Other bank security work included a paper on Verified by VISA and another on the unwisdom of banks adopting proprietary standards. 2005 highlights included research papers on The topology of covert conflict, on combining cryptography with biometrics, on Sybil-resistant DHT routing, and on Robbing the bank with a theorem prover; and a big survey paper on cryptographic processors. 2016 highlights include a new Android side channel; an investigation of the social externalities of trust; studies of when lying feels the right thing to do, of taking down websites to prevent crime and bank fraud reimbursement; and finally two papers on Brexit. On the control systems front, we published papers on the technical security and security economics of smart meters, on their privacy, on their deployment and on key management for substations. 2012 highlights included a big report on Measuring the Cost of Cybercrime and a history of security economics; an attempt to kill the government’s smart metering project; three papers on dynamic networks; and four papers on payment protocols: Chip and Skim: cloning EMV cards with the pre-play attack, How Certification Systems Fail, A birthday present every eleven wallets?
2007 highlights included technical papers on RFID and on New Strategies for Revocation in Ad-Hoc Networks (which explores when suicide attacks are effective); a paper on fraud, risk and nonbank payment systems I wrote for the Fed; and a survey paper on Information Security Economics (of which a shortened version appeared in Science). 2013 highlights included Rendezvous, a prototype search engine for code; a demonstration that we could steal your PIN via your phone camera and microphone; an analysis of SDN Authentication; and papers on quantum computing and Bell’s inequality. 2019 highlights include an acoustic side channel on smartphones, one paper on whistleblowing and two papers on blocking adversarial machine learning. 2011 highlights included a major report on the Resilience of the Internet Interconnection Ecosystem which studies how an attacker might bring down the Internet; an updated survey paper on Economics and Internet Security which covers recent analytical, empirical and behavioral research; and Can We Fix the Security Economics of Federated Authentication? 2008 highlights included a major study of Security Economics and European Policy for the European Commission; the second edition of my book “Security Engineering”; the discovery of serious vulnerabilities in Chip and PIN payment systems; an analysis of the failings of the Financial Ombudsman Service (see also a video from the World Economic Forum in November 2008); the FIPR submission to the Thomas-Walport Review; a piece on confidentiality in the British Journal of General Practice; three videos on privacy made by ARCH; and a video on surveillance.
EDRI’s first campaign was against the IP Enforcement Directive; afterwards FIPR and EDRI established a common position on intellectual property. My book has become the standard textbook and reference since it was published in 2001. You can download both the first and second editions without charge here; the third edition will become free from 2024. Security engineering is not just concerned with infrastructure matters such as firewalls and PKI. My book was an attempt to help the working engineer to do better. There’s a videos of a talk I gave on dependability at the IET, as well as a survey paper, the slides, and a podcast. Finally I gave an invited talk at 36C3 on the sustainability of safety, security and privacy. I ended the year debating health privacy with health minister Lord Warner. I was a special adviser to House of Commons Health Committee for their Report on the Electronic Patient Record. By default, when I post a paper here I license it under the relevant Creative Commons license; you may redistribute it with attribution but not modify it. Terrorism: Here are Comments on Terrorism I wrote after the 11th September attacks. I won the 2015 Lovelace medal; the interviews I did for that award are here, while my oral history interview transcript is here and an Academy video is here.
In the dark years that followed, I testified against police attempts to increase pre-charge detention to ninety days; and here is a video I did on the effects of 9/11. We must constantly push back on the scaremongers. The big paper was on Measuring the Changing Cost of Cybercrime; since we did the first systematic study seven years ago, the patterns changed surprisingly little despite a huge changed in technology. The first edition was pivotal in founding the now-flourishing field of information security economics: I realised that the narrative had to do with incentives and organisation at least as often as with the technology. This was a watershed in copyright history: the IP lobby was never going to be stopped by fine words, only by another lobby pushing in the other direction, and the Enforcement Directive was when that first came together. The second edition incoporated the economic perspectives we’ve developed since then, and new perspectives from the psychology of security, as well as updating the technological side of things.
