On paper, programs and tools can offer as much protection as they like, but if used incorrectly or if people do not trust them, they are useless. Therefore, the human factor must always be taken into account when developing technical solutions. After all, users are the first and last defenders against cyberattacks. That's why psychologist Dr. Michael Schilling says, "Why not ask those who know about human behavior?" Schilling, who lives in Saarland, Germany, has already been working at the intersection of cybersecurity and psychology at the center since 2019. He recently started building a group at CISPA to support researchers in the future. As part of the EU-funded Cysec4Psych project, he wants to inspire psychologists in Europe to pursue a cybersecurity career. CISPA, Saarland University, Leiden University, and Tallinn University of Technology are also working to equip psychologists with the expertise to work in cybersecurity in the future.
His journey into cybersecurity research began at a time when few are likely to have a mind for additional input. In 2014, Michael Schilling was in the middle of his doctorate in industrial and organizational psychology at Saarland University when he decided he wanted to dive deeper into programming "on the side." "I've always been interested in technology and IT, and even studied business informatics for a year initially after graduating from high school," Schilling explains. To be allowed to attend courses and seminars in computer science, he had to enroll somewhere. He decided to enroll in the Cybersecurity program introduced that same year by CISPA and its founding director and CEO, Professor Dr. Dr. h.c. Michael Backes and attended the introductory lecture. "That ended up being much more interesting than just programming."
From then on, it wasn't long before Schilling was offering what he calls "method consulting" for the first time in usable security research at CISPA. Together with CISPA researchers Sanam Ghorbani Lyastani, Professor Sascha Fahl, Dr. Sven Bugiel, and Professor Michael Backes, Schilling worked on a large-scale study of whether and in what way password managers influence the strength and frequency of password use. "We already have some explanations, theories, and methods in psychology that can also be applied to data sets generated in computer science," Schilling says, adding, "After all, other scientists don't have to travel the same rocky road we've already traveled." For him, it is crucial to also bring along an awareness for mistakes and possible pitfalls: "Often, only what is considered a groundbreaking new finding, but cannot be replicated at all, is published. But then nothing is written about the failures in the attempt. One should be careful there," says Schilling.
Too few psychologists find their way into cybersecurity research today, even though their expertise is urgently needed. The EU-funded Cysec4Psych project, which Michael Schilling initiated together with Dr. Markus Langer, Dr. Nida Baiwa, and his former doctoral advisor Professor Cornelius König, aims to change that. One goal is to create awareness among psychologists that security research could be a future field of work. Besides, university lecturers are to be given a concept with which they can prepare psychologists for their work in the field of cybersecurity. For example, the topic could be incorporated into teaching methods without major hurdles by examining data sets from cybersecurity. "This is not only interesting for people in research, but also for psychologists working in clinical practice. After all, they often work with highly sensitive patient data." Schilling and Markus Langer have already offered the first seminar - the prototype, so to speak - in the summer semester of 2020 at Saar University. When the feedback from students and teachers on the event has been evaluated, it is supposed to be offered again.
If you are a psychologist and are worried that you don't have enough knowledge of computer science, Schilling can reassure you: "The most important thing is to think methodically and to know how to approach new problems in a structured way. It is also important, he says, to be open-minded and to embrace ideas from other departments. "I'm sure that we psychologists can make a decisive contribution to advancing empirical research in cybersecurity."
This text was translated by: Oliver Schedler