Leslie Corbo is an assistant professor of cybersecurity and the associate director of the cybersecurity programs at Utica College.
Her research areas include data privacy, cyber risk management, and malicious emails.
Key takeaways from the interview
- Research interests: Corbo focuses on social engineering, consumer fraud, and the psychology behind phishing emails. Her research aims to understand why people click on malicious links or attachments, with a particular interest in how different generations interact with these threats.
- Importance of human behavior in cybersecurity: A significant aspect of Corbo’s research is the role of human behavior in cybersecurity. She emphasizes that training and education need to be tailored to individual personalities and generational differences to effectively mitigate risks.
- Developing a standardized taxonomy for cybersecurity: Corbo is working on creating a standardized taxonomy for digital evidence and social engineering. This effort addresses the lack of standardization in cybersecurity terminology and practices across different organizations.
- Phishing emails and data breaches: Corbo cites the figure that over 90% of data breaches start with a phishing email. She highlights the evolving sophistication of these attacks and the challenges in preventing them, especially as they exploit human rather than technical vulnerabilities.
- Cybersecurity education at Utica College: Corbo discusses the various cybersecurity programs at Utica College, including specializations in cyber operations, criminal justice, fraud, and electronic crime. She emphasizes the importance of integrating technology and human factors in cybersecurity education.
- Career advice for cybersecurity students: Corbo encourages students from diverse backgrounds to pursue cybersecurity. She stresses the importance of communication skills and the need to stay updated in this rapidly evolving field.
How did you first become interested in cybersecurity?
So, I was working as a human resource director, and we were in this period of time where corporate wanted us to cross train. So we had to cross train with other departments, and nobody wanted to cross train with the IT department.
So I ended up cross training with the IT department as the ambassador to the organization, and I fell in love with it. I started doing a lot of systems admin work. Someone went out on leave, I started doing all of that stuff, backups and applying permissions, and learning all of the behind-the-scenes things, and it became something that I loved a lot.
Where did you take it from there?
Finally, I just decided, “I’m going to go back to school and learn this stuff.” So, I did that. Actually, at the time, Utica College was one of the only schools who had a cybersecurity program. And I graduated from Utica College with my degree in computer forensics.
Cool. That’s great. When you did that, was that another bachelor’s degree, or was it a master’s degree?
It was a bachelor’s degree, and back then I worked in defense. I worked for a defense contractor, and I started doing a lot of different intelligence type positions. So, within a year of me graduating, Utica College started their master’s in cybersecurity, so I went back and got that degree.
And I started adjunct teaching there while I was working, and I’ve really enjoyed teaching. And I liked the research aspect. I went back and got my doctorate in information assurance, which is really cybersecurity.
Maybe you could just walk us through some of your current research interests, or talk about the evolution of your research.
Okay, so I do a lot of research on social engineering. I’m writing a book right now on social engineering, and I’m trying to develop a standardized taxonomy for that, that pertains to digital evidence, a digital footprint, that kind of thing. I also do research, which is outside of cyber, but if you picture it as a Venn diagram, it’s really part of it, which is consumer fraud.
So I’ve had some articles published there. My research is primarily phishing emails, and how different generations view them, and what makes somebody click a link or open a malicious attachment. I’m interested in the psychology behind it. My doctoral dissertation was on generation Z, and how they interact with malicious emails, and what they consider malicious emails.
The psychology behind it…can you elaborate on that?
One of the things that came out of that research was that we’re still not training people correctly. We’re still not teaching them correctly, because their personality, and the way they see the world, is going to determine how they interact with their email.
And it’s interesting the ways that the different generations do it, but also how personality plays a big part in whether or not someone will open an email, or click on a link, or enter data — that kind of thing. So to me, that’s really interesting. I think I can make a lot of headway in that area.
So, it’s almost like there’s this behavioral component.
I guess they describe me as a career changer. Which is not a bad thing, because you’re bringing a whole new aspect into cybersecurity…So if you bring in a different perspective, I think it makes a big difference when we’re trying to figure out how to solve a problem instead of focusing on just our own research, or our own degrees, or what we’ve learned.
People say the biggest weakness in cybersecurity — or any security system really — is the human component. And it sounds like that’s the same issue here.
You can solve for the technology piece, but getting inside, trying to figure out how somebody’s going to interact, or when we look at information — we all make different decisions about that, right?
That’s really interesting. Maybe just delve a little bit more into the idea behind your book. You were talking about developing a taxonomy for social engineering. It sounds like naming things is an issue in cybersecurity right now.
