Faculty Spotlight: Hanan Hibshi and the Impact of Cybersecurity

Hanan Hibshi, an assistant teaching professor at the Information Networking Institute (INI), is unique among the faculty. She is the only full-time faculty member to have first-hand experience of the INI as a student. Hanan has been a member of the Carnegie Mellon University (CMU) community since her time as a master’s student, when she joined the INI to study information security. She continued her studies at CMU to pursue research in usable security before returning to the INI as a member of the teaching faculty.  With her background as an INI alum, in addition to experience both in industry and research, Hanan brings her excitement for knowledge into the classroom, sharing examples from her studies and career to mentor her students.  

Hibshi shared her journey and the importance of training security engineers who understand the ethical implications of their work. 

Could you tell us a little about your journey?  

Hibshi: I grew up in Jeddah, Saudi Arabia. When I originally decided to study after high school,I wanted to become a neurosurgeon — I was fascinated by the human brain. I realized, however, that studying the artificial brain was what I wanted to do. 

After undergrad at King Abdulaziz University, I worked in the banking industry as the only programmer in a department. Typically, each bank has an IT department, but in my case, they had a budget department that dealt with highly sensitive data. I was fresh out of undergrad, working as a programmer, maintaining an in-house system and adding new features. It was a challenge for me, working on this system with no proper documentation and barely any comments in the code. I had to figure out everything on my own.  

Every time I teach, I tell my students, “I really want to make you comfortable in this class. You are safe because we are here to guide you. But I want you to experience dealing with software issues when there is no teaching assistant (TA) or professor in the room, and people are looking at you, expecting you to know the right answer. What would you do?”  

Something that seems very obvious to you might not be obvious to somebody else who is not in the technical field. You can be the brightest programmer in the room. But if you don’t communicate your ideas well, you will have a problem getting your message through.  

Eventually, I decided that even though I was doing amazingly at my job, I didn’t see myself in a corporate job for a very long time. I just wanted more. I’m an academic — I love reading. I love research. I love staying updated. It’s a highlight for me to sit in a lecture hall, and I missed that a lot. There was a scholarship program in Saudi Arabia that would support my master's and Ph.D. I got accepted, and I decided I would start all over. I became a student again. 

What is your area of expertise and how did you become interested in it? 

Hibshi: Security and privacy. I think the interest came because I didn't know anything about security. The INI stood out to me because it offered a degree that specialized in security, which was unusual at the time. The program was called the Master of Science in Information Security Technology and Management (now the M.S. in Information Security). I clicked with that title because, I wanted a specialized program focused on security, not a general computer science or computer engineering degree.  

Initially thought I'd focus on network security because I loved networks in undergrad, but then I met Lorrie Cranor, currently the director of CMU’s CyLab Security and Privacy Institute, who specializes in usable privacy and security. I was curious about the human aspect of security: how can we can get humans to use the security solutions and tools that we are creating? Eventually, I ended up working on my master’s thesis with Lorrie, where we studied how digital forensics professionals use forensics tools.

I continued researching the human aspect of security in my Ph.D. at CMU's Software and Societal Systems Department in the School of Computer Science, where my thesis expanded the pool of security professionals to people in fields like computer science, human-computer interaction and more. Through this research, with my advisor Travis Breaux in the School of Computer Science, I wanted to understand the larger challenges of usable security beyond forensics, since security affects so many different systems and types of work. 

How did you come to the INI?   

Hibshi: I first joined the INI as a graduate student and stayed at CMU to complete my Ph.D., while keeping my connection with the INI as an alum. At some point, I started running into INI Director Dena Haritos Tsamitis everywhere. One day, Dena encouraged me to consider teaching at the INI. Once I completed my Ph.D., I applied to join the INI’s faculty. I’ve been here ever since. 

At the INI, which courses do you teach? 

Hibshi: I teach Introduction to Information Security and Secure Coding in the fall and Browser Security in the spring. All three of these are core security course options for several INI programs. 

How do your courses intersect with tech ethics, and how do those lessons prepare students for their future careers in security? 

Hibshi: Ethics is ingrained since we start talking about information security. During the first lecture, I always tell my students, “Just because you know how to do something does not make it ethical.” I share my own stories about how there were times in my life when I had to say no and decide what was right. Our students need to have their internal compass. I talk about the law, policy and how we can get in trouble as security engineers. I also tell them, you’re a Tartan and you have a code of conduct. You want to model that and apply it to everything else you do. 

We keep bringing ethics into the conversation when we talk about the technical material, and it transcends all the courses. When we move to Browser Security, for example, we talk about ethics every time we discuss vulnerability research papers.When security engineers publish these papers, we’re benefiting society by telling the vendor about these vulnerabilities, giving them time to patch and sharing the lessons learned. In case somebody builds similar software in the future, they won’t run into the same problem and they will know what the fix is.  

What is your favorite part about being a professor? 

Hibshi: Staying young and learning. I’m a student for the rest of my life. I'm learning new teaching methods and new things about the field. I’m updated and connected with the world through my students. 

When you think about the advancements in the field, what are you most excited about? 

Hibshi: I’m excited that security means more to people, to industry, to governments. We’re investing more in that area. I’m excited that we understand that education on security also needs more attention. Everybody understands now that security is important.  

What are you most concerned about? 

Hibshi: It’s becoming harder and harder for us to live in this world with all the information around us. It’s just too tiring to keep up with all the attacks and leaks every day. I worry about people who are less informed about the field. I worry about those who are less fortunate, who might fall for some of those attacks or not know what to do in those situations. 

What advice do you have for students? 

Hibshi: Keep learning. This is an ever-growing field. It’s not just what you learn in the classroom — look at the professional development opportunities through conferences, whether it’s academic or industry. It’s a very diverse field; you don’t have to do the exact course that a friend of yours did or a friend told you that you should. Find the piece that interests you most in that field and focus on it. It could be the humans, the system, the network or the policy. It could be anything you find your passion in — try to follow that passion.