IMPACT 2024 USA

Dr Julie Haney

Human-Centered Cybersecurity Program Lead, NIST

PRESENTATION

From ivory tower to real world

Building bridges between research and practice in human-centered cybersecurity

Biography

Julie Haney leads the Human-Centered Cybersecurity program at the U.S. National Institute of Standards and Technology (NIST). She conducts research about the human element of cybersecurity, including the usability and adoption of cybersecurity solutions, work practices of cybersecurity professionals, and people’s perceptions of privacy and cybersecurity. Her research has spanned multiple topics, including internet of things, cybersecurity advocacy, cybersecurity awareness training, cryptographic development, voting, and the research-practice gap. Julie has been an invited speaker at numerous cybersecurity forums spanning industry, government, and academia, and has authored peer-reviewed articles in both research and practitioner publications.

She also served as a guest editor for the IEEE Security & Privacy magazine special issue, “Usable Security and Privacy for Security and Privacy Information Workers.” In 2023, she was awarded a Department of Commerce Bronze Medal for her leadership of the Human-Centered Cybersecurity program. Prior to joining NIST in 2018, Julie spent over 20 years working in the U.S. Department of Defense as a cybersecurity professional and technical director where she conducted vulnerability assessments, wrote widely used cybersecurity guidance, and advocated for the adoption of cybersecurity mitigations. She has a PhD in human-centered computing from University of Maryland, Baltimore County, an MS in computer science from University of Maryland, and a BS in computer science from Loyola University Maryland.

Presentation overview

Human-centered cybersecurity researchers aim to improve people’s interactions with cybersecurity technologies and processes. Ultimately, improvements depend on cybersecurity and IT practitioners becoming aware of the research, understanding its relevance, and acting upon it. This is easier said than done, as human-centered cybersecurity, like other fields, may be subject to a disconnect between researchers and practitioners: the so-called “research-practice gap.” Past research in other domains reveals that the gap may be due to differing incentives, values, and work routines between the two communities. Typical recommendations to address the gap often place most of the burden on researchers, who may not have the resources or expertise needed for knowledge transfer. Further, these recommendations largely focus on research outputs, ignoring practitioner engagement throughout the entire research lifecycle to ensure research is relevant to practitioners. Because the human-centered cybersecurity field has its own unique characteristics and challenges, it is also unclear if prior findings and recommendations from other fields apply.

This talk will present results of a research effort to better understand points of interactions between the practitioner and human-centered cybersecurity research communities. Surveys capturing the perspectives of both practitioners and researchers reveal the perceived importance, challenges, frequency, and methods of interactions, knowledge sharing, and integration of research evidence into practice. While both communities appear to be eager to learn from each other, they often lack time, institutional support, or knowledge of how best to connect. Based on these findings, the talk will propose strategies and encourage attendee dialogue about how to facilitate collaboration without putting undue burden on either community. Discussion will also include the possible creation of “evidence bridges,” intermediaries that synthesize and make accessible research relevant to practitioner decision-making while engaging with practitioners to understand their research evidence needs.