Since 1992, the New Security Paradigms Workshop (NSPW) has published innovative, diverse, and sometimes controversial work that challenges current paradigms in computer security. This year's papers continue this tradition, with work that touches on many of the major challenges facing computer security today. We had papers on usable authentication, malware detection, filesystem access control, and secure routing. We had papers that challenged the foundations of security practice by questioning how we analyze and evaluate security problems. We even had a paper that argued that users were potentially right to ignore standard security advice.
Again this year we had a strong group of submissions from which to build our program. We received 36 submissions; almost three-quarters of these came from academia, with the rest coming from industry (10). We accepted 12 submissions: 11 papers and one panel. The breakdown of the submissions (and acceptances) by geographical region was as follows: 17 submissions had authors from North America (6 accepted), 16 from Europe and the UK (5 accepted), and 3 submissions had authors from other countries (one accepted).
To choose our program, first the 13 program committee members reviewed roughly eight submissions each. Once reviews were uploaded to the excellent yet free review system, EasyChair, we had a vigorous online discussion for two weeks. This discussion led to a consensus opinion on almost all of the papers, resulting in the selected papers you see here. As has been a tradition with NSPW from the beginning, all of the papers were discussed extensively at the workshop with all attendees participating. Following upon its success last year, we also divided into small groups to give the authors feedback before they presented their work in front of the entire workshop. In addition, to help improve the quality of the proceedings and provide ongoing support to authors throughout the revision process, all accepted papers were shepherded both before and after the workshop.
As should be clear, NSPW thus required a significantly larger time and energy commitment from program committee members, authors, and participants than is the norm for security venues. We believe their effort was worthwhile; after reading these proceedings, we hope you will agree.
Proceeding Downloads
Laissez-faire file sharing: access control designed for individuals at the endpoints
When organizations deploy file systems with access control mechanisms that prevent users from reliably sharing files with others, these users will inevitably find alternative means to share. Alas, these alternatives rarely provide the same level of ...
Server-side detection of malware infection
We review the intertwined problems of malware and online fraud, and argue that the fact that service providers often are financially responsible for fraud causes a relative lack of incentives for clients to manage their own security well. This suggests ...
What is the shape of your security policy?: security as a classification problem
This new paradigm defines security policies on cause-effect relations and models security mechanisms in analogy with pattern recognition classifiers. It augments the arsenal of formal computer security evaluation tools with new techniques. A causality ...
Quantified security is a weak hypothesis: a critical survey of results and assumptions
This paper critically surveys previous work on quantitative representation and analysis of security. Such quantified security has been presented as a general approach to precisely assess and control security. We classify a significant part of the work ...
Generative usability: security and user centered design beyond the appliance
In this position paper we consider the ways in which users can be given control over technology and information, considering the spectrum of design possibilities from 'generative component' solutions, to 'appliance' solutions. We show how security ...
The sisterhood of the traveling packets
From a cyber-security perspective, attribution is considered to be the ability to determine the originating location for an attack. However, should such an attribution system be developed and deployed, it would provide attribution for all traffic, not ...
Quis Custodiet ipsos Custodes?: a new paradigm for analyzing security paradigms with appreciation to the Roman poet Juvenal
Do you believe that more than one single security paradigm exists? We do.
We also believe that we have a major problem because of all these security paradigms: until we find a way to identify and understand how these paradigms restrict our analyses we ...
Musipass: authenticating me softly with "my" song
The modern world increasingly requires us to prove our identity. When this has to be done remotely, as is the case when people make use of web sites, the most popular technique is the password. Unfortunately the profusion of web sites and the associated ...
A reinforcement model for collaborative security and its formal analysis
This paper presents a principled approach to one of the many little studied aspects of computer security which relate to human behavior. Advantages of involving users who usually have strong analytic ability to detect violations and threats but not ...
Securing data through avoidance routing
As threats on the Internet become increasingly sophisticated, we now recognize the value in controlling the routing of data in a manner that ensures security. However, few technical means for achieving this goal exist. In this paper we propose and ...
Fluid information systems
Networked communication systems and the data they make available have, over the last decades, made their way to the very core of both society and business. Not only do they support everyday life and day-to-day operations, in many cases they enable them ...
So long, and no thanks for the externalities: the rational rejection of security advice by users
It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive ...
Proceedings of the 2009 workshop on New security paradigms workshop