Right. There’s not a lot of standardization. I mean, NIST has their information security standards, and their 800 series, but we don’t really have anything like that for cybersecurity. And every organization looks at things differently. The closest thing we really have is NIST’s Cybersecurity Framework. But depending on the culture of the organization, people are calling things by different names, and it can get really confusing when people are going from one place to another, to try to fix a problem.
So I think if there was a standardized language, and a standardized output…of course, it would have to be elastic, it would have to be flexible because no organization is the same. And I think that’s where the biggest challenge is.
Okay. Before we move on from this question about your research and your work, I was wondering, could you give us an overview of phishing emails? Is it the same, or have the tactics changed as people become more aware?
Over 90 percent of data breaches start with a phishing email. That’s how they’re getting in. And they’re getting in again, by the human. So when they’re getting into the network, then they’re pivoting from one network to the next, or one system to the next. Look at ransomware right now. It’s a serious problem, because think about healthcare. Healthcare, somebody who needs surgery or something like that, they’re having their networks closed down.
What are the implications of something like that?
Their networks are shut down. They’re being essentially held for ransom until they either pay, or recover from their backups or something like that, and it’s become a really big crisis in the healthcare industry. And I see more and more of that happening, especially as IoT develops. I don’t think we’ve even scratched the surface.
I really think that we’re going to see so much more of that, and it’s frightening because it all happens from that human level. I shouldn’t say it all happens, but most of the time it’s happening from that human level. And how do you mitigate that? How do you stop that?
Right. It sounds like from the way you’re describing it, as long as we have email, phishing attacks will probably persist, right? There’s no way really to stop that. It comes down to the individual user opening when they’re in their inbox. Am I going to click on this or not, right?
I honestly don’t know how we survived without email. There was a time, and I was in business then, when businesses ran without email.
One of the things that everybody worried about back then were the printer scams. So the receptionist would be asked about the manufacturer of the printer, something like, “Can you tell me the brand of your printer?” And they’d tell whoever was on the phone the brand of the printer. The call would disconnect, and then a week or so later, a box of print cartridges would show up with a bill for a thousand dollars. That was the big social engineering scam then.
It’s certainly a different world now!
It’s hard to remember back to how we communicated before email, but that’s one of the main ways that the attacker gets in. They have you click a link, open an attachment. You’re downloading malware. It’s really frightening, and there hasn’t been any headway other than training people to try and correct this. How’s that for doom and gloom?
That’s really the amazing thing. I don’t know how to fix this. Companies are always trying to provide solutions, but I know that there’s a better way to do it. We just haven’t figured that out yet. I hope one of my students is behind it.
Yeah. And do you teach a course, or any courses, specific to phishing? Or is that a more of a broader piece of what you’re teaching?
Yes. So it’s really ingrained. I just created a special topics class which will probably encompass phishing, but what I’m trying to do is get them to find tools that are out there, to play with, so that you can think about how the bad guys work, right? That’s part of cyber operations—attack and defense. I think that we in cybersecurity have spent way too much time on the defense.
We don’t spend enough time on offense, because companies don’t want to spend money that they don’t necessarily need to spend, and I think that we’re just not doing enough proactive searching and things like that. If we don’t find anything, we find it to be a waste of time, money, and resources, and we’ve got to stop thinking like that.
Because that’s exactly what cyber criminals are doing. They’re looking at other resources out there, and trying to figure out how to get in, and we’re just not doing enough of that. Almost like that black box testing.
So, when you’re just going into a network blind, you’re going in, just trying to see what you can find, that’s basically what a cyber criminal is doing. If they can get access to the network, they start looking around. What am I finding? Organizations don’t do a lot of that. They’re really doing a lot of defensive monitoring, and that kind of thing.
Yeah, that makes sense. We are more reactive than proactive.
Well there hasn’t been a breach, so why spend money?
Yeah, right. Has there been a thread or through line over the course of your career that you keep coming back to?
So, phishing emails and data breaches have been a constant theme. Cyber criminals are getting better. It used to be where you could really look at a phishing email and say, “Well, the grammar and spelling aren’t great.” Sometimes the links are broken. In the case of RSA where the employee went to the junk email folder and pulled out something that was in junk…it seems like it’s always the same things.
There’s the phishing emails, there’s the data breaches, and every time we think we’ve fixed something, the bad guys figure out a way to circumvent any controls that we put in place. So we’re always playing catch up, and that hasn’t stopped.
