In my research I prioritise a) robust software against malware attacks, b) accountability, and c) security metrics. I like to build systems and learn from them. My h–index according to Harzing‘s Publish or Perish is 8.

My research interests also comprise operating systems, secure operating environments, malicious software, client security, trusted path implementations, foundations of computer security, security models, access control, solutions for small and medium enterprises (SME), applications: electronic signatures, home banking, online voting, mobile and embedded systems, cloud computing.

I have been active in the field of finding methods and techniques to develop robust software against malware attacks for more than 15 years, yielding more than thirty scientific publications in international venues. I currently look into an extension to the Microsoft Windows operating system to implement a trusted path for arbitrary applications. That will offer confidentiality, integrity, and authenticity for communication of applications with users and could be used in banking, e-health, and cloud services. This is an ongoing project with a team from HTWG Konstanz and Masaryk University.

Addressing research and teaching in combination, I started a project to investigate automated insertion of vulnerabilities into applications, dubbed ”insecurity refactoring“. My aim is to generate many different training examples with low effort by automation to be used in software security education. Ph.D. students Felix Schuckert and Sandra Ringmann in my group pursue their Ph.D. in the area of software security.

My Ph.D. dissertation was in the intersection of robust software development and the emerging field of security metrics. I took up security metrics again with a novel approach to regulate privacy (”Privacy Points“) that was presented at international conferences.

A while ago I also included accountability in my research portfolio to address the investigation of malware attacks that cannot be prevented. To achieve accountability, I studied how operating systems and applications can be extended and modified to increase their readiness for forensic investigations. Yi-Ching Liao (who I supervised) completed her Ph.D. in this area. To aid the legal evaluation of incidents, I explored ways to couple computer security models with civil law. The research on forensic readiness has produced six publications presented at international conferences. The use of civil law concepts in access control was presented at an international conference and later published in an international electronic journal.