Showing posts from 2014

2014 Retrospective ...

Highlight from November 2014: Receiving CCT status for Introduction to Cyber Security MOOC from Chris Ensor (Deputy Director, CESG) and Richard Pharro (CEO, APMG)

2014 has been an eventful year across many spheres of my academic life, complete with research published in major conferences and journals, PhD students graduating and new courses launched. My final post for the year is a quick review of some of the highlights:

January: The year started with the news that two of the papers I co-authored and submitted to the International Conference on Software Engineering (ICSE 2014) had been accepted for publication. Both of these papers were based on the work of my PhD students, one on privacy requirements engineering and the other on adaptive user interfaces. It turned out to be a pretty successful year for OU research at ICSE overall.

February: We got confirmation that the EPSRC would be funding our project, "MonetizeMe: Privacy and the Quantified Self in the Digital

Cyber security careers

I am working on wrapping up the first presentation of Introduction to Cyber Security and preparing for the next presentation, which is now open for registration and will start on 26 January 2015. The popularity of the first presentation demonstrates a recognition of the importance of cyber security. Hopefully some of the 15,000+ learners who engaged with the course will be inspired to study further and perhaps even pursue a career in the field. This is an important and exciting discipline to work in, with a variety of career paths depending on people's interests and aptitude. The Open University provides a range of modules and qualifications that can support this journey, and I recently wrote a short article about some of the career options in cyber security which has now been published on OpenLearn.

REF 2014: Picking through the results

REF 2014 Computing and Informatics Results, ordered by 4*/3* outputs and scaled by staff numbers (Source: ).

For the past two years, academics in UK universities have been preparing and then waiting for the results of the Research Excellence Framework (REF 2014), a quality audit of selected academic research undertaken during the period 2008-2013. The results were finally published during the very early hours of 18 December, and there has been a flurry of activity as each university and department figures out how to interpret them in a way that reflects best on their performance.

At the OU, the Centre for Research in Computing was returned under the "Computer Science & Informatics" unit of assessment (UoA). The research was produced by academics in the Department of Computing and Communications and the Knowledge Media Institute. The REF 2014 panel's assessment was that 75% of our research outputs were 4* (world-le

Deep Learning and Adaptive Sharing for Online Social Networking

Prompted by Facebook Research's recent announcement on using deep learning to help users avoid 'drunk posting' embarrassing information on the social networking platform, I wrote an article for The Conversation about deep learning and adaptive sharing. This draws on our research on Adaptive Sharing for Online Social Networks, which was recognised as the Best Paper at the 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14). The following is a short excerpt from the article:

Facebook’s initial target appears aimed at extending its face recognition capability to automatically differentiate between a user’s face when sober and drunk, and use this to get a user to think twice before hitting the post button. Of course being detected as being drunk in photographs won’t be the only factor that determines when we want to moderate our social media sharing behaviours. The nature of the links we share, like and

Reviewing debut run of Introduction to Cyber Security MOOC

Introduction to Cyber Security MOOC

The debut presentation of Introduction to Cyber Security MOOC came to an end this week. This 8-week MOOC was developed with the support of the UK National Cyber Security Programme and has been certified as an awareness-level cyber security course by the CESG Certified Training programme. Over the next few weeks I will be working with colleagues to review the lessons learned from this first run and making the necessary changes to ensure that the next presentation goes smoothly.

Some high-level numbers on the first presentation, as of the end of Week 8 of the course, are as follows:

Registered learners: 24,245
Returning learners: 15,449
Active learners: 12,977 (~84%)
Fully participated: 3,692 (~24%)

The percentages for active and fully participated learners have been calculated based on the number of returning learners rather than the total registrations. 'Active' means that a learner is still progressing through the content a

Privacy Distillation @ Best RESG Research 2014

Privacy Distillation for Mobile Applications from Arosha Bandara

I had the opportunity to present our research on Privacy Distillation for Mobile Applications at the British Computer Society Requirements Engineering Specialist Group's Best of RESG Research 2014 event. The slides above are based on those originally presented by Keerthi Thomas at ICSE 2014.

Some interesting questions were discussed following my presentation, including:

How does the distillation process cope with the overall mobile software eco-system? At the moment we have only considered the peer-to-peer information flows between the end users of the mobile application. However, it should be possible to use the Privacy Facets Framework to consider the information, information flows and actors in the overall mobile software eco-system. Of course some extensions will be required, for example to capture factors such as the legal and regulatory aspects of privacy associated with the places in which in

Cyber security by the rest of us ...

Breakdown of cyber crime types reported by learners in Week 1

As part of the Introduction to Cyber Security MOOC, we asked learners to review their computer security practices at the start of their learning by completing a simple online survey / self-audit. Over 9100 learners completed the survey in Week 1 of the course, highlighting some interesting findings. For example, although 84% of respondents had configured their computers to require a password on startup, 30% did not 'lock' their computer so that it required the password to be re-entered if they left it unattended.

