SUMMARYMIT’s Cybersecurity Clinic, launched in 2019 by Jungwoo Chun and Lawrence Susskind, trains students to assess vulnerabilities for municipalities and health-care organizations and recommend low-cost defenses against ransomware and other cyberattacks. More than 120 students have completed the course, and the clinic has delivered over 40 free assessments, with its MITx modules reaching tens of thousands of learners and inspiring a growing consortium of university clinics.
In May 2019, the government of Baltimore, Maryland, fell into chaos. Cybercriminals had locked the city out of many of its critical files and demanded payment to decrypt them. The city refused to pay ransom. The attack incapacitated a swath of services, including real estate transactions and bill payment, and recovery costs soared into the millions.
The syllabus of class 11.074/11.274 (Cybersecurity Clinic), a course in the MIT Department of Urban Studies and Planning (DUSP), includes a case study on Baltimore’s situation as an example of increasingly common ransomware attacks on municipal governments and other public agencies. To counter such threats, Lecturer Jungwoo Chun and Ford Professor of Urban and Environmental Planning Lawrence Susskind launched the MIT Cybersecurity Clinic in 2019. They have offered the course nearly every semester since.
Much like a legal or medical clinic, the course doubles as hands-on training for students and a pro-bono service to at-risk communities. After completing instructional modules and passing a certification exam, students are assigned in teams to a client. By the end of the semester, each team creates a report assessing the client’s vulnerabilities to cyberattack and recommending steps to improve protection. So far, the clinic has provided more than 40 assessments, confidential and free of charge, primarily for New England municipalities and health-care organizations.
In 2025, the FBI’s Internet Crime Complaint Center documented an average of 2,765 cyberattacks targeting Americans every day. When these attacks strike cities and towns, the fallout goes beyond finances, says Chun: “There’s a terrifying, cascading effect on every dimension of our lives.”
In recent years, cyberattacks targeting the kinds of client communities served by MIT’s clinic have imperiled water supplies, impeded 911 and police services, and exposed citizens’ personal data.
Despite being gateways to essential infrastructure, many small municipalities and hospitals lack in-house staff trained in cybersecurity. Demand for such experts far exceeds supply in today’s labor market, and public sector budgets rarely can match the high salaries private companies offer qualified candidates.
According to Comparitech, from 2018 to 2024, there have been 525 ransomware attacks on U.S. government entities, approximately one every five days, leading to an estimated $1.09 billion in downtime costs.
“Underfunded public and not-for-profit bodies need to follow a self-help pathway,” Susskind says. “There are many low-cost moves that these organizations can implement with a little coaching from a free-service clinic.”
Defensive social engineering
Some might be surprised to find a university cybersecurity program housed outside the computer science department. Chun is an applied social scientist with expertise in public policy and planning, and Susskind is a leading scholar of conflict resolution and consensus building. They call the approach they’ve developed for the clinic “defensive social engineering” to emphasize that cybersecurity isn’t solely a technical challenge.
Chun acknowledges that the rapid development of artificial intelligence has created alarming new tools for criminals — “now AI can not only identify the vulnerability, but do the attack itself, which is really scary” — and an ever-evolving menu of software claims to guard against these attacks. Accordingly, the course spends considerable time on the technical aspects of cybersecurity. “But at the end of the day,” Chun says, “the biggest attack vector is still through humans.”
The term “social engineering” commonly refers to ways cybercrime victims are manipulated into compromising security (for example, by sending money to a scammer, downloading malicious code, or disclosing sensitive information). Susskind and Chun’s concept of defensive social engineering is similarly grounded in human psychology. The approach emphasizes that cybersecurity must be part of everyone’s job, technical or otherwise.
“It’s about people knowing what to do, people making the right choices,” says Chun. “It’s helping them use the resources and budget they have now on things that can be long-lasting, rather than just spending on the latest antivirus software.”
“Students with computer science backgrounds are surprised by the importance we attach to helping clients build organizational capacity,” says Susskind. “Students need to understand the leadership dynamics in their client communities. The IT director can’t just do what she or he wants. They depend on the local government for their budget. They need approval to hire new staff.”
