Research led by LERSSE Ph.D. student Pooya Jaferian will be featured at SOUPS this July. By interviewing IT professionals, he has explored access review activity in organizations, and then modeled access review in the activity theory framework. The model suggests that access review requires an understanding of the activity context including information about the users, their job, their access rights, and the history of access policy. Guidelines of the activity theory were used to design a new user interface, AuthzMap, which was compared to two state of the practice. The experiments demonstrated that AuthzMap improved the efficiency of access review most scenarios. Read the full paper for details.
Serving on Computers & Security Editorial Board
As of January 2014, I’m serving on the editorial board of Elsevier’s Computers & Security journal. Apparently, it is the official journal of Technical Committee 11 (computer security) of the International Federation for Information Processing (IFIP). The journal is in its 29th year, which makes it one of the oldest archival publications in the field of computer security. One of the main goals of the editorial board nowadays is to arrange quality reviews with quick turn-around.
Final Report on Internet Voting
After about 18 months of work, the Internet Voting Panel I served on has released its final report on February 12 and
submitted it to the Legislative Assembly of British Columbia. The report contains the panel’s conclusions and recommendations, and summarizes the benefits and challenges of implementing Internet voting for provincial or local government elections in B.C. On October 23, 2013 the panel published a Preliminary Report for a six-week public comment period, ending on December 4, 2013. The panel reviewed the commentary, including additional submissions from experts, academics and vendors in the Internet voting community. The report can be found on the panel’s web site.
San-Tsai Sun defends his Ph.D. dissertation on Web Single Sign-On Systems and graduates
My Ph.D. student San-Tsai Sun has successfully defended and submitted the final version of his thesis “Towards Improving the Usability and Security of Web Single Sign-On Systems.” He’s moving back to industry, where he will be applying his expertise in web security to real-world systems. Congratulations to San-Tsai on very successful completion of the Ph.D. program, with many quality publications.
What research do I really do?
My department has made a short introductory video-clip about my research group LERSSE. For those who won’t read papers but still want to get an idea about what kind of research my graduate students do, just sit back and enjoy this 3-minute long summary.
httpv://www.youtube.com/watch?v=mJMxjnwfe8U
If your bot friends are nicer and more interesting …
Popular press continues to discuss research of my graduate students on Social BotNets. The most recent article (by Eagle Gamma) appeared in Infoworld in early April. Unlike earlier coverage, it discusses more recent work (Design and Analysis of a Social Botnet), in which an economic analysis of Social Botnet feasability and challenges for throttling them is discussed.
Project Presentations at Graduate Course in Security
Students in my graduate course on computer security are presenting their term papers on April 10. The topics vary from evaluation of Sybil detection mechanisms to detection of DDoS attacks on grid clusters. This mini-conference is open to public.
The Impact of Password Meters on Password Selection
Password meters tell users whether their passwords are “weak” or “strong.” In this paper, we report on a laboratory experiment to examine whether these meters influenced users’ password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We then performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on “important” accounts and that individual meter design decisions likely have a marginal impact.
More details are in the paper, which will be presented at CHI ’13 held April 27-May 3.
Teaching Security and Privacy in Online Social Networks
This term, I’m teaching a graduate seminar-based course on security and privacy in online social networks. Students in the course are reading, presenting, critiquing, and discussing most significant and most recent papers from top venues on the subject. They also do a project related to security and write a term paper based on it. More information about can be found at the course web site.
Presentations of Term Projects in the Security Course
In my undergraduate course on security, we are holding a mini-conference on December 4, where each team of 3-4 students will present their term project. Project topics are diverse and practical. The mini-conference is open to public. See its schedule for location information and presentation times. The projects will be evaluated by the representatives of the high-tech industry.