2009 Proceeding- General Chairs:
- Matt Bishop,
- Christian W. Probst,
- Program Chairs:
- Angelos Keromytis,
- Anil Somayaji
Since 1992, the New Security Paradigms Workshop strives to attract and discuss proposals for new principles on which to base information security. One unique aspect of the workshop is the generous allotment of time given to discuss each paper, making it an ideal forum to brainstorm about and refine new concepts and ideas. Combined with a collegial atmosphere and semi-secluded, picturesque locations, NSPW has created quite a following among computer security professionals who have been fortunate to attend even one workshop.
Participation in the workshop was limited to the authors of accepted papers, conference organizers, and a small number of other invitees. A new feature this year was the introduction of small sessions, in which authors were teamed with a small number of attendees who were instructed to read the specific paper at depth before the conference. The goal of these sessions was to enable focused, in-depth discussion and to help new authors ensure that their main presentation to the full workshop lead to a fruitful discussion. The exit polls from the workshop indicate that authors and attendees all liked this feature, and so we will continue with this format next year as well. Key points of the comments made during the discussions were scribed and handed to the authors at the end of each session. This feedback made it into the papers you will find in this volume: NSPW is one of the few venues that uses a post-workshop paper revision cycle to allow authors to refine their ideas (and the presentation of their ideas) based on the conversations and interactions at the workshop itself. We hope you will find the end result of this process informative, provocative, and inspiring.
We received 37 submissions (ten more than last year); two-thirds of these came from academia, with the majority of the rest from industry (and 3 from governmental institutions). Each of the 24 program committee members reviewed 5-6 submissions. Based on these reviews, we accepted 12 papers. The breakdown of the submissions (and acceptances) by geographical region was as follows: 26 submissions had authors from North America (10 accepted), 9 from Europe and the UK (2 accepted), and 2 submissions had authors from other countries. Our program committee particularly looked for new paradigms, innovative approaches to older problems, early thinking on new topics, and controversial issues that might not make it into other conferences but deserved to have their try at shaking and breaking the mold. Following the review phase, the program committee held an extensive online discussion. Another addition this year was the use of pre-conference paper shepherds, who worked with the authors to ensure that papers were compatible with the unique style of NSPW. We would like to thank the program committee members and the paper shepherds for doing an excellent job all around. Credit for the quality of the program must surely go to them and to the authors who entrusted us with their work.
Proceeding Downloads
We have met the enemy and he is us
The insider threat has long been considered one of the most serious threats in computer security, and one of the most difficult to combat. But the problem has never been defined precisely, and that lack of precise definition inhibits solutions. This ...
Localization of credential information to address increasingly inevitable data breaches
Large-scale data breaches exposing sensitive personal information are becoming commonplace. For numerous reasons, conventional personal (identification) information leaks from databases that store online and/or on-site user transaction data. Collected ...
ROFL: routing as the firewall layer
We propose a new firewall architecture that treats port numbers as part of the IP address. Hosts permit connectivity to a service by advertising the IPaddr:port/48 address; they block connectivity by ensuring that there is no route to it. This design, ...
The user is not the enemy: fighting malware by tracking user intentions
Current access control policies provide no mechanisms for incorporating user behavior in access control decisions, even though the way a user interacts with a program often indicates what the user expects that program to do. We develop a new approach to ...
The compliance budget: managing security behaviour in organisations
A significant number of security breaches result from employees' failure to comply with security policies. Many organizations have tried to change or influence security behaviour, but found it a major challenge. Drawing on previous research on usable ...
A profitless endeavor: phishing as tragedy of the commons
Conventional wisdom is that phishing represents easy money. In this paper we examine the economics that underly the phenomenon, and find a very different picture. Phishing is a classic example of tragedy of the commons, where there is open access to a ...
Security compliance: the next frontier in security research
Practitioners as well as researchers have repeatedly deplored that IT security research has failed to produce practical solutions to growing security threats. This paper attributes this failure to the fact that IT departments no longer invest in ...
Towards an ethical code for information security?
Most computer scientists reflexively reject the idea of a malicious universe due to its conflict with the dominant scientific paradigm of a non-teleological impartially disinterested universe. While computer scientists might not view the universe as ...
The developer is the enemy
We argue that application developers, while often viewed as allies in the effort to create software with fewer security vulnerabilities, are not reliable allies. They have varying skill sets which often do not include security. Moreover, we argue that ...
The ecology of Malware
The fight against malicious software (or malware, which includes everything from worms to viruses to botnets) is often viewed as an "arms race." Conventional wisdom is that we must continually "raise the bar" for the malware creators. However, the ...
Trading in risk: using markets to improve access control
With the increasing need to securely share information, current access control systems are proving too in flexible and difficult to adapt. Recent work on risk-based access control systems has shown promise at resolving the inadequacies of traditional ...
Choose the red pill and the blue pill: a position paper
In the movie "The Matrix," our hero Neo must choose between taking the Blue Pill and continuing to live in an online, synthesized fantasy world, or taking the Red Pill and joining the real world. The fantasy world appears to those living in it to be ...
Cited By
- Alhebaishi N, Wang L, Jajodia S and Singhal A (2019). Mitigating the insider threat of remote administrators in clouds through maintenance task assignments, Journal of Computer Security, 27:4, (427-458), Online publication date: 1-Jan-2019.
-
Zibuschka J and Roßnagel H (2012). A Structured Approach to the Design of Viable Security Systems ISSE 2011 Securing Electronic Business Processes, 10.1007/978-3-8348-8652-1_22, (246-255),
- Proceedings of the 2008 New Security Paradigms Workshop