Researching the human factors in cybersecurity

Marc Dupuis
Marc Dupuis

As someone who teaches and researches cybersecurity, Dr. Marc Dupuis said the coronavirus pandemic has been, in some ways, like a cyberattack. Unexpected, yes, but it could have been foreseen.

“It’s the failure of imagination, thinking about what is possible — both good and bad — and then trying to plan accordingly,” said Dupuis, an assistant professor in the Division of Computing & Software Systems in the University of Washington Bothell’s School of STEM. “You have to plan for these contingencies, these outliers.”

Ideally, government and institutions should have put more risk management and privacy planning into videoconferencing before Zoom meetings filled everyone’s calendars, he said.

“From a cybersecurity standpoint, it was troubling but not surprising,” Dupuis said. “We’re doing the best we can, and I’ve been impressed with everyone’s resilience.”


Personally, Dupuis had taught hybrid classes before, so it was not that difficult for him to move to classes that are 100% online. So many people are now comfortable with Zoom, it’s unlikely that a snow storm would cancel classes in the future, he said. That’s one way the outlier has changed what it means to be normal.

“What we knew in our world a year ago will never exist again, for better or for worse,” Dupuis said.

Human factors — the sort of psychological and social behaviors highlighted during the pandemic — are what interest Dupuis in his teaching and research about cybersecurity.

Is scaring people the best way to encourage people to wear masks? In a recent paper, Dupuis questioned whether scaring employees is the best way for companies to improve their cybersecurity. They should look at alternatives to fear appeals, he wrote with his collaborator, Karen Renaud, professor of cybersecurity at the University of Strathclyde in Scotland.

Fear is unappealing

In the research, Dupuis questioned whether heightening the fear of having data stolen or lost is an effective and ethical method of cybersecurity. “Can we get the benefits of fear appeals without scaring people? We take it for granted they work, but we don’t know how well they work and under what circumstances,” he said.

Indeed, evidence doesn’t support that the “scared straight” approach always works, he said. Next, Dupuis is looking at differences between shame and guilt and how they are used by organizations to try to obtain cybersecurity compliance from their employees.

“We assume it has effects on their emotional state, but how long that lasts, a lot of it we assume,” he said. “If we want long-term change, do we need to trigger some other affect other than the short-term fear?”

In other research for a capstone project, one of Dupuis’ students is looking at the value of social influence in helping people create stronger passwords. Dupuis also employs students in his research group, SPROG (Security and Privacy Research and Outreach Group). This summer, he’ll hire eight students to run two weeks of virtual training camps for middle school and high school students so they can learn about hacking.

Synergy of perspectives

Before arriving at UW Bothell in 2015, Dupuis was a lecturer at UW Tacoma. He received his doctorate in Information Science from the UW in Seattle, where he also received a master’s degree in Public Administration. In addition, he has bachelor’s and master’s degrees in political science from Western Washington University.

The different academic paths come together in the courses he teaches in information assurance and cybersecurity.

Dupuis said he especially enjoyed bringing a political-psychological synergy to his first Discovery Core course, The Only Thing We Have to Fear Is Fear Itself. The autumn quarter course for first-year students examined misinformation, disinformation and the psychology of fear. Coinciding with the presidential election, the course was an opportunity to talk about how misinformation and disinformation often stem from ignorance people have about other people, he said.

Cybersecurity for all

Building on his research and teaching, Dupuis is working to create a minor in cybersecurity for all three UW campuses. The minor could appear on transcripts for students of any major. That effort reflects his multidisciplinary approach to cybersecurity.

“We need people from all backgrounds, whether it’s business, philosophy or literature or whether it’s design — or you name it. We need people from all different perspectives to start to develop those skills inside cybersecurity,” Dupuis said. “There are many jobs in cybersecurity that fit what they’re doing.”

In the short run, Dupuis said individuals can become more cybersecure with good computer backups, a password manager and having antimalware software. Longer term, Dupuis hopes what he learns about cybersecurity helps others prepare for the unforeseen. “I want to make things better and be a resource to different people.”

Read more recent news

See all news