cybersecurity clinic teaching

Zoom Inside: The Case for Cybersecurity Clinics and What They Can Teach Your Firm

Indiana is known for several things – the Indy 500, Hoosiers basketball, Notre Dame football, and corn. Cybersecurity does not typically make that shortlist, but perhaps it should. Owing to a vibrant cybersecurity startup scene, the cutting edge supply chain cybersecurity work being done at the Naval Surface Warfare Center Crane Division (the third largest naval installation in the world), and innovations at Indiana University (IU), to name a few, Indiana institutions are beginning to make some important progress on thorny cybersecurity risk management topics with practical relevance.

Recently IU has embarked on a series of interdisciplinary cybersecurity initiatives. These include an array of cybersecurity certificate programs, and a new MS in Cybersecurity Risk Management, which features required coursework from Secure Computing, Enterprise Risk Management, and Law, as well as an applied capstone consulting project (or cybersecurity clinic) for a real world client.

How a Cybersecurity Clinic Works

There are many varieties of cybersecurity clinics being tried around the world – Malaysia, for example, is already experimenting with this notion at the national level—but here a cybersecurity clinic may be defined as an interprofessional team of computer science, law, and business students that conduct a supervised cybersecurity consulting project for a client focused on instilling technical, legal, and managerial cybersecurity best practices. These clinics are principally concerned with enhancing the cybersecurity preparedness of underserved clients, including local governments, small businesses, K-12 school corporations, and critical infrastructure providers. This approach stands in contrast to existing stand-alone legal clinics focused on particular issues such as privacy or cyber law. Instead, the type of interdisciplinary cybersecurity clinic on which IU is focusing recognizes that effective cybersecurity risk management requires considering cybersecurity from a more holistic perspective.

In 2015, IU, in partnership with the Indiana Office of Technology, launched a pilot program with the town of Speedway, Indiana (home of the Indy 500). In Speedway, an interdisciplinary team of IU graduate Law, Business, and Informatics students assessed our client’s supervisory control and data acquisition (SCADA) vulnerabilities, generated a more comprehensive incident response plan, analyzed Speedway’s potential liability exposure in the event of a data breach, and revised their employee handbook’s privacy policies. In particular, the students:

  • Assessed the privacy and cyber risk to Speedway, including general cybercrime and terrorism risks, couched within cyber attack data for Indiana organizations using a risk assessment built on top of Microsoft’s Damage, Reproducibility, Exploitability, Affected Users, Discoverability (DREAD) system.
  • Analyzed Speedway’s SCADA systems, role-based password security, password policy, work station policy, disaster recovery protocols, single points of failure, remote access, “Bring Your Own Device,” and general privacy policies.
  • Investigated the state and federal privacy and cybersecurity laws and policies related to SCADA and employee technical use applicable to Speedway; and
  • Suggested a host of technical and managerial best practices ranging from the specific (e.g., codifying all procedures related to Speedway’s SCADA systems and improving employee cybersecurity training) to the general (g., creating a mobile device management policy for lost or stolen phones, and including an email privacy trailer in official correspondence) using the NIST Cybersecurity Framework as a baseline. Further suggestions and tactics are listed below:


1. Protect Your Administrative Accounts

  • Lock down your wireless network with a strong password and encryption
  • Connect to your router to see which devices are connected to your network
  • Ensure all updates and patches are applied to the devices connected to the network
  • Your SSID (Service Set Identifier) is the name of your network. Change this default name to a unique, robust name, preferably a longer one with both letters and numbers
  • Minimize targets of opportunity by making it more difficult to login as an administrator

2. Restrict Remote Access

  • Disable default file and print sharing
  • Disable Remote Desktop (RDP) and Remote Assistance, unless you require these features. If you do, enable the remote connections when needed, and then disable them again when the job is done.

3. Use Security Software

  • Install and run Identity Finder or another a tool to help you search for, protect, and dispose of personal information stored on your computer, file shares, or external media

4. Remove Unnecessary Programs or Services from Your Computer

  • Uninstall any software and services you do not need
  • Remove files or data you no longer need to prevent unauthorized access to them

As one real world example of an organization that has put these practices to the test, the Australian government has reportedly been succcessful in preventing 85 percent of cyber attacks through following three common sense techniques: (1) application whitelisting (only permitting pre-approved programs to operate on networks), (2) regularly patching applications and operating systems, and (3) “minimizing the number of people on a network who have ‘administrator’ privileges.”

The Speedway pilot validated the diverse skill set required for cybersecurity risk management, which includes:

  • Computer science
  • Network security
  • Cryptography
  • Enterprise Risk Management
  • Ethics
  • Law
  • Policy

Such an interdisciplinary approach is vital given the overwhelming evidence that cybersecurity students need not only a bedrock technological grounding, but also a wider skill set incorporating related areas to succeed in addressing the technical, managerial, and legal questions posed by clients. Professionals with such a broad cybersecurity skill set are also able to communicate more effectively across groups to effectuate change and produce positive security outcomes.

Practical Relevance for Your Business

Any interested research university or community college with relevant cybersecurity expertise can help boost the preparedness of diverse local and regional stakeholders. Such efforts should be supported by both the public and private sectors, given the dual benefits of fostering immersive, interdisciplinary learning that will help address the shortage of trained cybersecurity professionals, while also providing help to those who need it most. In particular, managers interested in developing a cybersecurity clinic should:

  1. Identify local educational institutions with technical, managerial, and/or legal cybersecurity expertise;
  2. Contact your firm’s government affairs and public relations specialists to reach out to local and state government entities that may be interested in partnering to establish a cybersecurity clinic; and
  3. Provide internships and seed funding to create the new courses and program architecture at community colleges and research institutions necessary to launch a cybersecurity clinic.

Firms should take note of the success that these interdisciplinary teams of students have had across a diverse array of contexts. Given the diverse needs of stakeholders at every level of government, and the limited federal and state funding available to achieve cybersecurity improvements, interdisciplinary cybersecurity clinics can help fill a vital need helping local governments, school corporations, small businesses, and critical infrastructure providers enhance their cybersecurity preparedness. Firms of all sizes should support, and even help create, clinics of their own, while also learning the lesson that—just as in academia—it is important for the private sector to break down artificial barriers between specialties to better meet the multi-faceted cyber threat. This could help jumpstart a bottom-up approach to societal cybersecurity risk management across the nation. You never know, the road to cyber peace might just begin at the crossroads of America.

Scott Shackelford is an associate professor at Indiana University, a Research Fellow at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and a Senior Fellow at the Center for Applied Cybersecurity Research. His research is available here.