With regard to password management, 55% of respondents depended on their memory for storing passwords, whereas 26% used software (password manager / web browser) to manage their passwords. It is noteworthy that 18% reported that they write their passwords down and 59% reuse the same username / password across multiple websites. It was reassuring to note that 90% of learners who completed the

Stuff people encrypt ....

Rotors from an Enigma Machine

This week on the Introduction to Cyber Security MOOC (hosted on Futurelearn), the topic is cryptography. Learners are having fun figuring out how Alice and Bob communicate while keeping their messages secure from Eve - and sharing some funny cartoons in the process. One of the exercises we set was to use a PGP mail tool (Mailvelope) to sign and encrypt an email sent to a mailbox we set up specifically for the MOOC. I have a mail rule that invokes a simple script to strip out the PGP message text, decrypt it and send it back to the learner in an email.

Although many people have successfully completed the task, there is a general consensus that routinely encrypting emails is unlikely to be adopted by most people. The hurdles identified by people range from the impracticality of getting other people to use crypto in their communications, to the challenge of configuring the crypto tools and their general (lack of) usability. It seems

Adaptive Sharing for Online Social Networks

TrustCom 2014, Beijing, China | Picture by Peter23

We recently presented our initial work on developing quantitative models of privacy risk and social benefit at TrustCom 2014 in China. The work was undertaken by Mu Yang, a post-doctoral researcher on the Adaptive Security and Privacy project. The paper was recognised as the Best Paper at the conference, being judged against 73 papers presented at the conference. The models presented in the paper could be used to optimise the audience for online social networking postings and we are currently developing a field experiment to evaluate the approach we are proposing. You can find the paper at the link below:

Yang, Mu; Yu, Yijun; Bandara, Arosha and Nuseibeh, Bashar (2014). Adaptive sharing for online social networks: a trade-off between privacy risk and social benefit. In: 13th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-14), 24-26 September 2014, Beijing, China.

Cyber Security MOOC

Introduction to Cyber Security

Over the past few months I have been working with my colleagues at The Open University to produce a MOOC (Massive Open Online Course) that will provide learners with basic knowledge and skills relating to information security. "Introduction to Cyber Security" is an 8-week course that will be hosted on the Futurelearn platform, with the first presentation scheduled to start on 13 October. Learners will be guided through the content by Cory Doctorow, who is a visiting professor at the OU.

The course was produced with the support of the UK government, as part of the National Cyber Security Programme, with the aim of raising general awareness and interest relating to cyber security. It is hoped that learners who complete the course - from young people considering careers in computing, to those already in work looking to improve their knowledge and skills, or members of the public looking to protect themselves online - will gain valuab

Round up and catch up ...

Recent weeks have seen a spate of cyber security issues that include the Heartbleed bug that created a serious vulnerability in the OpenSSL library used by thousands of web services; the disclosure that eBay's user account information was stolen a few months ago (possibly related to Heartbleed); and the Oleg Pliss Hack that appeared to ransom iPhone users' data by attacking their iCloud accounts.

My colleague Andrew Smith (@teraknor) has written a number of articles for The Conversation on each of these attacks, all of which are informative and great reads:

Let’s not panic like it’s 1999 as we clean up after Heartbleed: lessons to be learned from the Y2K experience when responding to global code fixes.
Massive eBay hack - change your password now: how to minimise the likelihood of being affected by the eBay hack.
Explainer - is your iPhone at risk after the Oleg Pliss hack?: what is this hack really about?

Check out the complete list of Andrew's articles

Software Engineering for Smart Cities

Software Engineering for Smart Cities @ Masdar Institute

Our research group recently participated in a workshop on software engineering for smart cities that was hosted at the Masdar Institute in Abu Dhabi. With participants from the UK (Open University), Ireland (Lero), Japan (NII), Qatar (QU), Abu Dhabi (Masdar) and Argentina (UBA), the workshop covered a variety of topics from adaptive systems, security and privacy, to smart cities and human behaviour.

It was a stimulating couple of days during which I picked up a number of interesting ideas, including how theoretical models of fairness could be used to compute the equitable distribution of work amongst a number of collaborating agents. This would seem quite useful in our work on collaborative security, where we want multiple software-intensive components to work together to satisfy security requirements.

Cloud Wedge - geek of the week

CloudWedge: 'Geek of the Week'

My colleague Yijun Yu recently wrote an opinion piece for The Conversation about how cloud computing could have made a difference to the search for Malaysian Airlines MH370. Essentially the question he poses is: why, in the age of global internet connectivity (including now onboard planes!), do we depend on the onboard flight data recorder for information about what happens on a plane?

