David DellaPelle: Thank you everyone for being with us today. Really excited to have this conversation. This webinar is titled Securing Education: How Adaptive Security Can Protect Students, Faculty, Staff, and Research. I am joined here today by three of the foremost CISOs within the United States: Lorna Koppel, who is the Director of Information Security and CISO at Tufts University; Marc Scarborough, who is the CISO of Rice University; and Steve Safranek, who is the CISO of West Chester University of Pennsylvania.
Really excited to have this conversation today. I think educational institutions face a unique set of challenges — a diverse mix of faculty, staff, and students that is quite different from the archetypical workforce within large enterprise companies. There are also somewhat open networks, as you have a large student base accessing systems, which can leave higher education institutions more exposed compared to other industries. Today we are going to explore the unique challenges faced by higher education and talk about how user adaptive risk management can help solve some of them.
My first question is for Lorna. At Tufts University, you have a diverse population of students, staff, and faculty. How does that variety of people and personas create unique security challenges?
Lorna Koppel: There are so many different things that complicate the picture. It starts with the fact that we have so many different personas. You can easily be a staff member who teaches a class or two and is also taking classes — right there you have three different personas — and you may work across different schools. So there is always the question of: who exactly are you at any given time?
The other challenge is that there are so many systems that track some piece of information about a person and their role, and those are not necessarily well-maintained, partly because of how frequently faculty come and go. We are a prevalent BYOD environment. Students bring enormous amounts of IoT devices onto campus, and faculty and staff have personal devices as well. What do you do in an environment like that?
People also come and go at very unusual times. Someone may teach a class as adjunct faculty for one semester and then not return for two more. So who is actually active in our environment at any given time, and who may be engaging in risky behavior that could cause problems?
And then there is the open network question. Everybody wants to collaborate and work across boundaries, so a lot of the segmentation you might think would be straightforward is not — either architecturally or in terms of the financial resources required to do it. The idea of having adaptive ways to adjust to the risk an individual poses, with a real-time approach, is very exciting to me. We have so many situations where we cannot get reliable triggering signals. But if we can get a lot of real-time data to inform those controls, that is a game-changer for what we are trying to do.
Steve Safranek: You made a great point about how critical the identity aspect is to every dimension of security, and how uniquely challenging that is in higher education because of the varied and multiple roles users have — adjunct faculty in particular. That is a constant challenge: how we manage the lifecycle of an adjunct at our campus, how we apply different access retention models to them. Like you said, they could be present for half a semester in the spring and planning to return, but may not know until the following spring whether they will. There are a lot of very specific identity challenges in higher education, and I think it is an open, ongoing discussion among colleagues across the sector.
David DellaPelle: I think you are right — segmenting those networks cannot be easy. And Lorna, you brought up a great point: sometimes a professor is also a student, and the lines between personas blur. At a bank it is pretty clear who has access to what. At a university, it may not be at all.
Lorna Koppel: Most definitely. And the authoritative systems you might rely on to understand who someone is will not necessarily have clear or current enough information to help you judge what roles they should have. You have to rightsize your security approach and think about where your risks actually live in ways that are quite different from a corporate environment, because you have so many personas.
Marc Scarborough: I think one thing worth adding is the lifecycle dimension, and it can be a very long one that you simply would not see in a corporate environment. In higher education, we have students who become staff. They finish their undergraduate degree, we have had records on them for years, and now they are joining us as employees. The gap between being a student and being a staff member could be years — but we still have those student records that we need to properly merge with their staff account, so that person has a single identity rather than multiple ones tied to different roles.
The other challenge is that higher education often retains access for certain affiliations beyond active employment. Alumni, Emeritus faculty, retirees — they frequently maintain some level of access to institutional resources, largely for development and alumni relations purposes. But they also often retain access to sensitive resources for a period beyond their formal affiliation, and that complicates things considerably.
And to complicate the situation further: we are a tier one research institution, and we collaborate with a large number of external individuals on research projects. Those collaborators need to be able to work together and share data, but how do you support them without granting excessive access? Supporting researchers effectively while not introducing significant risk is a real challenge.
David DellaPelle: That leads me into my next question for Marc. Universities like Rice store vast amounts of sensitive data, and as Lorna noted, researchers may be collaborating with people outside the university — sometimes outside the country. How do you balance security for sensitive research data against reducing friction?
