
Pittsburgh Uses Scarehouse to Promote Cybersecurity Education

January 2021
Note: This article highlights the experiences of one United Educators (UE) member and doesn’t represent UE risk management or legal advice.

Cybersecurity attacks can plague higher education institutions and their students, many of whom arrive without much knowledge of phishing or the dangers of social media use.

The University of Pittsburgh (Pitt) has scared up a fun but educational way to bring 3,000 students together in one day to learn about cybersecurity. Each Halloween, two departments within central information technology (IT) at Pitt, Security and Support Services, sponsor a Cybersecurity Scarehouse.

Pitt’s haunted house event wraps up the university’s monthlong focus on cybersecurity. (October is National Cybersecurity Awareness Month, according to the Department of Homeland Security.)

Scarehouses might cost thousands of dollars to organize. But when it comes to encouraging students to learn about cybersecurity, a scarehouse is a great “bang for your buck,” contends Joel Garmon, Pitt’s Chief Information Security Officer.

Holding the event on Halloween might not be a necessity for all schools, though it has been a huge success for Pitt. Students love candy and scares, making the event a draw. Plus, since fall semester recently started, the cybersecurity education occurs just as students are getting into a routine.

Pitt’s scarehouse is like many haunted attractions nationwide. It uses professional actors and involves, among other things, ghosts, goblins and other monsters jumping out of the dark. The theme in 2018 was “Stranger Things.” In 2019, it was horror movies in general.

Before entering the scarehouse, Pitt students must first pass through six educational stations, each with a game or activity about cybersecurity. Pitt determined that interactive stations engage students in learning about cybersecurity risks. Offering full-sized candy as prizes at each station helps too.

Create Education Stations

Pitt, a public research institution with an enrollment of about 6,000, sets up the following stations to teach students about cybersecurity:

  1. Family Feud. Students are asked to provide the top answers to a question. For example, Pitt might ask about the most “dangerous” social media sites to visit. A student buzzing in with a correct answer, such as Facebook, will receive points. The person running the station will then explain the risks of using the site and how students can protect themselves.
  2. Password strength testing. Students enter passwords into a website, which assesses the password’s complexity and announces how long it will take to crack it. A basic password might take less than a second to crack, while a complex password using capital and lowercase letters as well as symbols might take thousands of years to crack. The person running the station reiterates the importance of using a strong password and routinely changing it.
  3. Phishing or not phishing. An email will appear on a computer, and students have to buzz in and explain whether the email is phishing or not. Students must explain how they can tell.
  4. Ask the expert. An IT expert answers questions on a variety of cybersecurity topics.
  5. Jeopardy! In a game set up like the TV gameshow Jeopardy!, students must provide the correct information from various cybersecurity categories.
  6. Spin the wheel. A student spins a wheel, and based on where it lands, they are given a cybersecurity question.

Provide Cybersecurity Tips to Students

While the scarehouse shines a spotlight on cybersecurity awareness, Garmon notes that colleges and universities must continue year-round to educate students about cybersecurity risks. Among the guidance Pitt provides students, faculty, and staff:

  • Create a strong password that combines letters, numbers, and special characters. Never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.
  • Change your password regularly. Don’t use the same password across multiple websites. Pitt requires students, faculty, and staff to change their university computing account password at least every 180 days.
  • Run antivirus and anti-malware programs regularly. Some viruses and spyware programs can collect and transmit account information. Pitt offers some cybersecurity software free through the university’s download service.
  • Understand when to be suspicious. Be suspicious of emails requesting personal information, containing spelling errors, or claiming your account will be reset. Also be wary when a popup appears on your computer and asks you to call a number to fix your computer. Pitt uses an alerts and notifications page to keep students, faculty, and staff up to date on the latest scams.
  • Be careful when using USBs. These drives and other external devices can be infected, so only accept them if they are provided by known, trusted sources.
  • Lock up smartphones and tablets. Use the passcode feature; set up phones to lock after five minutes of inactivity.

Pitt, which was founded in 1758, has been a UE member since September 1988.
