From the very beginning, Jonas Hielscher was impressed by CISPA’s strong presence at international conferences. It was there that he was first approached and encouraged to apply for a Faculty position at CISPA. “CISPA is very well known in the community, and you see people from here at all major conferences," he explains. “Our work is widely published at conferences, and we have a strong presence across almost every field of cybersecurity research. Even before I started here as a postdoc, I had already built strong connections with CISPA.” Securing the Faculty position marked an important milestone in his career planning. “The center is a unique place, with more cybersecurity researchers than anywhere else. That’s what drew me here,” he says.
At CISPA, he values the spirit of new beginnings, the strong research community, and the drive for excellence. “Here you really feel that we are moving forward, that we are growing, that we want to make a difference,” Hielscher says. “I share a hallway with many other researchers in my field. You don’t find that anywhere else. And the ambition to be the best—that’s not something you encounter everywhere either. Being part of that is a lot of fun.” What drives him personally is the goal of making IT security evidence-based: “In science, we can show what actually improves the level of security as opposed to what intuition suggests. We try to spread this knowledge, but so far we haven’t managed to reach deeply enough. That’s a huge motivator for me, because I feel that here I can really make a difference.”
The Human Factor in Organizational Cybersecurity
Within cybersecurity research, Hielscher has specialized in how organizations—such as companies or public institutions—deal with information and cybersecurity. “In addition to the technical components, we focus primarily on the human factor,” he explains. “It’s about how organizations as a whole handle technology, and how people at every level, from regular employees to executives, practice IT security.” Although the field of human-centered IT security has been around for roughly 25 years, many organizations still do not follow the current state of research. “We are trying to find out why that is and what incentives are missing for organizations to design security in a way that employees can actually implement,” he adds.
In practical terms, this means understanding what IT security measures management or IT security departments provide to their staff. “Typically, people think of training, awareness programs, and so-called phishing simulations. But that is, of course, only a very small part of what is really involved," Hielscher stresses. “A major problem is that many organizations don’t do their homework when it comes to usability. If you have too many user accounts and require a unique password for each and every one, that’s simply not feasible from a psychological point of view. On top of that, in many organizations IT security is not implemented at the executive level, but rather through a staff office that has no real authority,” he adds.
Bridging Research and Practice: The CHESS Lab
To tackle the scientific challenges he describes, Hielscher founded the CHESS Lab. CHESS stands for “Cybersecurity, Human Factors, and Enterprise Security Studies.” Step one for him is building a strong team. His target size is three to five PhD students. “At CISPA, we have the privilege as Faculty of receiving a base allocation of fully funded PhD positions,” he says enthusiastically. “Of course, I want to make use of that. Additional positions can be financed through third-party funding. But during the tenure-track phase, the group shouldn’t become too large.” The reference in the name to chess is no coincidence. “I’m a passionate chess player, and so was my first office mate here at the center. That made the abbreviation an easy choice,” Hielscher recalls.
In shaping the work of the CHESS Lab, transferring research into practice plays a central role. This ties directly to Hielscher’s drive to work in an evidence-based way. “I’m an empirical researcher, and I want our research to have an impact in practice. I want what we can demonstrate with evidence to influence companies and organizations, as well as legislation. For me, that would be a clear sign, in the medium term, that we have done good work.” What matters most to him is the approach and mindset in engaging with organizations. “It’s absolutely essential to turn this into a dialogue. As researchers, we’re very good at going somewhere, presenting our results, and leaving again. But I want to understand why our knowledge has not yet been put into practice. That’s my motivation, even though it’s always a challenge,” Hielscher says.
