Click here. Open this attachment. Log into your account. We get dozens of emails daily asking us to perform these kinds of tasks-but all it takes is one from a malicious actor to risk exposing personal information … or worse, the safety of a nation.
"People everywhere click on things they shouldn't click on, which gives bad actors access to things they shouldn't have access to. And the results can be dramatic," said Holly Tucker, Mellon Foundation Chair in the Humanities.
This spring she led an undergraduate immersion program to investigate those threats. Seven students conducted original research on phishing attempts among their peers, including examining the increasing use of generative artificial intelligence to conduct more sophisticated attacks.
TACKLING SECURITY THREATS
The research program was associated with Vanderbilt's Institute of National Security, which will launch in the fall and be led by the founding director, retired Gen. Paul Nakasone, the former commander of U.S. Cyber Command and director of the National Security Agency.
The purpose of the institute is to address emerging security concerns in a 21st century environment, harnessing Vanderbilt's expert faculty, strategic partnerships and interdisciplinary approach. That exciting mix of talent and strategy will make the Vanderbilt Institute of National Security the premier institute for accelerating innovation, advising officials and preparing students to be the next generation of national security leaders.
"The security landscape is evolving at an unprecedented pace and in unknown directions. To meet these challenges, it is imperative that we approach them in a highly interdisciplinary way," Nakasone said.
"We are establishing the premier institute of national security to develop and support leaders who serve and solve our most pressing national security challenges," he added. "Students who participate in the immersion program led by Professor Tucker represent a new era of leaders in national security, and we are excited that many of these students have chosen to serve the nation upon graduation by contributing to national security solutions that will help keep us safe."
PHISHING ATTACKS IMMERSION
Research shows that undergraduates are among the most frequent targets of phishing attacks. The student immersion program led by Tucker partnered closely with Vanderbilt's cybersecurity team, led by Vanderbilt Chief Information Officer Shane Callahan, and representatives from the national security community.
"Vanderbilt has a unique attack surface," Callahan said. "We protect important research, large amounts of administrative data, athletics, student data and many other types of technology and data. Partnering with Tucker and her team allowed us to show students what real-life attacks look like. We were also able to demonstrate testing in a large enterprise, giving the students practical experience while trying to solve one of the hardest problems we face."
The students also met with an impressive roster of top national security officials, including FBI Director Christopher Wray, Ambassador-at-Large for Cyberspace and Digital Policy Nate Fick, Chief of the National Security Agency's Laboratory for Advanced Cybersecurity Research Rita Bush, and retired Air Force Lt. Gen. Charles "Tuna" Moore, former deputy director of U.S. Cyber Command who now is a distinguished visiting professor at Vanderbilt.
"We learned that one person clicking on a link to malware could conceivably shut a key system down," Tucker said.
"As a humanities professor," she added, "I never could have imagined leading an immersion group focusing on cybersecurity and national security."
PROTECTING TOMORROW, LEARNING FROM YESTERDAY
Tucker's expertise is on emerging technologies in the Scientific Revolution of the 17th and 18th centuries. Her interests in technology and nation-state conflicts in historical contexts led to an invitation for her to be a moderator for Vanderbilt's 2023 Summit on Global Conflict and Emerging Threats.
"I thought they were crazy," she said. "Why were they asking me?"
Upon reflection, however, she realized she did have a lot to say about new technology and international conflict. After all, her research has included how the importation of Chinese gunpowder and arrival of rifles on 16th century battlefields changed the face of medicine as well as European social dynamics more generally.
"What's fascinating to me is seeing the way societies respond to emerging technologies, not just on an individual level, but also how they affect the global balance of power," she said.
IMMERSION DREAM TEAM
When she was invited to join the Institute of National Security at Vanderbilt, she didn't hesitate to lead the immersion program, along with a diverse team that included Vanderbilt senior cybersecurity analyst Max Lieb, Jessica Phelan, MS'23 (computer science), Carlos Olea, MS'24 (computer science) and Ph.D. student Cameron Pattison (philosophy).
Her humanities background, Tucker said, has also helped her to explore the subject.
"Phishing emails are not always obvious," she said. "They often play on emotions or create a sense of urgency. Humanistic inquiry is all about the practice of subtle interpretation and the choices we make based on those interpretations."
"GET PHISHED"
The seven students selected for the immersion cohort learned about how they and their classmates could be vulnerable to phishing attacks-and developed an educational game that challenged students to discern whether an email was legitimate or malicious.
In the game, students are shown "real" emails alongside the types of phishing emails that commonly target undergraduates-offering employment, asking the user to click on attachments or requesting personal information. Some of both types of emails were human-generated, while others were created with ChatGPT.
The game design also provided an opportunity to collect data on how students engage with suspect emails, including whether their accuracy in discerning phishing attempts changed if the emails were generated by AI rather than humans.
The students developed the study design in collaboration with Vanderbilt faculty researchers and learned how to jump the hurdles of conducting ethical research on human subjects. Along the way, they had fun drumming up excitement among other Vanderbilt students for their game, which they called Get Phished. They set up fishbowls full of Swedish Fish candy and sent out a student in a giant shark costume, eventually "hooking" some 500 participants.
"I think the final count was well over 50 pounds of Swedish Fish packets," Tucker said.
The data gathered from the research is being analyzed by the Vanderbilt faculty team, which includes Professor of Special Education Laurie Cutting, Associate Professor of Psychology and Human Development Lisa Fazio, Assistant Professor of Psychology and Human Development Alex Christensen and Professor of Teaching and Education Alyssa Wise.
EARLY RESEARCH RESULTS
Early results show that students were fooled by the phishing emails as often as 1 in 5 times. Consistent with past research, they found that people who were more confident in their abilities were the least accurate in discerning phishing attempts. They also found that students were significantly less able to identify AI-generated phishing emails, failing 29 percent of the time, compared with 17 percent for human-generated.
Tucker and Cutting recently presented these results with NSA's Advanced Cybersecurity team. In early August, Tucker will give a presentation at U.S. Cyber Command's Academic Day conference at the University of Maryland.
"I appreciated learning about the seriousness of phishing attacks and how they can lead to disastrous cybersecurity attacks," said Elise Farley, BA'24 (computer science), who is beginning a career in technology consulting in Washington, D.C.
Computer science student Kate Fischer, Class of 2026, has long been interested in a career in national security, and she found the extent of threats using generative AI particularly eye-opening.
"I was able to gain many insights into the changing methods of global attacks that are facilitated by rapidly developing technologies," she said.
NEXT IMMERSION
Tucker is now putting together the cohort for the next immersion program in the fall: an undergraduate class focusing on generative AI and national security that will culminate in another student-led project. She is also going through the process of security clearances for an upcoming sabbatical, during which she will be stationed at Fort Meade in Maryland for four to six months to apply her humanities training and her growing cybersecurity experience to national security projects.
After years of writing award-winning books on French history, she is happily surprised by the new turn her career has taken.
"Only at Vanderbilt," she said. "My entire career at Vanderbilt has been about thinking outside the box and disciplinary limitations." In a way, it mirrors the scientific pioneers she's studied. "In the 17th century, scientists were called natural philosophers. All disciplines were brought to bear in the quest for knowledge-including philosophy, history, literature-during the Scientific Revolution," she said. "Someday people will look back at the early 21st century and see how much we've accomplished because we invested as much as possible in interdisciplinary approaches to our world's greatest challenges."
By Michael Blanding
