Cybersecurity speaker offers tips for users 8 to 80

Whether it’s turning 8-year-olds into privacy revolutionists or helping 80-year-old women pick up a password manager for the first time, Jessy Irwin, head of security at Tendermint, lives up to “security empress,” one of her former job titles.

Irwin spoke to an audience in Fowler Hall on Oct. 11 about how people can integrate cybersecurity best practices into their lives regardless of their technical skill. The event was part of a partnership between ITaP and CERIAS, Purdue’s cybersecurity research and education center, for National Cybersecurity Awareness Month.

Irwin’s talk, “Communications + Code: Building Cybersecurity Strategies for Humans and Machines,” focused on how technical people can make cybersecurity more accessible to average users. Her background as a “liberal arts kid” shaped her approach to security, and she’s carried that with her throughout her career.

“I figured out a little bit what was going on with the computers and started stitching together pieces of information,” Irwin says. “One of my first projects was in educational technology. I went poking around the code and said ‘Hey, wait a minute, a teacher needs to know how to use this.’”

With degree in art history, Irwin likens today’s struggles with technical literacy to the Renaissance, a period shaped by burgeoning access to art and literature, which drove the need for an increasingly literate population.

“There’s a lot of things that go wrong when we throw people who aren’t literate in tech and security into this environment,” Irwin says. “The vast majority of people don’t engage in security behaviors simply because they don’t understand and it makes them feel uncomfortable.”

Through her training and awareness work, Irwin got to know a group of elderly women who she calls her “old lady gang.” This group of women suffered from the same issues that most people do online - getting phished, trying to adopt security solutions like password managers and a combination of distrust and confusion around new technologies.

She was also invited to teach a third-grade class a few cybersecurity tricks. She ended up converting the kids into privacy evangelists and fomenting an uprising within the elementary school, which used subpar filtering software that, among other shortcomings, removed the “s” in “https” secure websites, including the site where they did their homework.

“I told them that encryption is a superhero. An ‘s’ should always be next to http,” Irwin says. “The kids really wanted the ‘s,’ so the entire third grade refuses to do their homework. I only had 10 minutes with these kids and they launched a privacy revolution.”

Irwin emphasized that when regular people are given the tools, explained in appropriate language, to behave safely online, they become empowered. Her message to the security experts and software developers in the audience:

• Pay attention to the language and jargon used when talking to non-experts and make it accessible.
• Look for opportunities to improve messaging about security tasks and support for security technology such as password managers.
• Frame cybersecurity and its processes and procedures in a positive light. Don’t give in to the “users are dumb” mantra.
• Simplify user-facing security features and tasks.

“Describe what you want to accomplish and leave in contextual clues about what those things do,” Irwin says. “One of the most successful things we can do is make opportunities for the human beings we work with to understand what we’re talking about.”

For more cybersecurity tips, visit ITaP on Facebook and Twitter. For more information on cybersecurity and free anti-virus software, visit the SecurePurdue website.

Writer: Kirsten Gibson, technology writer, Information Technology at Purdue, 765-494-8190, gibson33@purdue.edu

Last updated: October 12, 2018