I am a Professor of Cyber Security at the University of Southampton, where I hold a Royal Academy of Engineering Research Chair and lead the University's activities on cyber security. Specifically, I am the Head of the Cyber Security Group (CSG), the Director of the NCSC/EPSRC Academic Centre of Excellence for Cyber Security Research (ACE), and have been the Founding Director of the Cyber Security Academy (CSA), a partnership between Academia, Industry and Government to advance cyber security through research, innovation, education and training.
A computer scientist by training, I have since acquired strong expertise by research on cyber security, including social and human factors, cyber-crime, data privacy (including anonymity and anonymisation), internet-of-things, trust, provenance, blockchain, internet computing, foundations of computation and AI, and developed large networks of collaborators in academia, industry and government. I authored about 250 publications, reaching an h-index of 38 and around 3800 citations (source PoP at the time of writing).
I am enthusiastic about spreading best practice: I developed cyber security education and outreach programmes for undergraduates, graduates and industry, and collaborate with industry and public bodies internationally, including Cabinet Office, FCO, DBEIS, NCA, ICO, NAO, FCA and Bank of England. I worked with ministers in the UK, Italy, Malta and West Bengal, and with government bodies such as NCSC/GCHQ, DSTL, the Regional Organised Crime Units (ROCUs) and Hampshire Police. I am the Chief Scientific Officer for the Italian Ministry of Economy and Finance (MEF).
My activity has focussed on cyber security since 2001. I worked on (idealised) programming languages for mobility of ambients over untrusted networks (444 citations in total at the time of writing), on trust management (122 citations), and was among the originators of the notion of 'trust structures' (257 citations), a novel approach to distributed trust management. I then focussed on 'predictive' trust-and-reputation models. These are models of behaviour aimed at assessing the trustworthiness of computational agents, encompassing machine-learning and decision-making probabilistic techniques (189 citations).
More recent work focussed on anonymity and privacy, their interactions with trust and attackers' belief systems, with particular focus on understanding and analysing collaboration mechanisms in anonymity networks (47 citations). I am one of the originators of the information-theoretic measure of vulnerability with beliefs (34 citations). This quantifies data leakages in the presence of uncertain external information, which currently is one of the major threats to privacy in open networks such as the Internet.
Recently, I have been focussing on distributed ledger technologies (DLT), aka blockchains, and their applications to distributed and cloud computing, and to the Internet-of-Things (IoT). DLT provides a first-time concept of decentralised digitally-enforceable contracts which do not rely on a trusted third-party, making the realisation of fully decentralised computations in trustless scenarios possible. This makes blockchains suited to a broad area of problems, including IoT and Cloud computing, and to application domains as diverse as smart energy and supply chain security. Decentralised computation, democratic control of data and immutability of records pave the way for blockchains to be the next-generation infrastructure for building reliable aggregations of IT components. This was exemplified very neatly by the first-ever blockchain-based solution to security and trust weaknesses in cloud computing, which I conceived to bring innovative solutions to the Police in the UK, MEF in Italy and Inland Revenue in Malta, and which is now drawing attention from other public administrations and applications worldwide.
I have inspired and contributed to the development of the MSc in Cyber Security and the MEng in Computer Science with Cyber Security. Over the past few years, I have driven the development of a comprehensive programme of professional cyber training for industry. In this context, I have worked on innovative 'gamification' techniques to deliver complex cyber concepts in a non-technical manner.