March 31, 2015 Papers now available online:
January 26, 2015 Papers now available online:
January 19, 2015 Important security conferences in The Netherlands
Workshop on the Economics of Information Security (WEIS), New Security Paradigms Workshop (NSPW) and International Conference on Computer Safety, Reliability & Security (SAFECOMP) are all organised in The Netherlands this year (see upcoming events).
January 18, 2015 Security-by-experiment for future grids
How do you set up security-aware pilots for new technologies? See "Experimenting with Incentives: Security in Pilots for Future Grids", joint work with Francien Dechesne and Dina Hadziosmanovic.
January 6, 2015 Cyber security as social experiment
Security-by-design or security-by-experiment? Read my New Security Paradigms Workshop paper, joint work with Dina Hadziosmanovic and Francien Dechesne, on the responsible deployment of security-sensitive technologies. The paper is based on Ibo van de Poel's paradigm of "new technologies as social experiments".
December 24, 2014 Security awareness testing on Dutch national radio
Today, I appeared on Dutch national radio in an item on security awareness testing. Suspicious USB sticks had been delivered to several companies, causing the police to issue a warning. In the end, it was unclear whether this was malicious or just a test, with the latter being the most likely. This emphasises the importance of informing the right people and following the right procedures in such tests.
December 2014 Dagstuhl Socio-Technical Security Metrics
The Dagstuhl seminar on Socio-Technical Security Metrics was excellent in terms of interdisciplinary discussions. Many follow-up activities are planned by participants and working groups.
October 8, 2014 Joop Bautz Award
Ruud Verbij won the Joop Bautz Information Security Award for his master's thesis on quantitative adversarial risk assessment of electronic voting systems. He also received the second prize in the NGI-NGN thesis contest.
August 2014 Accepted papers:
May 13, 2014 Papers now available online:
Reconciling malicious and accidental risk in cyber security.
Cost-Effectiveness of Security Measures: A Model-Based Framework.
Quantitative penetration testing with item response theory. (technical report, forthcoming in IAS 2013)
Defining "the weakest link": Comparative security in complex systems of systems.
Obligations to enforce prohibitions: on the adequacy of security policies.
April 12, 2014 I was program co-chair of the GraMSec workshop on graphical security models, April 12 in Grenoble, France. We had very interesting papers, a keynote lecture and discussion!
October 25, 2013 Quantitative penetration testing
Thus far, penetration testing has been used as a qualitative method, indicating whether certain attack scenarios are possible. Florian Arnold, Marielle Stoelinga and I propose methods for quantitative penetration testing, such that the results can be used in risk assessment. Florian will present the paper at the Information Assurance and Security (IAS) conference.
September 20, 2013 Finally: a formalisation of "the weakest link"
Ever heard the claim that humans are the weakest link in security? But how would one prove such a claim? In my paper "Defining 'The Weakest Link': Comparative Security in Complex Systems of Systems" I address this question. The paper will be presented at the Economics of Security in the Cloud (ESC) Workshop.
August 15, 2013 Dagstuhl seminar proposal accepted
The proposal for a Dagstuhl seminar on Socio-Technical Security Metrics, joint work with Dieter Gollmann, M. Eric Johnson, Vincent Koenig and Angela Sasse, has been accepted. The seminar will take place November 30 - December 5, 2014. The seminar is invitation-only, but expressions of interest are welcome (no guarantees).
July 1, 2013 Papers now available online:
Security policy alignment: A formal approach.
A move in the security measurement stalemate: Elo-style ratings to quantify vulnerability.
On thinging things and serving services: Technological mediation and inseparable goods.
Cyber Crisis Management: A Decision-Support Framework for Disclosing Security Incident Information.
Defining the Cloud Battlefield - Supporting Security Assessments by Cloud Customers.
June 19, 2013 Opinion on e-voting in the Netherlands
As requested by a Dutch commission on the possibility of re-introducing electronic voting machines, I've issued an opinion on e-voting (Dutch). The main point is that machine counting of paper ballots (optical scan) would be the preferred option. The previous minister launched experiments of this type, but the current minister stopped these.
December 18, 2012 New paper on cloud security
The paper "Defining the Cloud Battlefield - Supporting Security Assessments by Cloud Customers", joint work with Sören Bleikertz, Toni Mastelic, Sebastian Pape and Trajce Dimkov, has been accepted for the IEEE International Conference on Cloud Engineering (IC2E).
November 5, 2012 TREsPASS project has started
The consortium receives 10 million in funding for research into "attack navigators" to assess the information risks in complex systems.
October 23, 2012 And What If We Don't Predict the Next Hack?
Italian scientists jailed for not predicting an earthquake; how different is the prediction of information risks?
September 19, 2012 Paper presented at NSPW 2012
I presented the paper "A Move in the Security Measurement Stalemate: Elo-style Ratings to Quantify Vulnerability" on chess ratings for security, joint work with Sanne van der Ven and Christian W. Probst, at the New Security Paradigms Workshop, Bertinoro, Italy. Lots of positive reactions; now revising for the post-proceedings.
September 10, 2012 Keep smartphones out of the voting booth
Plain nonsense to some, a serious threat according to others. What is left of the secret ballot when everyone takes a picture and tweets it? Is the secret ballot merely a choice, or is it something that the government needs to enforce?
August 20-22, 2012 Moral emotions and risk politics
I presented my work on "The Personalisation of Risk" at this conference in Delft.
August 17, 2012 Stop sending me my own passwords!
Ok, service providers still don't get it. There are two kinds of passwords: those randomly generated, and those chosen by users. Now, the rule is very simple: never ever send a user-chosen password back to the user! First of all, you should have stored it encrypted/hashed, so you shouldn't even have it. Second, all channels used are potentially insecure, notably e-mail. If a user forgets a password, send her a new, randomly generated password instead, and don't remind users of their passwords just for convenience! Please, this is really basic stuff; there are security courses around these days.
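As an added example (not code from the original post), here is what that rule looks like in practice in Python: the service stores only a salted PBKDF2 hash of the user-chosen password, verifies a login by recomputing the hash, and handles "forgot my password" by issuing a fresh randomly generated password rather than echoing anything stored. The in-memory user store, the iteration count and the password alphabet are assumptions made for the illustration.

```python
# Added example, not from the original post: password handling that follows the
# rule "never send a user-chosen password back". Only salted hashes are kept, so
# the service could not return the original password even if it wanted to.
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: an illustrative PBKDF2 work factor; tune to your hardware.
PBKDF2_ITERATIONS = 310_000

# Constructed in-memory store: username -> (salt, hash). No plaintext anywhere.
_USERS: dict[str, tuple[bytes, bytes]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a per-user salt and the hash of the (possibly user-chosen) password."""
    salt = os.urandom(16)
    _USERS[username] = (salt, _hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Check a login attempt by recomputing the hash; the stored password is never recovered."""
    record = _USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def generate_temporary_password(length: int = 16) -> str:
    """A fresh random password from the OS CSPRNG; the only thing a reset may send out."""
    # Assumption: alphabet without look-alike characters (0/O, 1/l/I) for readability.
    alphabet = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reset_password(username: str) -> Optional[str]:
    """Replace the user's hash with that of a new random password and return the new one.

    The old password is not returned; only its hash ever existed on the server.
    """
    if username not in _USERS:
        return None
    new_password = generate_temporary_password()
    register(username, new_password)
    return new_password


def stored_record_is_hash_only(username: str) -> bool:
    """True when the stored record consists solely of raw salt and digest bytes."""
    record = _USERS.get(username)
    return record is not None and all(isinstance(part, bytes) for part in record)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify("alice", "correct horse battery staple"))
    temp = reset_password("alice")
    print("reset issued a new random password of length", len(temp or ""))
    print("old password still works:", verify("alice", "correct horse battery staple"))
```

The reset path is the point of the example: after `reset_password` the previously chosen password no longer verifies, the user receives only the new random value, and nothing in `_USERS` could be mailed back as "your password".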
August 13, 2012 New paper on Security Policy Alignment
The paper "Security Policy Alignment: A Formal Approach", joint work with Trajce Dimkov and Dusko Pavlovic, has been accepted for the special issue on Security and Privacy in Complex Systems of the IEEE Systems Journal. The paper formalises security policies in relation to multi-step attacks and attack trees in socio-technical systems, providing the foundations for existing and future attack-finding methods.
July 3, 2012 How to insure cyberspace?
ENISA recommends increasing the opportunities for cyber insurance. But do we actually have sufficient data on the associated risks of cyber attack, and the value of the information involved?
June 18-20, 2012 CESUN conference
The paper "Preventing system abuse by service composition", joint work with students Sebastian Banescu and Simona Posea, has been presented at the Third International Engineering Systems Symposium in Delft. Layla AlAbdulkarim and I also organised a lively debate on Smart Grid Security and Privacy.
June 8, 2012 Chess ratings for security
The paper "A Move in the Security Measurement Stalemate: Elo-style Ratings to Quantify Vulnerability", joint work with Sanne van der Ven and Christian W. Probst, has been accepted for the New Security Paradigms Workshop 2012.
June 4, 2012 Another great example of risk reasoning
Technisch Weekblad quotes a German study claiming that meltdown rates of nuclear plants are about 200 times higher than previously estimated. The evidence: 4 meltdowns in the past decades, of which 3 (!) in Fukushima. This really reminds me of the Eyjafjallajökull-Katla statistics: the previous 3 eruptions of Eyjafjallajökull have been followed by Katla eruptions, so Katla "usually" erupts after Eyjafjallajökull. Come on people, you can't reliably estimate failure rates with n=3 or n=4!
May 2012 New project on Smart Grid Vulnerability
The project proposal "Kwetsbaarheid Intelligente Distributienetten" (Vulnerability of Intelligent Distribution Networks) has been accepted within the Empowering Networks call of the Next Generation Infrastructures programme. The project is a collaboration between TU Delft and network operator Alliander. The project is expected to start this fall.
March 28, 2012 Visit to Cologne University of Applied Sciences
I visited the Web Science program of Cologne University of Applied Sciences, for which I've been teaching an online course on Computer Ethics.
February 23, 2012 PhD defense Trajce Dimkov
Trajce Dimkov defended his PhD thesis at the University of Twente, on socio-technical security models in relation to socio-technical penetration testing.
February 17, 2012 "Stealing for Science" in the news
Our laptop theft experiments have made the national TV and radio (even in the face of other breaking news). Congratulations especially to Trajce Dimkov and his students, who did the bulk of the work.
February 13, 2012 Critical infrastructures ARE being hacked
With the hack of the Dutch telecommunications provider KPN, we have learnt again that almost everything can be hacked with sufficient efforts. There will inevitably be unpatched systems or unaware employees. And if telecommunication providers can be hacked, the same holds for energy suppliers.
February 1, 2012 Majority for e-voting
It seems that a majority in Dutch parliament is in favour of new experiments with e-voting. Of course, the solution should be hacker-proof... Wisely, the minister only took up (finally!) our suggestion to put effort into a machine-readable physical ballot instead. This avoids problems with duplicate registrations of votes in case voting computers would be augmented by a so-called "paper trail".
January 31, 2012 Virtual items can be stolen
The Dutch Supreme Court ruled that virtual items in computer games are goods that can be stolen, as it requires effort to obtain or create them, and they are under exclusive control of the owner.
January 17, 2012 EU project proposal TREsPASS submitted
A project proposal entitled "TREsPASS: Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security" has been submitted to FP7-ICT-2011-8.
December 15, 2011 Best paper award for André van Cleeff
The paper "Realizing Security Requirements with Physical Properties" by André van Cleeff, Trajce Dimkov, Wolter Pieters and Roel Wieringa received the Best Paper Award in the International Conference on IT Convergence and Security 2011 held in Suwon, Korea.
December 4-9, 2011 Dagstuhl in the Cloud
I co-organised the Dagstuhl seminar on Secure Architectures in the Cloud. The report of the intensive discussions will be available soon.