The UC Berkeley School of Information (I School) and the Center for Long-Term Cybersecurity (CLTC) are pleased to announce that Varoon Bashyakarla, a second-year Master of Information and Cybersecurity (MICS) student, has been selected to represent CLTC and the I School as a RSA Conference Security Scholar at RSA Conference 2025, which will run from April 28 through May 1, 2025 at the Moscone Center in San Francisco.
RSAC Security Scholars connect with leading experts, peers, and conference attendees to share knowledge, experience, and connections to enrich the discourse on how to stay ahead of cyber threats. Varoon will present to RSAC attendees, potential employers, and fellow students at the RSAC Scholar Poster Board Session.
We interviewed Varoon to learn more about his research interests and hear his thoughts about this opportunity. Answers have been lightly edited for clarity.
Varoon Bashyakarla
UC Berkeley School of Information
Poster Session Abstract:
Quick Response (QR) codes have grown in popularity since the start of the COVID-19 pandemic. Though QR codes are used for a wide variety of purposes today, they can be presented under false or deceptive pretenses by luring unsuspecting users into QR phishing (“quishing”) attacks. Since QR codes are not human readable, they provide a layer of abstraction, which can be used to conceal site redirects and mask malicious destinations. This study investigates how users respond to different warning messages embedded in QR code flows by serving warnings on personal devices under the guise of accessing a restaurant menu to preserve ecological validity.
This study compares flows in which users see (1) no warnings (“control”), (2) standard warning messages (“standard treatment”), and (3) warnings with positive reinforcement (“positive reinforcement”).
The results of our pilot study of 245 American adults finds that only a small minority of users appear aware of QR code-related privacy and security risks. The study disproves our hypothesis that users shown positive reinforcement warnings exhibit more secure behavior than those issued standard warning messages, though positive reinforcement outcomes are not significantly worse (1-tail z-test of proportions, p = 0.201). Across both standard and positive reinforcement treatments, we find that users who engage with the warning by checking the security of the QR-linked URL exhibit significantly better security outcomes (1-tail z-test of proportions, p = 0.077), suggesting that efforts to improve engagement with proactive security checks may facilitate safer QR code scanning behavior at scale.
What are your primary research interests?
I am interested in exploring the mechanisms by which online privacy and security influence things we might call ‘greater goods’ – collective security, human rights, and democratic norms. This framing encompasses a variety of topics: the economic externalities of cybersecurity, cyberinsurance and quantifications of cyber risk, and the marketization of privacy. I am also interested in how digital technologies are used for surveillance, particularly when targeted against journalists and human rights defenders, and the way personal data is treated as an instrument of political influence in this process. The research I am presenting at RSA is a study in usability, which is a topic I have grown interested in during my time in MICS thanks to Professor Komanduri’s Usable Privacy and Security class.
Why did you apply to be an RSAC Security Scholar?
I applied to be an RSAC Security Scholar for a couple of different reasons. I have never before attended the conference, and it seems like a great convening of researchers and practitioners from whom I have much to learn. Also, the conference appears to attract a primarily American audience, and I am based in Europe. I am eager to acquaint myself with security communities in the US, especially as the United States and Europe navigate a number of critical challenges and opportunities in cyberspace related to shared values, security, and cooperation. Next, I suspect that I may establish contact with people who might be willing to serve as sources or experts for journalistic investigations to which I contribute. Lastly, being an RSAC Security Scholar afforded me the opportunity to present original research and to meet other students navigating cybersecurity-related careers.
What do you think are some of the most important emerging areas in cybersecurity?
Understanding how to protect machine learning models from adversarial attacks and poisoning remains an open question as AI models continue to attract attention and users. Given that people are growing increasingly aware of how much of their personal data they expose when using everyday digital technologies, I am particularly interested in the continued development and growth of privacy-enhancing technologies and the usability underlying them. Next, as the CrowdStrike outages from last summer revealed yet again, the growing centralization of cybersecurity risk remains an outstanding challenge that, I suspect, will remain relevant as long as few entities wield an outsized influence over the digital infrastructure supporting the global economy. Lastly, the proliferation of spyware technologies, their influence on democratic integrity, and the suspect economic models of vulnerabilities supporting this gray market are among the most pressing topics in cybersecurity today – not just for the cybersecurity risks entailed but also for the ethical boundaries they establish.
What are you most looking forward to about the RSA Conference?
MICS has helped me better understand what corner of the cybersecurity world I enjoy the most, and I believe the RSA Conference will help me do the same but in a different capacity. I’m eager to meet researchers and practitioners working on all different areas of cybersecurity and online privacy and to learn what about their work excites them. The statistician in me is keen on attending talks in the conference’s “Analytics and Intelligence” track. I am also looking forward to browsing vendor booths; a lot can be learned from the visual language vendors employ, the way they describe the problems they are addressing, and how they market their solutions. Finally, I’m also looking forward to presenting the research Tanmayi Nandan, Prem Radhakrishnan, and I conducted on QR code security and warning messages.
