EdTech Lessons in Privacy and Security: An Interview with Edgar Weippl, Host of EDIL 2023
‘Today IT is critical to a university’s teaching’, Edgar Weippl
The EdMedia + Innovate Learning international conference will be held in Vienna, Austria in July 2023. The conference host at the University of Vienna is Professor Dr. Edgar Weippl, a renowned expert on privacy and cybersecurity. For AACE Review, he shares his thoughts on blockchain, artificial intelligence, and risk management.
Prof. Weippl, you are heading a research group for security and privacy at Vienna University. What are currently the biggest security threats to e-learning infrastructures at schools and universities, and how worried do we need to be?
The biggest security threats to e-learning infrastructures at schools and universities are
- phishing attacks,
- ransomware, and
- data breaches.
Phishing attacks involve malicious actors sending emails or text messages that appear to be from a legitimate source to gain access to confidential information. In many cyber-attacks, phishing attacks are the first stepping stone to gain a foothold in an organization; attackers then wait and try to move laterally within the organization slowly to avoid detection.
Ransomware attacks involve malicious actors encrypting files and demanding a ransom to decrypt them. Several universities in Austria were attacked recently: the University of Salzburg in early 2022, the Medical University of Innsbruck in mid-2022, the Institute of Science and Technology Austria (ISTA) in fall 2022 and the University of Innsbruck in 2023.
Data breaches occur when hackers gain access to sensitive information. Universities are highly decentralized organizations and limiting the freedom of professors and research groups is often not an option. However, poorly maintained IT systems with little central oversight are an easy target for attacks. In many cases schools and universities are not specifically targeted but are simply automatically compromised by attack bots that roam around to find poorly protected IT systems.
We need to be very worried about these security threats because they can have serious consequences for schools and universities. Even a single incident can cause significant disruption to e-learning infrastructures and can have a long-term financial and reputational impact. It is important to take steps to mitigate these threats, such as implementing strong authentication measures and regularly updating software.
Similar to companies, schools and universities have conducted both business impact analyses (BIA) and privacy impact analyses (PIA). In many cases, using centrally maintained systems, e.g., for standard teaching, is a good approach while not limiting the freedom of research and the local agility of small research groups.
It is very hard to get the average users, me included, to deeply care about security. In a recent article, you explore the role of stories for mental models and behaviors. How can campuses, companies and school districts improve their security advice?
In this aspect, universities are not so different from companies. Employees usually love their job, and for most people, security is not their main job. One common suggestion is to utilize storytelling as a tool for educating users about security. Narratives can be used to create an emotional connection with users and make security measures more tangible and relatable.
Moreover, I think it is essential to explain the consequences of not following security protocols. Many users may not understand the consequences of failing to follow security protocols, so it is important to explain the potential risks and consequences. Before Covid, many university courses used very little mission-critical software. While almost all fields did use IT to improve teaching, they could easily survive a few weeks without computer support. This dramatically changed. Today IT is critical to a university’s teaching.
In my research, we not only look at the usability of security mechanisms for end users but – equally important – usability aspects for system administrators and software developers. This is particularly important for universities as we have many administrators that work in a decentralized way, reporting to their research group heads (professors) and not the university’s central IT department.
You have written about blockchain privacy threats. Can you explain what your concerns are?
The main concern is that all data is distributed and – in most cases – cannot be deleted. This is a problem with regard to European privacy laws such as the GDPR (General Data Protection Regulation).
A decade ago you researched fake identities in social media and questioned the Facebook business model. Can you elaborate on how you see this market today?
We falsely predicted that fake identities might be a problem for social media; contrary to our beliefs, fake identities were very useful for social media platforms when they stirred controversy and tried to influence political discourse. As a society, this might be dangerous for us, but for social media, it probably made them a lot of money.
The research area of identity management will become more important as we rely more on digital communication. Establishing with whom we actually talked was not a difficult problem in face-to-face communication, and even faking video calls was not feasible a decade ago. Today, deep fakes make it hard to know to whom we are really talking, and several politicians have been fooled in the past by pranksters – in many cases not by deep fakes, but it does show that establishing one’s identity in digital communication is hard.
In an editorial from 2018 you predicted: “We are reaching a new AI spring”. What are some of the trends in machine learning that excite you? Do these advances come with particular security threats?
Security and privacy is a great research topic because whatever new technology or hype comes up, we can and need to investigate its security implications.
There are two different aspects:
- Attacking the AI system, and
- Using AI to attack systems.
The first area is generally described as adversarial machine learning, which attacks the training or the execution of the AI system. For instance, evasion attacks have long been used by phishing and spamming to avoid AI-based detection of suspicious emails. More recently, research has looked at how AI systems can be compromised by compromising the training data (data poisoning attacks). Another very timely research topic is model extraction, where an attacker tries to steal the model by asking the AI many queries to learn about its underlying model and training data.
The second area is simply using AI methods for known attacks, such as automated attacks. AI-powered bots can be used to launch automated attacks, such as distributed denial of service (DDoS) attacks or brute force attacks, which can overwhelm or compromise a system. AI-enabled malware and ransomware can learn to evade traditional security measures, something that we referred to as polymorphic viruses in the past. With the wide publicity of systems such as ChatGPT, AI-enabled data manipulation and spoofing receives a lot of attention.
I am sure you are already excited about welcoming the international EdMedia community on your campus. What are some traveling tips you have for visitors to your campus and city?
The city of Vienna is obviously a very attractive venue for tourists and conference travel. I would recommend not only walking through the inner city but also visiting the Wienerwald and the traditional Heurigen (taverns by local winemakers). EdMedia’s social event will be in one of those places. The best way to get around the city and to the Heurigen is public transport.
What are some technology trends and topics you are eager to learn more about from AACE conference attendees? What will make you say: ‘This was a great conference’?
I’ve always enjoyed EdMedia; we hosted the conference many years ago. What I really enjoyed is that the conference focuses on teaching at different levels, and this is beneficial for computer science teaching as we need more high school students to be enthusiastic about CS. A conference is great if all participants ask the organizers in which year it will be hosted in Vienna again.
Attend EDIL 2023
The EdMedia conference has contributed to the field since 1987. It spans all disciplines and levels of education attracting researchers and practitioners from 70+ countries. Most importantly: This is where you meet your friends!
The first call for proposals closes on February 10. Submit here: https://www.aace.org/conf/edmedia/call/
Edgar’s research focuses on fundamental and applied research on blockchain and distributed ledger technologies and security of production systems engineering. After graduating with a PhD from TU Wien, Edgar worked in a research startup for two years. He then spent one year teaching as an assistant professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the TU Wien and founded the research center SBA Research together with A Min Tjoa and Markus Klemen. In 2020 Edgar left TU Wien to accept a position as full professor at the University of Vienna, Faculty of Computer Science.