Marc Scarborough: One thing people may not realize is that universities are like small cities. Students live here, eat here, sleep here, do everything here. We have clinics and hospitals, restaurants, bars, theaters, concert venues, and major sporting events. Each of those functions carries its own data and its own regulatory requirements. We are required to protect student data, health data, banking data, and credit card data under their respective regulations.
The challenge that is growing most complicated is research data. Each research project potentially has its own contract with its own data requirements, which makes compliance quite challenging. We are always trying to ensure only the right people have access, but each contract may have slightly different requirements — this particular researcher needs to protect this set of genomic data in this particular way — and those requirements change fairly frequently.
And as has been pointed out, research actually gets done through collaboration, and that collaboration almost always extends well beyond our institutional borders. We have to support that, minimize friction, and be honest that most of our researchers and staff are not thinking about information security. They are not worried about nation-state attacks or ransomware. They are here to get their research done. Having an awareness platform that can really address people based on where they are working and what their actual risks are — that is one area where we can meaningfully reduce friction by providing training that is relevant and targeted to their specific work.
Lorna Koppel: I would add that another area researchers are even less familiar and comfortable with is rapidly changing global privacy laws. We conduct a lot of international research. How do we help researchers design their protocols and handle data properly, given that there are many overlapping legal frameworks depending on jurisdiction? And with rapidly changing federal regulations pushing requirements to lower and lower classification levels, universities — which move slowly — struggle to adjust fast enough to support researchers when the regulatory environment shifts faster than our capacity to respond.
Steve Safranek: On the speed point — security is not at the forefront of researchers' minds. They want to be empowered to do their research and collaborate with who they need to. The evaluations we need to do to ensure compliance with data use agreements are usually things we get brought in on at the very last minute. Their focus is on enabling the work, securing the right materials, and getting contracts in place — and then we are left with very little time, if any, to review whether the environment and processes that have been established are actually going to meet the requirements of the contracts they signed. We have to be flexible and effective in what we are teaching and sharing in those moments. But a lot of the time, security is seen as impeding the process rather than helping protect anything.
Marc Scarborough: It is an important point. I joke at Rice that our research cybersecurity team is the Last Mile team — the last hurdle a researcher needs to clear. But one of our goals has been to educate on those evolving requirements proactively. One challenge we see frequently: a project has a set of resources that were perfectly adequate when it started, but the regulations have changed since then, and those resources can no longer be used for a new phase of the research. Our role has become helping researchers understand the new requirements and find a path to compliance — because the last thing they want to hear is that they need to stop what they are doing while we sort out the technology.
Lorna Koppel: And we have a lot of static training materials that we cannot adjust quickly. We do not have the staff to maintain and update training content on an ongoing basis, so it falls behind. We do not have a fast way to get new training in front of people as things emerge. That is another challenge: how do we move quickly to support the training needs of what is actually happening?
David DellaPelle: Let us change gears — that is a perfect segue. Traditional training models often fall short. At Dune Security we work with a lot of large enterprise teams that have robust security awareness functions, and universities may be a bit under-resourced in some of these areas. Steve, my question for you is about the technology on the market — how does it fall short? Lorna set it up well by describing content that can be stale and not institution-specific.
Steve Safranek: There are a number of reasons why legacy security awareness training really does not meet the current needs of a higher education institution, but it probably comes down to two primary factors.
The first is the typical lack of resources. A lot of higher education teams do not have a dedicated group of information security analysts whose job is to go through available content, find what is appropriate for their platform, figure out what each user needs, and monitor progress. For a long time, most organizations were really just looking to check a box — achieve some plausible deniability for an insurance evaluation or local compliance requirement. And too many vendors were happy enough to create a product that fit just that need, offering generic modules that hit the high points of phishing and common threats. If universities wanted to go beyond that and offer training that was truly customizable and applicable to varied roles, different access levels, and different data sensitivities, it became very difficult to find. The one-size-fits-all content available from too many vendors will be applicable and useful to some users, while far too many find it redundant or irrelevant to their jobs.
Finding something that is adaptive without requiring a large dedicated staff to source the right content, assign it to the right users, and track progress is very difficult with what is available today. Some industries have teams large enough to pick through vendor offerings and find value, but in higher education, in my experience, I have never worked in a shop that had even a single person dedicated to that. It gets spread across analysts, leadership, and others in IT — taking time away from everything else. Finding something that integrates with your identity management system and genuinely reduces that load is critically needed in higher education and largely absent outside of a few options.
