This article was edited by SPRITE+ Research Associate Dmitry Dereshev, with responses and edits from Professor in Cyber Security Karen Renaud.
The spotlight today is on Karen Renaud – Professor in Cyber Security at the University of Strathclyde, visiting Professor at the Abertay University, visiting Professor at Rhodes University in South Africa, Scottish Informatics and Computer Science Alliance (SICSA) Cyber Security Theme Leader, Full Member of the Chartered Institute of Information Security (CIIS), member of the CyanNetwork, and a SPRITE+ Expert Fellow. Some of Karen’s latest publications include:
How would you describe your job to a 12-year-old?
I teach and do research to make it easier for people to secure their systems against cybercriminals. I study why it is difficult for people to implement cybersecurity measures and find ways to correct that. I am now trying to convince governments to provide more support to their citizens with respect to cybersecurity.
For many years I have been trying to come up with alternatives to passwords. Text-based passwords are inaccessible to large sectors of society. People who are not literate, people who are becoming older and have difficulties with their memory, and dyslexics who find alphanumerical strings difficult – that is a large percentage of our society who cannot use a password properly. I have come up with alternatives like musical passwords, and picture-based passwords.
People in cybersecurity think that they need to scare users into behaving securely – I do not believe that it is effective. You can scare people into choosing a strong password once, but if you want long-term commitment, the short-term measures can backfire. We can help people behave more securely, but a lot of measures that the industry and governments use are short-term. We need to start thinking longer term to get that commitment from the end-users.
We are not doing any cybersecurity training for young children right now, and that creates a problem. The fact that my parents, who are now retired, do not understand cyber is perfectly understandable; the fact that we now have teenagers who do not understand cybersecurity – that is our fault as a community. Take littering, for example: when you have a child, you teach them very early not to throw litter on the floor, but to put it in a bin. By the time they get to teenage years, it is already well established – you do not have to keep reinforcing that. If that has not been done, the child might put litter in a bin when prompted by others, but they will still throw rubbish on the floor when nobody is watching them. It is the same in cyber: my organization can try to force me to use a complex password, but if I am not committed to cybersecurity, I might find ways to weaken it, perhaps by writing it down or reusing it.
I believe that if you teach the right principles to children while they are still young – you get commitment. The real difficulty comes when you are trying to change an existing habit, so we must stop kids from developing poor password habits in the first place.
My colleagues and I have recently published a website with password education videos. This is a free resource available to any teacher. These videos describe the password-related principles that children should be taught at different ages. We have aligned this resource with the Scottish curriculum (because we got the money to do this from the Scottish government), but it could be used throughout the UK.
Another area where we could do more in cybersecurity is to work with senior citizens. I feel like society almost patronizes them, and we do not realize how many life skills they have. They understand very well what it means to be fooled, but they feel very inadequate when it comes to information technologies and cybersecurity.
I am a member of the Graduate Women South East group in Dundee. When the lockdown came, we were meeting twice a month for talks and study groups. We have now set up Zoom. I called and talked a few of them through the installation individually, and what you realize is how quickly they learn. There is a perception that older folks cannot learn, but that’s nonsense! All they need is a bit more support than younger people. That support should not be patronizing – you should be willing to talk them through it and reassure them if they start getting panicky. We are leaving these incredibly motivated people behind, we treat them like children, and they are not! They have been inspirational during this pandemic.
Senior citizens (70s and up) grew up with technology that broke very easily. When I was growing up, no one in my house could use the phonograph to play vinyl records, apart from my father. He said we (as children) were going to scratch them, and maybe we would have. The very first watch I got was a wind-up watch. That probably sounds like the dark ages to you, but if you wound it too much – you could break the winding mechanism, and if you did not wind the watch enough – it would die before the end of the day. That is what it was like in that generation. Senior citizens always blame themselves when something goes wrong, when it is often the fault of a poorly designed system.
The senior citizens are at risk. They are unbelievably targeted by hackers. This is where my work calling on the government comes in – I feel the government needs to do more, especially for that sector of society. You and I get a lot of cybersecurity training at work, but what about those who have already retired? Technology moves fast, cyber moves faster, and people get out of date very quickly. Knowledgeable individuals can only help a handful of their personal contacts – that does not make a dent on the situation. More help must come from the government.
Could you describe what you do during a typical workday?
I spend about half of my day writing, and half on other things. I would say, if you do not like to write, do not become an academic. I read a lot. I spend at least an hour a day just keeping my finger on the pulse of cyber, reading about the latest events.
I also spend a lot of time talking to research collaborators. I work with several academics in the US, South Africa, Zimbabwe, Germany, the UK, and Denmark, so even before the lockdown I would spend a lot of time in online meetings. I also spend time in committees I am a member of and examining PhD vivas across the world. We are doing the vivas online now, which is quite nice. I also organise a monthly talk online, where I get someone from another country to come and speak about a cyber-related topic.
It may be difficult to do all that in a day, but I love what I do, and that makes it easy.
Could you describe a challenging project that you have recently worked on?
We were investigating when children were first given passwords in Scotland, and we discovered that that was at the age of 4. Some children can read at that age, but not all. Scottish children use a system called Glow. They are given passwords within the first 2 weeks of entering school, before they learn the alphabet. Teachers do not have time to go through the classroom full of children and enter individual passwords for each child, so they start the year by giving each child the same password, and when children need to log in, teachers simply write that password on the board. The kids get the message that it is okay for everyone to have the same password, and it is okay for everyone to know everyone else’s password – that is a bad lesson.
Once children recognise the alphabet, teachers give each child their own password, but because children forget passwords, teachers give each child a very predictable password, like a child’s surname followed by the year. And then because children still forget it, teachers write those passwords down, laminate them, and put these little pieces of paper in a box in front of the classroom. When kids need to enter their passwords, they go fetch them. These are bad lessons for the kids to be learning. None of this is the teacher’s fault – the problem is that children are being required to use a password before they are ready to do so.
How can we address this? We came up with the idea of “KidzPass” – a graphical password. Children need to provide 2 pieces of information to log in: an ID and a password. Remember, children cannot have an email address as ID – they are not yet literate. Instead, we got them to choose a picture of an animal which would identify them to the system. For the password, we asked parents to give us pictures of an adult that is familiar to the child but does not ever come to their school. So, we mostly got grannies and grandpas. The child would see pictures of faces on the screen, and they would swipe until they saw “their” familiar face.
The ethical approval for this project was challenging, but we eventually got it. We had to get parents to give us consent and had to apply for disclosure. We had to have a parent or a teacher in the room at all times, so we only managed to run the evaluation with 8 children. When you submit a paper where you say you only had 8 participants, reviewers say: “how can you call that an evaluation?”. What they do not realise is the extent of the challenges in evaluating a technology with children. Working with children is a bit like working with seniors: they are sometimes not comfortable with technology, and they are easily discouraged or become frustrated. We wanted to hear the children’s voices, so we let them talk throughout the process. We need these voices to be heard, but that makes evaluating with a large number of children infeasible.
We ran the same project the next year, but asked children to draw pictures, and they drew little doodles for us. We used those instead of photos. This worked better because we did not have to use more of their busy parents’ time to provide us with photos. The kids really loved this login system, because once they logged in, they got to play a game. They did not want other children messing with their scores, so they understood the need to keep their picture passwords secret.
There are challenges in doing evaluations with the two ends of the lifespan: children, and seniors. Yet working with these groups is extremely rewarding.
What training/experience did you have at the start of your career?
I did a BSc (Honours) degree in Computer Science at the University of Pretoria in South Africa. I was in the very first year to do computer science at that university. In my final year, out of 35 students, only 3 were males – the field at the time was predominantly female. I managed to get a scholarship to pay for my education from my 2nd year onwards all the way through to my PhD.
After my Honours degree I worked in industry for a few years: I did programming, and then led a programming team. My employer did not offer maternity leave at the time, so I had to resign when I had my first son.
After having my second son, I contacted the University of South Africa (which is like Open University in the UK). The head of school there had taught me during my BSc, and he appointed me as a temporary lecturer (which meant I could work from home). After I had my 3rd son, I joined them as a full-time lecturer. In time I was promoted to senior lecturer and Associate Professor. I did a Master’s degree part-time while working.
At that point, I began my shift from computer science and software engineering to cybersecurity. It was like this: my father was complaining that he could not remember his personal identification numbers (PINs). How could I help him? We could not write the PINs down, because someone could find them – there were a lot of carers around. I came up with this grid and a plastic template with holes in it. We would agree which colour template he would use, put the numbers into the grid based on that template, and then populate the rest of it with some other random numbers. All he had to keep secure was the template, and he could put the grid up on the wall where he was living. People would see a grid full of numbers, but unless you had the template, you would not know which numbers constitute a PIN. That template was small enough for my father to keep in his wallet. This was a great solution for him.
I published that work, and when I came to the UK, I met Antonella De Angeli who worked at NCR in Dundee. They were working on picture-based authentication for their ATMs. We got together on this, and that is where I switched from being interested in software engineering (which is what I did for my PhD) to cybersecurity. I knew that area was going to become big, and I thought: “this is what I am going to do from now on”.
I was really interested in the human side of cybersecurity. I could have gone down a technical route, and I have great admiration for people who have done that, but that was not where my interests were. I saw problems in how people were asked to create passwords, and to spot phishing messages. The first phishing message I ever received was in 2001. Back then it was new. There was a virus called ILOVEYOU, and I realised that this kind of thing was going to explode. That is why I switched to cybersecurity.
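The grid-and-template PIN aid described in the answer above, as an added Python sketch that is not part of the original interview or of any published code by the interviewee or NCR. It goes a little beyond the story: it also counts how many ordered templates an observer who sees only the grid would have to try, and shows why the filler digits must be random rather than constant. Grid size, PIN value, seed, and the `leaked_digits` check are assumptions made here.

```python
import random

DIGITS = "0123456789"

def make_template(rows, cols, pin_len, rng):
    """Pick pin_len distinct cells, in order. This ordered list IS the secret (the plastic template)."""
    cells = [(r, c) for r in range(rows) for c in range(cols)]
    return rng.sample(cells, pin_len)

def make_grid(pin, template, rows, cols, rng):
    """Fill every cell with a uniformly random digit, then drop the PIN digits into the template cells."""
    if len(pin) != len(template):
        raise ValueError("template must have one hole per PIN digit")
    grid = [[rng.choice(DIGITS) for _ in range(cols)] for _ in range(rows)]
    for digit, (r, c) in zip(pin, template):
        grid[r][c] = digit
    return grid

def read_pin(grid, template):
    """What the owner does: lay the template over the grid and read the holes in order."""
    return "".join(grid[r][c] for r, c in template)

def template_space(rows, cols, pin_len):
    """Distinct ordered templates for a rows*cols grid: P(n, k) = n! / (n - k)!.
    The grid on the wall is only as safe as this number and the secrecy of the template."""
    n = rows * cols
    count = 1
    for i in range(pin_len):
        count *= n - i
    return count

def leaked_digits(grid):
    """Risk check: if the filler is a constant digit, the PIN digits are simply the minority digits."""
    counts = {}
    for row in grid:
        for d in row:
            counts[d] = counts.get(d, 0) + 1
    filler = max(counts, key=counts.get)
    return {d for d in counts if d != filler}

def demo():
    # Fixed seed so this constructed example is reproducible; use the secrets module for a real grid.
    rng = random.Random(7)
    pin, rows, cols = "4921", 5, 5  # assumed values
    template = make_template(rows, cols, len(pin), rng)
    grid = make_grid(pin, template, rows, cols, rng)
    assert read_pin(grid, template) == pin
    # Weak variant: all-zero filler, so the grid alone gives away which digits make up the PIN.
    bad = [["0"] * cols for _ in range(rows)]
    for digit, (r, c) in zip(pin, template):
        bad[r][c] = digit
    return template_space(rows, cols, len(pin)), leaked_digits(bad)

if __name__ == "__main__":
    print(demo())
```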
How did you get into your current role?
When I went back to South Africa after my PhD, the University of Glasgow contacted me, and asked me to apply for a position. I did, and then came back to work at the University of Glasgow. I stayed there for 16 years. I did a Fulbright programme in the US from 2016 to 2017. When I came back, I was contacted by Abertay University, and they asked me to interview for a chair position in cybersecurity. I accepted the position and worked at Abertay from October 2017. In January 2020 I moved to Strathclyde University.
What do you wish you had known when you started your career?
When I became a lecturer, South Africa was a very paternalistic society. I wish I had known how to stand up for myself. When I was working at the University of South Africa, I was expressing an opinion on a subject in a meeting, and one of the male lecturers turned around and told me to shut up. I did not react, and I kicked myself for days afterwards for taking that from him without protest. Society had conditioned me to accept put-downs from men.
I wish I had had a mentor who would say: “if somebody does say something like this, this is how to deal with it in a very calm and collected manner”. I do not have that problem in the UK; it is a much more equal society than South Africa was back in the day when I started out. I also feel that because of my age people would not do that to me anymore, but I think a young woman needs to know how to react to this kind of thing.
I wish I had had a mentor all the way through my career. Mentorship programmes are very important. I am glad to see they are doing that now. I wish I had had a mentor from the outset to just say: “here are the journals to target, here’s how to go about it, and here is whom to talk to”, not even necessarily on technical or methodology stuff, but just some woman who has been through things and can give you some ideas, sage advice, and suggestions for moving ahead.
What would you recommend to people who want to follow in your footsteps?
When I was doing my first degree, I was interested in psychology, but it was considered (by my cohorts) something lazy people did. So, I did a very mathematical degree, which did not help me much in my career apart from training my mind to be more disciplined. If someone wants to do human-centric cybersecurity, I suggest they do a degree with a mix of computer science/cybersecurity, psychology, and sociology. The future is interdisciplinary – do not just focus on science subjects. Go to a university that will give you a good breadth of skills and understanding of different fields.
My greatest successes have come from combining insights from sociology, psychology, and other fields. Now I am delving into political science as well, to bring that into cyber. All these fields have something to teach us.
If you want to follow in my footsteps, get a good grounding, and make sure that you are open to looking for solutions outside your core field.
What troubles did you have progressing through your career?
Research funding has always been a challenge. I feel like getting funding in the UK relies very much on you knowing people with specific skills to put into your next grant proposal. I did not have those networks when I arrived. I have built up the networks now, but these days it is that much harder to get funding. Universities are also getting much better at supporting new staff in gaining funding. I did secure funding from Fulbright, the Royal Academy of Engineering, Cyber Nexus and the Scottish Government, and I am very grateful for that.
What stereotypes would you like to dispel about your job or industry?
That females have no place in cybersecurity. Women bring a different perspective, and that perspective is urgently needed because a lot of cyber systems that are currently in place have been designed by young technology-focused males. If we bring more females into the design process, we will have friendlier systems.
Another one is that people who are interested in cybersecurity are sitting in darkened rooms with hoodies on, never communicating with real people face to face. I have a social life; I have three wonderful sons; I have been married for 40 years. You do not have to be anti-social to have a rewarding career in cybersecurity.
How would you describe your research or business interest in relation to SPRITE+?
I became aware of SPRITE+ when the network received its funding, so I decided to join the mailing list to hear more about what was happening. I feel like we need to work together. We are not going to make a difference in cybersecurity until the “good guys” start collaborating, because the “bad guys” are collaborating already.
How do you hope to benefit from working with SPRITE+ network?
My biggest problem coming to the UK as a mature person was networking. A lot of people I work with are abroad. I do have some valued collaborations with several academics in the UK but would love to work with others too. I am keen to work with people in SPRITE+ on grant proposals and research of mutual interest.
Which of the SPRITE+ Challenge Themes can you relate to from the job that you do? How does it impact your role?
I most relate to the Digital Vulnerabilities theme. Passwords as a mechanism are quite strong. They become weak because they do not match human capabilities. So, systems become vulnerable not because of the technical aspects, but because the systems are not designed with the people using them in mind, and because people are poorly supported when it comes to cybersecurity.