RISCS Annual Report 2019
We are delighted to present the 2019 RISCS Annual Report. The Report brings you progress updates of the RISCS projects, ...
Read More
An Investigation of Security Conversations in Stack Overflow: Perceptions of Security and Community Involvement
Developers turn to Stack Overflow and other on-line sources to find solutions to security problems, but little is known about ...
Read More
Taking the Middle Path: Learning about Security Through Online Social Interaction
Abstract As software-intensive digital systems become an integral part of modern life, ensuring that these systems are developed to satisfy ...
Read More
An Anatomy of Security Conversations in Stack Overflow
Abstract As software-intensive digital systems become an integral part of modern life, ensuring that these systems are developed to satisfy ...
Read More
Talking about Security with Professional Developers
Abstract This paper describes materials developed to engage professional developers in discussions about security. First, the work is framed in ...
Read More
Hopefully We Are Mostly Secure: Views on Secure Code in Professional Practice
Abstract Security of software systems is of general concern, yet breaches caused by common vulnerabilities still occur. Software developers are ...
Read More
Ransomware and Reputation
Abstract Ransomware is a particular form of cyber-attack in which a victim loses access to either his electronic device or ...
Read More
To pay or not: game theoretic models of ransomware
Abstract Ransomware is a type of malware that encrypts files and demands a ransom from victims. It can be viewed ...
Read More
Legal and Regulatory Challenges of the Sharing Economy
This policy brief examines the issues raised by the emergence of huge companies such as Uber in the UK and ...
Read More
Online romance scams and victimhood
Abstract Online romance scams defraud dating website users of large amounts of money and inflict serious psychological harm. Victims of ...
Read More
Do You Love Me? Psychological Characteristics of Romance Scam Victims
Abstract The online dating romance scam is an Advance Fee Fraud, typically conducted by international criminal groups via online dating ...
Read More
Predicting susceptibility to cyber-fraud victimhood
Abstract Purpose – This paper develops a theoretical framework to predict susceptibility to cyber-fraud victimhood. Design/methodology/approach – A survey was ...
Read More
Error Detection and Recovery in Software Development
Abstract Software rarely works as intended when it is first written. Software engineering research has long been concerned with assessing ...
Read More
Motivated software engineers are engaged and focused, while satisfied ones are happy
César França, Helen Sharp, Fabio Q. B. da Silva Abstract Context – Motivation and job satisfaction are not the same thing, and ...
Read More
Models of motivation in software engineering
Helen Sharp, Nathan Baddoo, Sarah Beecham, Tracy Hall, Hugh Robinson Abstract Motivation in software engineering is recognized as a key success factor for software projects, but although there ...
Read More
Examining Active Error in Software Development
Tamara Lopez, Marian Petre, Bashar Nuseibeh Abstract Software rarely works as intended while it is being written. Things go wrong in ...
Read More
Watching You Watching Me: The Art of Playing the Panopticon
Lizzie Coles-Kemp, Alf Zugenmaier, Makayla Lewis Abstract As governments increasingly deliver services over the Internet, the opportunities for monitoring and surveillance of society ...
Read More
Who Am I? Analyzing Digital Personas in Cybercrime Investigations
Awais Rashid, Alistair Baron, Paul Rayson, Corinne May-Chahal, Phil Greenwood and James Walkerdine ABSTRACT The Isis toolkit offers the sophisticated capabilities ...
Read More
Sampling Labelled Profile Data for Identity Resolution
Matthew Edwards, Stephen Wattam, Paul Rayson and Awais Rashid Abstract Identity resolution capability for social networking profiles is important for ...
Read More
ECSEPA Map
Welcome to the UK Cyber Security Policy Making Interactive Map (time-stamped 1st May, 2019), part of the research project 'Evaluating ...
Read More
Uncertainty & Complexity in the Internet of Things: Analysis of the IoT Smart Family Workshop
On May 24, 2018, RISCS held a workshop in London that looked at highly complex decision-making. It followed on from ...
Read More
Cyber Metrics: Getting the conversation straight between technical and non-technical actors
On May 23, 2018, RISCS held a workshop in London that looked at the utility of cyber security metrics. The ...
Read More
RISCS Annual Report 2018
The 2018 RISCS Annual Report was released at the UK Cyber Security Research Institutes Conference in October 2018, and is available ...
