
Dr Partha Das Chowdhury
Lecturer in Software Security, University of Bristol
PRESENTATION
Where does the ‘security’ buck stop?… And where should it stop?
Re-imagining responsibilisation through a humane lens
Presentation overview
Humans are made responsible for security, be it of physical spaces or digital realms. The assumption in the digital realm is that humans can manage their own security, e.g., by choosing strong passwords, applying patches, spotting phishing messages, etc. Such arrangements inescapably tend to blame ‘selfish or insecure’ human agents in cases of security breaches. Human-centered security research, in active collaboration with industry practitioners, has effectively challenged the unfair responsibilisation of humans. Such undertakings have brought the ‘factual’ individual realities of cognition, skills and behavioural influence to the centre of systems design.
This talk contributes to this space through two frameworks for practitioners. One of them systematically points to the entity in a position to alter security outcomes. We do so through a game-theoretic evaluation of the antecedent question: what if individuals were different? Would that change security outcomes? The other framework provides a shift in the way humans and their needs are captured by systems designers. We bring the two frameworks together to introduce you to an Ethical Responsibilization paradigm. Though we use data breaches as an exemplar for the paradigm, we believe that the frameworks we present in this talk will enable the community to optimally direct their efforts towards entities that can actually make a difference when it comes to security.
Biography
Partha is a Lecturer (Assistant Professor) in software security at the University of Bristol. He is a member of the core team of the UKRI National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN). He is an alumni fellow of the NCSC-funded Research Institute for Sociotechnical Cyber Security (RISCS). Partha advocates a realisation-based research paradigm for cyber security. He leads the development of the testbed operating system (TestbedOS) to test application security and privacy properties in a reproducible manner. He was the first to propose the adoption of Amartya Sen’s Capability Approach for inclusive security engineering. This work has led to the first evidence base for a methodical shift for inclusive security engineering. He led the collaborative work with the University of Cambridge that uncovered cloning attacks in E2EE messaging desktop clients. Partha was involved in the evaluation of six safety technologies to detect child sexual abuse material (CSAM), commissioned by the Home Office, UK. One of his papers won a distinguished paper award at IEEE SecDev 2024 and another won best paper for methodical contribution to build living knowledge sources at CSCW 2023.