The New Crash-Test Dummy

Instilling a new 'security culture' in the hearts and minds of college students is no sure thing

4:00 PM -- Remember that little voice inside your head back in college? No, not the one that said, "drink, #$%@!, drink!" I'm talking about the reassuring voice that said, "that won't happen to me."

That voice of bravado may be a bigger threat to universities than any outside attacker trying to break into campus from the real world. (See Back to School: Backpacks, Books & Bots.)

Just as graphic films of accident aftermaths don't completely stop college drunk driving, even the most in-your-face campus security awareness training won't stop some students from meeting up with strangers from Facebook, or cluelessly clicking on a malicious link.

But that doesn't stop the educational institutions from trying. Universities and colleges are attempting to build a culture of security-mindedness on campus these days, just as they built an awareness of physical security in the wake of tragedies like the Virginia Tech shootings. That's the good news.

The bad news is that, when it comes to security on college campuses, there is always a conflict of interest between freedom/openness and safety. You can't completely seal off a campus from a physical threat, nor can you build a completely secure perimeter in an open, academic world.

"Security and the campus culture of being open are diametrically opposed," notes Brian Kelly, director of information security for Quinnipiac University. Quinnipiac has launched an aggressive physical and IT security awareness campaign this fall that attempts to frame security in more personal terms for its students.

"We've tried to use the analogy that what you put in your body is like [what you] download to your laptop," he says. "Spam is getting more sophisticated, but there's always something about a spam message that doesn't seem quite right and gives you pause. It's like that leftover pizza in your dorm refrigerator that's been there for a while -- something tells you you shouldn't eat this. [We say to] try to use that same innate sense when you get these emails."

Kelly admits that making IT security "real" for college students isn't easy. But preaching best practices just doesn't cut it -- nor does leaving them in the dark. Quinnipiac is looking at "what can we do culturally to change students' hearts and minds" about security, he says.

Awareness won't work for all college students. If they're hungry enough, they'll eat the old pizza. And if that stranger online sounds really hot, well... But even so, security awareness is a big first step, and it'll hit home for some students, especially if their AIM account is at risk of being compromised. OMG!

— Kelly Jackson Higgins, Senior Editor, Dark Reading