“Information security has traditionally been viewed as a technical issue, but policymakers and business leaders increasingly realize that economic and policy issues have a significant impact.”
“I’m interested in studying how organizations and governments can optimize their information security strategies and policies to minimize risk and maximize the benefits of IT,” Zhou explained.
Zhou has been particularly interested in the effectiveness of bug bounty programs that companies use to learn about vulnerabilities from the public. Through a bug bounty program, potential hackers or other users receive a reward if they tell a company about an exploitable weakness that they’ve found. Though big-name companies such as Microsoft, Alphabet, and Meta have successfully utilized these programs to bolster their security with help from the public, other companies such as Oracle have been more skeptical. Is it really the best idea to reward would-be hackers by paying them for reporting vulnerabilities that they may have taken advantage of themselves? Zhou hopes to get a clear answer to that question through his research.
“I’m interested in these programs from a practical and a theoretical perspective since the philosophy is so different from conventional security practices,” he said. “Organizations traditionally keep their security work in-house and discourage outsiders from looking for weaknesses in their products, but now there are entire programs encouraging outsiders to identify those weaknesses. It motivates me to understand how bug bounty programs differ from traditional security protection and how companies should choose between them.”
Zhou is particularly interested in the questions brought up by bug bounty programs—questions that need to be approached from multiple perspectives. These programs raise economic questions (how much is the reward for reporting vulnerabilities, and where does the money come from?) and technical questions (can the systems handle the risk of letting unauthorized people explore them?). Beyond that, however, Zhou notes that bug bounties represent a shift in how firms look at technology—another aspect that excites him.
“Rather than viewing hackers exclusively as enemies, organizations and policymakers can benefit from utilizing hacking resources to enhance their security,” he explained. “This represents a change in the mindset of improving information security.”
Now that Zhou is bringing his cybersecurity expertise to Kogod, he’s looking forward to imparting it to his students to support their career goals. Regardless of whether they go into a strictly technical role, digital issues will definitely come up in their work. Zhou knows how important it is to understand how to identify and address them.
“Kogod students should know what cybersecurity risks their organizations might be exposed to and how to balance the need for security with the need for usability and convenience in technology systems.”
“They also need to know how to effectively communicate the importance of cybersecurity to non-technical stakeholders in their organizations. These are just some of the important questions they should keep in mind,” he explained.
As important as recognizing these issues is developing the ability to adapt to new ones. Zhou brings this philosophy into his research; going forward, he’s particularly interested in the continued adoption of AI technology and the latest batch of security questions it raises. In particular, he’s concerned with the ability to misuse AI to suit individual or firm needs and its potential impact on society at large.
“As AI becomes increasingly integrated into business decisions, there are many risks that need to be addressed; individuals can manipulate their features to get desired outcomes from AI models, or the use of AI could exacerbate inequality and undermine social welfare,” he said. “By exploring this area further, we can work toward creating a safer and more equitable environment for the application of AI, which has the potential to positively impact individuals and society as a whole.”
These are just some of the topics that Zhou hopes to tackle through his work at Kogod. As the semester begins, he’s looking forward to developing his teaching skills and continuing his research. He joins a faculty with a wide range of expertise in the IT field, and he’s thrilled to work with them to continue to pursue his goal of expanding his knowledge of information security.
“As a researcher, my goal is to generate insights that can help firms and governments make better information security decisions,” he said. “As a professor, my goal is to impact the Kogod community positively and to contribute to the school’s mission of preparing students for successful careers in business and beyond.”