Read More
Ethical and social challenges with developing autonomous agents to detect and warn potential victims of Mass-marketing fraud (MMF)
Monica Whitty, Matthew Edwards, Michael Levi, Claudia Peersman, Awais Rashid, Angela Sasse, Tom Sorell, Gianluca Stringhini ABSTRACT Mass-marketing frauds (MMFs) ...
Read More
RISCS Annual Report 2017
The RISCS Annual Report 2017 was released at the UK Cyber Security Research Institutes Conference in October 2017, and is ...
Read More
Modeling and analysis of influence power for information security decisions
Iryna Yevseyeva, Charles Morisset and Aad van Moorsel Abstract Users of computing systems and devices frequently make decisions related to information ...
Read More
Personality and Social Framing in Privacy Decision-Making: A Study on Cookie Acceptance
Lynne M. Coventry, Debora Jeske, John M. Blythe, James Turland and Pam Briggs Abstract Despite their best intentions, people struggle ...
Read More
Two-stage Security Controls Selection
Iryna Yevseyeva, Vitor Basto Fernandes, Aad van Moorsel, Helge Janicke and Michael Emmerich Abstract To protect a system from potential ...
Read More
Exploring the relationship between impulsivity and decision-making on mobile devices
Debora Jeske, Pam Briggs and Lynne Coventry Abstract Mobile devices offer a common platform for both leisure and work-related tasks, but this has ...
Read More
Combining Qualitative Coding and Sentiment Analysis: Deconstructing Perceptions of Usable Security in Organisations
Ingolf Becker, Simon Parkin and M. Angela Sasse Abstract Background: A person’s security behavior is driven by underlying mental constructs, ...
Read More
Towards robust experimental design for user studies in security and privacy
Kat Krol, Jonathan M. Spring, Simon Parkin and M. Angela Sasse Abstract Background: Human beings are an integral part of ...
Read More
“I don’t like putting my face on the Internet!”: An acceptance study of face biometrics as a CAPTCHA replacement
Kat Krol, Simon Parkin and M. Angela Sasse Abstract Biometric technologies have the potential to reduce the effort involved in ...
Read More
Applying Cognitive Control Modes to Identify Security Fatigue Hotspots
Simon Parkin, Kat Krol, Ingolf Becker and M. Angela Sasse Abstract Security tasks can burden the individual, to the extent ...
Read More
Productive Security: A Scalable Methodology for Analysing Employee Security Behaviour
Adam Beautement, Ingolf Becker, Simon Parkin, Kat Krol and M. Angela Sasse Abstract Organisational security policies are often written without ...
Read More
Social Learning in Systems Security Modelling
Tristan Caulfield, Michelle Catherine Baddeley and David Pym Abstract Usable Systems modelling can be used to help improve decisions around ...
Read More
Optimising time allocation for network defence
Tristan Caulfield and Andrew Fielder Abstract The presence of unpatched, exploitable vulnerabilities in software is a prerequisite for many forms ...
Read More
Decision support approaches for cyber security investment
Andrew Fielder, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin, Fabrizio Smeraldi Abstract When investing in cyber security resources, information security managers ...
Read More
Efficient Numerical Frameworks for Multi-objective Cyber Security Planning
Simon Parkin, Samy Driss, Kat Krol and M. Angela Sasse Abstract We consider the problem of optimal investment in cyber-security by an enterprise. Optimality is ...
Read More
An Exploratory Study of User Perceptions of Payment Methods in the UK and the US
Kat Krol, Muhammad Sajidur Rahman, Simon Parkin, Emiliano De Cristofaro and Eugene Y. Vasserman Abstract This paper presents the design ...
Read More
Better the Devil You Know: A User Study of Two CAPTCHAs and a Possible Replacement Technology
Kat Krol, Simon Parkin and M. Angela Sasse Abstract CAPTCHAs are difficult for humans to use, causing frustration. Alternatives have been ...
Read More
Assessing the User Experience of Password Reset Policies in a University
Simon Parkin, Samy Driss, Kat Krol and M. Angela Sasse Abstract Organisations often provide helpdesk services to users, to resolve any problems that they may ...
Read More
Discrete Choice, Social Interaction, and Policy in Encryption Technology Adoption
Tristan Caulfield, Christos Ioannidis and David Pym Abstract We introduce a model for examining the factors that lead to the ...
Read More
Barriers to Usable Security? Three Organizational Case Studies
Deanna D. Caputo, Shari Lawrence Pfleeger and M. Angela Sasse Abstract Usable security assumes that when security functions are more ...