David DellaPelle: Just to follow up on that — not just on the training side, but the phishing simulation side. Most security awareness platforms include phishing simulation capability. What are the challenges you have experienced there?
Steve Safranek: My biggest complaint is the lack of customization. You have a catalog of templates, a lot of it is outdated — the platforms we currently use still have a large catalog of COVID-related templates sitting in the main catalog, not retired or rotated out. That is where you can find the most value for users — in phishing simulations — but the value has to be clear to them. Especially in higher education, there is a large population that feels like they are being targeted or tricked. You do not get many chances to prove that this is for their benefit and not just the organization's. So the lack of customization and the lack of quality, current template content are my biggest complaints.
Lorna Koppel: I would add another challenge that affects the effectiveness of phishing testing and training: getting people to open the emails in the first place. There is so much email in higher education — you are on so many different lists, receiving so much cross-institutional information — that many people simply do not open them. So you are only training a portion of the people you intend to reach.
And then there is the other flip side: when someone does open it and clicks on something, if you want that real-time coaching moment, some people simply cannot absorb it in that moment because they are panicked. How do you get people to receive and retain that training when they are in a state of distress? Phishing testing, while valuable, plateaus and does not necessarily give you a reliable indicator of who actually has risky behavior.
David DellaPelle: That might be a good segue to quantification. What we have done at Dune is really tried to turn this on its head — security awareness training as a sub-industry is, in our view, no longer sufficient. The core of our platform is quantification. It is hard to solve a problem if you do not know where it lies in real time, with broad data sources. Large institutions like West Chester, Rice, and Tufts have a lot of data — the problem is how you correlate all those streams.
Lorna, if you could understand in real time the role a person is in, what they need access to, and their current risk profile — how would that change your day-to-day and improve security at Tufts?
Lorna Koppel: I think it would be very helpful, and what I would want most is to couple it with real-time data on what people are actually doing — not based solely on their title, not solely on their last handful of phishing test results, but also on the environment they are working in, what they are clicking on, how they have managed their security hygiene. All of those things together give us a much better picture of how to work with somebody. Being able to have that coalesce, alert us, and help us adapt to what each person needs — to help them be more secure — would change a lot. It would hopefully cut down on the amount of handholding we have to do during and after incidents, and on the coaching conversations where we know they are not actually retaining what we are saying because of the emotional state they are in.
Marc Scarborough: I want to add one thing. Steve mentioned the one-size-fits-all problem, and our campuses do not like that — and frankly, I do not think people in general respond well to checkbox security awareness training. It is actually much easier to explain to someone why they are receiving targeted security awareness training when you can say: it is because you are in the finance operations team, or because we have evidence that your account has been actively targeted — and while we have been able to defend it, you are a current target based on signals from other tools or your role. That approach is much easier for people to understand and accept, and they find the training far more relevant as a result. Selling the value of targeted training to our communities is a real challenge, and intelligence makes it much more achievable.
Steve Safranek: Without that intelligence, you almost have to fall back on the generic one-size-fits-all approach, because when you do not have that information you have to cast the widest net. Most of the population will get limited value from it, and that is not a good way to mature a program. There was actually a Wall Street Journal article recently about how phishing testing and training can be counterproductive if it is too broad — I think about a researcher studying molecular biology at Tufts receiving training that was designed for a clerical employee in accounting. It does not make sense. If you can see within your environment that this is a heavily targeted user, run an access and permissions analysis to understand what they have access to, and use AI to understand what risk that role actually carries — that is quite powerful.
If you did have accurate user risk profiles, what else becomes possible? How could you increase security?
Steve Safranek: I think having that gives you the flexibility to build a genuinely maturing educational program that is personalized at the individual level. It is simply impossible to do that without it. Right now, if you try to address advanced threats or specific data regulations that have no bearing for most users, you lose people. They check out. You go over their heads. Having individualized intelligence that lets you mature a program on a user level is really the only way to bring an entire group forward without losing the majority along the way.
Lorna Koppel: I like the idea of being able to respond in near real time — putting data points together and being able to adapt quickly. Some of the things people have been trying to do in this space are adaptive authentication: when risk escalates, you escalate the authentication requirements. But I also think about what can be automated from a response perspective. Could you micro-segment quickly? Could you raise an alarm fast enough that we know something unusual is happening — something that may not be a large risk to the university as a whole but could be a very significant risk to that individual? Raising that flag so we can respond is critical.
