My name is Nalin Asanka Gamagedara Arachchilage (too long, isn't it? I admit that this can be confusing sometimes). I am a Lecturer in Cyber Security in the Australian Centre for Cyber Security (ACCS) and School of Engineering and Information Technology (SEIT) at the University of New South Wales (UNSW Canberra at the Australian Defence Force Academy), where I lead the OzUSec (Australian Usable Security) research group. Apart from my teaching, I also research in the area of usable security and privacy (i.e. designing secure (and also privacy) systems that people can use) and supervise postdoctoral researchers and postgraduate students (PhD/MPhil) with refereed publications and thesis.
I hold a PhD in Usable Security entitled “Security Awareness of Computer Users: A Game Based Learning Approach” from Brunel University London, UK (External examiner: Professor David Benyon). My research focused on developing a game design framework to protect computer users against "phishing attacks". I obtained a BSc (MIS) Hons from University College Dublin, National University of Ireland and have completed a master's degree, MSc in Information Management and Security at the University of Bedfordshire, UK. I'm a Sun Certified Java Programmer (SCJP) at Sun Microsystems (now Oracle), USA. I am also a professional member of Association for Computing Machinery (MACM), The Institute of Electrical and Electronics Engineers (MIEEE) and The Australian Computer Society (MACS).
Prior to undertaking my current position at the University of New South Wales (UNSW at ADFA), I worked as Research Fellow in Usable Security and Privacy in the Laboratory of Education and Research in Software Security Engineering (LERSSE) at the University of British Columbia (UBC), Canada. Before moving to Vancouver, I was a Postdoctoral Researcher in Systems Security Engineering in the Cyber Security Center, Department of Computer Science at Oxford University.
My main research interests are Usable Security and Privacy, Cyber Security, Security Economics, Trust, Cybercrime, Human Computer Interaction, Serious Games for Cyber Security Education and e-Learning Security. My research is inter-disciplinary in nature and I have published numerous articles at reputed international conferences and journals. I have also presented my research at Facebook Headquarters, Menlo Park, California, USA and collaborated with HP in a research capacity at the HP Lab, Bristol, UK. I have been an invited speaker for conferences both nationally and internationally. I served as demos and works in progress chair, publicity chair, programme committee member, technical/web-master in a number of reputed international conferences, and I regularly review articles (in the area of usable security and privacy) at reputed international conferences and high impact factor journals.
I have extensive teaching experience across all levels of teaching in relatively small (size of cohort: 20) as well as large classes (size of cohort more than 250). I currently work on developing, updating, managing and delivering the curriculum for a number of courses (ZEIT3120 Programming for Security, ZEIT8036 Humans and Security and ZEIT8037 Cyber Security Risk Management) at UNSW. I am the course convenor for the Chief of Army Honours students and convened the ZEIT8029 Network and Mobile Device Forensics in 2016.
I worked in a number of academic positions in Computer Science at Brunel University, University of Bedfordshire, Westminster University and Central Bedfordshire College in the UK. Before moving to UNSW Canberra, I briefly worked as Sessional Lecturer in Computer Science at Deakin University, Victoria University and Central Queensland University (CQUniversity) in Melbourne, Australia. Apart from my academic career, I also worked in a number of software engineering roles ranging from Programmer, Software Engineer to IT Manager, where I gained hands-on experience and skills in various technologies such as Java, Java EE, Java ME, PHP, HTML, XML, R-DBMS, Oracle, MySQL, UML, Linux (Ubuntu), Android SDK, NetBeans and Eclipse. I have also gone through a professional Linux Network Administration training program.
