Human and Organisational Aspects of Security

In most of the famous past security incidents, the main issue was not technical. Rather, systems failed because they placed unreasonable requirements on their users, risk models were insufficient or outdated, security was too hard to integrate or too expensive to be economic, or the organisation's policies and procedures failed to integrate into the corporate workflow. Together with university partners, we are working to analyse where the weak spots in human and organisational behaviour are, and to develop countermeasures and recommendations that mitigate these risks while supporting usability and corporate workflows.

Another increasingly important aspect is the interaction of society and policy with security. The increasing focus on 'Cyberwar', for example, has led many governments to actively collect 'Cyberweapons', both to prepare for a military conflict and to increase surveillance options. This in turn had an impact on the vulnerability market. Researchers who find a vulnerability have less and less incentive to report it to the responsible vendor, and instead find it increasingly lucrative to sell it to governments. Due to the wide reach of software, any vulnerability that might help monitor potential terrorists also puts numerous civilian infrastructures in danger.

Ongoing Projects:

Am I a mercenary: Consequences of using the Law of War in Cyberspace.