The Cybersecurity and Privacy Research group (CPR) at CSI focuses on making cybersecurity and privacy work for organizations and individuals. In a world where threats and threat agents seem to be in every corner, we are devoted to finding ways for organizations and individuals to integrate and adopt security and privacy techniques to counteract those threats. We do that by adopting a multidisciplinary approach where we consider cybersecurity and privacy to be the result of the interplay between technology, the organizations the technology supports, and the individuals who use it.

CPR is part of a cybersecurity and privacy environment at JTH, which also includes two study programmes at the bachelor’s and master’s levels with approximately 300 students. Our mission is to collaborate closely with society and tackle societal challenges with partners from industry and public sector stakeholders. Do not hesitate to get in touch!

Current research directions

Our research focuses on human-centered cybersecurity and privacy. We acknowledge that security technology is important for cybersecurity and privacy. However, we do have plenty of technology. We also have standards, policies, and regulation for how the technology should be used and security governed. Still, security and privacy breaches are as common as ever. The main reason is the human factor, which seems to be at the root of most of those breaches. Intentionally or unintentionally, humans struggle to correctly adopt security and privacy principles and technology. In broad terms, that is our research area. Examples of more specific directions include:

  • Accessible and usable security and privacy
    • Design of usable privacy and security by default for different online platforms and services. Focus on the best practices and guidelines for implementing privacy and security features that are easy to use, understand, and manage by a variety of users (e.g., consumers and members of an organization).
    • Usability evaluation and user experience of privacy and security, such as online security indicators, privacy policies, privacy settings, or similar.
  • Cybersecurity culture and awareness
    • Design and assessment of training efforts to find out what is effective in different contexts, long-term effects of training, and adaptation to the needs of different user groups.
    • Development of metrics and procedures for assessment of organizational culture and awareness
    • Policy compliance through user-centric policy development
  • OT/ICS security
    • Cybersecurity awareness specifically within production and manufacturing, where little research currently exists. Applicability of existing knowledge needs to be explored.
    • Strategies for handling supply-chain threats in industrial environments
  • Incident response
    • Decision-making under stress and cognitive overload, specifically for cybersecurity analysts
    • Effective communication during and after cyber incidents
    • Gamification as an approach to incident response training
  • Information/cybersecurity risk management
    • Implementation in organisations, tool usage, usage of catalogues, the role and extent of the risk analysis in practice.
    • Information classification - subjective judgement, implicit knowledge and documentation.