Research Papers
I do research and write about it. Most of the writing is in English; some of my work is also available in German or other languages.
2021
- Paper - OECD - Encouraging vulnerability treatment »»
This paper discusses vulnerabilities in products’ code such as software and firmware, and in how products are implemented in information systems.
| Published: Feb 2021 | Available: Paper (en,fr) »
- Paper - OECD - Understanding the digital security of products »»
This report shows that economic factors play an important role in the insecurity of smart products and develops an analytical framework based on the value chain and lifecycle.
| Published: Feb 2021 | Available: Paper (en,fr) »
- Paper - Bug Bounty Program of Last Resort »»
This paper makes the case for a centralized Bug Bounty Program of Last Resort to cover critical open-source projects and smaller vendors, who cannot fund them.
| Published: Feb 2021 | Available: Paper (en) »
2020
- Paper - Cyber Resilience in the Electricity Ecosystem »»
Effective and sustainable measures for protecting the electricity industry supply and value chains now go beyond securing individual products or systems, driving the need for an adaptation of roles and responsibilities, from procurement and design through to retirement.
| Published: Nov 2020 | Available: Paper (en) »
- Factsheet - Dependency and Complexity »»
Our society and economy have become critically reliant on a variety of digital infrastructures. Tight coupling, complexity, and increasing dependencies on few and dominant players, services, technologies, and infrastructures result in a huge accumulation of critical risks in the digital society.
| Published: Sep 2020 | Available: Factsheet (en,de,fr) »
- Factsheet - Adversarial Artificial intelligence (AAI) »»
AI pervasiveness gives rise to «Adversarial Artificial intelligence (AAI)» where attackers (A) exploit AI to craft attacks to compromise AI models in use, and (B) use AI to scale and automate elements of attacks that previously were simply impossible (DeepFakes) or relied heavily on manual processes.
| Published: Sep 2020 | Available: Factsheet (en,de,fr) »
2019
- Paper - Analysis and measures to secure the digital supply chain »»
This white paper describes the risks of the digital supply chain and identifies essential measures for the security of both routine and critical functions in industry, government, the police and the military.
| Published: Sep 2019 | Available: Paper (en,de,fr) »
2017
- Paper - Swisscom Security 2017 | Data Breaches & Bug Bounties »»
Analysis of the numbers and impact of leaked accounts of large data breaches on major Swiss industry sectors and the government. Perspective of the cyber threats attributable to software vulnerabilities and an insight into Swisscom’s Bug Bounty program.
| Published: Apr 2017 | Available: Paper (en,de) »
2015
- Paper - Swisscom Security 2015 | Current Threat Status and its Development »»
Over the course of the past decades, the development of new technologies (the Internet) has opened up unbelievable opportunities that have durably changed our lives. Some of these emerging interactions between people, applications, and devices make way for entirely new cyber attack scenarios.
| Published: Sep 2015 | Available: Paper (en,de,fr,it) »
2014
- Paper - Cyber Crime Threat Intelligence - Turkey »»
This paper explains how cyber criminals operate botnets and compromise victims at large scale, and informs organizations how to best utilize cyber threat intelligence to protect their business and deal with infected customers.
| Published: Aug 2014 | Available: Paper (en) »
- Paper - Why Your Data Breach is My Problem »»
Every data breach, regardless of its source, allows cyber criminals to refine current data, correlate it with new data, and create profiles that can identify millions of users – with severe consequences for their victims. Data that has been lost cannot be taken back.
| Published: Mar 2014 | Available: Paper (en) »
2013
- Paper - International Vulnerability Purchase Program (IVPP) »»
Cyber security depends largely on reporting vulnerabilities under the practices of coordinated disclosure. Meanwhile, the black market is expanding rapidly and offering large rewards for the same information. We examine the economics of depriving cyber criminals of access to new vulnerabilities.
| Published: Dec 2013 | Available: Paper (en) »
- Paper - The Known Unknowns in Cyber Security »»
Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software.
| Published: Dec 2013 | Available: Paper (en) »
- Paper - Cyber Kill Chain vs. Defense Effectiveness »»
Data from extensive and harsh live testing of security products demonstrates that 100% attack prevention is an illusion. Organizations should assume that they are already compromised, and therefore complement prevention with breach detection.
| Published: May 2013 | Available: Paper (en) »
- Paper - Correlation Of Detection Failures »»
A comparison of the block performance of multiple protection technologies reveals a significant correlation of failures to detect exploits. The number of exploits that were able to bypass layers of security is significantly higher than predicted by risk models that ignore this correlation.
| Published: May 2013 | Available: Paper (en) »
- Paper - Vulnerability Threat Trends 2012 »»
Despite massive security investments of the software industry, vulnerability disclosures rose considerably in 2012.
| Published: Feb 2013 | Available: Paper (en) »
2012
- Paper - Modeling Exploit Evasions in Layered Security »»
We correlate OSINT data of exploits & crimeware kits with results of security tests of Next Generation Firewalls (NGFW), Breach Detection Systems (BDS), and Antivirus protection tools. Using Maltego we interactively model the kill chain and how to evade detection by the enterprise security stack.