David DellaPelle: That is a perfect segue. Question for Marc: how could adaptive security integrations improve security team performance and workload in this new world where you have accurate real-time employee risk quantification?
Marc Scarborough: It starts with what Steve and Lorna have already touched on. The one-size-fits-all approach does not really mature a program. You can achieve the compliance checkbox, but you have not really moved the needle. And as Lorna pointed out, the ability to quickly change your program based on what you actually observe is key.
The adaptive authentication analogy is a good one. In modern technology environments, we get signals from multiple solutions and make real-time decisions about someone's access — are they on a University laptop, on the University network, are they using multi-factor authentication correctly? If something changes, we can adjust one of those signal sources without changing the entire process. Similarly, if we know who has access to what, what threats we are seeing directed at them, and what level of training they have already received, we can act on that. We can reach out and say: we have seen these types of attacks against your role — the training you have been taking should prepare you for this, please let us know if you have any questions. That puts some of the trust back into an educated user community and lets them make some decisions on their own.
From that perspective, it really does reduce both the workload and the worry for our teams when threats come through. Knowing that our community has been specifically trained for this type of attack, and that they know to expect it in their role — that is significant peace of mind.
David DellaPelle: Steve, let us talk about proactive security culture. How have you built an effective security culture, and what are the best practices? I think higher education has some unique challenges in terms of actually having the leverage to enforce security training.
Steve Safranek: I think industries like healthcare and financial services have easy ways to draw lines in the sand — you take this training or there is immediate impact on your position or your ability to work there. That really does not exist in higher education, in my experience. You have to earn buy-in from your users.
And I think what we have been discussing is the most effective way to do that. Having that adaptive intelligence and being able to show a user not just a generic hypothetical, but: on this date, this message came in, here is what you did, and here is the training we are now giving you so this can be avoided in the future. Removing the boogeyman aspect and being able to show people: these are the actual attacks your account and the university face every day, at these times, through these vectors — and then tailoring the training and phishing simulations to mirror that — so they can see quantifiable improvements and protect not just the institution but themselves.
What has also been most effective in getting individual buy-in is showing users how these practices protect them in their personal lives. Tying security practices to: this is going to protect your own identity, your family's finances — you can teach your children how to protect themselves. The more real-world examples and the more quantifiable information we can show — that they have experienced this, and that they now know how to handle it — the better our buy-in. In higher education, if you come down with a heavy hand it is going to bounce back on you and you will lose whatever leverage you have. It has to be a collaborative effort, and you have to demonstrate value to get leadership support and grow the culture on campus.
Lorna Koppel: One thing that seems more unique to higher education is the payroll diversion attack. These attacks have been flowing through higher education for years and we tend to be more vulnerable to them. Getting people to understand what someone actually goes through when their paycheck gets diverted is powerful. When you make it real — what would you do if you did not receive your next one or two paychecks — people start to internalize why two-factor authentication is important to protect them personally. It is their responsibility to protect themselves. That tends to resonate very well: connecting security at work directly to impact on their personal lives.
David DellaPelle: A fun one now for the broader panel — thank you all, this has been fantastic. What about AI and deepfakes? It is a moving target. You could have the president of the university delivering a video message to all employees that is a complete fabrication — something as simple as asking employees to go buy gift cards and send the codes. Students may be a bit more tech-forward and might catch it faster, but how do you educate for a threat that is constantly evolving?
Marc Scarborough: I think it ties into everything else we have discussed. You tell the campus what is currently happening and what is currently possible, raise awareness of emerging threats, and educate people on the normal ways leadership communicates with the institution. The other piece is making sure senior leadership — including presidents — are themselves aware of this threat, so they can work with their teams to ensure that the way they communicate is recognizable and harder to mimic. We know deepfake technology is going to keep improving, but letting the campus know it is coming, helping leadership understand it is happening, and working through strategies for more consistent and verifiable communication — and leveraging training platforms to include these examples so people become familiar with them — that is the response.
