Cyber security is a research area that cuts across multiple research areas, including Information Security, in particular for critical systems and end-users, and Identity & Privacy, where strong identification provides a trust root and privacy provides the safeguards for citizens. Our cyber security research focuses mostly on combating cybercrime and protecting the social fabric. Cybercrime is a composition of crime and cyberspace.
The crime component implies the presence of a perpetrator, an adversary whose actions are harmful or costly for society. Crime also implies the involvement of a physical entity, for instance the victim or the capitalization in physical money, which in turn implies that there is no cybercrime entirely in cyberspace; in this we follow the definition of Benenson et al. [Benenson2011]. There are always human beings that act or are acted upon, which raises the question of human factors in security.
The cyberspace component implies that there is a cyber element present, where the most likely case may be harm done by cyber means. Cyberspace may be the medium for the crime or be used by the perpetrator to gain more scalability. Newman [Newman2009] categorizes the role of cyberspace into tool, target or place for the crime.
In Newcastle, we research security against cybercrime, organized in the CCCS, along four themes:
Human decision making impacts cyber security; this is part of the research hypothesis of the Cyber Security Research Institute on Choice Architecture for Information Security. We believe that human users, e.g., victims in a cybercrime, are affected by decision biases, even if they are supported by rigorous decision making methods. Our work aims at integrating human factors in cyber security work.
I'm a Tenured Reader in System Security (Associate Professor) at Newcastle University. I'm the Director of the Centre for Cybercrime and Computer Security (CCCS), a UK Academic Centre of Excellence in Cyber Security Research (ACE-CSR). I'm a member of the Secure and Resilient Systems group and the Centre for Software Reliability (CSR).
Before that, I was a tenured research scientist at the Information Security and Cryptography group of IBM Research - Zurich as well as IBM Corporation's Research Relationship Manager for Privacy and director of IBM's Privacy Research Institute (PRI).
Identity and privacy research are intertwined.
The former aims at protocols and systems for managing, exchanging and authenticating identity attributes, the latter governs the protection of a user's identity in the widest sense.
Information security means the protection of information and information systems.
Security means that the properties confidentiality, integrity and availability (CIA) are fulfilled, considering the dependability and security taxonomy [ALRL2004].
These properties need to be defined with respect to a system, trust and adversary model, and specified in an explicit security goal.
Information can be at rest or in communication, which implies the security of systems as well as protocols and can include hardware security, as well.
With the term rigorous methods, I refer to cryptography and formal methods (there are others that I don't mention).
I use both kinds of methods to reach security and privacy goals.
Both areas have in common that they establish security properties with respect to a system model, adversary model, security specification and proof methodology.