Our research topics take advantage of the CDT's interdisciplinary nature to tackle major challenges in many different areas of cyber security. Below are some sample areas of research. These are not the only topics we supervise, but they do demonstrate the range of research areas we cover.
Note that applicants need not have a specific project to apply for the CDT, as a research project can be determined towards the end of the first year of the programme.
Please also note that advertised projects are sample projects and prospective applicants are not required to apply to one of the advertised projects, but are welcome to discuss broader research interests with the academic named in the advert - and/or to apply with their own research proposal.
Understanding cyber security risk behaviour of Generation Z
Research has shown that adolescents are more likely to make risky decisions and are more likely to be influenced by peers. Importantly, the current generation of adolescents (Generation Z; born between 1997 and 2012) is viewed as having been raised on the internet and social media, and as one of the most tech-savvy generations. However, the media and internet security companies (e.g., McAfee) report that although adolescents say they are aware of cyber security risks such as hacking and phishing scams, they do not act in accordance with this awareness; for example, they post confidential insights which can pose security risks and share personal information online.
Further, a recent study by Donegan (2020) found that Generation Z employees are more likely to experience security-related issues (on average 4 per week) in comparison to employees older than 45 years old (on average 1 per week), with issues focussed around passwords and technology issues. Moreover, these younger employees were found to be more likely to make poor decisions when browsing websites (clicking to proceed to flagged insecure sites, revisiting sites where known hacks had previously occurred) and to have a poor understanding of tracking mechanisms (31% of 18- to 24-year-olds did not understand what “accept cookies” means). These findings may relate to a lack of awareness and training for Gen Z, and they are alarming given the time that Gen Z spend online: a recent Pew report (2018) found that 95% of US teens report having a smartphone and 45% report being online almost constantly, and a recent Ofcom report (2020) supports this, with almost all UK adolescents surveyed owning their own smartphone from age 15. In fact, a recent JISC (2018) report highlights that Higher Education organisations have decreased cyber security training for their students (many of whom are Generation Z; 3% had compulsory training, 38% optional training, 51% no training in 2017). However, the phenomenon may also be related to what we know about adolescents’ development; adolescence is now considered to range from 10 years to 24 years and is a period where the brain is continuing to develop until 24 years, which has been linked to risky decision making and the importance of peer acceptance.
Given the above information, it is important for us to better understand how adolescent development may link to cyber security behaviours using an interdisciplinary approach. The supervision team includes Prof Watling (Psychology) and Dr Mersinas (Information Security). We are looking for a candidate with an interest in exploring risk taking behaviours of adolescents (Gen Z) online and the impact of such behaviours for cyber security risks and incidents. Potential candidates may be interested in approaching the topic a) from a risk attitude and behaviour perspective, b) from a security awareness training perspective, or c) from a combination of both (a) and (b).
We seek applicants with an interest in cyber security who have a social science background (e.g., undergraduate degree in the field of Psychology, Criminology, Sociology, Politics and IR, Human Geography). Ideally, applicants will have a good statistical background, understanding of research methods (e.g., qualitative and quantitative), and an understanding of adolescent development.
Questions may be directed to Prof Watling (Psychology) and Dr Mersinas (ISG).
Ethnographic explorations of security needs and practices in protests
The Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway University of London seeks to recruit a PhD student to explore the security needs and practices of participants in protests.
How is trust established - and with whom?
What security expectations are held within protest groups and how do they manifest themselves?
How does onboarding work?
What role(s) do security technologies play within protest groups? How are concerns over infiltration of networks considered and voiced?
In dynamic protest settings, responses to these questions are likely to be shaped and continuously re-shaped over time, making extended and immersive ethnographic fieldwork a particularly useful research approach. With an emphasis on collective action and shared security goals, it is expected that the ethnographic fieldwork will explore the mundane social, political, spatial and cultural notions that underpin large-scale protests and related information security needs and practices. Moreover, it will study how technologies facilitate collective action and engage with participants through on-the-ground observation and engagements, during protests and related activities.
