01. December 2021

Why users want the right thing but do the wrong thing


User experience // When it comes to security-critical systems, users are unquestionably part of the problem. But when it comes to the solutions they are pretty much left out of the equation. Are they an incalculable risk?

Dr. Matetić, who is the CAS study program in cyber security aimed at?
Nearly all industries, including the public sector, need cyber security specialists. In addition to skilled IT staff, managers also need a fundamental understanding of cyber security issues in their organizations. So the target group is therefore specialists and professionals who don’t necessarily have a strong background in IT, but work in a position in which it’s vital to have some knowledge of the technical, political and strategic aspects of cyber security. Our goal is to prepare graduates for the complexity of today’s cyber security, and to help them understand the many different aspects that are necessary for making sustainable, rational decisions.

What sets ETH study programs apart from others at other universities and technical colleges?
In Switzerland, ETH is probably the best research and teaching institute in information and cyber security. This is evident in the variety of subjects we teach and the number of experts, global leaders in their fields, who work with us. However, cyber security is a very broad topic, and ETH alone can’t cover all the different disciplines. Anyone interested in studying with us should carefully examine whether the curriculum fits their needs: for example, if you want to learn how to program in Java, it might be better to find a suitable course at a university of applied science. If, on the other hand, you want to understand the underlying concepts and also be in a position to develop new approaches, ETH is a better fit.

Where did the idea come from? Did you sense some interest or demand from the business world?
In general, ETH Zürich is a leader in advanced education for skilled professionals and managers with an academic background. Its range of further education services seeks to further the development of society and business, and to strengthen Switzerland’s competitive edge. So it was time to expand our range of courses with a CAS and a DAS in cyber security. We sounded out whether there was a demand for this by talking to industry partners – both in the tech world and in other sectors – and also state organizations, including a variety of government departments and the military. Over a number of years, we observed a growing interest in master’s programs in information security in our IT department, which indicated some interest and demand. Ultimately, the growing shift towards digitalization, which we observed particularly during the pandemic, created a greater awareness and understanding of the topic in the various industries.

How did you determine the content for the CAS and the DAS?
We carefully prepared the curriculum for these two programs with two things in mind: firstly, that the content would differ depending on the target group, and secondly, to give students the appropriate amount and depth of information. It’s important to mention that we focus on the core competencies of ETH: We cannot, and have no wish to, offer a comprehensive “After the course, I know everything there is to know about cyber security” education program. We make interlinked research concepts, for example the basics of cryptography, accessible to non-experts. Only a fundamental understanding of the concept can allow us to understand the current and future challenges of cyber security. The CAS is divided into three modules: In module one, Introduction to Information Security, we wanted to give participants an overall picture of what cyber security is, and also give them the skills to understand the “language” of cyber security. In module two, Information Security Seminar + Project, participants are assigned a current issue in cyber security to explore. They delve into the minutiae to understand the topic itself, and all of its far-reaching implications and interrelations. The final module, Contemporary Topics in Cyber Security, aims to provide a broad overview of where the research is at right now, and the latest developments in cyber security.

“Today IT controls everything, from supply chains to business processes to medicine. Security problems have unexpected consequences on post-storage processes in the value chain.”

What do you think are the biggest cyber risks at the moment?
That varies, depending on your perspective. Companies, for example, still rate cyber risks by potential financial loss, while the general public is more concerned about their “digital wellbeing”. In my opinion, the biggest risks are ransomware and malware, weak points in the cloud, phishing and social engineering – and last but not least, a serious shortage of skilled cyber security professionals.

What about the biggest weak spots, or areas we need to work on?
We are seeing two big changes: firstly, the massive transfer of data to cloud infrastructures and the ever-growing range of digital trust services; secondly, the boom in cryptocurrencies and the use of blockchain technology in what used to be brick-and-mortar industries. Whenever we discuss IT topics, we also have to assume they are in need of improvement in cyber security terms. Why? Because today IT controls everything: entire supply chains, business processes, even medicine. The consequences of cyber problems can be unexpected: for example, a ransomware attack on a pipeline can lead to a shortage of petrol, which then causes all sorts of further trouble.

The course also explores “strategic and political aspects”. What can students expect from this part of the course?
Yes, we cover this with a series of sessions in the Contemporary Topics in Cyber Security module. At the moment, we are focusing on three things: 1. Cyber security meets security policy: We show how cyber security as a political topic has become a critical international security issue. 2. The realities of cyber conflicts and how cyber operations are strategically employed: Here, we focus on how state players use cyber tools for their own political or military gain. 3. Cyber security norms and governance: Students get an overview of the different players working on developing international norms for cyberspace governance.

Dr. Siniša Matetić

In addition to his contributions to the CAS and DAS programs in cyber security at ETH, Dr. Siniša Matetić works as a senior manager for IT strategy and innovation at Swiss Post, dealing with a variety of issues in the area of digital trust.