Of course there are numerous challenges with this - not least the cost of bandwidth for all the flight data (including cockpit audio) to be uploaded in real time and the security of the data. Yijun's article addresses some aspects of the latter, and the former is not an insurmountable problem. For example it should be possible to upload basic flight telemetry (e.g., GPS location, air speed, engine statistics and fuel data) without requiring significant bandwidth. Indeed aero engine manufacturers such as Rolls-Royce deployed engine monitoring systems

Collaborative Adaptive Security

Collaborative Adaptive Security scenario

As part of our work on Adaptive Security and Privacy we are exploring the role of collaboration between different components in a ubiquitous computing environment in order to maximise the satisfaction of security requirements. The intuition behind this is that the highly dynamic, heterogeneous device ecosystem of ubiquitous computing environments creates the need to satisfy different security requirements depending on the particular context. The above video presents an early (and very rough!) example of the type of situation we are thinking about. In this scenario, it is not possible for a single device in the environment to deliver all the required security functionality, but if multiple devices collaborate, then the security requirement can be satisfied.

Some of our initial ideas of how to engineer a system to exploit collaborative adaptation for security will be presented at the upcoming Symposium on So

Merging privacy ...

Facebook vs. Whatsapp

The acquisition of WhatsApp by Facebook has raised a number of interesting privacy debates, with the latest being a legal challenge to the deal on the grounds that WhatsApp's existing user privacy agreement will be violated if Facebook starts using the data to deliver targeted advertising. It raises the question of whether the difference in the privacy agreements between WhatsApp and Facebook was part of the analysis when the acquisition was planned.

Questions that could (arguably should) have been part of the decision to value WhatsApp at ~£11bn (~US$16bn) include:

Whether isolating WhatsApp from Facebook (as proposed in the above article) would limit the possibility of creating new revenue streams (e.g., through advertising) from WhatsApp users?
Would users leave WhatsApp in droves if Facebook changed the privacy policy to allow user data to be used for advertising?
Whether hardly any users will care about the potential use of personal informatio

ICSE 2014 Success ...

ICSE 2014

I am really pleased to have two research papers being presented at the 36th International Conference on Software Engineering, which will take place in Hyderabad, India from 31 May to 7 June 2014. The papers are:

Thomas, Keerthi; Bandara, Arosha K.; Price, Blaine A. and Nuseibeh, Bashar (2014). Distilling Privacy Requirements for Mobile Applications. In: 36th International Conference on Software Engineering (ICSE 2014), 31 May-7 June, 2014, Hyderabad, India (Forthcoming), ACM.

Akiki, Pierre A.; Bandara, Arosha K. and Yu, Yijun (2014). Integrating adaptive user interface capabilities in enterprise applications. In: 36th International Conference on Software Engineering (ICSE 2014), 31 May-7 June, 2014, Hyderabad, India (Forthcoming), ACM.

The first of these papers presents a novel approach, called Requirements Distillation, for eliciting privacy requirements from qualitative data, such as user interviews or experience reports. This was developed by my student, Keert

Publication statistics ...

My publication stats from Open Research Online (ORO)

Like many universities and research institutes, the Open University set up a research publications repository back in 2005/06 (as part of the preparation work for the RAE 2008). It is called Open Research Online (ORO) and has grown into a really significant collection of research outputs that span a breadth of topics - from health and social care to business and law and mathematics and computing. A particular strength of the system is that it provides an easy way to share our research papers with the world, without having to manually upload things to our personal webpages.

Recently the developers included an overview page that shows the download statistics for papers by each author, which shows that the 36 papers I have added to the system have generated a total of just over 7250 downloads. The most downloaded papers relate to work on privacy and usability that was undertaken as part of the PRiMMA project. Of course the

Unmissable blogs ...

I don't always have a lot of time to keep up with what is going on in the 'Blog-o-sphere', but there are a few blogs that I try to read whenever possible. In an effort to increase the frequency of my own blogging I thought it would be a good idea to write a post about my 'unmissable blogs':

- written by Anthony Finkelstein, provides some excellent insights into software engineering research and academia in general, with some great humour thrown in. Check out some of the excellent '10 Top ...' lists!

Geek Prof - written by Ian Sommerville, is a blog I've only recently been introduced to but found to be a really good read. Wise words about the state of academia and research, as well as insights on a range of topics that range from cybersecurity to software and systems engineering.

Crypto-gram - written by Bruce Schneier, the content of which can be accessed in multiple forms, including a podcast and an email newsletter. This is one

Calming those Angry Birds ...

Screenshot of article on The Conversation site

The latest revelations from the Snowden files include evidence that NSA and GCHQ were tapping into some of the application analytics data being gathered by popular mobile applications like Angry Birds. I was invited by The Conversation platform to contribute to a short article titled "Angry Birds will have angry users until privacy rules are clear" that discusses this issue and where the responsibility for privacy and security in mobile applications lies.