Research story
Smart devices can make our lives easier—but, if the data they contain are not protected properly, these devices can also be vulnerable to cyber threats. Dr. Atefeh (Atty) Mashatan, an information technology (IT) expert, understood early in her career that standard cybersecurity solutions are not necessarily appropriate for all devices.
NSERC had the pleasure of chatting with Dr. Mashatan to learn about her passion for cybersecurity, her work to make smart devices more secure, and the importance of encouraging and retaining talented people from diverse backgrounds in this field.
Dr. Mashatan, how did you become interested in cybersecurity? What led you to this career path?
My interest in cybersecurity has deep roots in my love for puzzles and math-based games, which I developed at a very young age. Growing up, my mother was a high school math teacher, and she had a huge influence on me. I didn’t realize that math was traditionally seen as a male-dominated field because I had such a strong female role model right in my own home. This sparked my passion for math, and I chose to study it in university.
After completing my undergraduate degree, I pursued both a master’s and a PhD in math, specializing in cryptography at the University of Waterloo. Cryptography fascinated me because of its blend of abstract mathematical concepts and real-world application, but it wasn’t until later that I saw the broader picture.
After finishing my academic journey, I decided to explore how I could apply my education outside of academia. I took on a role as a senior information security consultant specializing in cryptography within the banking sector. That’s when I really began to understand how math and cryptography were implemented in the real world. The learning curve was steep, but it revealed a wealth of research opportunities—everything from technical challenges to issues around how people interacted with these technologies.
As I gained more experience, I broadened my focus to cybersecurity as a whole, considering not just the technologies but also the processes and human factors involved. Eventually, I returned to academia, where my colleagues and I tackled sociotechnical issues in IT from a management perspective. This experience has allowed me to see cybersecurity from a more holistic angle, blending my technical background with a deeper understanding of organizational and human considerations.
Among other NSERC grants, you hold the Canada Research Chair in Quality of Security Framework for Internet-of-Things. What does your research focus on?
My research is driven by a realization I had while working in industry: Many of the solutions developed in academia and intended for general use simply aren’t practical for industry settings in the real world.
This insight was a key turning point for me. I became particularly interested in the security of the Internet of Things (IoT). A lot of the security protocols designed for IoT networks were originally built with larger devices in mind, such as computers and servers. However, smart devices like light bulbs, appliances and even pacemakers have far less computational power. These small devices simply can’t handle the complex security algorithms that are required for more powerful systems.
As a result, the security measures designed for bigger devices are often not feasible for IoT devices, leaving them vulnerable. The challenge, then, is to find the right balance between the limited capabilities of these smaller devices and their security needs.
My research focuses on developing solutions tailored to the constraints of these smart devices, ensuring they are as secure as possible given the unique limitations of smart home and smart office environments. The goal is to create security protocols that are both lightweight and robust, providing effective protection without overburdening the device’s capabilities.
You are the founding director of the Cybersecurity Research Lab at Toronto Metropolitan University. Can you give us an example of a research project your lab is working on?
One example is our project contributing to the development of a quantum defence blueprint for the smart grid. In collaboration with the energy sector, we are focusing on mitigating the risks to smart grids posed by quantum threats and exploring how we can integrate quantum-resistant cybersecurity in such settings. The first step of the project involved identifying vulnerabilities in generic power system models and demonstrating potential disruptions that could occur from quantum-based attacks. For instance, one scenario explores an attack using cryptographically relevant quantum computers once they become available, while another scenario envisions an attacker breaching encrypted data today and decrypting it once quantum computing capabilities advance. We plan to explore improvements to existing security tools, including the feasibility of quantum key distribution and the use of next-generation, quantum-safe digital signature technologies.
As a member of the Quantum Advisory Council, you provide advice to ensure Canada stays on the path of quantum innovation and leadership. Why is quantum science important in the field of cybersecurity?
Quantum science is built on 4 key pillars: quantum computing, quantum sensing, quantum materials and quantum communication. Among the pillars, quantum computing stands out as a looming threat to commonly used cryptography, i.e., public-key cryptography. Quantum communication and quantum-resistant cryptography, on the other hand, provide tools to replace the widely implemented public-key cryptography that is quantum vulnerable.
Given constraints on time, resources and talent, many organizations are limited in their ability to independently address this emerging vulnerability. We need leadership and resources so that organizations can complete their migration from quantum-vulnerable systems to quantum-resistant systems in a secure and timely manner. We need a comprehensive plan to help prepare Canadian society and industry for the security challenges posed by quantum computing.
You’re also a member of the advisory group for the Mastercard Emerging Leaders Cyber Initiative, designed to empower women and non-binary leaders who want to shape the future of Canadian cybersecurity. Why is it important to encourage under-represented groups to pursue careers in IT?
Encouraging under-represented groups to pursue careers in IT is crucial for several reasons, one of the most pressing being the well-documented talent shortage in the field, especially in cybersecurity. Historically, cybersecurity has relied heavily on disciplines like mathematics, computer science and computer engineering—fields that have systemic barriers for women, Indigenous people, people with disabilities, and members of racialized and 2SLGBTQI+ communities.
It’s important to recognize that the IT landscape itself is diverse. Moreover, it’s ever evolving, and we need to be adaptable to capitalize on new opportunities as they arise. A thriving cybersecurity team within a large company often includes professionals from various backgrounds—not just those with traditional technical expertise in math or computer science, but also those specializing in risk management, compliance, governance and other areas. These roles, while still requiring a solid foundation in technical skills, also open doors to a broader range of skill sets and perspectives.
When I work with students, I focus on helping them see the many career paths within cybersecurity and how it can be a space where they can truly thrive. The possibilities are endless, and representation matters. Diverse teams lead to better outcomes, and everyone—regardless of their background—can make valuable contributions to the field.
This interview has been edited for conciseness and clarity.
About Dr. Atefeh (Atty) Mashatan