This project complements existing work in the Ethnography Group (https://ethnography.isg.rhul.ac.uk) within the Information Security Group at Royal Holloway. The Ethnography Group was established in September 2022 and comprises researchers with distinct interests in using ethnographic approaches to unearth information security needs among populations with no institutional representation. Current work by members of the Ethnography Group includes exploring how information security is experienced and practised among domestic workers in Nigeria, within single-parent households in Thailand, in post-conflict societies and among activist and protest networks, to name a few.
Applicants should have an interest in information security but come from a social science background, with at least an undergraduate degree in a field cognate to Anthropology, Human Geography, Sociology or Science and Technology Studies. Ideally, applicants will have experience in conducting ethnographic fieldwork, engaging in participant observation and/or collecting and analysing qualitative data. Prospective applicants are welcome to discuss with Dr Rikke Bjerg Jensen.
Privacy-Preserving Applications based on Secure Multi-Party Computation
The Centre for Doctoral Training in Cyber Security for the Everyday seeks to recruit a PhD student to work on practical privacy-preserving applications based on secure multi-party computation (MPC).
Multi-party computation (MPC) protocols enable two or more parties to securely compute functions over private inputs. Such cryptographic protocols can also be used to distribute the trust that is usually required when outsourcing computation to a third party. Therefore, MPC has been proposed as a privacy-enhancing technology for a variety of applications, for example, to enable privacy-preserving machine learning in the cloud.
Unfortunately, applying existing MPC protocols to new use cases often results in an impractical overhead in terms of computation and communication. Also, the development and deployment of MPC-enabled applications poses a significant challenge for software engineers because MPC compilers so far are fairly limited and the back-end implementations of MPC protocols are mostly research prototypes.
The goal of this project is to improve the performance and usability of MPC for real-world applications that process sensitive data. This could include, but is not limited to, a) designing new or optimizing existing MPC building blocks, b) proposing custom MPC protocols for highly relevant and common functionalities, and c) supporting software developers with enhanced automation for building and deploying MPC-enabled applications.
The Information Security Group (ISG) at Royal Holloway has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption and applications of secure computation.
Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact Dr Christian Weinert to discuss the project.
Cybersecurity and Privacy in Female-oriented Technologies (FemTech)
This project will examine cybersecurity, privacy, bias and trust in female-oriented technologies (FemTech). FemTech is a term applied to a category of digital technologies (apps, IoT devices, etc.) focusing on women's health, e.g. in menstruation, nursing, sexual and reproductive health. FemTech apps have millions of users and the FemTech market is significant (estimated to be an over $75-billion industry by 2025). By processing user data, e.g. via AI and ML, FemTech assists in managing women’s health and gives scientists more insight about people’s bodies. However, there is a lack of clarity in the law (e.g. GDPR) and in industry practice in relation to this extremely sensitive data on different levels, i.e. user consent, third-party sharing, and algorithmic bias, which may lead to the data being used for malicious purposes.
Previous work demonstrates the poor security and privacy practices of the industry, e.g. how the majority of fertility apps start tracking the user right after the app is opened and before any user consent, and how new IoT sensors can put users at serious risk by collecting a wide range of intimate and sensitive data about them, particularly when the risks are viewed through a differential vulnerabilities lens. Yet user perception and protective behaviour fall far short of the actual risks. The project’s aim is to evaluate the security and privacy of such systems and co-design (with users and other stakeholders) the new generation of FemTech solutions, allowing users to improve the quality of their lives without fear and risk.
This project takes its novelty by bringing a critical approach into the engineering processes of developing FemTech solutions via studying systems and engaging with the end-users (and other stakeholders) as co-designers. This project will achieve its aims by:
· Evaluating the security and privacy of FemTech by carrying out research on several aspects of the ecosystem e.g., web apps and APIs, mobile apps, sensors, networks, cloud architecture and configuration, source code analysis, hardware and firmware, as well as analysing the tracking practices and privacy notices according to the law e.g. GDPR for special category data and other related regulations.