Interesting. Yeah, the incentive isn’t changing, it’s just the barriers we’re putting in front of the incentive that are changing.
Yep. You use that defense in depth model, and every time you put a barrier, they figure out a way to get around the barrier. So it seems like it’s always been that cat and mouse game, and as good as we think we’ve gotten, we’re just not there yet.
Can you tell us more about the cybersecurity programs at Utica College?
We’ll start with the bachelor’s degree program. We have a traditional cybersecurity program in cyber operations, where you’re studying attack and defense. And I’m really proud of this, because I think that we’re one of the very few schools who have this – we have a cybersecurity specialization in criminal justice for people who want to go into some kind of law enforcement aspect, but learning about cybersecurity as well.
We’ve got that degree path for them. We’re one of the few schools that have the DC3 designation — that’s the Department of Defense Cyber Crimes Center. And we’re a CDFAE designated school – the National Centers of Digital Forensics Academic Excellence. So we have that certification. We’re one of a handful of schools. I think there’s 13 or 14 schools nationwide who have that designation. Our cybersecurity roots are in our forensics program, which I think was one of the very first forensics programs in the country. And then we have a specialization in fraud and electronic crime as well.
Is that a certification?
It’s an undergrad program. But that specialization (fraud and electronic crime) is really good for people who want to go work in the financial industry. So that’s our bachelor’s degrees. At the graduate or the master’s level, we have digital forensics of course, and cyber operations.
We also have electronic crime, we have an intelligence specialization, and we have a malware analysis specialization, which is cool because it gives you that way to really dissect the malware, and look at how it’s written, find the similarities and strains. I think they’re very innovative, but in our programs, we’re always bringing the human back to the forefront.
Is there anything else we should know about your academic programs?
I like to refer to it as a Venn diagram where you’ve got the technology component, but you also understand cybersecurity is a human problem, and we spend a lot of time working with students to get them to a level where they can communicate well, because we’re not the programmers.
We’re not software developers. We’re the people who are actually overseeing how to build security into the product. How to build security into our network. And as companies are global, we have to understand global concepts, norms, laws. So we bring a lot of that to the table for our students, which I think puts them at a real advantage.
Yeah, that’s interesting. To put it in context, going back to what we were talking about earlier, it’s not just a simple problem of okay, go in and change this and everything is fixed. There’s that human dynamic.
Can you talk about the students who come to you looking for a master’s degree? Do they typically already have bachelor’s degrees in computer science or cybersecurity?
I’ve had people come to us with bachelor’s degrees in psychology, film making, English, political science. They’ve gone on to do amazing things with their master’s degree, because they’ve got that other component as well.
And I think it makes you a really well-rounded person when you’ve got that other experience to bring along. So we encourage career changers. We bring them up to speed. We do have a pre-course for them to take, and it’s intensive, but it does bring them up to speed to get into the master’s program.
And it’s all built in as part of the degree. I encourage career changers, because they bring a completely different perspective to the field itself.
Excellent, yeah. And then what’s the format? Are most of the courses on campus? And do you imagine, given everything that’s going on now, will there be more of a shift to online education? What’s that looking like?
Our master’s degree is entirely online. Even our residency is virtual. And we do that because we understand, most people getting a master’s degree already have a very busy life. They probably are juggling work, family, and especially given these times, there’s always added responsibilities.
So, with that, everything is 100 percent online. That doesn’t mean that there’s no communication between you and the professor. Our classes are relatively small. There’s probably 15 students per class, in some of the more heavily loaded classes. So you get that one-on-one time with your professor. They do have meetings like this using the dreaded Zoom, or Google Hangouts.
Tell us more about the professors.
The professors that we have, both on campus full time as well as our adjunct faculty are very hands-on. And they get to know their students. You get to know us, and we get to know you. It’s not so big that you’re swallowed by the sheer number of students. Our undergrad program is designed so you can either take courses online, or you can take courses on campus. Everything that we teach on campus can be taught online in cybersecurity.
What about people who have associate’s degrees under their belt?
So, most people who have a two-year degree and want to get that four-year degree, I encourage them to come try this program. If you’re interested in cybersecurity but you don’t want to dive right in, we have a lot of cybersecurity certificate programs and classes that can easily be transferred over to the undergrad or graduate programs. It’s really a nice blend depending on where you live, and your work schedule.
What kind of career advice do you find yourself giving students, or any kind of guidance, really?
