Research Overview

There is an ever-growing need to assure the security of critical software-dependent systems, and the information that they use, store, and communicate, in the face of cyber-attacks and failures. As systems grow larger and more complex they invariably become more susceptible to an array of unforeseen security vulnerabilities. Security should therefore be considered at all stages of their development. The current approach of having security retrofitted or “bolted-on” to the systems that we build is not sufficient. Instead, we need to consider the increasingly critical security requirements for these systems and design them with security “baked-in” so that the evidentiary basis for security assurance can be generated and reasoned about alongside the system it supports. This presents a range of complex challenges. My research is motivated by the need for the advancement of rigorous and practical approaches to address increasingly critical issues in designing, implementing, evaluating, and assuring the safe, secure, and reliable operation of software-dependent systems. To this end, I conduct research that spans the areas of cyber security evaluation and assurance, threat modeling, security-by-design, and formal methods and data-driven approaches for software and security engineering. I am interested in exploring new ideas, techniques, and tools that can support cyber security evaluation and assurance activities and advance security-by-design approaches, leading to improved system security and higher system confidence.

Areas of Application

I am focused on applying these approaches in a variety of application areas including, but not limited to, critical infrastructure (e.g., maritime port systems and operations, smart energy grids/infrastructures), IoT-enabled eHealth, industrial control systems, and more.

Research Interests, Areas, and Themes

Cyber Security Evaluation and Assurance

My primary research interest is in developing cyber security evaluation and assurance solutions for a broad range of software-dependent systems. I believe there are important research opportunities in studying the challenges and critical issues in designing and implementing safe, secure, and reliable software-dependent systems within a variety of emerging and pervasive application areas, including but not limited to critical infrastructure (e.g., maritime port systems and operations, smart energy grids/infrastructures), the Internet of Things (IoT), industrial control systems, cyber-physical systems, and more. I am especially interested in developing methods, techniques, and tools for performing automated analyses of these large and complex systems to obtain actionable information that can be used to establish—at early stages of system development—verifiable evidence and sound argumentation demonstrating that the system operates at a level of security commensurate with the potential risks and associated losses incurred if the system experiences an attack or failure. I am particularly interested in data-driven security evaluation and assurance methodologies and developing objective and meaningful security metrics and measures.

Engineering Secure and Trustworthy Software-Dependent Systems

I have a broad interest in engineering secure and trustworthy software-dependent systems. I am particularly interested in developing new ideas, techniques, and tools for establishing software architectures, design patterns, and middleware that aid in developing intrinsically secure and resilient systems through the identification, analysis, and mitigation of security vulnerabilities, such as implicit component interactions. This includes requirements engineering (especially assessing and managing trade-offs with security requirements) and model-based development.

Formal Methods

I am an advocate for the development and adoption of formal methods for the specification and verification of software-dependent systems. In particular, I am interested in studying and developing theory and applications for algebraic approaches, methods, and techniques for developing systems with high standards of safety, security, and reliability whenever such approaches can be demonstrably effective.