· Investigating user perception and practice via conducting large-scale user studies (e.g. Prolific) and focused group workshops and interviews for co-designing future solutions, as well as studying socio-technical bias and trust in data, algorithms and AI systems via studying datasets and algorithms using and improving ‘fairness metrics’.
· Informing the design and implementation of the next generation of the FemTech solutions in a privacy-preserving, secure, safe, and fair way.
We welcome applications from students with an interest in usable security and privacy projects with a background in computing science, engineering or a very closely related discipline. The student will receive training in security and privacy analysis as well as user studies and co-design activities. We have been working with the FemTech industry for years and will provide the student with networking opportunities to deliver an impactful project.
Please contact Dr Maryam Mehrnezhad to discuss further.
References:
1. Mehrnezhad, Shipp, Almeida, Toreini, Vision: Too Little too Late? Do the Risks of FemTech already Outweigh the Benefits? EuroUSEC’22.
2. Mehrnezhad, Almeida, Caring for Intimate Data in Fertility Technologies, ACM CHI’21.
3. Mehrnezhad, Coopamootoo, Toreini, How Can and Would People Protect from Online Tracking? PoPETS’22.
4. Coopamootoo, Mehrnezhad, Toreini, Individuals’ Feelings about Online Tracking and their Protective Behaviour across Gender and Country, Usenix Security’22.
Digital security standardization and great power competition
The Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway seeks to recruit a PhD student who will explore how international security standardization is constructed and how it influences digital development and geopolitical dynamics. This project will potentially be conducted in partnership with the Royal United Services Institute (RUSI).
International standards are highly influential in establishing norms and best practice in cyber security, from both a governance and technological perspective. A wide range of international standardization bodies oversee security standards development, including those with general oversight such as ISO, technology-specific bodies such as the Internet Engineering Task Force (IETF), sector-specific bodies such as ETSI for telecommunications, and globally influential national bodies such as the US National Institute of Standards and Technology (NIST).
Many international standardization efforts are co-constructed by a range of stakeholders, who may have both common and competing agendas. Historically, the US has played a leading role in the development of many international security standards. However, China has been increasingly making its presence felt in terms of international standard setting in digital markets – aided and abetted by sheer economic-technological size, industrial capacity and determined leadership to shape technological evolution. The 2021 national strategy for standards followed up by a 2022 Action Plan illustrates that China has considerable ambitions leading up to 2035.
The project will investigate the historic and continued development of digital security standardization and examine key issues, which might include:
· An analysis of the geopolitics behind the emergence of historically influential security standards.
· The geopolitical dynamics behind the current international digital security standardization landscape.
· The manner in which the US and EU respond to increased competition over digital security standards and how and where it makes itself manifest.
· How digital standards will shape the capacity of foreign companies and other stakeholders to operate in markets such as China.
· How standards help to co-constitute geopolitical and digital power and the manner in which public and private stakeholders are embroiled in it.
We seek applicants who have an interest in cyber security but come from a social science or humanities discipline, with at least an undergraduate degree in a field cognate to Human Geography, Politics and IR, Science and Technology Studies, or Digital Humanities. Ideally, applicants will have experience in the collection, handling and ethical treatment of qualitative data, and experience of research methodologies such as ethnography and participant observation, semi-structured interviews, policy and documentary analysis. Applications are welcome from those who have had experience of working in relevant professional or policy-related fields.
Please contact Prof Keith Martin or Prof Klaus Dodds to discuss further.
Evil Digital Twins - Combinatorial Structures over Sparse Graphs
The existence of certain structures or properties of sparse graphs and their efficient algorithmic identification or approximation presents interesting challenges where these are finite.
Exploring the links between the efficient algorithmic identification of structures or constructions and almost-everywhere agreement protocols that have been studied since work by Dwork, Peleg, Pippenger and Upfal offers an interesting perspective when considering not only random schemes. This work is to be informed by the increasingly pressing use of "Digital Twins" relying on adaptable communication structures to allow the representation and ultimately modelling, control, and optimisation of operations, particularly of cyber-physical systems.
