A High Level Research Overview
This page is no longer actively maintained, but I will not delete in order to fight link rot.
Please see the page describing the research of my team at the Human & Technical Security Page.
Beginning Outdated Research Review
Here are research highlights and policies. To learn about my research, read the papers! These are available and sorted by topic at the publications page. These are just somewhat random examples. and security, and security and privacy.
I am interested in intersections in the challenges that have risen in the technical and human domians: psychology and security, economics and security, and security and privacy.
Software Defined Networks are the next generation of routing. Yet in SDN development, security is being neglected. Southbound, northbound on the servers that will hosts all the vm switches, all are considered trusted. This is a more recent area for me, the application of organizational and technical trust to SDN.
Kevin Beton, L Jean Camp & Chris Small,
OpenFlow Vulnerability Assessment, HotSDN, August 2013, Hong Kong. Extended abstract.
Security as Risk
Computer Security is Risk Communication
Want Technically Naive People to Adopt Security Technology? Talk to them in their own terms...
Individual security solutions have not been adopted even when individuals have expressed their desire to do so. Our experiment suggests one contributing factor is that the rich array of metaphors used by computer security professionals fail to align with individual's mental models. Speaking of
infections is not helpful risk communication.
Risk Communication Videos
Target for Behavior Change not Education Is the goal is to ensure that individuals respond appropriately, or to have them exhibit a correct understanding of the mechanics of the risk. If this makes no sense to you, then you probably have some expertise in computer security.
Access control - http://www.youtube.com/watch?v=F9m6A4gWKX8
Keylogger - http://www.youtube.com/watch?v=6zHJoZqrCB0
Phishing - http://www.youtube.com/watch?v=4ZQ9pFTCdy4
To reference please use either
L. Jean Camp,
Mental models of privacy and security IEEE Technology
And Society Magazine (2009) No 3:28, IEEE, Pages: 37-46.
J. Blythe, L. Jean Camp & V. Garg,
Targeted risk Communication for Computer Security, 2011 International Conference on Intelligent User Interfaces, (Palo Alto, CA) 13-16 February 2011.From the ACM portal
Incentive-Based Access Control Working with doctoral graduate Debin Liu we have first paper on incentive-based access control, entitled Mitigating Inadvertent Insider Threas.
Future work from this paper now
work in progress.
Net Trust: Defeating Social Engineering
Description:The Tech Talk Overview describes how Net Trust works. Current trust mechanisms are built for computers, not humans, despite the reams of available research on human trust decisions. In fact, the most common trust devices (e.g., seals, domain names) require the cooperation of the malicious to function. We have developed a system to use social networks to inform trust decisions. Initial users tests show that Net Trust alters trust behaviors, providing information to people that makes them more trusting of some sites and less trusting of others. Alex Tsow, Camilo Viecco, and L. Jean Camp,
Privacy-Aware Architecture for Sharing Web Histories, IBM Journal of Research & Development - or - L. Jean Camp,
Reliable, Usable Signaling to Defeat Masquerade Attacks, IS A Journal of Law and Policy in the Information Society, 2007, Vol. 3, No 2: 211-235.
Private social networking, information-sharing with security; perfect forward secrecy after de-friending; highly customized interactions
Is the exhaustion of IPv4 an inevitable train wreck? In this paper we generate historical data using whois and compare three policies. The first is prohibition of allocation to those already well-endowed with IPv4. The second is limiting allocations to the minimal allocation that can reasonably expected to be in the routing tables. The third is picking a cut-off date and allocating fractions until that date.
Want Security? Build Privacy.
There is some question as to why end users do not adopt security technologies. We argue that this is typical of users to behave as human beings in the domain of risk and uncertainty. That is, there are consistent biases that determine if risks are acceptable or not. Responses to risk are determined more by the perception of benevolence of the creator of the risk than by the magnitude of the risk. Here is Trust on the Web, a Tale of User Deceit.
Other work available here.