Dr Nalin Asanka Gamagedara Arachchilage

Lecturer in Cyber Security
School of Engineering and Information Technology
UNSW Canberra Cyber

LOCATION

Building 26 Room 116
Australian Centre for Cyber Security (ACCS)
The University of New South Wales
Australian Defence Force Academy
PO Box 7916, Canberra BC ACT 2610
AUSTRALIA


My name is Nalin Asanka Gamagedara Arachchilage (too long, isn't it? I admit that this can be confusing sometimes). I am a Lecturer in Cyber Security in the Australian Centre for Cyber Security (ACCS) and the School of Engineering and Information Technology (SEIT) at the University of New South Wales (UNSW Canberra at the Australian Defence Force Academy), where I lead the OzUSec (Australian Usable Security) research group. Apart from my teaching, I also research in the area of usable security and privacy (i.e. designing secure and privacy-preserving systems that people can use) and supervise postdoctoral researchers and postgraduate students (PhD/MPhil), with refereed publications and theses.

I hold a PhD in Usable Security, entitled “Security Awareness of Computer Users: A Game Based Learning Approach”, from Brunel University London, UK (External examiner: Professor David Benyon). My research focused on developing a game design framework to protect computer users against "phishing attacks". I obtained a BSc (MIS) Hons from University College Dublin, National University of Ireland, and completed a master's degree, MSc in Information Management and Security, at the University of Bedfordshire, UK. I am a Sun Certified Java Programmer (SCJP), certified by Sun Microsystems (now Oracle), USA. I am also a professional member of the Association for Computing Machinery (MACM), the Institute of Electrical and Electronics Engineers (MIEEE) and the Australian Computer Society (MACS).

Prior to undertaking my current position at the University of New South Wales (UNSW at ADFA), I worked as a Research Fellow in Usable Security and Privacy in the Laboratory of Education and Research in Software Security Engineering (LERSSE) at the University of British Columbia (UBC), Canada. Before moving to Vancouver, I was a Postdoctoral Researcher in Systems Security Engineering in the Cyber Security Center, Department of Computer Science, at Oxford University.

My main research interests are Usable Security and Privacy, Cyber Security, Security Economics, Trust, Cybercrime, Human Computer Interaction, Serious Games for Cyber Security Education and e-Learning Security. My research is inter-disciplinary in nature, and I have published numerous articles at reputed international conferences and in journals. I have also presented my research at Facebook Headquarters, Menlo Park, California, USA, and collaborated with HP in a research capacity at HP Labs, Bristol, UK. I have been an invited speaker at conferences both nationally and internationally. I have served as demos and works-in-progress chair, publicity chair, programme committee member and technical/web-master for a number of reputed international conferences, and I regularly review articles (in the area of usable security and privacy) for reputed international conferences and high-impact-factor journals.

I have extensive teaching experience across all levels, in relatively small classes (cohort size: 20) as well as large ones (cohort size over 250). I currently work on developing, updating, managing and delivering the curriculum for a number of courses (ZEIT3120 Programming for Security, ZEIT8036 Humans and Security and ZEIT8037 Cyber Security Risk Management) at UNSW. I am the course convenor for the Chief of Army Honours students and convened ZEIT8029 Network and Mobile Device Forensics in 2016.

I have held a number of academic positions in Computer Science at Brunel University, the University of Bedfordshire, Westminster University and Central Bedfordshire College in the UK. Before moving to UNSW Canberra, I briefly worked as a Sessional Lecturer in Computer Science at Deakin University, Victoria University and Central Queensland University (CQUniversity) in Melbourne, Australia. Apart from my academic career, I have also worked in a number of software engineering roles, ranging from Programmer and Software Engineer to IT Manager, where I gained hands-on experience and skills in various technologies such as Java, Java EE, Java ME, PHP, HTML, XML, relational DBMSs, Oracle, MySQL, UML, Linux (Ubuntu), the Android SDK, NetBeans and Eclipse. I have also completed a professional Linux Network Administration training program.

Research Synopsis

My primary research interests are at the intersection of computer security, human computer interaction (HCI) and on-line privacy, in an area known as usable security and privacy. Many aspects of computer security synthesize technical and human factors. If a highly secure system is unusable, users will try to bypass it or move entirely to less secure but more usable systems. Problems with usability contribute to many high-profile security failures in today's technology-filled world. Nevertheless, usable security is not well aligned with traditional usability, for several reasons. First, security is very often not the primary task of the user. In most cases, security is not the purpose of using a computer: people use computers to shop, socialize, communicate, and be educated and entertained. Many applications handle security issues through security alerts that interrupt the user's primary task, so users treat security as a secondary task. Whenever security is secondary, it competes with the usability of the primary task: users find it distracting and would rather ignore, circumvent or even defeat it. Second, securing information is about understanding risks and threats. Unlike traditional research in HCI, (usable) security and privacy focuses on the context of an adversary whose goal is to manipulate the user rather than to break into the system directly. This poses a great challenge for researchers, who need to model and reason about how adversaries (i.e. the bad guys) will make their attacks succeed. It is, of course, important to understand how users' behaviours can be leveraged to protect them from cyber attacks. Yet such communication with the user is most often unwelcome in the HCI community, and increasing unwelcome interaction is not a goal of usable security and privacy design.
Third, discrete technical problems are all well understood under the umbrella of on-line security and privacy (e.g. attacks such as phishing, malware, spyware, social engineering, and Distributed Denial-of-Service or DDoS attacks). A broader concept encompassing both security and usability is therefore required for usable security. My goal is to investigate how users manage their security and privacy in existing systems, in order to design new systems that achieve better privacy and security by taking end users into account.

Future Research

In future work, I plan to apply my research expertise and skills to applications that are likely to have high social value and impact. In particular, my expertise is in user requirements analysis, data collection, data analysis, functional interface design and development, experimental design, and information visualization. I will continue to apply this expertise to the many real-world research problems on the human aspects of computer security and privacy. My immediate research goal is to continue my work on improving security APIs, serious games for cyber security education (e.g. designing games to thwart phishing attacks, usable access control games), personal cyber risk management planning, security and privacy in wearable embedded systems, privacy-preserving e-healthcare systems and fall-back authentication mechanisms.

*** "I'm always looking for good PhD students and Postdoctoral Researchers to work on "usable security and privacy" research, especially "designing secure systems that people can use" ***

Media Contributions

My research has been featured in numerous media outlets including ABC News Radio, SYN Radio 90.7 FM, Sky News Australia, Daily show on Radio 2SER 107.3, Choice - Australia, Guardian labs (sponsored by Intel Corporation, Australia) and UNSW TV.

"ABC Breakfast program" with Joseph Thomsen on ABC Radio: I was involved in a live discussion on "The risky things that we post on social media, that we may not have realised is risky". "ABC Breakfast" is typically a free-flowing, conversational program on ABC Goulburn Murray Radio. | 25 September 2017

ABC News: I spoke to ABC News (Alle McMahon) about the risks of posting photos on social media (and not the risks you'd assume). | 22 September 2017

Daily show on Radio 2SER 107.3: I was involved in a discussion on "The Petya ransomware attack". "Daily Show" is typically a free-flowing, conversational program on Radio 2SER 107.3. | 29 June 2017

"ABC NEWS Afternoons" with Mandy Presland on ABC NEWS Radio: I was involved in a discussion on "Phishing Scams". "ABC NEWS Afternoons" is typically a free-flowing, conversational program on ABC NEWS Radio. | 19 June 2017.

Panorama show on SYN Radio 90.7 FM: I was involved in a discussion on "WannaCry ransomware (cyber) attack and what we can do about it in Australia". "Panorama" is SYN's flagship news and current affairs show, covering news, politics and culture. | 15 May 2017.

Daily show on Radio 2SER 107.3: I was involved in a discussion on "How Do The New Data Notification Laws Affect You?". "Daily Show" is typically a free-flowing, conversational program on Radio 2SER 107.3. | 16 February 2017.

The Sydney Morning Herald and UNSW TV: In the age of phishing and hacking, here are three steps to help you become a cybersecurity expert, Dr Nalin Asanka Gamagedara Arachchilage. | 28 December 2016.

"Cyber in Business" - Addressing the cyber skills shortage: I was involved in a panel discussion on addressing the cyber skills shortage in Australia. "Cyber in Business conference" in Melbourne, Australia. | 09 December 2016.

"Sunday Live" with Janine Perrett on Sky News: I was involved in a panel discussion (Sky News studio in Parliament House in Canberra) on cyber security in Australia. "Sunday Live" is typically a free-flowing, conversational program on Sky News. | 30 October 2016.

Insurance tracker apps - good for the consumer?: I was interviewed by Choice, Australia. CHOICE is the consumer advocate that provides Australians with information and advice, free from commercial bias. | 6 October 2016.

How safe are you from hackers?: I was interviewed by Guardian labs, Australia. The article was sponsored by Intel Corporation, Australia. | 29 September 2016.

eLifeMagazine: I was interviewed by eLife Magazine at the University of Bedfordshire, UK, 2011.

Invited Talks

I have been an invited speaker for conferences both nationally and internationally. 

Department of Human Services (DHS): I was an invited speaker (representing ACCS/SEIT at UNSW Canberra) for the Technology Innovation Directorate - CTO Group at the Department of Human Services, where I talked about "Human Factors in Cyber Security". | Friday, 8 September 2017

Office of the Government CISO in Australia: I was invited to deliver a talk (representing ACCS and SEIT at UNSW Canberra) about "Human Factors in Cyber Security: A gamified approach for cyber security education" to an industry audience at the Office of the Government Chief Information Security Officer (GCISO), Sydney. The audience consisted of representatives from major industries in Australia including Data 61. | Thursday, 17 August 2017.

Australian Computer Society (ACS) Annual Conference: I was an invited speaker (representing ACCS and SEIT at UNSW Canberra) at the ACS Annual Conference, where I talked about "Human Factors in Cyber Security". | Tuesday, 15 August 2017.

CSO Live Webinar | Email Fraud: Why you can't trust your emails anymore: I was an invited speaker (representing ACCS and SEIT at UNSW Canberra) for the CSO Live Webinar, sponsored by Proofpoint in Australia, where I talked about "Business Email Compromise". | Tuesday, 13 June 2017.

ERM for Government 2017 in Australia: I was an invited speaker (representing ACCS and SEIT at UNSW Canberra) at the 11th annual ERM for Government 2017 in Australia, where I talked about “Leveraging Cyber Enterprise Risk Management to Mitigate Risk of Cyber-Attacks”. | Wednesday, 26 April 2017.

Cyber in Business Conference, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at the University Leaders Panel. | 1 December 2016.

GovInnovate: Digital Government Conference, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at “Human factors in cyber security and thwarting phishing attacks”. | 14 - 16 November 2016.

Government Digital Transformation Conference, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at “Human factors in cyber security”. | 24 - 25 October 2016.

Australian Information Security Association (AISA) National Conference, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at “National cyber security education”. | 18 - 20 October 2016.

Australasian Simulation Congress 2016, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at “It's Not Just Entertainment, The Many Faces of Games in Society”. | 29 September 2016.

Sydney Financial Information and Technology Summit, Australia: I was a panelist (representing ACCS and SEIT at UNSW Canberra) at “Getting ahead of Cybercrime”. | 17 August 2016.

ANZ bank, Australia: I was invited to deliver a talk (representing ACCS and SEIT at UNSW Canberra) about “Serious Games for Cyber Security Education” to an industry audience at ANZ bank, Melbourne. The audience consisted of representatives from major industries in Australia including Telstra, NBN, NAB, Auspost, Sportsbet, Medibank and MCG. | Monday, 11 January 2016.

ERM for Government 2016 in Australia: I was an invited speaker (representing ACCS and SEIT at UNSW Canberra) at the 10th annual ERM for Government 2016 in Australia, where I talked about “Increasing awareness and education around cyber security”. | Friday, 29 April 2016.

The British Council, Sri Lanka: I was an invited speaker (followed by an interview) at the Education UK unit at the British Council, Sri Lanka, where I talked about “How to conduct research in the UK” (over 200 participants), 2011.

Emailing me

When emailing me, please note that I use and encourage the use of GPG (GnuPG, a free implementation compatible with PGP). I prefer to receive encrypted email messages. Please use the key (expires: 30 August 2020) with the ID and fingerprint below if you wish to send me encrypted email messages.

PGP Key ID: 0B6EE872
Fingerprint: B2D3 FB00 4E06 EE08 29CD  0927 C663 226E 0B6E E872
 

Books

Gamagedara Arachchilage NA, 2016, Serious Games for Cyber Security Education, LAMBERT Academic Publishing, Germany

Crane S; Reinecke P; Anderson G; Arapinis M; Baldwin A; Collinson M; Arachchilage NAG; Gill M; Kounga G; Kehlmann D, 2015, The Trust-Domains Guide: A Guide to Identifying, Modelling, and Establishing Trust Domains, HP Labs, Bristol, UK

Journal articles

Gupta BB; Arachchilage NAG; Psannis KE, 2018, 'Defending against phishing attacks: taxonomy of methods, current issues and future directions.', Telecommunication Systems, vol. 67, pp. 247 - 267

Gupta BB; Arachchilage NAG; Psannis KE, 2017, 'Defending against Phishing Attacks: Taxonomy of Methods, Current Issues and Future Directions', Telecommunication Systems

Hameed MA; Arachchilage NAG, 2017, 'A Conceptual Model for the Organisational Adoption of Information System Security Innovations', ArXiv, https://arxiv.org/abs/1704.03867

Gupta BB; Agrawal DP; Yamaguchi S; Arachchilage NAG; Veluru S, 2017, 'Editorial security, privacy, and forensics in the critical infrastructure: advances and future directions', Annales des Telecommunications/Annals of Telecommunications, vol. 72, pp. 513 - 515, 10.1007/s12243-017-0607-2

Arachchilage NAG; Love S; Beznosov K, 2016, 'Phishing threat avoidance behaviour: An empirical investigation', Computers in Human Behavior, vol. 60, pp. 185 - 197, 10.1016/j.chb.2016.02.065

Senarath A; Arachchilage NAG; Gupta BB, 2016, 'Security Strength Indicator in Fallback Authentication: Nudging Users for Better Answers in Secret Questions', International Journal for Infonomics, vol. 9, pp. 1228 - 1232

Tarhini A; Arachchilage NAG; Masa'deh R; Abbasi MS, 2015, 'A Critical Review of Theories and Models of Technology Adoption and Acceptance in Information System Research', International Journal of Technology Diffusion (IJTD), vol. 6, 10.4018/IJTD.2015100104

Arachchilage NAG; Tarhini A; Love S, 2015, 'Designing a mobile game to thwarts malicious IT threats: A phishing threat avoidance perspective', International Journal for Infonomics (IJI), vol. 8

Arachchilage NAG; Love S, 2014, 'Security awareness of computer users: A phishing threat avoidance perspective', Computers in Human Behavior, vol. 38, pp. 304 - 312, 10.1016/j.chb.2014.05.046

Arachchilage NAG; Lauria S; Love S, 2013, 'Twitter Controls the Household Heating System', International Journal of Sustainable Energy, vol. 2

Arachchilage NAG; Namiluko C; Martin A, 2013, 'Developing a Trust Domain Taxonomy for Securely Sharing Information Among Others', International Journal for Information Security Research (IJISR), vol. 3

Arachchilage NAG; Love S; Maple C, 2013, 'Can a mobile game teach computer users to thwart phishing attacks?', International Journal for Infonomics (IJI), vol. 6

Arachchilage NAG; Love S, 2013, 'A game design framework for avoiding phishing attacks', Computers in Human Behavior, vol. 29, pp. 706 - 714, 10.1016/j.chb.2012.12.018

Gamagedara Arachchilage NA, 2013, 'Gaming for Security', ITNOW, vol. 55, pp. 32 - 33, 10.1093/itnow/bws139

Arachchilage NAG; Love S; Scott M, 2012, 'Designing a Mobile Game to Teach Conceptual Knowledge of Avoiding Phishing Attacks', International Journal for e-Learning Security, vol. 2, pp. 127 - 132

Arachchilage NAG; Cole M, 2011, 'Designing a Mobile Game for Home Computer Users to Protect Against Phishing Attacks', International Journal for e-Learning Security (IJeLS), vol. 1

Conference Papers

Senarath A; Arachchilage NAG; Slay J, 2017, 'Designing Privacy for You : A User Centric Approach For Privacy', in Designing Privacy for You : A User Centric Approach For Privacy, Springer, Vancouver, Canada, presented at 19th International Conference on Human-Computer Interaction (HCII), Vancouver, Canada, 09 - 14 July 2017

Wijayarathna C; Arachchilage NAG; Slay J, 2017, 'A generic cognitive dimensions questionnaire to evaluate the usability of security APIs', in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), pp. 160 - 173, 10.1007/978-3-319-58460-7_11

Senarath A; Arachchilage NAG; Slay J, 2017, 'Designing privacy for you: A practical approach for user-centric privacy', in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), pp. 739 - 752, 10.1007/978-3-319-58460-7_50

Micallef N; Arachchilage NAG, 2017, 'A Gamified Approach to Improve Users’ Memorability of Fallback Authentication', in A Gamified Approach to Improve Users’ Memorability of Fallback Authentication, The 13th Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, presented at The 13th Symposium on Usable Privacy and Security (SOUPS), Santa Clara, CA, 12 - 14 July 2017, https://www.usenix.org/system/files/conference/soups2017/way2017-micallef.pdf

Wijayarathna C; Arachchilage NAG; Slay J, 2017, 'Using Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs', in PPIG, 28th Annual Workshop of the Psychology of Programming Interest Group, Delft, Netherlands, presented at 28th Annual Workshop of the Psychology of Programming Interest Group, Delft, Netherlands, 01 - 03 July 2017

Misra G; Arachchilage NAG; Berkovsky S, 2017, 'Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks', in Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks, International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017), Adelaide, Australia, presented at International Symposium on Human Aspects of Information Security & Assurance (HAISA 2017), Adelaide, Australia, 28 - 30 November 2017

Micallef N; Arachchilage NAG, 2017, 'A Serious Game Design: Nudging Users' Memorability of Security Questions', in Australasian Conference on Information Systems (ACIS 2017), Australasian Conference on Information Systems (ACIS 2017), Hobart, Tasmania, presented at Australasian Conference on Information Systems (ACIS 2017), Hobart, Tasmania, 04 - 06 December 2017

Micallef N; Arachchilage NAG, 2017, 'A Model for Enhancing Human Behaviour with Security Questions: A Theoretical Perspective', in Australasian Conference on Information Systems (ACIS 2017), Australasian Conference on Information Systems (ACIS 2017), Hobart, Tasmania, presented at Australasian Conference on Information Systems (ACIS 2017), Hobart, Tasmania, 04 - 06 December 2017

Micallef N; Arachchilage NAG, 2017, 'Involving Users in the Design of a Serious Game for Security Questions Education', in Proceedings of the Eleventh International Symposium on Human Aspects of Information Security & Assurance, HAISA 2017, Eleventh International Symposium on Human Aspects of Information Security & Assurance, HAISA 2017, Adelaide, Australia, presented at Eleventh International Symposium on Human Aspects of Information Security & Assurance, HAISA 2017, Adelaide, Australia, 28 - 30 November 2017

Senarath A; Arachchilage NAG; Slay J, (ed.), 2017, 'Designing Privacy for You: A Practical Approach for User-Centric Privacy - Practical Approach for User-Centric Privacy.', in HCI (22), Springer, pp. 739 - 752, presented at Human Aspects of Information Security, Privacy and Trust - 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada, July 9-14, 2017, Proceedings, https://doi.org/10.1007/978-3-319-58460-7

Misra G; Arachchilage NAG; Berkovsky S, (eds.), 2017, 'Phish Phinder: A Game Design Approach to Enhance User Confidence in Mitigating Phishing Attacks.', in HAISA, University of Plymouth, pp. 41 - 51, presented at Eleventh International Symposium on Human Aspects of Information Security & Assurance, HAISA 2017, Adelaide, Australia, November 28-30, 2017, Proceedings., http://www.informatik.uni-trier.de/~ley/db/conf/haisa/haisa2017.html

Wijayarathna C; Arachchilage NAG; Slay J, (ed.), 2017, 'A Generic Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs.', in HCI (22), Springer, pp. 160 - 173, presented at Human Aspects of Information Security, Privacy and Trust - 5th International Conference, HAS 2017, Held as Part of HCI International 2017, Vancouver, BC, Canada, July 9-14, 2017, Proceedings, https://doi.org/10.1007/978-3-319-58460-7

Micallef N; Arachchilage NAG, 2017, 'Changing users' security behaviour towards security questions: A game based learning approach', in 2017 MILITARY COMMUNICATIONS AND INFORMATION SYSTEMS CONFERENCE (MILCIS), IEEE, Canberra, AUSTRALIA, presented at Military Communications and Information Systems Conference (MilCIS), Canberra, AUSTRALIA, 14 - 16 November 2017

Hameed MA; Arachchilage NAG, 2016, 'A Model for the Adoption Process of Information System Security Innovations in Organisations: A Theoretical Perspective', in ACIS, 27th Australasian Conference on Information Systems, University of Wollongong, Australia, presented at 27th Australasian Conference on Information Systems, University of Wollongong, Australia, 05 - 07 December 2016, https://arxiv.org/pdf/1609.07911v1.pdf

Cherapau I; Muslukhov I; Arachchilage NAG; Beznosov K, 2015, 'On the Impact of Touch ID on iPhone Passcodes', in On the Impact of Touch ID on iPhone Passcodes, USENIX Association, Ottawa, Canada., presented at 11th Symposium on Usability, Privacy, and Security (SOUPS 2015), Ottawa, Canada., 22 - 24 July 2015, https://www.usenix.org/system/files/conference/soups2015/soups15-paper-cherapau.pdf

Scott MJ; Ghinea G; Arachchilage NAG, 2014, 'Assessing the role of conceptual knowledge in an anti-phishing educational game', in Proceedings - IEEE 14th International Conference on Advanced Learning Technologies, ICALT 2014, pp. 218, 10.1109/ICALT.2014.70

Arachchilage NAG; Martin AP, (eds.), 2014, 'A Trust Domains Taxonomy for Securely Sharing Information: A Preliminary Investigation.', in International Symposium on Human Aspects of Information Security & Assurance, University of Plymouth, UK, Plymouth, UK, pp. 53 - 68, presented at HAISA, Plymouth, UK, 19 - 21 July 2014, http://www.informatik.uni-trier.de/~ley/db/conf/haisa/haisa2014.html

Arachchilage NAG; Namiluko C; Martin A, 2013, 'A taxonomy for securely sharing information among others in a trust domain', in 2013 8th International Conference for Internet Technology and Secured Transactions, ICITST 2013, pp. 296 - 304, 10.1109/ICITST.2013.6750210

Arachchilage NAG; Cole M, 2011, 'Design a mobile game for home computer users to prevent from “phishing attacks”', in Information Society (i-Society), 2011 International Conference on, IEEE, pp. 485 - 489

Arachchilage NAG; Cole M, 2011, 'Design a mobile game for home computer users to prevent from "phishing attacks"', in International Conference on Information Society, i-Society 2011, pp. 485 - 489

Arachchilage NAG; Hameed MA, 'Integrating self-efficacy into a gamified approach to thwart phishing attacks', in Integrating self-efficacy into a gamified approach to thwart phishing attacks

Micallef N; Arachchilage NAG, 'A Gamified Approach to Improve Users' Memorability of Fall-back Authentication', in Symposium on Usable Privacy and Security SOUPS 2017, July, 2017, Santa Clara, California

Senarath AR; Arachchilage NAG, 'Understanding Organizational Approach towards End User Privacy', in Australasian Conference on Information Systems, 2017, Hobart, Australia

Micallef N; Arachchilage NAG, 'Involving Users in the Design of a Serious Game for Security Questions Education', in Involving Users in the Design of a Serious Game for Security Questions Education

Conference Posters

Arachchilage NAG, 2015, 'User-Centred Security Education: A Game Design to Thwart Phishing Attacks', in User-Centred Security Education: A Game Design to Thwart Phishing Attacks, UNSW Canberra, The Australian Defence Force Academy, Canberra, Australia, presented at International Conference: Redefining the R&D Needs for Australian Cyber Security, The Australian Defence Force Academy, Canberra, Australia, 16 - 16 November 2015

Arachchilage NAG; Flechais I; Beznosov K, 2014, 'A Game Storyboard Design for Avoiding Phishing Attacks', in Proceedings of the 11th Symposium On Usable Privacy and Security (SOUPS), CMU, USA, Facebook Headquarters, Menlo Park, California, USA, presented at 10th Symposium on Usability, Privacy, and Security (SOUPS 2014), Facebook Headquarters, Menlo Park, California, USA, 09 - 12 July 2014, http://cups.cs.cmu.edu/soups/2014/posters/soups2014_posters-paper39.pdf

Theses / Dissertations

Arachchilage NAG, 2012, Security awareness of computer users: A game based learning approach, PhD thesis, Brunel University, School of Information Systems, Computing and Mathematics


Research Projects
A number of available projects (not an exhaustive list) in the area of usable security and privacy are listed here:

Improving usability of security APIs: Software companies are placing more of the burden on API (Application Programming Interface) developers to create usable security mechanisms, as a result of continuing research into encouraging secure user behavior. Let's assume that API developers create an API which is read-only, so that the application developer can only view information and cannot alter the API's data under any circumstances. For example, a stock market API allows developers to request data (i.e. the value) on the current stock. However, what if the application developer could insert new data or change any of the records? It is vital that security APIs (e.g. TLS, SHA or HTTPS) are designed with usability in mind, which enhances the overall programming user experience. On the other hand, programmers who use APIs are in most cases not security experts. They are task oriented, which sometimes negatively affects the security of the applications they develop using APIs. The software development style can affect the security of the applications developed by programmers in many ways. Therefore, it is worth designing and developing security APIs with usability in mind so that non-security experts can also utilize them within their applications (e.g. TLS, SHA or HTTPS).

However, there is currently no systematic approach available to evaluate the usability of security APIs. While numerous definitions of the term usability have been suggested, the ISO 9241-11 usability standard defines it as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use". Effectiveness is the user's ability to complete tasks using the system and the quality of the output. Efficiency is the level of resources consumed by the system to perform the particular tasks. Satisfaction is the user's subjective reaction to performing given tasks with the system, or what the user thinks about the system's ease of use. In general, it is not an easy task to define the usability of a particular system without exactly knowing its intended users, the tasks performed, and the characteristics of the physical, social and organizational environments. Programmers make use of security APIs created by API developers during their software development tasks within the organization. However, in most cases they lack security expertise. Researchers and industry experts have stressed the mantra of "The User is the Enemy" in computer systems security. On the other hand, security API research has treated the programmer as the enemy in the banking industry, mainly because programmers concentrate solely on protecting the secrets (e.g. encryption keys) of the APIs. However, there is a lack of research investigating how programmers make use of security APIs in the software development process. It is imperative to increase the security of the software applications developed as well as of the libraries utilized in the development process. Therefore, this research attempts to develop a systematic approach to evaluate the usability of security APIs.

Improving the usability of security testing tools: In order to protect user privacy in software systems, various authentication and authorization protocols have been introduced. Despite the increased adoption of such protocols, there is so far little work investigating the usability of security testing tools. Usability is considered mostly for the protocol itself, but not for the security testing tools that are used to ensure a system is safe enough to be publicly exposed. Existing security testing tools exhibit common usability issues. In this research, various security testing tools used for testing authentication and authorization protocols would be considered, in order to identify common design issues that have caused usability problems. Feedback will be taken from users during the experimental studies, and improvements suggested to fix the usability problems in security testing tools. Furthermore, it is expected that the tools will be improved by fixing these issues and evaluated again with users to validate their suggestions. Based on the findings, a set of design guidelines will be introduced for developers to adhere to, in order to enhance the usability and security of testing tools.

A bespoke fall-back authentication mechanism as an extra layer of security: Republican vice presidential candidate Sarah Palin's Yahoo! email account was "hijacked" in the run-up to the 2008 US election. The "hacker" simply used the password reset prompt and answered her security questions. As reported, the Palin hack did not require much technical skill. Instead, the hacker merely used social engineering techniques to reset Palin's password using her birth-date, ZIP code and information about where she met her spouse. The answers to these questions were easily accessible with a quick Google search. The simplicity of the attack, of course, does not lessen the impact of the crime and makes it no less illegal either. However, when setting up a user account, almost all the major companies (e.g., insurance, banks, health care industries, hospitals, post offices, educational institutions, Apple, eBay, etc.) still ask their clients to set up a security question.

Security questions (a.k.a., "personal knowledge questions", "secret questions" or "challenge questions" among other names) have been designed to provide an extra layer of security and to verify the identity of the person requesting access to her account, for example as a backup mechanism to reclaim a lost eBay account (Fig. 1.). On-line service providers such as eBay and banks use security questions to protect their clients against suspicious logins. Despite the pervasiveness of security questions among many on-line services, far less attention has been paid to their security and usability. Previous research has argued in their favour on the ground that security questions should be more memorable than passwords. Their arguments were based on two reasons. First, the task is cued recall instead of free recall: the presence of a security question means that retrieval of information from one's memory is assisted by the provision of cues. Second, the information being asked for is something users naturally recall rather than a secret stored explicitly for verification. However, security wise, previous studies have revealed potential weaknesses of security questions, based both on laboratory experiments and analysis and on large-scale empirical analysis of security questions deployed at Google.

Alternate email accounts are already in use by some on-line services such as Amazon to authenticate users who have forgotten their passwords, for example via a code sent to an alternate email address registered at the time of sign-up with the on-line service provider. Even if the user provided the alternate email address, this address may expire when the user changes her affiliations such as job, organisation, institution, school, or Internet Service Provider (ISP). Likewise, login information loss could occur if the user stored her password on her office computer, used her organisational email address as the backup authenticator and then lost her job. On the other hand, web-mail service providers such as Yahoo!, Google, Microsoft, and AOL cannot always ask their users to register alternate email addresses, because many of their users employ these email accounts as their primary email address and may not have another dependable email account to use as a backup authenticator. Even if their users manage to provide alternate email addresses, they are likely to forget them, as alternate email addresses are not used frequently.

The SMS based account recovery mechanism, an authentication code sent via SMS message to the mobile telephone, is the other alternative currently in use as a secondary authentication factor by some on-line services such as banks. Verifying users' credentials using a mobile phone is attractive because of mobility: mobility of the user, mobility of the device, and mobility of the service. However, this mobility itself can work against security; for example, SMS messages may fail if the user does not have access to their mobile telephone while travelling overseas. On the other hand, mobile telephones are not only prone to being stolen and lost but are also frequently shared among family and peers.

The capability to verify the user's identity when an account hijacking attempt has occurred is an integral part of a login risk analysis system. Google researchers along with academics have revealed that current security questions are neither secure nor reliable enough to be used as a backup mechanism to reclaim a lost account. Their argument was that security questions suffer from a fundamental flaw of usable security: the security questions and their answers are either somewhat secure or usable, but rarely both. They also stressed that security questions can still be useful when the risk level is considered low. To design a better extra level of security, it is worth understanding the strength of the answers users provide for security questions. This research asks how one can design and develop a bespoke fall-back authentication mechanism as an extra layer of security. Initially, we will measure the strength of answers given to security questions and then provide a set of guidelines to design an interface called the "secret question meter", based on mnemonic cues. The "secret question meter" interface provides visual feedback on the strength of answers given to security questions to nudge users towards stronger answers. The visual representation of the strength of answers to security questions is often presented as a coloured bar on screen. Our "secret question meter" interface provides suggestions to assist users in selecting strong security questions and their answers.
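As an added illustration of the "secret question meter" idea described above (example code written for this page, not the OzUSec group's own implementation), the block below scores a candidate answer, maps it to a weak/fair/strong band with a text rendering of the coloured bar, and returns mnemonic-cue style suggestions. The list of common answers, the bit thresholds and the per-word cap are all constructed assumptions; a deployed meter would calibrate them against real answer data.

```python
import math
import re
from dataclasses import dataclass, field
from typing import List

# Constructed list of frequently given answers (illustrative, not from any survey).
COMMON_ANSWERS = {
    "paris", "london", "new york", "blue", "red", "green", "john", "smith",
    "fluffy", "rex", "pizza", "football", "toyota", "ford",
}

# Assumed band thresholds, in bits of estimated guessing effort.
FAIR_BITS = 20.0
STRONG_BITS = 35.0
# Assumed cap for a single plain word: a dictionary word is bounded by the
# size of a word list, not by its character-level combinatorics.
WORD_CAP_BITS = 15.0

TOKEN_RX = re.compile(r"[A-Za-z0-9]+")
CLASSES = ((re.compile(r"[a-z]"), 26), (re.compile(r"[A-Z]"), 26), (re.compile(r"[0-9]"), 10))


@dataclass
class MeterResult:
    bits: float
    band: str          # "weak", "fair" or "strong"
    colour: str        # colour of the on-screen bar
    bar: str           # text rendering of the bar
    suggestions: List[str] = field(default_factory=list)


def normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so 'New  York' matches 'new york'."""
    return " ".join(answer.lower().split())


def token_bits(token: str) -> float:
    """Character-class combinatorics of one word, capped at WORD_CAP_BITS."""
    pool = sum(size for rx, size in CLASSES if rx.search(token))
    return min(len(token) * math.log2(pool), WORD_CAP_BITS)


def estimate_bits(answer: str) -> float:
    """Rough guessing-effort estimate: an answer on the common list is scored
    by the size of that list; otherwise the capped per-word bits are summed."""
    norm = normalise(answer)
    if not norm:
        return 0.0
    if norm in COMMON_ANSWERS:
        return math.log2(len(COMMON_ANSWERS))
    return sum(token_bits(t) for t in TOKEN_RX.findall(answer))


def band_for(bits: float) -> str:
    if bits < FAIR_BITS:
        return "weak"
    if bits < STRONG_BITS:
        return "fair"
    return "strong"


def render_bar(bits: float, width: int = 10) -> str:
    """Text stand-in for the coloured bar: fills up to the 'strong' threshold."""
    filled = min(width, round(width * min(bits, STRONG_BITS) / STRONG_BITS))
    return "[" + "#" * filled + "-" * (width - filled) + "]"


def suggestions_for(answer: str, bits: float) -> List[str]:
    """Mnemonic-cue style hints: nudge towards an answer the owner can still
    recall but that is not guessable from public information."""
    hints = []
    norm = normalise(answer)
    tokens = TOKEN_RX.findall(answer)
    if norm in COMMON_ANSWERS:
        hints.append("This is one of the most common answers; choose something specific to you.")
    if len(tokens) <= 1:
        hints.append("Combine two cues you will remember, e.g. a place and a year.")
    if len(norm) < 8:
        hints.append("Use a longer answer; a short word is quick to guess.")
    if band_for(bits) == "strong":
        hints.append("Good: long and specific. Make sure you can still recall it exactly.")
    return hints


def meter(answer: str) -> MeterResult:
    bits = estimate_bits(answer)
    band = band_for(bits)
    colour = {"weak": "red", "fair": "amber", "strong": "green"}[band]
    return MeterResult(bits, band, colour, render_bar(bits), suggestions_for(answer, bits))


if __name__ == "__main__":
    for candidate in ["Paris", "dolphin", "maple leaf", "Grandma's cottage in 1998"]:
        r = meter(candidate)
        print(f"{candidate!r:30} {r.bar} {r.band:6} ({r.bits:.1f} bits)")
        for s in r.suggestions:
            print("    -", s)
```

The scoring deliberately treats a whole dictionary word as worth at most a fixed number of bits rather than letting its letter count inflate the estimate, which is why a single word like "dolphin" stays in the red band while a two-cue answer moves up; the hint text, not the score alone, is what carries the mnemonic-cue nudge to the user.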

Conceptualizing teens' privacy in the technology-filled world: Teens and their parents predominantly assume the use of the Internet enriches their social life and academic work. On the other hand, there are aspects of the Internet that cause strain and make teens and their parents worry that these technologies are not beneficial in teens' lives. Researchers have stressed that this description of teens' on-line life is not only still valid but remarkably resonant today.

Internet technology is so pervasive today that it provides the backbone for modern living, enabling teens to chat, socialize, and be entertained and educated in the digital world. However, the complexity of teens' on-line interactions has increased dramatically due to the vast adoption of social media and mobile devices. As reported by the Pew Internet Project in 2013, eight in ten on-line teens use social media websites. Previous research has revealed that teens share far more sensitive personal information about themselves on social media websites than they did in the past. Of course, it is true that those websites are designed to encourage the sharing of information and the expansion of networks. However, as teens' reliance on social media and mobile devices through the Internet grows, so does the possibility of privacy invasion and other security breaches. When teens are on-line, they are likely to experiment in ways they typically wouldn't face-to-face, including who they talk with and what they talk about. This may increase their risk of privacy exploitation; for example, a teen sharing personal information about her/his insecurities, or problems that worry her/him, with somebody on-line who s/he doesn't know well. This may leave teens particularly vulnerable to individuals who may be seeking opportunities to take advantage of them. Teens' on-line conversations may initially appear as harmless, friendly banter but progress to sexual exploitation.

To design better privacy solutions and educational interventions, it is worth understanding how teens make privacy decisions, and characterizing the privacy risks that result from these decisions. We believe designing better privacy solutions and educational interventions can contribute to making cyberspace a safer place for every teen. Therefore, this proposal investigates how teens conceptualize privacy in the technology-filled world.

Privacy-preserving e-healthcare system: The e-healthcare system has recently been considered one of the major advancements in the healthcare industry. For example, a personally controlled electronic health record (PCEHR) system is proposed by the Australian government to make the healthcare system more agile, secure, and sustainable. Although existing e-health systems claim that only the patients can access their electronic records, healthcare professionals and system/database operators may happen to access the patients' electronic health record information. The conventional methods for preserving the privacy of healthcare systems entirely trust the system operators. Therefore, the health related information is vulnerable to being exploited, even by authorised personnel, in an immoral/unethical way. Furthermore, issues such as the sheer number of healthcare records, their sensitive nature, flexible access, and efficient user revocation remain the most vital challenges towards fine-grained, cryptographically enforced data access control.

On the other hand, the rapid growth and enormous adoption of e-healthcare systems have transformed the Web into a platform for communication and social interaction. Although e-healthcare systems have been designed and developed with a goal of sharing information, many users struggle to appropriately manage and share their information via existing information systems. Most existing e-health systems define privacy either as a private/public dichotomy or in terms of a network of friends relationship, in which all friends are treated equally and all relationships are mutual. These systems fail to support the privacy expectations that non-technical users bring from their real life experiences.

Sharing health information in on-line social networks (OSNs) has been shown to be beneficial for people with various health conditions. People can benefit from sharing their health information in OSNs in a number of ways, including taking part in social support, sharing their experiences, and self-management education. Despite these benefits, people consider their health issues to be more personal and sensitive in nature, and raise privacy concerns when it comes to sharing health information with others. Furthermore, sharing health information has been shown to be vulnerable to different attacks; for example, users' health information might be exposed to unintended disclosure, resulting in privacy invasion, data re-identification and medical data misuse. Therefore, to protect patients' privacy and create a sustainable health information-sharing environment, privacy-preserving features/functionalities could be implemented in OSNs.

From a scientific and technological point of view, there are several challenges that need to be addressed to make e-healthcare systems an enabling means to address privacy problems. Of special interest are implementations that demonstrate novel applications addressing privacy-preserving features/functionalities in e-healthcare systems.

Usable access control games: Previous research has shown that technology alone is insufficient to combat critical IT security issues. Little work in cyber security has addressed `user awareness' as a means of protecting computer users against cyber threats. The application of security policies for computer systems through mechanisms of access control is a vital as well as a varied field within computer security. The primary goal of any access control mechanism is to provide a verifiable system for ensuring the protection of information from unauthorized access as outlined in one or more security policies. I propose a game design framework, which enhances individuals' behavior through their motivation to adhere to best practices when setting up access controls. The motivation for this work is that existing security mechanisms have been partially successful in promoting security solutions; however, in many instances these controls are less than perfect, and are used instead of a more appropriate set of controls. It has recently been shown that considerable attention has been paid to researching and addressing the security issues related to individuals, commercial and civilian government organizations. Those individuals and organizations rely heavily on information processing systems to meet their customers' operational, financial, and information technology needs. Therefore, Confidentiality, Integrity, Availability (CIA) of key software systems, databases, and data networks are major concerns throughout all sectors. I argue that the corruption, unauthorized observation or disclosure, or theft of corporate resources could interrupt an organization's smooth operations and have immediate, serious financial, legal, human safety, personal privacy and public confidence impact. My approach will be firstly to develop a game design framework, parameterized by the individual's or organization's own circumstances. The developed game design framework will be informed by an empirical investigation (e.g., Human-Centered Design), and validated through interviews/questionnaire surveys with a considerable sample of representative individuals. Secondly, I will use the elements of the framework to develop a game for both the mobile and desktop platforms, which allows the individual to enhance their behavior through motivation to adhere to best practices when setting up access controls. Previous research revealed that game-based education and training can help embed learning and training in a natural environment. Therefore, my proposed work is based on the notion that not only can a computer game provide education and training, but games potentially provide a better learning and training environment, because game-based education and training motivate the user and keep attention by providing immediate feedback. Finally, adopting an iterative approach as the game develops, I will undertake user trials to evaluate both the usability of the game and its effectiveness in setting up access controls in a real world environment.