Jens Grossklags

Technische Universität München | TUM · Faculty of Informatics

Ph.D.

About

169
Publications
51,841
Reads
4,780
Citations

Publications (169)
Article
Full-text available
Corporate credit reporting (CCR), which aims at increasing trust in corporates, constitutes an intriguing, yet understudied set of regulatory institutions as it is both a regulatory object and subject at the same time. Differences in national CCR systems pose challenges for multinational companies and have increasingly become a subject of internati...
Article
Privacy regulations such as the General Data Protection Regulation (GDPR) of the European Union promise to empower users of online services and to strengthen competition in online markets. Its Article 17, the Right to Erasure (Right to be Forgotten), is part of a set of user rights that aim to give users more control over their data by allowing the...
Article
Smart Home Devices are household objects and appliances that are augmented with network connectivity and interactive capabilities. However, the benefits and conveniences of such augmentation are tempered by corresponding increases in privacy and security threats. Studies of user perceptions of these threats and user practices for addressing them ar...
Article
Full-text available
The emergence of the COVID-19 pandemic in early 2020 has transformed how individuals work and learn and how they can apply cyber-security requirements in their, mostly remote, environments. This transformation also affected the university student population; some needed to adjust to new remote work settings, and all needed to adjust to the new remo...
Article
Full-text available
The Chinese social credit system (SCS) is a digital sociotechnical credit system that rewards and sanctions the economic and social behaviors of individuals and companies. This article uses classic social-control theories—the shaming theory and the labeling theory—to analyze the SCS, thereby contributing to a better understanding of the Chinese soc...
Article
This publication presents a psychological perspective on users' requirements concerning the right to data portability set out in the General Data Protection Regulation, that is, the possibility of retrieving data stored with one online service and having it transferred to another service, for example, when switching providers. The publication illus...
Article
Full-text available
Vertical federated learning (VFL), a variant of federated learning, has recently attracted increasing attention. An active party having the true labels jointly trains a model with other parties (referred to as passive parties ) in order to use more features to achieve higher model accuracy. During the prediction phase, all the parties collaborative...
Article
Federated Learning (FL) [31] is a decentralized learning mechanism that has attracted increasing attention due to its achievements in computational efficiency and privacy preservation. However, recent research highlights that the original FL framework may still reveal sensitive information of clients’ local data from the exchanged local updates and...
Article
The prevalence of insecure code is one of the main challenges security experts are trying to solve. We study behavioral patterns among developers which largely contribute to insecure software—googling and reusing code from the Web—and apply nudge theory to harness these behaviors and help developers write more secure code.
Article
Full-text available
Business intelligence and AI services often involve the collection of copious amounts of multidimensional personal data. Since these data usually contain sensitive information of individuals, the direct collection can lead to privacy violations. Local differential privacy (LDP) is currently considered a state-of-the-art solution for privacy-preservi...
Conference Paper
Google Search is where most developers start their Web journey looking for code examples to reuse. It is highly likely that code that is linked to the top results will be among those candidates that find their way into production software. However, as a large amount of secure and insecure code has been identified on the Web, the question arises how...
Conference Paper
The neural network model is having a significant impact on many real-world applications. Unfortunately, the increasing popularity and complexity of these models also amplifies their security and privacy challenges, with privacy leakage from training data being one of the most prominent issues. In this context, prior studies proposed to analyze the...
Article
The ever-increasing amount of data on people's smartphones often contains private information of others that people interact with via the device. As a result, one user's decisions regarding app permissions can expose the information of other users. However, research typically focuses on consequences of privacy-related decisions only for the user wh...
Conference Paper
Full-text available
Exploiting a program requires a security analyst to manipulate data in program memory with the goal to obtain control over the program counter and to escalate privileges. However, this is a tedious and lengthy process as: (1) the analyst has to massage program data such that a logical reliable data passing chain can be established, and (2) dependin...
Article
Full-text available
For almost three years, the General Data Protection Regulation (GDPR) has been granting citizens of the European Union the right to obtain personal data from companies and to transfer these data to another company. The so-called Right to Data Portability (RtDP) promises to significantly reduce switching costs for consumers in digital service market...
Conference Paper
Full-text available
The Chinese Social Credit System (SCS) is a novel digital socio-technical credit system. The SCS aims to regulate societal behavior by reputational and material devices. Scholarship on the SCS has offered a variety of legal and theoretical perspectives. However, little is known about its actual implementation. Here, we provide the first comprehensi...
Article
Full-text available
Data portability regulation has promised that individuals will be easily able to transfer their personal data between online service providers. Yet, after more than two years of an active privacy regulation regime in the European Union, this promise is far from being fulfilled. Given the lack of a functioning infrastructure for direct data portabil...
