This blog contains some of my personal views on network and information security, some of my academic publications and the start of a tutorial I am creating.
Note that this is a personal blog and that opinions and views on this website are my own, and do not reflect those of my current or past employers.
About my background: I have been in the network and information security field since 2004. Currently I am at the European Commission, supporting the director of IT security, developing the corporate IT security strategy and policy. Before joining the Commission I worked for ENISA, the EU’s Network and Information Security Agency, leading the work on cloud security and EU-wide security breach reporting legislation.
In the past I worked for KPMG as an IT architect where I designed the interfaces and protocols of several national online electronic identity/authentication systems: the backbone of the Dutch e-government. I became a Certified Information System Auditor (CISA) in 2010. I received a PhD degree in Computer Security in 2010 and I have a Master’s degree in Theoretical Physics. I started working in IT in 2003, as a computer programmer in a small Italian software company in Pisa.
For me usability and security are closely related. Consider the design of the water tap in your shower, as an analogy: the hot water knob is always right, the cold one always left. This way you can pick the right one blindly – even with soap in your eyes. This for me is security: The system does exactly what you expect it to do. And nothing else. It is clear how it operates and you do not need manuals or technical knowledge.
Safety is a related but different concept. Using the analogy of the water tap, safety would be a valve limiting the hot water to below 40 degrees Celsius, so you can’t ever get burned. So in some settings security and safety could even be at odds. Kids know this by experience: Safety caps on toxic bottles are impossible to open. For kids at least.
I believe many cybersecurity problems are due to insecure systems. Simply opening an email can put your entire PC and your bank account at risk. Not to mention your family, friends, colleagues, etc. Instead of just opening the email, your PC has started to do many other things you did not ask for and did not want. In fact I often find myself blaming technology and rarely the user. I see new technology trends, such as cloud computing, smartphones, app stores, social media as major opportunities for improving cybersecurity, as solutions. And I think it is wrong to view new technology as a risk.