As more everyday objects, such as cars and even refrigerators, connect to the internet, new opportunities for cyberattacks open up. So, keeping our technology safe and secure is more important than ever. 

As a cybersecurity student and summer intern at NIST, I’m learning firsthand about the role people play in cybersecurity. 

You may think that most cybersecurity incidents result from technological errors, but this is a common misconception. As I conducted preliminary research for my internship as part of the Summer Undergraduate Research Fellowship (SURF), I was surprised to learn that human error accounts for more than 80% of cyberattacks. 

Human error can take various forms. Employees can ignore password requirements or create weak passwords. In other cases, staff members may accidentally put a system at risk, such as by clicking a link in a phishing email. 

These examples illustrate the need to consider human factors, specifically how people think and operate, in cybersecurity. Despite the significance of human factors, many organizations fail to address these issues when designing cybersecurity guidelines and procedures. As a result, they may miss opportunities to identify and prevent breaches. 

This summer, I am interning at NIST’s NICE Program, which promotes cybersecurity education, training and workforce development. I am conducting a case study on human factors in cybersecurity. This involves reviewing various research publications on these incidents and analyzing the human factors that may have caused them. 

To further narrow down my research, I’m emphasizing supervisory errors and their possible role. 

For example, I’ve researched the 2011 attack by the hacker group Anonymous on the technology security company HBGary. Top executives’ poor password management was among the issues that contributed to the attack. Soon after, the company’s security firm, HBGary Federal, went out of business. 

NIST offers the NICE Workforce Framework for Cybersecurity (NICE Framework), a nationally recognized resource that organizations use to educate and train their employees and to help prevent cyber incidents like the one that happened at HBGary. Within the framework, there’s a defined role for managers, called the Program Management Work Role. This work role and others offer guidance on how managers can strengthen cybersecurity in their organizations. 

I hope my research can be incorporated into the guidance for this work role. This would allow organizations to better educate their supervisors on how to reduce avoidable human errors and create a more robust cybersecurity workforce. 

Experiencing NIST as an Intern

As I write this a little over halfway through my internship, I can say it has been immensely enriching. 

I’m fortunate to work under a great mentor and a supportive team filled with bright minds. I’ve gained valuable professional experience and research skills that I will be sure to use as I continue my education. 

One of the most memorable experiences was attending NICE Director Rodney Petersen’s testimony before the House Homeland Security Committee. It was a very interesting glimpse into the inner workings of our government departments. 

Additionally, living on my own has allowed me to further develop important life skills, such as budgeting and time management. 

Pursuing a Career in Tech 

Having grown up in the 2000s and 2010s, I was surrounded by technology from a young age. I believe this was the catalyst for my growing interest in the field. 

I knew early on that I wanted to study a technology-related field in college and potentially pursue it as a career. This led me to pursue a computer science degree at Hampton University, a historically Black university in Virginia. 

However, after realizing that I didn’t enjoy the math aspect, I switched to cybersecurity. This opened my eyes to a new side of technology that I hadn’t looked at in detail before. 

After finishing my undergraduate education, I plan to pursue a master’s or law degree. After that, I’m keeping my career options open, but I know that I want to work in the technology sector. 

The SURF program has given me invaluable experience working a federal job. I hope to intern at Google, Microsoft or another tech company in the future to explore work in the private sector. In a perfect world, I’d love to work in the video game industry, whether it be in cybersecurity or a different role. 

Advice for Future SURF Students

My best advice for future interns is to keep an open mind. Don’t be afraid to explore a variety of topics and change course if needed. The path of research is never a straight line. 

Don’t feel like you need to know a ton about your topic to start either. The point of research is to learn and explore. 

You won’t always get the results you expect — or the results you want — but you’ll always come out of it learning something new.