Send email Copy Email Address

EMPIRICAL AND BEHAVIORAL SECURITY

We need solutions that work in both theory and practice. However, as truth is stranger than fiction, this means that to attain this grand goal we cannot simply retreat to our study but will need to draw insight from empirical data. That is, unless a tool is easy to use properly, although it may be secure in theory, it can still prove a liability in practice – which goes for both end-users and developers.

RESEARCH TOPICS

An essential aspect of our research is the empirical understanding of potential attacks and the threat landscape. This ranges from attacks on critically important Web applications all the way to adversaries aiming to phish users' credentials. In this research area, we focus on measuring threats at scale in the wild and identifying threats to users at an early stage. To this end, we develop novel methods for detecting vulnerabilities at Internet-scale, with a specific focus on Web applications. By combining large-scale measurements with methods from the social sciences, we also explore how technologies can be designed to be used in a secure and private way by both lay users and developers. A key strength of the research area is the strong connection between automated tools for detection and usability aspects of novel solutions to prevent attacks before they can happen, e.g., through developer-centric security tooling.

OUR LATEST PUBLICATIONS

Year 2026

Conference / Medium

ACM Conference on Computer and Communications Security (CCS)
Reflection, Education, Consistency: Towards Best Ethics Practices At Security And Privacy Conferences

Article

Proceedings of the ACM on Human-Computer Interaction Enabling Sensitive Conversations with Consent Boundaries: Moa, a Platform for Discussing PhD Advising Relationships

Conference / Medium

Symposium on Usable Privacy and Security (SOUPS)
An Analysis of the Security, Usability, and Automation Capabilities of Password Update Processes on Top-Ranked Websites

Conference / Medium

Symposium on Usable Privacy and Security (SOUPS)
“I didn’t know I would be this excited not to be scammed.” Exploring Emotional and Behavioral Responses During Phishing Attacks

Conference / Medium

Usenix Security Symposium (USENIX-Security)
FRAGJAM: DoS Attacks Using IP Reassembly Congestion

Year 2026

Conference / Medium

ACM Conference on Computer and Communications Security (CCS)
PyFEX: Uncovering Evasive Python-based Threats via Resilient and Exhaustive Path Exploration

Conference / Medium

Usenix Security Symposium (USENIX-Security)
Trust Nothing: RTOS Security without Run-Time Software TCB

Conference / Medium

Usenix Security Symposium (USENIX-Security)
SoK: Capability Operating Systems: Is the Future Finally Here?

OTHER RESEARCH AREAS

Algorithmic
Foundations and
Cryptography

Trustworthy
Information
Processing

Reliable

Security Guarantees

Threat
Detection and
Defenses

Secure
Connected and
Mobile Systems