Read More
RISCS Annual Report 2016 Published
The RISCS Annual Report 2016 was released at the UK Cyber Security Research Institutes Conference in October 2016, and is ...
Read More
An Inclusive, Value-Sensitive Design Perspective on Future Identity Technologies
Lisa Thomas and Pamela Briggs Abstract Identity technologies constitute one of the fastest growing areas for research and development, driven ...
Read More
Improving Security Policy Decisions with Models
Tristan Caulfield and David Pym Abstract A rigorous methodology, grounded in mathematical systems modeling and the economics of decision making, ...
Read More
A Bayesian Approach to Portfolios Selection in Multicriteria Group Decision Making
Michael T.M. Emmerich, André H. Deutz and Iryna Yevseyeva Abstract In the a-posteriori approach to multicriteria decision making the idea ...
Read More
Selecting Optimal Subset of Security Controls
Iryna Yevseyeva, Vitor Basto-Fernandes, Michael Emmerich, Aad van Moorsel Abstract Choosing an optimal investment in information security is an issue ...
Read More
Addressing Consumerisation of IT Risks with Nudging
Iryna Yevseyeva, James Turland, Charles Morisset, Lynne Coventry, Thomas Gross, Christopher Laing, Aad van Moorsel Abstract In this work we ...
Read More
Using IMUs to Identify Supervisors on Touch Devices
Ahmed Kharrufa, James Nicholson, Paul Dunphy, Steve Hodges, Pam Briggs, Patrick Olivier Abstract In addition to their popularity as personal devices, tablets, are becoming increasingly prevalent ...
Read More
Resiliency Variance in Workflows with Choice
John C. Mace, Charles Morisset, Aad van Moorsel Abstract Computing a user-task assignment for a workflow coming with probabilistic user availability provides a measure ...
Read More
Impact of Policy Design on Workflow Resiliency Computation Time
John C. Mace, Charles Morisset, and Aad van Moorsel Abstract Workflows are complex operational processes that include security constraints restricting ...
Read More
Modelling and Simulating Systems Security Policy
Tristan Caulfield and David Pym Abstract Security managers face the challenge of designing security policies that deliver the objectives required ...
Read More
Principles of Persuasion in Social Engineering and their Use in Phishing
Ana Ferreira, Lynne Coventry, Gabriele Lenzini Abstract Research on marketing and deception has identified principles of persuasion that influence human decisions. However, this ...
Read More
Social Media as a Resource for Understanding Security Experiences: A Qualitative Analysis of #Password Tweets
Paul Dunphy, Vasilis Vlachokyriakos, Anja Thieme, James Nicholson, John McCarthy, Patrick Oli Abstract As security technologies become more embedded into ...
Read More
Unpacking Security Policy Compliance: The Motivators and Barriers of Employees’ Security Behaviors
John M Blythe, Lynne Coventry, Linda Little Abstract The body of research that focuses on employees’ Information Security Policy compliance ...
Read More
Picking vs. Guessing Secrets: A Game-Theoretic Analysis
MHR Khouzani, Piotr Mardziel, Carlos Cid, Mudhakar Srivatsa Abstract Choosing a hard-to-guess secret is a prerequisite in many security applications ...
Read More
Nudging towards security: Developing an Application for Wireless Network Selection for Android Phones
James Turland, Lynne Coventry, Debora Jeske, Pam Briggs, Aad van Moorsel Abstract People make security choices on a daily basis ...
Read More
Quadcriteria Optimization of Binary Classifiers: Error Rates, Coverage, and Complexity
Date: June 18, 2015 Presented: EVOLVE 2015 - A Bridge between Probability, Set Oriented Numerics, and Evolutionary Computing, June 18-24 ...
Read More
Layered Graph Logic as an Assertion Language for Access Control Policy Models
M. Collinson, K. McDonald, and D. Pym
Matthew Collinson and Kevin McDonald Abstract We describe a uniform logical framework, based on a bunched logic that combines classical ...
Read More
Scaring and Bullying People into Security Won’t Work
Angela Sasse Abstract Users will pay attention to reliable and credible indicators of risks they want to avoid. Security mechanisms ...
Read More
On Missing Attributes in Access Control: Non-deterministic and Probabilistic Attribute Retrieval
Jason Crampton, Charles Morisset, Nicol Zannone Abstract Attribute Based Access Control (ABAC) is becoming the reference model for the specification ...