Successful applicants should have a background in mathematics, computer science, or a closely related discipline; candidates may have the opportunity to collaborate with and visit a research group in this area at NTNU, Norway as part of their studies. Questions may be directed to Prof. Stephen Wolthusen.
Applications of Time and Delay in Cryptographic Protocols
The Centre for Doctoral Training in Cyber Security for the Everyday seeks to recruit a PhD student to work on applications of time and delay in cryptographic protocols.
The concept of delay has proved to be very useful in security protocols. Indeed, there are several primitives in the cryptographic literature that have considered the component of time and delay in order to offer additional security guarantees.
For instance, time-lock puzzles (TLPs) and timed-released crypto schemes allow you to encrypt a message to the future. Furthermore, proof of work schemes and verifiable delay functions (VDFs) have been designed so that it can be shown that a specific delay has occurred. These primitives can enhance the fairness of cryptographic protocols, and have found applications in the decentralised setting, e.g., for use in randomness beacons.
There are still some exciting challenges in this area of research. For instance, a) the performance and usability of some of these primitives need to be improved, b) there is a need to diversify the security assumptions underpinning their security, in order to be quantum-safe, and c) there is a need to reduce, if not remove, the reliance on some trust assumptions, since many applications are in the decentralised setting.
The goal of this project is to explore one or more of these challenges, contributing to a very active area of research.
The Information Security Group (ISG) at Royal Holloway has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption and applications of secure computation.
Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact Dr Elizabeth Quaglia to discuss the project.
Ethnographic explorations of information security at the margins
The Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway University of London seeks to recruit a PhD student to explore how information security manifests at the margins of societies, using ethnographic methods of inquiry.
Grounded in ethnography, this project explores how information security is understood, negotiated, shaped and practised among people living and/or working at the margins of societies. More specifically, it engages the often hidden, unvoiced and/or marginalised groups and communities not generally considered in the design of security technologies. 'The margin' is loosely defined and can be understood in cultural, economic, geographical, occupational or social terms. As such, the PhD can take multiple directions, engaging a diversity of groups, communities and/or specific sites of study. Ethnography is uniquely placed to uncover information security needs and practices through extended field studies, driven by immersion and observation with and within the groups it aims to understand. It enables long-term explorations of, for example, what security looks and feels like for the groups under study; how security is experienced and voiced and how it is negotiated and shared between group members; how security technologies are used and for what purpose within groups; and what security expectations are held within groups and how they manifest themselves, as well as the socio-materiality of their existence.
This project complements existing work in the Ethnography Group (https://ethnography.isg.rhul.ac.uk) within the Information Security Group at Royal Holloway. The Ethnography Group was established in September 2022 and comprises researchers with distinct interests in using ethnographic approaches to unearth information security needs among populations with no institutional representation. Current work by members of the Ethnography Group includes exploring how information security is experienced and practised among domestic workers in Nigeria, within single-parent households in Thailand, in post-conflict societies and among activist and protest networks, to name a few. We seek PhD students to collaborate on, contribute to and extend this body of work. Applicants should thus have an interest in information security but come from a social science background, with at least an undergraduate degree in a field cognate to Anthropology, Human Geography, Sociology or Science and Technology Studies. Ideally, applicants will have experience in conducting ethnographic fieldwork, engaging in participant observation and/or collecting and analysing qualitative data.
Prospective applicants are welcome to discuss with Dr Rikke Bjerg Jensen.
Automating Cyber Security?: Models, Environments and the (Geo)Political
The Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway University of London seeks to recruit a PhD student to explore the role that computer models and environments play in ‘automating’ responses to cyber security and their (geo)political implications.