| Published: Dec 2012 | Available: Paper (en) »
- Paper - Secunia Yearly Report 2011 »»
The Secunia Yearly Report 2011 focuses on the evolution and threats of software vulnerabilities, software vulnerability exploits, and the challenges involved in protecting private users and corporate infrastructures reliant on information technology.
| Published: Feb 2012 | Available: Paper (en) »
2011
- Paper - How to Secure a Moving Target with Limited Resources »»
This white paper outlines the limitations of traditional defence mechanisms; specifically how cybercriminals have refined the malware manufacturing and development process to systematically bypass them – thereby initiating an arms race with defenders.
| Published: Jun 2011 | Available: Paper (en) »
- Paper - Cybercriminals do not need administrative users »»
This paper discusses the limitations of security by denying users administrative access to their systems, and highlights how cybercriminals can achieve their goals without administrative access.
| Published: Apr 2011 | Available: Paper (en) »
2010
- Paper - Familiarity Breeds Contempt »»
Our analysis of a decade of software vulnerabilities (both open and closed source) shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as software quality.
| Published: Dec 2010 | Available: Paper (en) »
- Paper - Quantification of deviations from rationality with heavy-tails in human dynamics »»
We study the persistence of the use of outdated Web browsers (Firefox, Opera, Chrome and Safari) after users have been prompted to perform an update.
| Published: Jul 2010 | Available: Paper (en) »
- Paper - The Security Exposure Of Software Portfolios »»
We examine the software portfolio of the average user based on empirical data from over two million users frequently scanning their systems with Secunia's Personal Software Inspector (PSI).
| Published: Mar 2010 | Available: Paper (en) »
2009
- Paper - Modelling the Security Ecosystem »»
We introduce a model of the security ecosystem to capture its major players and processes. On the basis of the model we analyze and discuss the roles and incentives of the players involved, backed with empirical data of more than 27,000 vulnerabilities.
| Published: Jun 2009 | Available: Paper (en) »
- Paper - Why Silent Updates Boost Security »»
Security updates don’t benefit the end user of software if the update mechanism and strategy are not effective. In this paper we analyze the effectiveness of different Web browsers' update mechanisms based on massive Google web log data.
| Published: May 2009 | Available: Paper (en) »
- Paper - Firefox (In)Security Update Dynamics Exposed »»
How (in)secure is your Internet browser? You never know. One way to know more is to look at how frequently it gets updated. With data from Google’s search logs we analyze the time series of update installs to compare the security of browsers.
| Published: Jan 2009 | Available: Paper (en) »
- Dissertation - Security Econometrics - The Dynamics of (In)Security »»
In this dissertation we claim that knowledge of the vulnerability lifecycle (the vulnerability discovery, exploit, disclosure, and patch times) allows us to distinguish major processes in the security environment and to quantify the risk exposure and its evolution at the macroscopic level.
| Published: Jan 2009 | Available: Dissertation (en) »
2008
- Paper - Understanding The Web Browser Threat »»
Access to Google’s global Web server logs enabled us to provide the first in-depth global perspective on the state of insecurity for Web browser technologies. Understanding the nature of the threats against Web browsers and their plug-in technologies is important for continued Internet usage.
| Published: Aug 2008 | Available: Paper (en) »
- Paper - Putting Private And Government CERT’s To The Test »»
By monitoring relevant security sites at 30-minute intervals for more than 18 months, we collected a unique dataset to compare CERTs and private offerings.
| Published: Jul 2008 | Available: Paper (en) »
- Paper - Exposing Vendors (In)security Performance (0-Day Patch) »»
We evaluated the patch development process of Microsoft and Apple using publicly available vulnerability data from 2002 to 2007. By correlating information from multiple sources, we analyzed possible bias in vendor information.
| Published: Mar 2008 | Available: Paper (en) »
2006
- Paper - Large-Scale Vulnerability Analysis »»
Analyzing over 80,000 security advisories, we determined the discovery, disclosure, exploit, and patch dates of the vulnerabilities. We quantify the trend towards zero-day exploits and measure the gap between exploit and patch availability.
| Published: Sep 2006 | Available: Paper (en) »
- Paper - Technology Speed of Civil Jet Engines »»
The speed of technology of civil jet engines is investigated. A fundamental limit given by the second law of thermodynamics has not yet been reached. A measure based on airplane efficiency is derived and applied to jet airliners of different sizes and time periods, ranging back to the 1960s.
| Published: Jun 2006 | Available: Paper (en) »
2004
- Paper - DDoS Attacks through Non Delivery Messages »»
Analysis of e-mail non-delivery receipt handling by live Internet-bound e-mail servers has revealed a common implementation fault that could form the basis of a new range of DoS attacks.
| Published: Apr 2004 | Available: Paper (en) »