Fabio Massacci
Personal web page
Research Topics for the China Scholarship Council Applications by Fabio Massacci
Scholarships Opportunities at Vrije Universiteit
- Full PhD students: selected Chinese students can enroll in designated doctoral (PhD) programmes of Vrije Universiteit Amsterdam provided that they engage in the programme for no more than 48 months. If the selected Chinese students successfully complete the requirements of the designated program and defend their dissertation, they will be conferred a degree by Vrije Universiteit Amsterdam.
- Sandwich/joint PhD students: selected Chinese students can enroll in designated research programmes of VU University and complete part of their doctorate, reaching from 6 to 24 months. The selected Chinese students are to return to their home institutions in China for their dissertation defense upon completion of their research at Vrije Universiteit Amsterdam.
- Postdoctoral fellows: selected Chinese postdoctoral fellows can enroll in a Vrije Universiteit Amsterdam postdoctoral training programme for 3 to 12 months.
More information on the application process are available at VU China Scholarship WebPage
Interesting Research Topics
I’m interested in all topics of experimental cybersecurity, risk analysis and security economics. See my web page.
Particularly relevant and interesting topics would be
- Economics of Cybersecurity Software Certification. This theme is particularly relevant for a number of Chinese companies (most notably Huawei) which are subject to an intense scrutiny over their software development process. See for example the UK NCSC Document. what is the most cost effective way to do so?
- Cybersecurity of Pandemics. There are gazillions of proposals for tracing apps. The empirical evidence is that if you look carefully at the data of countries that claimed to have put that in place highly invasive contact tracing (e.g. South Korea and China), you find out that what really worked was protection of medical staff (so that they won’t pass the infection to their vulnerable patients) and tracing of sick and known to be infected people rather than general contact tracing. People invented all kind of schemes to eschew that. The key researcgh question is therefore what is really useful, can we find a model for that?
- Vulnerability Prioritization for large enterprises. It is well known that the US NVD and the Chinese NVD have different prioritizations and different time scales for vulnerabilities. You can of course spin all kind of conspiracy theories (choose your bad guy here) but I believe there are more mundane explanations and these explanations could help us in providing better guidance to large enterprises.
- Evaluation of Machine Learning for Software Vulnerabilities. Several proposals for ML abound on how to use that for finding vulnerabilities. The current trend is the following: paper X claims to have found out a better way to find vulnerabilities in software, few months later paper Y shows that paper X overfitted. Lather, rinse and repeat. Neither Y nor X showed that the method really worked for developers. The key difference is that when you use ML for computer vision it is immediate for a human to spot that they required a picture of a panda and the algorithm reported a gorilla. For vulnerabilities this is not so simple…
In the realm of security economics I’m mostly interested in the notion of
- Malicious High Frequency Trading. This is an activity I started with Jing Nie (see below), but paused due to lack of time. Trading is by definition adversarial, but we define a trading a malicious when a trader tries to actually exploit features of the implementation of the trading mechanism that would not otherwise work if trading was perfect as the theory suggest. Front-running trying to exploits millisecond in optical cable speeds is actually a good example.
- Systemic Risks for Cyberinsurance. When developers use a library all applications that use that libraries become potentially vulnerable. If you buy cyberinsurance for potential data losses of course the insurer must spread the risk across a diverse population. But software libraries are all the same. So what is the correct way of pricing that?
I’ve also worked in mechanisms for secure (crypto-based) distributed trading (See our FutureMEX paper) and if you are interested in that just let me know.
If you would be interested in another topic I haven’t though about, let me know. I like to be challenged.
References
If you are interested for references about me in China you might aks
- Associate Prof. Lin Liu, Tsinghua University
- Assistant Prof. Tong Li, Bejing University of Technology
- Assistant Prof. Jing Nie, School of Banking and Finance, University of International Business and Economics,
Contact
Contact me at first-letter-of-name.surname@vu.nl