Steve Safranek: One challenge I come back to with emerging threats like this is that they are hard to integrate into your communications when your program is not yet at a level where you feel comfortable with the basics. Communication with your users is almost like a limited resource. If you pepper people with security alerts too frequently, it becomes white noise — they stop reading. So you have to be careful about which topics you surface publicly and how often you do it. Something like deepfakes is a huge threat, but you have to weigh: if I send this out instead of reinforcing a more common, foundational threat, am I going to start losing user engagement?
Without a solid baseline program and a user community that is already engaged, those conversations are very difficult to have effectively. Filtering major emerging threats through leadership and having them cascade down through individual departments — rather than sending a mass communication — is often the right move. You want to make sure that when you do communicate broadly, people are genuinely paying attention.
Marc Scarborough: And one of the key things we try to do is keep the message simple: stick to approved processes. If you receive an unusual request, even by email, do not go around the process. If you do not do that, a large category of problems simply does not occur. Getting people to pause for a moment when they are reading something — is this triggering an emotional reaction, am I making a decision not based on what is actually in front of me but on a sense of urgency — that pause is the most valuable behavior we can build. AI makes it much easier for attackers to replicate the signals people used to rely on to evaluate legitimacy. So rather than training for the latest specific threat, we try to teach basic principles that apply across all threats, even though the speed at which AI enables new attack variants is certainly a challenge.
Lorna Koppel: There is also an opportunity for us to use the same technologies offensively. We are exploring internally how to help people triage these decisions. If I can insert a moment of pause before action occurs, I have moved the needle. But we can also use AI tools to help our email systems go beyond traditional signals like DKIM and SPF records and evaluate the actual content and context of a message: does this seem normal? Does it seem relevant? Does something feel anomalous? And then alert the end user: this does not appear to be a typical message from your president — please use caution.
David DellaPelle: I think we covered quite a lot today. The main takeaways I have are that securing higher education is incredibly difficult. There are so many different types of roles, and how do you manage risk for roles that are so dissimilar from most other industries — professors, researchers, adjunct faculty with irregular schedules? You have an industry where a significant portion of users may not open half of their emails. And you have a heavily regulated industry requiring constant compliance. The combination of all of this means that security awareness training as it exists today is insufficient — and I think that is even more true for higher education than for any other sector based on this conversation.
That is precisely what we are building toward at Dune Security: adaptive security that ensures role-specific protection, pulls in all the different signals about individual risk, and correlates them to build highly accurate, real-time employee risk quantification.
Thank you so much to Marc, Lorna, and Steve — thank you for joining today. We really appreciate your time and are proud to be part of this solution.
Marc Scarborough: Thank you.
Lorna Koppel: Thank you for having us.
Steve Safranek: Thank you.
Higher education is a small city: clinics, restaurants, research labs, IoT-saturated dorms, and a workforce of faculty, staff, students, alumni, and international collaborators who all hold some kind of access. That mix of personas, BYOD, open networks, and decade-long lifecycles makes traditional one-size-fits-all security awareness a poor fit.
In this session, Marc Scarborough (CISO, Rice University), Lorna Koppel (CISO, Tufts University), and Steve Safranek (CISO, West Chester University) unpack why higher education is a high-value target, how to bring exposure prioritization to an environment where risk is unevenly distributed across different user-types, what securing sensitive research data looks like without shutting down academic collaboration, and how to build a proactive security culture that holds up against AI-driven social engineering attacks.
Key Takeaways
- Higher education has one of the most complex identity surfaces of any sector. A single person can be a student, adjunct faculty member, staff employee, and research collaborator simultaneously, sometimes across multiple schools within the same institution. Lifecycles run for decades and blur past active employment into alumni and emeritus access.
- Generic content cannot earn the buy-in higher education requires, and without engagement the program does not mature. A molecular biology researcher and a clerical employee in accounts payable face entirely different threats and are not well-served by the same module. Phishing simulations plateau when users have seen the same templates for years, or simply do not open the emails in the first place.
- Research data is the fastest-growing compliance burden. Every project potentially has its own contract, classification, and data residency requirement. Real-time controls that follow the researcher, the data, and the regulation are far more sustainable than static policy.
- Universities need real-time, role- and behavior-based intelligence. Title alone is not enough. Combining role, observed behavior, simulation results, and security stack signals lets teams reach the right user with the right message at the right moment, and drive dynamic authentication or micro-segmentation.
- Earn buy-in, do not mandate it. Higher education does not have the hard levers healthcare and financial services have. Tying security to personal benefit, payroll protection, family identity, parenting children online, plus showing users the specific attacks aimed at them, is what drives behavior change.
Stay Updated
Get the latest threat intelligence, research, and product updates from Dune Security.
Photo Gallery
Step into the atmosphere of our past event — watch the recap and relive the moments where cybersecurity, innovation, and community came together.
Our Latest Insights


Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security
Stevens Institute of Technology modernizes security awareness and improves individual risk management with Dune Security




Hitachi Digital future-proofs security training for a global workforce with Dune Security
Hitachi Digital future-proofs security training for a global workforce with Dune Security




Phishing Didn't Leave the Inbox. It Expanded Around It.
Mobile-centric phishing carries a 40% higher success rate than email. Vishing is up 442%. Deepfake fraud is projected to hit $40 billion by 2027. The attack surface didn't shift, it expanded. Here's what that means for enterprise defense.


Social Engineering Is About to Be the Only Game in Town
AI is finding and patching zero‑days at machine speed. The traditional attack surface is collapsing. The only place attackers can still win consistently is the user. Learn what that means for CISOs trying to defend the enterprise, and why the operating model that worked for networks, endpoints, and identity has to come to the User Layer next.




The Top User-Driven Cyber Threats Targeting Law Firms
Law firms sit on some of the most sensitive and valuable data in the enterprise, and attackers have built an entire playbook around exploiting the users who handle it. Learn how four dominant threat vectors are targeting legal sector workflows in 2026 and what it takes to stop attacks at the User Layer.




Securing Education
Dune Security CTO Michael Waite joins the Cyber Security Matters podcast to discuss how AI-driven social engineering is evolving, why legacy security awareness training no longer works, and how behavior-based risk quantification can better protect users from emerging threats.




Securing Education
Dune Security CEO David DellaPelle joins Secure Insights to break down why user risk drives breaches, how AI is accelerating social engineering, and why legacy awareness models are no longer effective.




Securing Education
Dune Security CEO David DellaPelle joins the Cyber Security America podcast to explain how AI-driven social engineering is outpacing traditional security awareness training and why organizations need a behavior-driven approach to identifying and reducing user risk.




Philadelphia Area Cyber Technology Showcase & Golf Outing
Dune Security sponsored GuidePoint Security's Philadelphia Area Cyber Technology Showcase and Golf Outing, a regional gathering of cybersecurity professionals and technology partners.
.avif)
.avif)


Controlled Chaos: Enabling Innovation While Ensuring Safety & Security
GRC and security leaders from UiPath, Yugabyte, and CXD Consulting on enabling rapid innovation without losing the controls that keep the business standing.





.avif)