Article
Full-text available
Strategic game models of defense against stealthy, targeted attacks that cannot be prevented but only mitigated are the subject of a significant body of recent research, often in the context of advanced persistent threats (APTs). In these game models, the timing of attack and defense moves plays a central role. A common assumption, in this literatu...
Chapter
Written security policies are an important part of the complex set of measures to protect organizations from adverse events. However, research detailing these policies and their effectiveness is comparatively sparse. We tackle this research gap by conducting an analysis of a specific user-oriented sub-component of a full information security policy...
Article
In recent years, a plethora of well-known data scandals has led to calls for alternative forms of social media governance. What challenges of institutional design would have to be met for developing meaningful democratic governance structures for a social media platform? Intertwining philosophical and technological considerations, this article expl...
Article
Full-text available
The Chinese Social Credit System (SCS), known as the first national digitally-implemented credit rating system, consists of two parallel arms: a government-run and a commercial one. The government-run arm of the SCS, especially efforts to blacklist and redlist individuals and organizations, has attracted significant attention worldwide. In contrast...
Chapter
Process mining is a rapidly developing field of data science currently focusing on business processes. The approach involves many techniques that may contribute to cyber security analysis as well. In particular, the measurement of deviations from a defined process is a central topic in process mining, and could find application in the context of IT...
Chapter
In this paper, we study the update and security practices of individuals in private households with an exploratory interview study. In particular, we investigate participants’ awareness regarding KRACK, a patched key vulnerability in the WPA/WPA2 protocol, and similar vulnerabilities in the context of usage and management scenarios in Wi-Fi network...
Preprint
Full-text available
Mobile devices encroach on almost every part of our lives, including work and leisure, and contain a wealth of personal and sensitive information. It is, therefore, imperative that these devices uphold high security standards. A key aspect is the security of the underlying operating system. In particular, Android plays a critical role due to being...
Article
Full-text available
This paper addresses the role of personality characteristics in decisions on the timing of an action, such as in the context of security and safety choices. Examples of such decisions include when to check log files for intruders and when to monitor financial accounts for fraud or errors. Two behavioral studies (n = 461) are conducted. Individual r...
Conference Paper
Full-text available
Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availabili...
Article
Purpose Colleges and universities across the USA have seen data breaches and intellectual property theft rise at a heightened rate over the past several years. An integral step in the first line of defense against various forms of attacks are (written) security policies designed to prescribe the construction and function of a technical system, whil...
Conference Paper
Data are crucial for tailoring health apps to personal needs. Nonetheless, a user's privacy and security need to be preserved, particularly since health technologies are able to gather a broad range of data over a long time period. In order to guarantee an appropriate level of security and privacy, the perceptions of end users need to be evaluated...
Article
Full-text available
Integer overflows have threatened software applications for decades. Thus, in this paper, we propose a novel technique to provide automatic repairs of integer overflows in C source code. Our technique, based on static symbolic execution, fuses detection, repair generation and validation. This technique is implemented in a prototype named IntRepair....
Preprint
Full-text available
Control-flow hijacking attacks are used to perform malicious computations. Current solutions for assessing the attack surface after a control flow integrity (CFI) policy was applied can measure only indirect transfer averages in the best case without providing any insights w.r.t. the absolute calltarget reduction per callsite, and gadget availability....
Chapter
Timing, a central aspect of decision-making in security scenarios, is a subject of growing academic interest; frequently in the context of stealthy attacks, or advanced persistent threats (APTs). A key model in this research landscape is FlipIt [1]. However, a limiting simplifying assumption in the FlipIt literature is that costs and gains are not...
Article
Full-text available
Ephemeral social vehicular networks allow for short‐lived communications between occupants. While such transient interactions may provide important usage benefits such as traffic warnings, the reality of short‐lived interactions also poses challenges for deciding to participate in such social networks. In this paper, we develop a game‐theoretic mod...
Conference Paper
Full-text available
User modeling has become an indispensable feature of a plethora of different digital services such as search engines, social media or e-commerce. Indeed, decision procedures of online algorithmic systems apply various methods including machine learning (ML) to generate virtual models of billions of human beings based on large amounts of personal an...
Preprint
Full-text available
In this paper, we perform a comprehensive study of 2,470 patched Android vulnerabilities that we collect from different data sources such as Android security bulletins, CVEDetails, Qualcomm Code Aurora, AOSP Git repository, and Linux Patchwork. In our data analysis, we focus on determining the affected layers, OS versions, severity levels, and comm...
Preprint
Full-text available
Cryptocurrency exchanges are frequently targeted and compromised by cyber-attacks, which may lead to significant losses for the depositors and closure of the affected exchanges. These risks threaten the viability of the entire public blockchain ecosystem since exchanges serve as major gateways for participation in public blockchain technologies. In...
Conference Paper