Read More
Captchat: A Messaging Tool to Frustrate Ubiquitous Surveillance
Paul Dunphy, Johannes Schöning, James Nicholson, Patrick Olivier Abstract There is currently a widespread uncertainty regarding the ability of citizens ...
Read More
Modelling User Availability in Workflow Resiliency Analysis
John C. Mace, Charles Morisset, Aad van Moorsel Abstract Workflows capture complex operational processes and include security constraints limiting which ...
Read More
Modelling and Simulating Systems Security Policy
Tristan Caulfield, David Pym Abstract Date: 2015 Published: Proceedings of the Eighth International Conference on Simulation Tools and Techniques (SIMUTOOLS ...
Read More
Comparing Decision Support Approaches for Cyber Security Investment
Andrew Fielder, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin, Fabrizio Smeraldi Abstract When investing in cyber security resources, information security managers ...
Read More
‘Shadow Security’ as a Tool for the Learning Organization
Iacovos Kirlappos, Simon Parkin, M. Angela Sasse Abstract Traditionally, organizations manage information security through policies and mechanisms that employees are ...
Read More
Strategic Discovery and Sharing of Vulnerabilities in Competitive Environments
M. H. R. Khouzani, Viet Pham, Carlos Cid Abstract We investigate the incentives behind investments by competing companies in discovery of their security vulnerabilities and ...
Read More
Cybersecurity Games and Investments: A Decision Support Approach
Emmanouil Panaousis, Andrew Fielder, Pasquale Malacaria, Chris Hankin, Fabrizio Smeraldi Abstract In this paper we investigate how to optimally invest in cybersecurity controls. We are ...
Read More
Sensible Privacy: How We Can Protect Domestic Violence Survivors Without Facilitating Misuse
Budi Arief, Kovila P.L. Coopamootoo, Martin Emms, Aad van Moorsel Abstract Privacy is a concept with real life ties and ...
Read More
Consumerisation of IT: Mitigating Risky User Actions and Improving Productivity With Nudging
Iryna Yevseyeva, Charles Morisset, James Turland, Lynne Coventry, Thomas Groß, Christopher Laing, Aad van Moorsel Abstract In this work we ...
Read More
A Decision Making Model of Behavior in Information Security
Iryna Yevseyeva, Charles Morisset, Thomas Groß, Aad van Moorsel Abstract Information security decisions typically involve a trade-off between security and productivity. In practical settings, it ...
Read More
Mental Models of Online Privacy: Structural Properties with Cognitive Maps
Kovila P. L. Coopamootoo & Thomas Groß Abstract Individuals usually build small-scale representation of reality to help them navigate their ...
Read More
A Formal Model for Soft Enforcement: Influencing the Decision-Maker
Charles Morisset, Iryna Yevseyeva, Thomas Groß, Aad van Moorsel Abstract We propose in this paper a formal model for soft enforcement, where a decision-maker is ...
Read More
A Tactile Visual Library To Support User Experience Storytelling
Makayla Lewis and Lizzie Coles-Kemp Abstract This paper presents an adult visual narrative stimulus (tactile visual library) that supports the ...
Read More
Network Situational Awareness: Sonification & Visualization in the Cyber Battlespace
Tom Fairfax, Christopher Laing and Paul Vickers Abstract This chapter treats computer networks as a cyber warfighting domain in which ...
Read More
Decision justifications for wireless network selection
Debora Jeske, Lynne Coventry and Pam Briggs Abstract A number of security risks are associated with the selection of wireless ...
Read More
Perceptions and actions: Combining privacy and risk perceptions to better understand user behaviour
Debora Jeske, Lynne Coventry and Pam Briggs Abstract Exploring the link between privacy and behaviour has been difficult, as many ...
Read More
A Year is a Short Time in Cyber-Space
Date: June 2014 Published: Industry & Parliament Trust Report: Cyber Security 2.0: Reflections on UK/EU Cyber-Security Co-Operation Publisher: Industry and Parliament Trust Publisher ...
Read More
SCENE: A Structured Means for Creating and Evaluating Behavioral Nudges in a Cybersecurity Environment
Lynne Coventry, Pam Briggs, Debora Jeske and Aad van Moorsel Abstract: Behavior-change interventions are common in some areas of human-computer interaction, but rare in the ...
Read More
What Usable Security Really Means: Trusting and Engaging Users
Abstract Non-compliance with security mechanisms and processes poses a significant risk to organizational security. Current approaches focus on designing systems that ...