More automated – or even autonomous – techniques that reportedly respond to threats, address vulnerabilities, and improve resilience are becoming increasingly prominent across a range of arenas. Such automation requires the production of computer models and environments that have become part of everyday (geo)political contestation in various places. Whether through models and environments to enhance the detection of malware and threats in commercial settings, to verify identity to government systems, or through the provision and deployment of cyber ranges or the construction of ‘digital twins’ in militaries and engineering, they are all part of the everyday practice of contemporary cyber security.
Such use of models and environments affects how people understand and respond to the world, which can have significant (geo)political effects. This ranges from geopolitical assessments of the adversarial behaviours of states, the ‘optimisation’ of cyber operations, to the political and ethical implications of denying access to differently positioned individuals and communities to critical state services. Flexibility over the cases chosen and aims will be supported – but may include questions such as, how do models and environments become interwoven into (geo)political decision-making? How do certain recursive machine learning algorithms become embedded into models and environments? How, why and when do the environmental assumptions transform a model’s ‘outputs’? And when are there moments for (geo)political reflection and scrutiny?
This project then seeks to explore and interrogate how such models and environments are built, negotiated, and used. It is expected that the candidate will engage in an inventive use of predominantly social science methodologies tailored by the candidate’s skills and interests, such as ethnography and creative workshops, to quantitative methods as necessary. Applicants should have an interest in cyber security, with an undergraduate degree in a field cognate to Anthropology, Human Geography, Sociology or Science and Technology Studies with an ambition to engage in some technological detail. Applicants with other backgrounds are encouraged with an expectation that they will engage in social science methods.
Prospective applicants are welcome to discuss with the project supervisor, Dr Andrew Dwyer.
Formal Security Analysis of Cryptographic Protocols
Cryptographic protocols are distributed algorithms that allow entities to perform security-related functions over a (potentially untrusted) network. Such protocols are ubiquitous, and their security is essential to almost any IT system.
It is quite challenging to create secure protocols as even small non-obvious mistakes can have fatal consequences. For example, the (very simple) Needham-Schroeder key exchange protocol contains a severe security flaw that went unnoticed for 17 years. For modern security protocols, such as TLS, it is even harder to ensure security. These protocols tend to be much more complex and are typically embedded into environments that introduce their own quirks and subtleties.
Formal methods provide a systematic way to perform comprehensive analyses of such protocols concisely and rigorously. They allow us to specify security goals precisely and enable us to prove that a protocol indeed guarantees such properties. Using this approach, we can find attacks (if a proof fails), develop fixes, and formally verify whether our fixes are sufficient. Moreover, we can even exclude unknown classes of attacks on the systems we analyse.
Although this field has been quite active in research for several decades now, there are still many open research questions to answer: existing tools and approaches often struggle with analyses of complex protocols. Proofs are often quite laborious and are susceptible to human errors. Furthermore, modern environments such as Web, Mobile, and IoT also introduce their own complexity and pitfalls and blend into each other, creating new subtleties which can be an additional source of security issues. Hence, we need to develop new methods and techniques to tackle this complexity, mechanise and automate such security analyses to a greater extent, and take the characteristics of modern environments into account.
We are looking for applications from highly talented candidates with a background in computer science, information security, mathematics, or a related field interested in logic, proofs, and formal analysis techniques. We value strong analytical skills and solid programming knowledge. Prospective applicants are welcome to discuss with Dr Guido Schmitz.
Making Security Sustainable
Aims: Propose and develop methods that help make security more sustainable.
Background: Currently, when we think of sustainability in security, models such as “planned obsolescence” and “security as a service” may spring to mind. However, very little work has been done to understand what makes security sustainable in the first place. For instance, to what degree do concepts such as durability, agility, autonomy, resilience and robustness of systems interact? Furthermore, what are the direct and indirect effects of implementing sustainable security? The purpose of this PhD is to investigate characteristics that make cyber security sustainable. Examples include, but are not limited to, understanding the relationship between technical and non-technical aspects of security such as patching, system monitoring, intrusion detection, system hardening, security policies, etc. The purpose of this work is to investigate whether such a term is meaningful in the context of cyber security, and whether it ought to be formalised as a set of principles, guidelines, a framework (such as a maturity model), a text definition, or by making use of formal methods, depending on the student’s skills and experience.