Full-text available
China's Social Credit System (SCS, 社会信用体系 or shehui xinyong tixi) is expected to become the first digitally-implemented nationwide scoring system with the purpose to rate the behavior of citizens, companies, and other entities. Thereby, in the SCS, "good" behavior can result in material rewards and reputational gain while "bad" behavior can lead to...
Preprint
Full-text available
Stack Overflow (SO) is the most popular online Q&A site for developers to share their expertise in solving programming issues. Given multiple answers to certain questions, developers may take the accepted answer, the answer from a person with high reputation, or the one frequently suggested. However, researchers recently observed exploitable securi...
Chapter
Full-text available
Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process.
Chapter
Full-text available
White hat hackers, also called ethical hackers, who find and report vulnerabilities to bug bounty programs have become a significant part of today’s security ecosystem. While the efforts of white hats contribute to heightened levels of security at the participating organizations, the white hats’ participation needs to be carefully managed to balanc...
Conference Paper
Full-text available
Software upgrades play a pivotal role in enhancing software performance, and are a critical component of resolving software bugs and patching security issues. However, consumers' eagerness to upgrade to the newest operating system is often tempered after release. In this paper, we focus on the upgrade perceptions and practices of users utilizing Mi...
Article
This editorial introduces the special issue on the economics of security and privacy. The global adoption of the Internet has transformed economies and societies. However, Internet technologies have also resulted in heightened societal concerns about information security and privacy. Insufficient safeguards—actual or perceived—have become a barrier...
Chapter
Full-text available
Programs aiming for low runtime overhead and high availability draw on several object-oriented features available in the C/C++ programming language, such as dynamic object dispatch. However, there is an alarmingly high number of object dispatch (i.e., forward-edge) corruption vulnerabilities, which undercut security in significant ways and are in n...
Chapter
Full-text available
C++ object type confusion vulnerabilities as the result of illegal object casting have been threatening systems’ security for decades. While there exist several solutions to address this type of vulnerability, none of them are sufficiently practical for adoption in production scenarios. Most competitive and recent solutions require object type trac...
Article
Full-text available
In a networked system, the risk of security compromises depends not only on each node’s security but also on the topological structure formed by the connected individuals, businesses, and computer systems. Research in network security has been exploring this phenomenon for a long time, with a variety of modeling frameworks predicting how many nodes...
Preprint
Modern operating systems such as Android, iOS, Windows Phone, and Chrome OS support a cooperating program abstraction. Instead of placing all functionality into a single program, programs cooperate to complete tasks requested by users. However, untrusted programs may exploit interactions with other programs to obtain unauthorized access to system s...
Preprint
Full-text available
Integer overflows have threatened software applications for decades. Thus, in this paper, we propose a novel technique to provide automatic repair of integer overflows in C source code. Our technique, based on static symbolic execution, fuses detection, repair generation and validation. This technique is implemented in a prototype named IntRepair....
Article
Genetics and genetic data have been the subject of recent scholarly work, with significant attention paid towards understanding consent practices for the acquisition and usage of genetic data as well as genetic data security. Attitudes and perceptions concerning the trustworthiness of governmental institutions receiving test-taker data have been ex...
Chapter
Despite its known inadequacies, notice and consent is still the most common privacy practice on social media platforms. Indeed, conceptualizing alternative privacy strategies for the social media context has proven to be difficult. In 2009, Facebook implemented a participatory governance system that enabled users to vote on its privacy policy. Howe...
Article
Full-text available
Users are often educated to follow advice from security experts. For example, using a password manager is considered an effective way to maintain a unique and strong password for every website. However, user surveys reveal that most users are not willing to adopt this tool. They feel uncomfortable when they grant password managers the privilege to...
Chapter
Full-text available
An insurer has to know the risks faced by a potential client to accurately determine an insurance premium offer. However, while the potential client might have a good understanding of its own security practices, it may also have an incentive not to disclose them honestly since the resulting information asymmetry could work in its favor. This inform...
Article
Full-text available
Vendors in the Android ecosystem typically customize their devices by modifying Android Open Source Project (AOSP) code, adding in-house developed proprietary software, and pre-installing third-party applications. However, research has documented how various security problems are associated with this customization process. We develop a model of the...
Conference Paper
The continued acceptance of enhanced security technologies in the private sector, such as two-factor authentication, has prompted significant changes of organizational security practices. While past work has focused on understanding how users in consumer settings react to enhanced security measures for banking, email, and more, little work has been...
Article
Full-text available
Cybersecurity has become a key factor that determines the success or failure of companies that rely on information systems. Therefore, investment in cybersecurity is an important financial and operational decision. Typical information technology investments aim to create value, whereas cybersecurity investments aim to minimize loss incurred by cybe...