Advancing Security and Privacy Education

A Q&A with Northwestern Computer Science assistant professor of instruction Sruti Bhagavatula

Shortly after joining Northwestern Computer Science (CS) as an assistant professor of instruction, Northwestern Engineering’s Sruti Bhagavatula seized the opportunity to expand course offerings aligned to her research in security and privacy.

Bhagavatula launched the department’s first data privacy course — COMP_SCI 397, 497: Data Privacy — in winter 2022, her first quarter teaching at Northwestern. The class introduces students to privacy topics and the mechanisms and protocols employed in practice to preserve data privacy.

Dovetailing with her research interests in CS education and pedagogical research, Bhagavatula introduced a new course this quarter — COMP_SCI 396, 496: Security and Privacy Education — focused on the role and effectiveness of cybersecurity and data privacy education in the context of everyday life and across various computing fields.

Bhagavatula investigates the intersection of security and privacy with social networks, human factors, and the Internet of Things. She earned an MS and PhD in computer science from Carnegie Mellon University.

We asked Bhagavatula about her experience working with the Northwestern community, her short- and long-term research goals, and her motivation for and approach to teaching.

What excites you about working with the Northwestern community?

The department is very excited about growing and building new classes. I’ve received the support and resources to create these spaces for security and privacy and topics that I think are important and that students care about.

The structure of my two classes is very different. The data privacy course is a lecture-based survey of privacy topics. We talk about anonymization, differential privacy, privacy in machine learning algorithms, fairness, privacy policies and usability, web privacy, and computational limits to privacy. Until now, there has not been a class like this at Northwestern where students get to learn all of this in one place, and it all connects to building trustworthy systems.

The class showed me that people are very interested in this field and are passionate about its relevance. I learned that students really engage with these topics and have a lot to say about their experiences with privacy mistakes and aspects of privacy important to them.

My security and privacy education class is an interactive, discussion-based seminar; the contribution of students’ opinions and views is crucial to this discussion. Effective and accurate security and privacy advice has been shown to not be available to everyone. Therefore, the ultimate goal of this class is to systematically generate research-based guidelines for different topic areas or related to everyday computer usage and potentially distribute it online as a starting-point one-stop resource intended for people without a security and privacy background or who are looking for advice in a specific domain.

What are some key questions you seek to answer with your work, both in the short-term and the long-term?

You don't have to be a security person to care about security. If you use computers, you should care about security. It is embedded in everything. I want to bring awareness to more aspects of security and privacy beyond the core understanding of how attacks and defenses work and involve users in creating secure systems.

Short-term, I’m examining security and privacy education through social networks and studying quantitatively the ways in which the popularity of security advice and content can be increased.

What type of security advice is on social networks? What are the topics of discussion? What is the distribution? How available is the information? What channels can we use to make this advice spread further? Within a social network, how well are different communities receiving this information? Are only tech-savvy people receiving it, or is everyone receiving it? If the former, how can this be changed?

My long-term research goal is to leverage wide-reaching online platforms and approaches to reach larger groups of people with security and privacy advice. If this information can be propagated to different social groups and communities within the network, we can start to reach more people. How can the guidelines be designed in an effective way to encourage or incentivize people to understand security and privacy topics and then to incite action?

What’s one project you’re currently working on that you’re really excited about?

I do a lot of measurement research — studying security or privacy phenomena and measuring prevalence and impacts. Based on these measurements, we can determine measures that need to be taken to improve security and privacy in systems and for users.

For example, I’m working on a project whose ultimate goal is to further the spread of security and privacy advice on social media. In particular, to spread information further, we first need to measure the current spread. The goal here is to understand whether only certain communities or circles are receiving this information or if this information is only accessible to people with certain predispositions. Based on this measurement, we can assess how this information can be spread further than it reaches now, i.e., if it needs to jump across communities or be visible to people whose interests don’t align with the information. If we can leverage wide-reaching social media to educate more people on security and privacy best practices, everyday computer users have a higher chance of being able to protect themselves from cyber threats.

What motivated you to pursue your field of research?

I got into the field of security and privacy as an undergraduate student when I took a computer networks class with Professor Chris Kanich at the University of Illinois at Chicago. I was looking for a research opportunity at the time, so I joined his team for a quarter to get some solid research experience. I built a tool to crawl web pages and compile data with the goal of doing some security measurement. We had a lot of data, and we thought, wouldn't it be cool if we could make predictions using this data? Using historical ad blocking data, could we predict when to block an ad on future URLs instead of using ad blockers that required regular filter updates?

I really enjoyed the whole process, so I started learning more about the field. When I got to graduate school, I started looking at machine learning security and the vulnerability of algorithms. And I also started examining the security of social networks and how security information is spread.

One of my papers was about how people’s security behaviors change after a data breach. We studied whether people changed their passwords after a database breach. If people did change them, how much better were the new passwords? Are people changing passwords they have re-used? And what does a situation like the Yahoo data breach tell us about how companies are encouraging and enforcing changes? Measuring the prevalence of this type of phenomena tells us where we need to be doing better, where user education needs to be improved, where system design needs to change, and where regulation needs to be higher.

Security and privacy as a field of study is very broad — it pervades everything — which opens up a lot of opportunities to build better systems and understand vulnerabilities. There are so many important aspects to study, you can find an area that has a need, and then try and work on it to make it better.

How do you approach the mentorship of your students, and how are you inspired by your interactions with students and trainees?

This quarter, I’m working with two undergraduate students and a high school student. I'm keeping my research group small to keep it very manageable, so that I can give them my full attention.

From a faculty perspective, advising undergraduates on research is not just about completing tasks to finish a project — rather, the goal is to provide a good mentoring opportunity. I have specific goals. I know what our outcome should be, but I also try to teach my students about the research process, the process of building something, the process of failure. These are equally important.

When I start advising a student on research, I am very upfront with them that what they're doing is open-ended and may not always work out as planned.

By giving them a full understanding of the process, my students are very productive. My students get really motivated when they get to think critically and do something that's their own. They know where to look. They know what to find, and they know when to ask questions. They are independent to a degree that they are thinking much more big picture.