Prerequisites: This can be a computer science driven project or a software engineering driven project, and the project should have an awareness of the wider social, economic and political issues that frame sustainable cyber security. We would expect the student to have a strong background in programming and software development using languages such as Python, Java or C/C++ and some background in requirements gathering and analysis. For the social science part, we expect students to have a background in conducting questionnaires, interviews, focus groups, user studies and ethnographic studies. Ideally, the student will have an interest in hypothesis testing using tools such as SPSS (but this is not a requirement).
Early activities: A report describing the state of the art in security and sustainability; a clear work plan describing the set of tests to be performed, tools to be implemented and classes of techniques to be proposed and studied.
Research: The student will be free to tackle the problem as they see fit with guidance from the supervisors. We expect to see either some practical tools development to study the sustainability of security in systems, or studying of how people perceive concepts related to sustainability of security in real world systems. Around the midway point, we would expect the formulation of key (testable) hypotheses to eventually lead to a framework that developers, policy makers and other organisation stakeholders can use to improve sustainability of security in ICT systems and organisations.
Suggested Reading:
There is very little available on this topic. Ross Anderson has a few works on the subject: https://www.cl.cam.ac.uk/~rja14/ , but otherwise most of the work in this area focuses on related topics such as resilience and robustness of systems, including:
- Julia Allen. Measures for managing operational resilience. Technical report, 2011.
- Julia Allen, Pamela Curtis, Nader Mehravari, Andrew Moore, Kevin Partridge, Robert Stoddard, and Randy Trzeciak. Analyzing cases of resilience success and failure - a research study. Technical report, Carnegie Mellon University, Software Engineering Institute, 2012.
- Richard A Caralli, Julia Allen, and David W White. CERT resilience management model: A maturity model for managing operational resilience. Addison-Wesley Professional, 2010.
- Deborah Bodeau and Richard Graubart. Cyber resilience metrics: Key observations. Technical report, 2016.
- Ronald J Brachman, Richard E Fikes, and Hector J Levesque. Krypton: A functional approach to knowledge representation. Computer, (10):67–73, 1983.
- Linkov and Trump. The science and practice of resilience. 2019.
Prospective applicants are welcome to discuss with the project supervisor, Dr Jassim Happa.
Cyber Security and International Relations: Conceptualising the Threat
This project analyses cyber security threats within the context of International Relations (IR). Despite the global nature of cyber threats, scholars working within cyber security fields and IR often do not speak to each other on what they understand the threats to be and the most effective means to address them, including through national and international policies.
This interdisciplinary project will apply qualitative social science methods to bring these different perspectives together in order to more fully explore cyber threats and the international measures that are adopted to control them. In particular, the project will explore how those threats are conceptualised. How does our conceptualisation of cyber threats differ across different disciplines and how does this then relate to our response and policy construction?
The student will have scope to focus on any specific threats they wish to specialise in and the aspects of IR that they wish to apply in their analysis. Possible areas of study, however, include: how certain cyber threats are defined relative to others e.g. as weapons of mass destruction; analysing the effectiveness of specific historical or current international policy and treaties; and how certain institutions understand and respond to the threat e.g. United Nations.
A background in IR is recommended.
Prospective applicants are welcome to contact Dr Michelle Bentley to discuss the project.
Protecting Users from Online Intimidation and Coercion
The Centre for Doctoral Training in Cyber Security for the Everyday seeks to recruit a PhD student to work on developing cryptographic techniques to help protect users from online intimidation and coercion.
Interaction with digital technologies is becoming a considerable aspect of our everyday lives: online, we communicate with each other through messaging systems, we express opinions in fora, we bid for purchases, we rate services, we vote. As the complexity of such interactions and the data we release increases and becomes more nuanced, so does our expectation of privacy.