My primary research interests are at the intersection of computer security, human computer interaction (HCI), and on-line privacy, in an area known as usable security and privacy. Many aspects of computer security synthesize technical and human factors. If a highly secure system is unusable, users will try to bypass the system or move entirely to less secure but more usable systems. Problems with usability contribute to many high-profile security failures today in the technology-filled world. Nevertheless, usable security is not well-aligned with traditional usability for some reasons. First, security is not very often the primary task of the user. In most cases, security is not the primary purpose of using a computer. People use computers to shop, socialize, communicate, and be educated and entertained. Many applications handle security issues through security alerts that interrupt users' primary task. Therefore, users represent security as a secondary task. Whenever security is secondary, it opposes the usability of the primary task: users find it distracting and therefore they would rather ignore, circumvent, or even defeat it. Second, securing information is about understanding risk and threats. Unlike traditional research in HCI, (usable) security and privacy focuses on the context of an adversary whose goals are to manipulate the user rather than breaking into the system straightaway. Therefore, this poses a great challenge for researchers, who need to model and reason about how the adversaries (i.e. bad guys) will make their attacks successful. Of course, it is rather important to understand how the user behaviours can be leveraged to protect themselves from cyber attacks. Such communication is most often unwelcome in the HCI community. Increasing unwelcome interaction is not a goal of usable security and privacy design.
Third, discrete technical problems are all well-understood under the umbrella of on-line security and privacy (e.g., attacks such as phishing, malware, spyware, social engineering, Distributed Denial-of-Service or DDoS attack). A broader concept of both security and usability is therefore required for usable security. My goals are to investigate how users manage their security and privacy in existing systems in order to design new systems that achieve better privacy and security solutions by taking end users into account.
In future work, I plan to apply my research expertise and skills to applications that are likely to have high social value and impact. In particular, my expertise is in user requirements analysis, data collection, data analysis, functional interface design and development, experimental design, and information visualization. I will continue to apply this expertise to the many real world research problems on the human aspects of computer security and privacy. My immediate research goal is to continue my work on studying: improving security APIs, serious games for cyber security education (e.g. designing games to thwart phishing attacks, usable access control games), personal cyber risk management planning, security and privacy in wearable embedded systems, privacy-preserving e-healthcare system and fall-back authentication mechanism.
*** I'm always looking for good PhD students and Postdoctoral Researchers to work on "usable security and privacy" research, especially "designing secure systems that people can use" ***
My research has been featured in numerous media outlets including ABC News Radio, SYN Radio 90.7 FM, Sky News Australia, Daily show on Radio 2SER 107.3, Choice - Australia, Guardian labs (sponsored by Intel Corporation, Australia) and UNSW TV.
"ABC Breakfast program" with Joseph Thomsen on ABC Radio: I was involved in a live discussion on "The risky things that we post on social media, that we may not have realised is risky". "ABC Breakfast" is typically a free-flowing, conversational program on ABC Goulburn Murray Radio. | 25 September 2017
ABC News: I spoke to ABC News (Alle McMahon) about risks of posting photos on social media, (& not risks you'd assume). | 22 September 2017
Daily show on Radio 2SER 107.3: I was involved in a discussion on "The Petya ransomware attack". "Daily Show" is typically a free-flowing, conversational program on Radio 2SER 107.3. | 29 June 2017
"ABC NEWS Afternoons" with Mandy Presland on ABC NEWS Radio: I was involved in a discussion on "Phishing Scams". "ABC NEWS Afternoons" is typically a free-flowing, conversational program on ABC NEWS Radio. | 19 June 2017.
Panorama show on SYN Radio 90.7 FM: I was involved in a discussion on "WannaCry ransomware (cyber) attack and what we can do about it in Australia". "Panorama" is SYN's flagship news and current affairs show, covering news, politics and culture. | 15 May 2017.
Daily show on Radio 2SER 107.3: I was involved in a discussion on "How Do The New Data Notification Laws Affect You?". "Daily Show" is typically a free-conversational program on Radio 2SER 107.3. | 16 February 2017.
The Sydney Morning Herald and UNSW TV: In the age of phishing and hacking, here are three steps to help you become a cybersecurity expert, Dr Nalin Asanka Gamagedara Arachchilage. | 28 December 2016.
