Markus Jakobsson and Filippo Menczer
It's no secret cybersecurity researchers approach Internet security problems much the same way hackers do. By role-playing bad guys, cybersecurity researchers are better equipped to sniff out weak spots in software and hardware systems than someone who thinks less, well, opportunistically.
"It may be that the best detectives are those who would have been -- under other circumstances -- the best thieves," says IU School of Informatics Associate Professor Markus Jakobsson.
What distinguishes hacking from some cybersecurity research is intent.
"Both hackers and cybersecurity researchers are looking for vulnerabilities," Jakobsson explains. "Hacking sometimes hurts people but is usually done for fame alone. Sometimes it is done with criminal intent. Cybersecurity researchers seek to understand flaws in systems and promote improvements. Even when cybersecurity research is done in the real world with real people, no one is hurt."
But that doesn't mean cybersecurity researchers aren’t misunderstood.
"If I tell you what an easy mark you are, that does not make you feel comfortable and thankful," says Filippo Menczer, also an IU associate professor of informatics. "It makes you resent me."
Not all identity theft occurs because of vulnerabilities in software and hardware, however. Sometimes the vulnerability isn't technological, it's behavioral. In other words, sometimes the problem is us.
"People still pick weak passwords, and they do so for accounts that have elevated privileges," says Mark Bruhn, IU's chief information technology security and policy officer. "So, if someone manages to crack or guess that password, they have complete control over that computer, which may be a computer where personal information -- even credit card numbers -- is stored. People put too much personal information about themselves on the network, on Web pages, or in their e-mail signatures."
Bruhn urges users to assume that any financial or similar institution would not send unsolicited emails asking for a password or account information. "Always be suspicious of these types of unsolicited e-mail requests, or any other e-mail that is unexpected or doesn't seem quite right, even messages that appear to originate from friends and family," he says.
Bruhn and Jakobsson are members of the IU Center for Applied Cybersecurity Research (CACR), a service-oriented center directed by IU School of Law Distinguished Professor Fred Cate. CACR examines security problems presented by clients and presents solutions to those problems.
Other members of IU's burgeoning cybersecurity contingent include Menczer as well as Assistant Professors Minaxi Gupta, Steve Myers, XiaoFeng Wang, and Kay Connelly. Associate Professor of Informatics L. Jean Camp studies trust and risk on the Internet and Rudy Professor of Informatics Bill Aspray studies the historical, political, and socioeconomic aspects of information technology.
For more information, see:
CACR http://cacr.iu.edu
IU School of Informatics http://www.informatics.indiana.edu
"What is email fraud, and what should I do about it?" http://kb.indiana.edu/data/afvn.html
General information about keeping personal information secure: http://kb.iu.edu, search for "personal information"
