Fabio Massacci


Personal web page


All You Wanted to Know

One’s life in one line

  • Fabio Massacci (MEng’92, PhD’98 Computer Engineering, MA’95 in International Relations), married with two children, has been in Rome, Cambridge, Toulouse, Trento, and Amsterdam. He held visiting positions in Durham, Koblenz, Leuven, Marina del Rey, and Oslo.

Three standard deviations in three lines

  • He is one of the few professors who has presented in top hackers’ venues (BlackHat USA, Asia), top computer security conferences (ACM CCS, IEEE S&P), top empirical software engineering journals (ESEJ, IEEE TSE) and top risk analysis journals (Risk Analysis). For his work on security and trust in socio-technical systems he has received the Ten Years Most Influential Paper Award by the IEEE Requirements Engineering. He has coordinated several European projects (including a multidisciplinary project with economists, sociologists and computer scientists on socio-economic aspects of security, SECONOMICS). He is the coordinator of the H2020 AssureMOSS project on open source security risk assessment and certification (“Written everywhere, Secured in Europe”).
  • While almost all professors are sellers of technologies (through their papers or their spin-offs), he was for 7 years deputy rector for ICT procurement and services, supervising a 70+ workforce and several million Euro in outsourcing contracts. This made him a buyer of computing technology and a user of risk analysis. His perspective of what is a useful security technology or a useful risk analysis is shaped by this experience and very diverse: prestigious corporations are no longer (only) the place to send your students or funders of your research, they are sloppy suppliers selling overpriced products.
  • He actively participated in civil society. He worked as a volunteer with underprivileged people and in refugee camps. He held, among others, the post of European Executive member and Treasurer of Service Civil International, an international NGO with consultative status at UNESCO and the European Youth Forum. For his MA he wrote a dissertation on the cooperation between democracies and social Islamic movements (instead of funding Saudi princes). He qualified at the world-wide competition to become a U.N. Officer but eventually opted to be an Assistant Professor (ok, nobody is perfect).

The Full Life (sort of)

Download the CV: Full CV - Updated Jan 2021.


Read my recent paper on Advanced Persistent Threats: updates are useless

My Researcher IDs and where to find my papers.

You can also find quite a few on Trento’s web page and on Amsterdam’s web page. A few highlights can also be found below.


Current Affiliation

Research Consultancies

Editorial Boards

Research Highlight

Recent Selected Papers

Updates are useless - a comprehensive study of Advanced Persistent Threats

At TSE22 we have just published a comprehensive study of over 86 APTs and 350 campaigns from 2008 to 2020. It includes information about attack vectors, exploited vulnerabilities (e.g. 0-days vs public vulnerabilities), and affected software and versions. The paper has two important messages: APTs are not as terrible as security experts depict them, and updating is not the solution. Either you do a gazillion updates at lightspeed, or, if you do regression testing etc., your risk likelihood is the same as that of those who only rush to update for disclosed vulnerabilities and before that did… nothing.

Technical Leverage - the software and security metric that CFOs can finally understand.

At ICSE21 we have just presented a new and simple metric borrowed from finance: the ratio in a project between other people’s money (in this case code from imported dependencies) and your own money (code you developed yourself). Our analysis on Java projects: shipping 4x your own code base slows down releases by a few paltry days. It’s an opportunity. Beware, increase your leverage too much and you get +60% chances of shipping vulnerabilities. It’s a risk. Make sure you don’t end up as Lehman Brothers.

Empirical Security and Software Engineering

Risk Analysis and Policy

Crypto and Fintech

Less Active Research Topics


Scientific Awards

Industry Impact


Research Staff

PhD Students

Former Collaborators

NEW positions


Active Projects

Past Projects

Civil Society Engagement

If you think that is strange, I have also been strongly involved in the sector of International Voluntary Service Organizations and Peace Movements. Now I’m more active in supporting Fair Trade Organizations. I have a special relationship with the Philippines as I personally know quite a few activists of the human rights and fair trade movement there.

I met my wife Beatrice De Blasi while working in the NGO sector.

Lectures and Teaching

For the lectures, it is a lot better that you check the web pages of the University. Those ones are always updated (and anyhow they are the ones that I have to use).

For Master Theses, send me an email from your students’ account. Try to read the bio to make sure that I’m sort of interested in the things you want to do.

I also supervise Theses carried out in industry and I actually encourage you to do so. A thesis in industry is not a bad thesis, there are just some caveats to make sure that you can do interesting work and report some interesting scientific findings.

I have a long standing cooperation agreement with SAP Research Labs in France. You might do an internship there that can then become an MSc thesis. Several people continued into an industrial PhD.

I have several Research/Thesis projects for motivated students either in Amsterdam or Trento. The research projects roughly correspond to 6 or 12 ECTS. They can also become theses with either a broader or deeper scope.

Contacts and Appointments

Jeez, you went till here. You deserve something. If you are a former student of mine who wants a recommendation letter it is mission critical that you read the instructions.

Otherwise, send me an email…. Ahahhaha that was a good joke… You can use

  • my IEEE address “name.surname@ieee.org”,
  • my Amsterdam address “initial.achternaam@vu.nl”,
  • my Trento address “nome.cognome@unitn.it”.

Alternatively you may contact me on LinkedIn. This is the only social network I use.

If you want to know where I am or talk to me, check my IEEE Calendar. Most likely on a digital platform somewhere.

You might also directly call me at my office numbers

  • +31-20-5986098
  • +39-0461-282086

The text on this page is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License CC-BY-SA-3.0