"Cyber in Business" - Addressing the cyber skills shortage: I was involved in a panel discussion on addressing the cyber skills shortage in Australia. "Cyber in Business conference" in Melbourne, Australia. | 09 December 2016.
"Sunday Live" with Janine Perrett on Sky News: I was involved in a panel discussion (Sky News studio in Parliament House in Canberra) on cyber security in Australia. "Sunday Live" is typically a free-flowing, conversational program on Sky News. | 30 October 2016.
Insurance tracker apps - good for the consumer?: I was interviewed by Choice, Australia. CHOICE is the consumer advocate that provides Australians with information and advice, free from commercial bias. | 6 October 2016.
How safe are you from hackers?: I was interviewed by Guardian labs, Australia. The article was sponsored by Intel Corporation, Australia. | 29 September 2016.
eLifeMagazine: I was interviewed by eLife Magazine at the University of Bedfordshire, UK, 2011.
I have been an invited speaker for conferences both nationally and internationally.
Department of Human Services (DHS): I am an invited speaker (represented ACCS/SEIT at UNSW Canberra) for Technology Innovation Directorate - CTO Group at the Department of Human Services, where I talked about "Human Factors in Cyber Security" | Friday, 8 September 2017
Office of the Government CISO in Australia: I was invited to deliver a talk (represented ACCS and SEIT at UNSW Canberra) about "Human Factors in Cyber Security: A gamified approach for cyber security education" to an industry audience at the Office of the Government Chief Information Security Officer (GCISO), Sydney. The audience consisted of representatives from major industries in Australia including Data 61. | Thursday, 17 August 2017.
Australian Computer Society (ACS) Annual Conference: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the ACS Annual Conference, where I talked about "Human Factors in Cyber Security" | Tuesday, 15 August 2017.
CSO LiveWebinar | Email Fraud: Why you can't trust your emails anymore: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the CSO Live Webinar, sponsored by Proofpoint in Australia, where I talked about "Business Email Compromise" | Tuesday, 13 June 2017.
ERM for Government 2017 in Australia: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the 11th annual ERM for Government 2017 in Australia, where I talked about "Leveraging Cyber Enterprise Risk Management to Mitigate Risk of Cyber-Attacks" | Wednesday, 26 April 2017.
Cyber in Business Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at the University Leaders Panel | 1 December 2016.
GovInnovate: Digital Government Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "Human factors in cyber security and thwarting phishing attacks" | 14 - 16 November 2016.
Government Digital Transformation Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "Human factors in cyber security" | 24 - 25 October 2016.
Australian Information Security Association (AISA) National Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "National cyber security education" | 18 - 20 October 2016.
Australasian Simulation Congress 2016, Australia: I was a panelist (represented ACCS and SEIT at UNSW Canberra) at "It's Not Just Entertainment, The Many Faces of Games in Society" | 29 September 2016.
Sydney Financial Information and Technology Summit, Australia: I was a panelist (represented ACCS and SEIT at UNSW Canberra) at "Getting ahead of Cybercrime" | 17 August 2016.
ANZ bank, Australia: I was invited to deliver a talk (represented ACCS and SEIT at UNSW Canberra) about "Serious Games for Cyber Security Education" to an industry audience at ANZ bank, Melbourne. The audience consisted of representatives from major industries in Australia including Telstra, NBN, NAB, Auspost, Sportsbet, Medibank and MCG. | Monday, 11 January 2016.
ERM for Government 2016 in Australia: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the 10th annual ERM for Government 2016 in Australia, where I talked about "Increasing awareness and education around cyber security" | Friday, 29 April 2016.
The British Council, Sri Lanka: I am an invited speaker (followed by an interview) at the Education UK unit at the British Council, Sri Lanka, where I talked about "How to conduct research in the UK" (over 200 participants), 2011.
When emailing, I use and encourage the use of GPG, so called GnuPG (equivalent to PGP). I prefer to receive encrypted email messages. Please use the key (Expires: 30 August 2020) below if you wish to send me encrypted email messages.