Honorary doctorate to Lorrie Faith Cranor
Institutional Communication Service
7 May 2022
At the 26th USI Dies academicus, Lorrie Faith Cranor, Professor of Computer Science and Engineering and Public Policy at Carnegie Mellon University, was awarded an Honorary Doctorate in Informatics. The award was conferred “for her relentless pursuit of making privacy and security usable - including her pioneering work on privacy policies, her fundamental contributions towards understanding phishing attacks, the creation of the Symposium of Usable Privacy and Security as the premier forum for research in this area, and her active role in shaping public policy to better protect our privacy.”
Lorrie Faith Cranor is a Professor of Computer Science and Engineering and Public Policy at Carnegie Mellon University, where she is Director of the CyLab Usable Privacy and Security Laboratory (CUPS) and Co-Director of the MSIT-Privacy Engineering master's program. In 2016, she served as Chief Technologist at the U.S. Federal Trade Commission. She has authored over 150 research articles on online privacy, usable security, and other topics. She has played a key role in building the privacy and usable security research community, having co-edited the foundational book Security and Usability (O’Reilly 2005) and founded the Symposium On Usable Privacy and Security (SOUPS).
Laudatio: Prof Lorrie Cranor
Dean of USI Faculty of Informatics
IT Security is one of society’s most pressing problems, as demonstrated by the many incidents of ransomware we have seen in the past year: these are attacks where, for example, all files are encrypted, and then a ransom is demanded to bring them back.
I teach the course Information Security here in our MSc program, and I always surprise my students when, after about six weeks, I tell them that the set of encryption algorithms we just finished learning is practically unbreakable. Technically, security is solved – no one can break modern encryption. So, for example, every chat message you send on WhatsApp is so well encrypted that only you and the recipient can read it!
So why is IT security still an issue? The short answer: PICNIC. The humorous acronym stands for “problem in chair, not in computer”. The user is usually the problem, not the mathematics of encryption. In fact, users in security are often called “the weakest link”. Most users cannot remember passwords, and thus they choose those that are easy to guess for an attacker. It is *users* who naively click on an email that claims to come from the IT department asking them to verify their password by re-entering it on this website.
If we want to solve IT security, we must look at ourselves, the users, and how we can avoid being “the weakest link”. For more than 25 years, Prof. Cranor’s work has been about creating solutions for online security and privacy that are *usable*. In fact, Lorrie created the first – and by now most prestigious – research forum for work on Usable Privacy and Security almost 20 years ago. Her well over 200 publications and her stellar citation record are equally testimony to the impact her work has had on today’s research into usable privacy and security.
Let me give you just one brief example of her research. I previously gave the example of a user falling for a fake email apparently coming from the IT department. Tricking users into giving out their passwords in this way is called “phishing” – a term that alludes to the act of manipulating people in order to “fish” for their sensitive information. We all have probably seen many such attempts sent to our inbox – most of them badly made and easily identifiable as being fake, but for companies, phishing is a huge issue as it is one of the main methods for breaking into a corporate IT system. In her work, Lorrie has, for example, developed tools that automatically alert users when they are about to click on fake links in an email or if they are about to enter sensitive information such as passwords into a fake website. She has also developed ways to train users to better identify such fake emails themselves, based on empirical studies that looked, for example, into why certain phishing attempts are more successful than others.
But Lorrie’s work not only had a direct impact on end-users by virtue of better user interfaces or training materials but also indirectly by helping policymakers to better understand and thus regulate technology. In 2016, Lorrie was invited by the U.S. Federal Trade Commission (FTC) to spend a year as their Chief Technologist. The FTC can be compared to the Weko (“commissione della concorrenza”) here in Switzerland. Still, due to the legal landscape in the US, it has a much more direct influence on regulating technology, in particular privacy. In their appointment, the FTC cited her “unique mix of technological prowess, scholarship and understanding of consumer attitudes toward privacy.”
As usual, there is no way a short laudation like this can adequately reflect the many achievements of a nominee. So let me try to sum it up as follows: Lorrie is a role model for all of us on how to do research that not only crosses interdisciplinary boundaries, but that also has an impact: academically, within the industry, and in society – by educating not only students but also citizens and policymakers.
By awarding an Honorary Doctorate, Università della Svizzera Italiana, upon the proposal of the Faculty of Informatics, wishes to honour Prof. Lorrie Cranor of Carnegie Mellon University in Pittsburgh “for her relentless pursuit of making privacy and security usable - including her pioneering work on privacy policies, her fundamental contributions towards understanding phishing attacks, and her active role in shaping public policy to better protect our privacy.”