A lot of times I have students who think, “I’m really not that good of a programmer, I’m really not that good with code and that kind of thing,” and one of the things that I always remind them of is how big cyber is. Most organizations now are really looking for people who can not only code, but who understand how an operating system works, or risk management in cybersecurity, cybersecurity governance.
Understanding cybersecurity is a global issue for a lot of organizations. So I think that one of the things I tell them all the time is that they have to forget what they learned yesterday, because what you learned yesterday might not be true for today, but one thing always remains the same, and that’s being able to communicate well with people, both written and orally.
You have to be the one who explains to the organization, even if it’s your C-level people, you have to explain what you’re doing, why it’s important. That’s the big part of what we do. The planning and management and that kind of thing, sharing with the organization what our vision is and coming up with a clear vision, because they really don’t know.
If you don’t understand a lot of this, you can be talking to someone and their eyes start to glaze over, and what they need to be able to do is explain it and break it down into terms where you can talk to all different parts of an organization.
Right. Yeah, and just make it accessible and relevant for people.
Right, right. But communication is such a big thing, and I think that sometimes that gets lost. I mean, if you’ve ever read a help guide, or looked at, or even go on a discussion board to try to figure out how to fix something, you see that people are talking in levels way above what the person who’s asking the question is.
I’m not telling somebody to dumb something down, but I’m telling them to think about how they’re explaining something so that the person they’re talking to understands and can walk away and know what they should do next.
If we were to create this kind of crowdsourced cybersecurity reading list, I was curious about your top few picks of either things that you read frequently or listen to, or videos you watch or lectures or whitepapers…
So, because I like to read about data breaches and different things like that, I read Brian Krebs daily. I also watch “This Week in Tech.” Sometimes I stream that in my office. It’s with Leo Laporte. I don’t know if you’ve ever heard of it, but they call it TWiT.tv, T-W-I-T, “This Week in Tech,” and they have TWiG as well, they have “This Week in Google.” They have Security Now, [a podcast] with Steve Gibson — Kali Linux is a product from him. So I do read that. This morning, I was listening to Dark Net Diaries, a podcast.
Any other recommendations?
I’m a member of ACM, so I read a lot of those journals. When I’m doing research, or I’m trying to learn something about a topic, I’ll go out and start looking through journal articles and things like that, and I find I start, it’s kind of like going down the rabbit hole and I start going from one thing to the next, to the next to the next. I think that’s one of the most fun ways to spend a Saturday, which nobody understands really.
But it’s kind of to your point earlier about cybersecurity, is that it’s a field that’s kind of in constant motion and it’s very kinetic. So you have to always be reading or always be learning about what’s coming down next because the threats are constantly changing.
Right, and you can’t get that from a book. In one of my classes, I don’t even use a textbook. And that’s why, because the dashboard might change and a student who’s learning will look at it and be like, “Well, mine doesn’t look like this.” So it’s that everything changes so quickly…there’s no way that just getting something from a book, a textbook, it’s not going to be the same after it’s published. So it’s not a history lesson, because it’s being written and rewritten every single day.
If you were looking ahead, what kinds of things are you seeing or thinking about or discussing in your classes about the future of cybersecurity?
We’re talking a lot more about artificial intelligence. We’re talking about smart homes. So let me go back a minute, because one of the things as humans that we do is we want everything to be convenient, but as soon as something bad happens, like a security breach or something like that, we want it fixed yesterday. We want that immediate fix, and everything is automated.
Now we’ve got artificial intelligence, we’re going to have so many more IoT compromises. I just see these coming. There’s no such thing as the default anymore, but still, there’s going to be ways to get around that, and we want things to be simple. Not everybody who’s getting these are engineers. So we’re buying these products and we’re putting them in, and I see a lot of compromises coming down the pipe with the more IoT devices that we have.
The other thing is, I think we’re going to have to finally move to IPv6, instead of the IPv4, because I think we really will run out of IP addresses eventually. It’s funny, because I remember when I started doing this, I think in 2004, and everybody said, “The IPv4…don’t even learn how to do the math with that, because that’ll be gone soon.” That was in 2004. We’re still using it over 15 years later.
Anything else you expect to see coming down the line?
I think we’ll finally see IPv4 turn into IPv6, but it’s going to be a lot more Internet of Things compromises. We’re going to see a lot more artificial intelligence, that can probably bring some pretty big hacks. Some of the hacks are going to be massive. Which is why we’ll be a necessary component of every business.