-> CISIS conference

Keynotes / Invited Talks

 The confirmed keynote of ARES 2010 will be held by Ross Anderson (http://www.cl.cam.ac.uk/~rja14/) and Gene Spafford (http://spaf.cerias.purdue.edu/).

Ross Anderson, Cambridge University

"Information security - where computer science, economics and psychology meet"


For years, people thought that the insecurity of the Internet was due to a shortage of features, and so all through the 1990s we worked vigorously on developing better encryption, authentication and filtering mechanisms. But things didn't get any better. We began to realise that failures - of both security and dependability - are intricately tied up with incentives. Systems often fail because the people who guard and maintain them don't bear the full costs of failure. Microsoft doesn't accept liability for vulnerabilities that lead to millions of its customers being hacked; DVD region coding is easy to subvert because equipment vendors don't lose money when it fails; and medical records become less private once systems are bought by government ministers rather than doctors.

This led to the emergence of a new field of study, information security economics. It provides valuable insights not just into `security' topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability and policy. This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology.

An exciting recent development is the interaction with psychology. As systems get harder to attack, the bad guys attack the users instead; phishing only got properly going in 2004, but by 2006 cost British banks £35m. We now know that most information security mechanisms are too hard to use, being designed by geeks for geeks. We urgently need to introduce bright ideas from psychology and human-computer interface design. And in addition to these 'micro' scale concerns, there are many 'macro' scale problems - why do people overreact to terrorism, yet underreact to everything from environmental degradation through online threats to road traffic accidents?

The challenge is to build a proper multi-disciplinary framework for analyzing security problems - one that is both principled and effective. Up till now, security economics has started to fuse the engineering and economic aspects, while behavioral economics, which studies the heuristics and biases that affect human judgment, has put psychology and economics together. The next big research task may well be security psychology.


Ross Anderson is Professor of Security Engineering at Cambridge University. He is one of the founders of a vigorously-growing new academic discipline, the economics of information security.  Ross was also a seminal contributor to the idea of peer-to-peer systems and an inventor of the AES finalist encryption algorithm "Serpent". He also has well-known publications on many other technical security topics including hardware tamper-resistance, emission security, copyright marking, and the robustness of application programming interfaces (APIs). He is a Fellow of the Royal Society, the Royal Academy of Engineering, the IET and the IMA. He also wrote the standard textbook "Security Engineering - a Guide to Building Dependable Distributed Systems".

Gene Spafford, Purdue University

Thinking outside the box


To be announced.


Dr. Eugene Spafford is a professor with an appointment in  Computer Science  at  Purdue University, where he has served on the faculty since 1987. He is also a professor of  Philosophy  (courtesy), a professor of  Communication  (courtesy) and a professor of  Electrical and Computer Engineering (courtesy). He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing. Spaf (as he is known to his friends, colleagues, and students) is Executive Director of the Purdue CERIAS (Center for Education and Research in Information Assurance and Security), and was the founder and director of the (superseded) COAST Laboratory. As of 2007, Spaf is also an Adjunct Professor of Computer Sciences at the University of Texas at San Antonio, and is Executive Director of the Advisory Board of the new Institute for Information Assurance there. A more complete account of Spaf's activities and background may be found on the "Short biography" page. You can find out about his recent activities by visiting his news page. A complete C.V. is also available.