Read More
Compositional Security Modelling: Structure, Economics, and Behaviour
Tristan Caulfield, David Pym and Julian Williams Abstract Security managers face the challenge of formulating and implementing policies that deliver their desired system ...
Read More
The Great Authentication Fatigue – And How To Overcome It
M. Angela Sasse, Michelle Steves, Kat Krol and Dana Chisnell Abstract We conducted a two-part study to understand the impact of authentication on employees’ behaviour ...
Read More
Resilience in Information Stewardship
Christos Ioannidis, David Pym, Julian Williams and Iffat Gheyas Abstract In this work we address the main issues of IT ...
Read More
Nudging for Quantitative Access Control Systems
Charles Morisset, Thomas Groß, Aad van Moorsel and Iryna Yevseyeva Abstract Whereas an access control system returns a decision, such as permit, deny or not-applicable, ...
Read More
I’ve Got Something To Say: The Use of Animation to Create a Meta-Story about Professional Identity
Makayla Lewis and Lizzie Coles-Kemp Abstract This paper presents a current experience animation as a way to present a co-produced ...
Read More
Game Theory Meets Information Security Management
Andrew Fielder, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin and Fabrizio Smeraldi Abstract This work addresses the challenge “how do we ...
Read More
Design for Trusted and Trustworthy Services: Why We Must Do Better
M. Angela Sasse Abstract When the first e-commerce services emerged in the late 1990s, consumer trust in online transactions was ...
Read More
Who Says Personas Can’t Dance? The Use Of Comic Strips To Design Information Security Personas
Makayla M. Lewis and Lizzie Coles-Kemp Abstract This paper presents comic strips as an approach to align personas and narrative ...
Read More
Picture This: Tools To Help Community Storytelling
Abstract This paper puts forward a qualitative storytelling study that explores user experiences within a community centre in the United Kingdom ...
Read More
Nudging whom how: IT proficiency, impulse control and secure behaviour
Debora Jeske, Lynne Coventry, Pam Briggs & Aad van Moorsel Abstract This paper considers the utility of employing behavioural nudges to ...
Read More
Are You Feeling It? The Use Of Comic Strips To Encourage Empathy in Design
Makayla Lewis and Lizzie Coles-Kemp Abstract This paper puts forward methods used to develop a current experience comic strip (CECS), ...
Read More
Learning from "Shadow Security": Why Understanding Non-compliance Provides the Basis for Effective Security
I. Kirlappos, S. Parkin, M. A. Sasse Abstract Over the past decade, security researchers and practitioners have tried to understand ...
Read More
Payoffs, Intensionality and Abstraction in Games
Chris Hankin and Pasquale Malacaria ABSTRACT We discuss some fundamental concepts in Game Theory: the concept of payoffs and the ...
Read More
Technology Should Be Smarter Than This!: A Vision for Overcoming the Great Authentication Fatigue
M. Angela Sasse Abstract Security researchers identified 15 years ago that passwords create too much of a burden on users ...
Read More
Security Policy Alignment: A Formal Approach
Wolter Pieters, Trajce Dimkov and Dusko Pavlovic ABSTRACT Security policy alignment concerns the matching of security policies specified at different ...
Read More
How Users Bypass Access Control – and Why: the impact of authorization problems on individuals and the organisation
Steffen Bartsch and M. Angela Sasse Abstract Many organizations struggle with ineffective and/or inefficient access control, but these problems and ...
Read More
Adding Insult to Injury
Jennett, Charlene; Brostoff, Sacha; Malheiros, Miguel; Sasse, M. Angela Abstract: To inspire confidence in consumer credit and improve outcomes for ...
Read More
“Comply or Die” is Dead: Long Live Security-Aware Principal Agents
Iacovos Kirlappos, Adam Beautement and M. Angela Sasse Abstract Information security has adapted to the modern collaborative organisational nature, and ...
Read More
Formalizing Physical Security Properties
Catherine Meadows and D.Pavlovic Abstract Although the problems of physical security emerged more than 10,000 years before the problems of ...
Read More
Too Close for Comfort: a study of the effectiveness and acceptability of rich-media personalized advertising
Miguel Malheiros, Charlene Jennett, Snehalee Patel, Sacha Brostoff and Martina Angela Sasse Abstract Online display advertising is predicted to make ...
Read More
Program Analysis Probably Counts
Alessandra Di Pierro, Chris Hankin and Herbert Wiklicky Abstract: Semantics-based program analysis uses an abstract semantics of programs/systems to statically ...
Read More