Standard encryption can provide data privacy, but it cannot guarantee freedom in expressing our choices online in settings where we are intimidated or threatened by a coercer, who may require us to reveal all that we transmit online or force us to express a different choice, whilst monitoring the communication channel.
Cryptographers have considered the need for such an advanced privacy requirement, and have proposed the notion of coercion resistance to address this. In particular, coercion resistance has been studied in the multi-party computation (MPC) literature (under the name of incoercibility), and has been the object of intense research in the context of e-voting.
Unfortunately, the state of the art in the area consists of a plethora of related concepts, and solutions so far are based on a wide spectrum of assumptions, from restricting the moment in which coercion can occur to requiring untappable and anonymous channels. As a result, the cryptographic landscape of coercion resistance presents itself as extremely cluttered.
The goal of this project is to develop a thorough understanding of the notion of coercion resistance and to design tools and techniques that protect users from online intimidation and can be integrated into real-world systems.
The Information Security Group (ISG) at Royal Holloway has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption and applications of secure computation.
Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact Dr Elizabeth Quaglia to discuss the project.
Secure Coded Caching
Individual and Cultural Dimensions of Security Behaviour
Humans play a significant role in security incidents in two ways: on the one hand, human error can cause security incidents; on the other hand, the way people behave with regard to security can minimise the probability and impact of such incidents. The components which influence individuals’ secure behaviours, however, constitute an open question in the field. These components span both the individual level and the environment (i.e., the context level within which individuals operate).
The individual level includes dimensions like personality, knowledge, skills, security awareness, prior experience with security incidents, and demographic factors. The contextual level, by contrast, includes the dimensions of national culture, industry type, and organisational security culture. All these dimensions have been shown to influence individuals’ secure behaviour.
Identifying the relative influence of the various individual and context-level variables in security behaviour has important implications for individuals, organisations, and societies and can inform security awareness training campaigns, education, communication, and security incident response. Insights can allow these approaches to be tailored at the individual, organisational, sector, and cultural levels.
We have a data sharing agreement with one of the biggest organisations in the world providing security awareness training across different countries. The successful applicant can benefit from a collaboration with a team of researchers within that organisation.
We are looking for applicants with a strong statistical background and experience in empirical research. Prior knowledge of information / cyber security is not essential. Dr Konstantinos Mersinas (Information Security, RHUL), Prof Dawn Watling (Psychology, RHUL). For further details please contact Dr Konstantinos Mersinas.
Securing Sensors in Insecure IoT
Ubiquitous sensing through IoT has already revolutionized the way we interact with each other and our environment. IoT devices have a multitude of sensors such as Bluetooth and NFC, motion and ambient sensors, and have applications on various platforms such as mobile, wearables, and smart environments (buildings, roads, etc.). While this is exciting, it is also an opportunity for hackers to steal and exploit sensitive information for their individual or organisational advantage.
The current safeguarding methods do not stop sensors from recording, processing and broadcasting sensitive information. This sensor information leakage happens without users’ permission or notification most of the time. The problem is further exacerbated when the sensor, hardware and software resources come from different vendors, each with its own set of privacy and security policies. Securing IoT environments and devices is challenging due to various factors, including the computational limitations of such platforms and devices, the lack of input and output devices (e.g., monitor and keyboard) for classic security mechanisms (such as passwords), and the lack of physical access in certain applications, e.g., industrial IoT or medical IoT devices in people’s bodies. Current protection mechanisms are expensive, operate only at the hardware or software level, and are often limited to certain products from specific manufacturers. This leads to high security and safety costs in heterogeneous IoT configurations.
This project aims to find novel alternative solutions for securing IoT environments by exploring the capability of sensors on IoT devices and the current landscape of IoT sensor security, performing attacks and developing low-cost mechanisms to protect the usage of sensors and the generated data in insecure IoT platforms. More specifically, this project aims to:
- Study the protection mechanisms in current sensor-based IoT platforms, and classify their security features, potential vulnerabilities, functionality and usability, and cost of implementation.
