Posts

Showing posts from 2025

SOUPS 2025 Conference Reflections - Charlotte Hargreaves

In August 2025, I had the pleasure of attending the Symposium on Usable Privacy and Security (SOUPS), which was co-located with USENIX Security Symposium in Seattle, WA, USA. The technical program covered a wide range of topics within usable privacy and security and brought together interdisciplinary researchers and practitioners with valuable perspectives on security, privacy, and human-computer interaction. This year, the conference was held in Seattle, which provided a great setting as Washington state attracts tech startups and is the base for tech giants such as Amazon and Microsoft. Alongside 30 accepted papers presented across two days, the conference also held workshops, a poster session, lightning talks, a mentoring program and plenty of opportunities to network with attendees. Selected papers drew upon crucial topics on privacy and security, from exploring contemporary scams, to understanding user perceptions of generative AI, and IoT misuse. Papers also provided new insights ...

MSR4P&S Workshop Presentation – Alexis Butler

The 3rd International workshop on Mining Software Repositories for Privacy and Security (MSR4P&S) this year was co-located with SANER25 in Montreal, Canada. I was fortunate to be able to attend and present my recent work, Links Between Package Popularity, Criticality, and Security in Software Ecosystems. MSR4P&S focusses on the application of software mining techniques to the security domain, an intersection particularly relevant to my interests in software supply chain risks. This year, the work presented ranged from the study of LLM PII disclosure risks to Software Bill of Materials (SBOM) standards conformity. The other published works can be found on the workshop’s webpage. In the work I presented, we investigated the relationships between package popularity, criticality, and security within software ecosystems, specifically Python and JavaScript/TypeScript. Given the increasing maintenance workloads and stressors faced by open-source software (OSS) maintainers, our...

A Tale of Two Conferences - Phil Sheriff

It is hard to imagine two more different conferences. On the one hand, there was the second iteration of the Global Conference on Cyber Capacity Building, full of international organisations, cyber not-for-profits, with its global representation of government cybersecurity officials and implementors. The setting, Geneva, with its international bodies from WTO to UEFA and mountainous scenic backdrop, was spectacular, the conference crowd well attired and familiar, the content reassuringly predictable, and the catering abundant. On the other hand there was the UK Evaluation Society conference in Glasgow. No less spectacular in its own way, but with a crowd of evaluation experts and academics who were much less familiar, the content expansive and original, not a suit in sight, and no free drinks. And whilst both areas, cybersecurity capacity building and evaluation, are well known and well understood in their own right by experienced practitioners and seasoned professionals, if you ...