in the newsletter of Adelphi University's president, Dr. Riordan.

Jai and Mateusz at work

The article describes work I have been doing with Jai Punjwani and Mateusz Gembarzewski on electronic voting and blockchain approaches to maintain the votes register, and on work I have been doing with Vlad Verba, in which we dive into the world of speech-enabled devices, such as Google Home and Amazon Alexa.

CTF Paper Published

SIGITE 2017 has wrapped up and the conference proceedings have been published.

Our paper is available here, or in the ACM Digital Library.

Enhancing cybersecurity education using Capture-the-Flag

During the Spring semester of the 2016/2017 academic year, I collaborated with Salvatore Petrilli (Adelphi University, Mathematics) on a study that investigated if realistic gamified simulations of cybersecurity attack scenarios enhances outcomes of cybersecurity education. Such simulations are increasingly popular in cybersecurity training and are referred to as Capture-the-Flag (CTF) sessions.

Intuitively and anecdotally, the answer is affirmative. It only makes sense that playing a game based on realistic scenarios has a positive outcome of a player's abilities.

However, as important as intuition is, science looks for measurable facts. Our study was designed to look at a few criteria:

  1. Do students enjoy the subject matter more by participating in a CTF?
  2. Does participating in a CTF deepen understanding of theoretical cybersecurity concepts?
  3. Does participating in a CTF develop offensive and defensive cybersecurity skills?

While our sample size was relatively small, the study confirmed that participating in a CTF does indeed, through enjoyment and engagement, students are willing to spend more time on mastering the practical skills discussed in class. Our research were less definitive about deepening theoretical understanding, but we are currently designing a follow-up study that focuses on those aspects.

Based on our study, we wrote a paper that will be published in the conference proceedings of the Special Interest Group for IT Education (SIGITE) and Research in Information Technology (RIIT), which is part of the Association for Computing Machinery (ACM).

When the paper is published, I'll post full details here.