This article is published in the March 2015 issue.

G/rep{sec} = underrepresesented groups in security research

Three years ago in May 2012, as Terry Benzel, Deputy Director, Computer Networks Division, Information Sciences Institute at USC, Hilarie Orman, The Purple Streak (a software security firm), and I, Susan, then a visiting scholar at Harvard, sat at the IEEE Symposium on Security and Privacy, we had trouble seeing any other women. As women researchers in security and privacy of a certain age, we were accustomed to that. But we were not accustomed to the original proposal for the program committee for the following year’s program committee: forty men, two women. We looked at each other. There was not “world enough and time” to wait for the situation to change; we needed to take action now.

Having served on the CRA Committee on the Status of Women in Computing Research (CRA-W), I knew about funding for discipline-specific workshops. The application date was a month away. Jeremy Epstein, the NSF program officer for Secure and Trustworthy Computing, was at the symposium; he mentioned funding deadlines were imminent, and suggested we get an application in quickly.

Within six weeks we had a workshop location, a draft program, and two proposals completed; by August, we had funding secured. Hilarie came up with a workshop name: “GREPSEC,” G/rep{sec} = underrepresesented groups in security research. We took it.

The CRA-W funding came with a twist. The funding was joint with the Coalition to Diversify Computing; the requirement was that we also include members of underrepresented groups. If women are rare in computer security and privacy, members of underrepresented groups are even more so. We took on the challenge.

All three of us had experience with participating in such mentoring meetings. We opted for a day-and-a-half long meeting, scheduled just before the 2013 IEEE Symposium. Finding and arranging for speakers was the most complex part: we sought to cover security and privacy broadly; we wanted women and minority speakers, and we sought a balance between academic and industry speakers (government too, where we could find them).

Following the successful 2008 MIT Women in Mathematics: A Celebration meeting, in which Susan was a co-chair, we decided on a schedule that focused on technical sessions, while leaving lots of free time for informal mentoring at the coffee breaks and meal. Doing things that way, rather than presenting explicit mentoring panels, presents the clear message that the women and members of underrepresented groups are scientists and researchers. That was the most important message to convey.

Attracting speakers was fun, and largely easy. We had a wonderful list: Terry Benzel, Dan Boneh, Claudia Diaz, Rachel Greenstadt, Cynthia Irvine, Anthony Joseph, Carl Landwehr, Teresa Lunt, Deidre Mulligan, Aleatha Parker-Wood, Ron Perez, Diana Smetters, Zach Tudor, Helen Wang, Jeannette Wing. We had representation from academia (Stanford, KU Leuven, Drexel, Naval Postgraduate School, George Washington University, USC) and from industry (PARC, AMD, Google, Microsoft). (Some of the speakers also had previous experience in working in or with government.)

Attracting students was more complicated. We could find women graduate students through advertising on the Systers mailing list, through the CRA-W lists and postings, and through targeted mailings to security and privacy researchers. Reaching members of underrepresented groups was more challenging. Many of the students are not at the top research universities, and thus not in the loop just described. We arranged for posting on the Latinas mailing list, while Russ Joseph, co-chair of the CRA-W/CDC committee on discipline specific workshops, helped get the word out to faculty at minority institutions. We also arranged for flyers at the Tapia Conference. We made sure to advertise heavily.

We received a total of ninety-four applications from fifty-seven institutions. Ten applications were from undergraduates, of whom six were members of underrepresented groups. Because we had sufficiently many applications from graduate students, we opted not to host undergraduates.

The combined funds from the three grants — we had also received a small grant from Microsoft — provided funding for twenty-seven domestic and four international students from twenty-three institutions. Grants were awarded to twenty-eight women, of whom twenty-five attended the workshop, and ten members of underrepresented groups, of whom seven attended the workshop. The attendees included six men. With additional funding from Microsoft, we were able to fund some non-US students from non-US institutions; given the strength of the University of Waterloo’s cryptography program, for example, this was a great plus.

The students ranged from first-year graduate students with burgeoning interests in security and privacy to students close to completing their PhDs in the field.

The ratio of speakers to students was deliberately high since we wanted to encourage one-on-one mentoring. Half the speakers were present for both days, half for only one. Having focused the talks and panels on technical content, we encouraged—and left ample time for—the students to mingle with the speakers during coffee breaks, meals, and the Saturday evening reception. Except for the initial breakfast on Saturday morning, where the speakers mostly sat with each other, the rest of the informal time we saw the students and speakers talking, sometimes quite intensively. I, Susan, knew it was working when I saw two minority males corner Ron Perez, senior fellow at AMD. This is exactly what we had hoped for.

Despite the fact that some students were coming from top-ranked institutions while others had a much less strong background, we felt it was important that the students feel that they were on a level playing field. So instead of doing an evening poster session with haves and have-nots, we opted for everyone participating in a one-minute introduction just before the Saturday evening reception, with each student telling who they were and where they were from, and a problem they were working on, or interested in. That was terrific. We had them go in alphabetical order — no shy ones last — and the process worked wonderfully. It broke the ice even for the very shy ones. The evening reception, and the following day, showed lots of lively discussion between the students and the speakers—exactly what we had intended.


We covered a variety of technical topics: high-assurance systems (software and hardware), security research problems in industry, mixing AI and security, developing trust in cyberspace (pulling together people, laws, and technology). We had keynotes on a theory of trust in networks and people, on where cryptography and authentication are heading, and on developing a building code for software.

We had different impacts on different students. For some of the students, including those at institutions with a lower research profile, this was the first time that they were exposed to cutting-edge research. For students at universities with a higher research profile, the workshop enabled them to have a wider exposure to the broad set of research questions in security and privacy; such a perspective is extremely useful and is often unlikely to be part of graduate education. In addition, several of the students went on to attend the IEEE Symposium on Security and Privacy, a leading conference on security and privacy; this attendance contributes to creating a new generation of researchers, educators and developers in the discipline. We even had impact on researchers; one of them, Carl Landwehr, presented a keynote that later evolved into a research paper.

We learned various things from our workshop. Some students, those from the “Research I” and “Research II” categories, knew about buying plane tickets and getting reimbursements. Those from institutions that did not strongly support research floundered, and we lost several attendees (lost in the sense that they did not attend; we hope none them were unable to navigate the BART trains and are still wandering about in the system). So for GREPSEC II — yes, we are running the workshop again — we have arranged to pre-purchase tickets and directly pay hotels. The work to present a level playing field for the students really helped, but students from less research focused institutions tended to be quiet. So we’ll continue the one-minute intros in this year’s program, but we’ll move that to earlier in the program. We’ll also work to have the students mix more.

The need for GREPSEC is clear. The funding is less so. We have again received funding from NSF and CRA-W/CDC — thank you — and from Google, Microsoft, and the Information Sciences Institute. But given the national needs in cybersecurity and privacy, and the continuing paucity of women and members of underrepresented groups in the field, a long-term grant to fund several more workshops over the next six-ten years, is probably what is needed. Terry, Hilarie, and I hope to attain that, to become the GREPSEC steering committee, and let the next set of women and members of underrepresented groups become the committee to run GREPSEC III and beyond.