On the other hand, Susskind says, students from planning or social science backgrounds often study smart city innovations without learning much about the technologies needed to manage the associated risks. And there are aspects of AI and advanced system design — along with cyber law and other topics critical to cybersecurity — that engineering students may not learn in their other courses. The Cybersecurity Clinic aims to round out the knowledge of students from every discipline. The course aims to broaden those students’ knowledge, too, by inviting at least half a dozen guest speakers each semester from industry, other universities and MIT academic departments, industry, and/or relevant public agencies.
This past spring, for example, the lineup of lecturers included Dan Ricci, the founder of Industrial Data Works, on the modeling of risk in energy systems within budget-constrained environments; Gus Serino, president of I&C Secure Inc., on operational-technology cybersecurity for industrial control systems; and representatives from the MassCyberCenter and the Cybersecurity Infrastructure Security Agency providing overviews of their respective state- and federal-level organizations’ programs and initiatives.
“There are highly specialized things to learn, especially about the ways AI is changing cybersecurity, that we need help teaching,” Susskind says. “The rate at which the field of cybersecurity is changing means that most academics will have a very hard time keeping up.”
A roadmap for improvement
Clinic students spend the first four weeks of the semester preparing for field assignments. A series of online modules, supplemented by class discussion, outline the scope and nature of cyberattacks against critical urban infrastructure; review the 23 risk areas most relevant to their type of clients; and provide guidance for each step of the assessment process. This includes simulations of tricky client interactions. What if clients don’t take students seriously, or fail to provide the necessary information? What if they argue to receive a more positive assessment than the facts warrant?
“I’ve never ever had a class that prepared us for such realistic scenarios before,” says Diego Contreras, a rising senior majoring in computer science and engineering who completed the course this spring.
The modules culminate in an exam students must pass on their first try to receive a field assignment. For the remainder of the semester, they’ll receive continued support via weekly class meetings and get faculty input on their drafted reports, but the onus is on students to coordinate their team’s activities and build client trust.
“You represent MIT, and that is quite the responsibility,” Contreras says. “This course has given me people skills I wouldn’t have developed in any other context.”
“The most delicate aspect of the project was balancing our assessment findings,” says Zev Moore ’26, who took the class last fall as a senior studying mathematical economics and finance. “Our approach was to provide important feedback while simultaneously validating the positive security measures our client already had in place, which ensured our report felt like a collaborative roadmap for improvement.”
Certain key recommendations show up in the majority of reports. For example, clients are advised to inventory all hardware and software tied into their network and track who has access; patch software and back up data regularly; require multi-factor authentication and frequent password updates; train employees not to open attachments from unknown parties; prepare an attack response plan that clarifies lines of authority and includes the organization’s stance on paying ransoms; and only use vendors with good cybersecurity hygiene.
“None of these items is costly,” Susskind says. “Together, they will probably avoid 80 percent or more of the possible cost and danger of cyberattacks.”
Spreading the model
To date, more than 120 students have completed the full course at MIT. The online modules that prepare students for certification are freely available to the public as a massive open online course on MITx called Cybersecurity for Critical Urban Infrastructure, which has attracted tens of thousands of learners. The modules are also used by universities with their own cybersecurity clinics — a growing cohort, thanks in part to a consortium (with 61 member institutions and counting) co-founded by MIT in 2021 with the University of California at Berkeley, Indiana University, and the University of Alabama.
Most student teams wrap up client work after finalizing their recommendations; a few have volunteered to stay on after semester’s end to advise on implementation. In either case, Susskind and Chun check in periodically with clients for at least two years following each engagement.
“We often hear of the vulnerability assessment report serving as the organization's blueprint for their short-term, mid-term, and long-term agenda to be more prepared for future attacks,” says Chun. “We primarily work with IT directors or chief technology officers, and many of them have been telling us post-engagement that they shared the MIT report with the city or town leadership and were able to convince them they needed extra budget or a specific line item. They were using the student report as leverage to say, ‘it’s not just me saying it. We have a credible team who dedicated their time and these are the findings.’
“It's really a humbling experience,” Chun adds, “when some of our past clients reach out to us again after some time to say: ‘Now we have different people, we just purchased new equipment. Can we do this all over again?’”
