The need to secure and ensure the privacy of software systems and the relevant infrastructure has been recognised as a major challenge not just for the further usage of technology but also for the further advancement of human society. As such, a number of fundamental research challenges have been identified for relevant disciplines such as security engineering, privacy engineering, software engineering, and information systems.
My research interests lie in the intersection of privacy, security and software engineering.
My long-term research goal is to effectively analyse, understand and improve security and privacy of software systems for large, open and dynamic environments. In doing so, I have pioneered work in developing ontologies, languages, models, processes, methodologies and automated testing and optimisation techniques that consider security and privacy as integral aspects of the software systems development process.
In particular, my research focuses on the following areas:
- Security and Privacy Requirements Engineering. My work in this area is concerned with the development and precise definition of modelling languages, methodologies and ontologies to support elicitation, modelling and analysis of security, trust, and privacy requirements. I have developed the Secure Tropos methodology, one of the first methodologies in the literature that implements the idea of security and privacy by design and integrates security, privacy and engineering techniques under one methodological approach.
- Data Privacy Management and GDPR. I am interested in developing platforms and solutions that facilitate visual analysis of privacy requirements and needs and assist the creation, monitoring and enforcement of Privacy Level Agreements. Moreover, my work is focused on the analysis and development of innovative data privacy governance platforms, which facilitate scoping and processing of data and data breach management and support organisations towards GDPR and regulatory compliance.
- IoT, 5G, Cyber-Physical, and Cloud Computing Security. My work in this area is focused on developing novel models, methodologies and analysis techniques that guarantee the highest possible levels of protection within IoT, 5G and Cloud computing environments, in the presence of different security and privacy threats.
- Model-Based Security/Privacy Engineering. My work in that area focuses on the development and analysis of methods, processes, and architectures for secure and privacy-aware systems. At the requirements level, I focus on the development of processes that enable the elicitation and modelling of security and privacy requirements and analyse them in terms of security and privacy properties, relevant threats and vulnerabilities. At the architectural level, I focus on developing software architecture techniques to ensure that socio-technical systems satisfy security, trust and privacy requirements and that developed architectures reduce potential risks.
- Security Engineering Decision Support. I am investigating novel decision-making methodologies and models that offer the highest possible levels of protection within different domains (e.g. IoT, Cloud) with regard to different security and privacy threats and a set of evolving factors such as security requirements, financial cost, indirect costs (e.g. people’s productivity), intangible and tangible assets. I am also interested in developing underlying formalisms, utilising logics and graph transformations, to enable precise specifications and automated reasoning, within the context of security and dependability, taking into account organisational policies and resource allocation.
- Security Attack and Threat Discovery. I am interested in developing novel reasoning techniques and algorithms that assist the discovery of potential cyber-attack paths in supply-chain and critical infrastructures, taking into account information from the Common Weakness Enumeration (CWE) and from the Common Vulnerabilities and Exposures (CVE). My work can be applied within a dynamic risk management system to detect the vulnerabilities of the IT infrastructure and to deliver attack paths that satisfy certain criteria.
- Security and Privacy Patterns. My work investigates the development of security and privacy pattern languages that enable the representation of patterns and guide developers through the process of designing a system to ensure security and privacy. A major novelty of this work is that the solution to the pattern is represented using concepts from the requirements stage, which enable developers to directly apply the patterns of the language to the security and privacy requirements analysis.
- Automated Analysis Tools. I am interested in developing tools to support security and trust analysis of the socio-technical systems at different levels. At the higher level, they are graphical editors where security, privacy and trust models can be drawn and the grammatical correctness of the models is automatically checked. On the lower level, they enable analysis of security, privacy and trust properties and security threats.
Within these research areas I have supervised to completion seven PhD and one MPhil students and I currently supervise five PhD students at the University of Brighton. I have examined 16 PhD students.
I have led the University of Brighton team on three European Union funded projects, VisiOn, MITIGATE and SESAME, and I am the technical coordinator of the DEFeND Project.
I am also interested in applying the theoretical research outputs of my work to different application domains and my work has been applied to the development and analysis of systems in the areas of critical infrastructures, cloud computing, health-care, telecommunications, banking, and e-commerce.