- Perform security attacks via IoT sensors including side-channel, fingerprinting, and tracking attacks.
- Develop cost-effective proof-of-concept systems for security purposes such as pairing devices and authentication in IoT environments based on sensor data including calibration.
Each year, millions of unsecured sensor-enabled IoT devices are shipped into people’s lives and used by children, adults, the elderly, and people with special needs, e.g. in care homes and medical settings. By securing these sensors, we can offer more reliable products to end-users, enabling them to benefit from plenty of useful applications which will improve their quality of life without risk and fear.
We welcome applications from students with an interest in system security projects with a background in computing science, engineering or a very closely related discipline. The student is expected to have a background in mobile and IoT programming and will receive training in sensor, mobile, and IoT security.
Please contact Dr Maryam Mehrnezhad to discuss this further.
References:
[1] Gray, Mehrnezhad, and Shafik. SenSig: Practical IoT Sensor Fingerprinting Using Calibration Data, Security Standardisation Research (SSR), IEEE Euro Security & Privacy Workshops (EuroS&PW), 2022.
[2] Mehrnezhad, Toreini, Shahandashti, and Hao. Stealing PINs via Mobile Sensors: Actual Risk vs User Perception, Springer International Journal of Information Security, 2018.
[3] Mehrnezhad, Toreini, Shahandashti, and Hao. TouchSignatures: Identification of User Touch Actions and PINs based on Mobile Sensor Data via JavaScript, Elsevier Journal of Information Security and Applications, 2016.
[4] Zhang, Beresford, and Sheret. SensorID: Sensor Calibration Fingerprinting for Smartphones, IEEE Security and Privacy, 2019.
Software Supply Chain Ecosystems
Software is remarkably heterogeneous. Large parts of the software that we use today are sourced from a variety of open-source projects and libraries. These projects often exhibit varying levels of quality assurance and provenance, and are often managed by small teams. Such open-source libraries recently came to prominence with the 2021 vulnerability in Log4J, a library run by a small group of developers. Software quality, and therefore its safety and security, is heavily influenced by the third-party libraries that a vendor relies on.
Software vendors try to perform rigorous checks to ensure high quality is maintained. However, third-party libraries evolve independently, often forcing vendors to play catch-up with the libraries that they use. These changes can include both optimisation of features and the distribution of security patches. Therefore, the evolution of libraries has an aggregative effect on the quality of software that depends on these libraries, which can result in buggy, or even vulnerable, versions of software.
We would like to understand the factors that influence software evolution and their feedback loops by examining how the market and supply chain ecosystems impact software development, with an empirical focus on the impact upon software security. Both PhD projects will examine the design of novel theories, techniques, and tools to help developers cope with the evolution of the libraries that they use in building software.
We are looking to recruit two PhD students who will work with each other.
PhD 1. The first student will examine how software evolution and its supply chains develop from a socio-technical perspective. The project will deploy ethnographic methods, including participant observation as well as interviews. It is intended that the research will identify various supply chains and develop reasoning for current practice and future development. This will inform knowledge on the popularity of libraries and the impacts on the wider software industry if those libraries change.
PhD 2. The second PhD project will work closely with the first to develop a rating system for software quality by considering the heterogeneity of software. Where possible, this student would develop the techniques and tools to assist developers in changing their code to use newer versions of libraries. These techniques would be based on recent advances in Automated Program Repair. The deliverables for this project could include, but are not limited to, IDE plugins for auto-updating software or running a microservice where developers are able to upload their code and get an updated version back.
These projects would be in close collaboration with world-leading research groups as well as industry and government, creating unique opportunities for in-depth collaboration, such as through internships. Such collaborations would allow the selected candidate to gain valuable work experience, giving them unparalleled opportunities for making impact.
Informal enquiries are encouraged. Please contact Dr. Andrew Dwyer (Andrew.Dwyer@rhul.ac.uk) for enquiries related to PhD 1 and Dr. Santanu Dash (santanu.dash@rhul.ac.uk) for enquiries related to PhD 2.