Awais Rashid’s research while affiliated with University of Bristol and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (345)


“When Data Breaches Happen, Where Does the Buck Stop?... and where should it stop?”
  • Conference Paper

January 2025

·

5 Reads

Partha Das Chowdhury

·

·

Awais Rashid






Figure 1: Naiakshina's end-user password storage assessment criteria [21], copied verbatim. A score ≥ 6 indicates industrial best practice.
Saltzer & Schroeder for 2030: Security engineering principles in a world of AI
  • Preprint
  • File available

July 2024

·

41 Reads

·

1 Citation

Writing secure code is challenging and so it is expected that, following the release of code-generative AI tools, such as ChatGPT and GitHub Copilot, developers will use these tools to perform security tasks and use security APIs. However, is the code generated by ChatGPT secure? How would the everyday software or security engineer be able to tell? As we approach the next decade we expect a greater adoption of code-generative AI tools and to see developers use them to write secure code. In preparation for this, we need to ensure security-by-design. In this paper, we look back in time to Saltzer & Schroeder's security design principles as they will need to evolve and adapt to the challenges that come with a world of AI-generated code.

Download



Figure 12: Parallel Controls
Assessing Effectiveness of Cyber Essentials Technical Controls

June 2024

·

87 Reads

Cyber Essentials (CE) comprise a set of controls designed to protect organisations, irrespective of their size, against cyber attacks. The controls are firewalls, secure configuration, user access control, malware protection & security update management. In this work, we explore the extent to which CE remains robust against an ever-evolving threat landscape. To that end, we reconstruct 45 breaches mapped to MiTRE ATT&CK using an Incident Fault Tree ( IFT ) approach. Our method reveals the intersections where the placement of controls could have protected organisations. Then we identify appropriate Cyber Essential controls and/or Additional Controls for these vulnerable intersections. Our results show that CE controls can effectively protect against most attacks during the initial attack phase. However, they may need to be complemented with additional Controls if the attack proceeds further into organisational systems & networks. The Additional Controls (AC) we identify include back-ups, security awareness, logging and monitoring. Our analysis brings to the fore a foundational issue as to whether controls should exclude recovery and focus only on pre-emption. The latter makes the strong assumption that a prior identification of all controls in a dynamic threat landscape is indeed possible. Furthermore, any potential broadening of technical controls entails re-scoping the skills that are required for a Cyber Essentials (CE) assessor. To that end, we suggest human factors and security operations and incident management as two potential knowledge areas from Cyber Security Body of Knowledge (CyBOK) if there is any broadening of CE based on these findings.


Citations (58)


... Unfortunately, little research has investigated the security threats posed by knowledge base poisoning in the RACG systems. Previous research has mainly focused on the security of code directly generated by LLMs [32,56,74], leaving a critical gap in understanding the security of code generated by RACG systems, particularly when the knowledge base is poisoned by attackers. As RACG rapidly becomes a mainstream paradigm in modern LLM-based systems [45,50,71], this knowledge gap becomes even more pressing. ...

Reference:

Exploring the Security Threats of Knowledge Base Poisoning in Retrieval-Augmented Code Generation
Using AI Assistants in Software Development: A Qualitative Study on Security Practices and Concerns
  • Citing Conference Paper
  • December 2024

... The management of knowledge helps organizations to identify gaps in knowledge and experience in the context of cybersecurity. There are many studies conducted to evaluate employee skills, knowledge, awareness and continuous skill development of cybersecurity in organizations [10][11][12][13]. Typically, cybersecurity incidents occur within organizations due to employees who unintentionally get involved in breach of data integrity and cybersecurity [14]. ...

A framework for mapping organisational workforce knowledge profile in cyber security
  • Citing Article
  • July 2024

Computers & Security

... The widespread integration of machine learning in software quality and security brings new societal and legal considerations [112]. As software systems become increasingly complex and large-scale, novel security challenges arise, underscoring the need for advanced methods in secure software engineering and cybersecurity [128]. ...

Saltzer & Schroeder for 2030: Security engineering principles in a world of AI

... Modern E2E encryption are failing to protect privacy, allowing malactors to perform spying activities. The use of desktop clients with shared system states that are open to compromise further questions the robustness of these systems [1]. ...

Threat models over space and time: A case study of end‐to‐end‐encrypted messaging applications
  • Citing Article
  • May 2024

Software Practice and Experience

... San Biagioe ta l. [161]r eferst om ultiples tudies that confirmt he prevalence of organized terrorism on social mediap latforms.T hese studies highlight theu se of thei nternet by terrorist groups to disseminate theirp ropaganda andr ecruitn ew members. The onlinep ropaganda,w hich is part of thel asts ocio-technicalc omponent,t argets oftent he offlinew orld.A nother usable social mediaf eature is theu se of hashtags on shared content whichterrororganizations have also largelyexploited to target individuals [161] [171]. ...

Analysing The Activities Of Far-Right Extremists On The Parler Social Network
  • Citing Conference Paper
  • March 2024

... With the close integration of embedded computing, network communication and real-time control technologies, CPS is rapidly developing into a new field [1][2][3]. CPS integrates physical and cyber components and has a wide range of applications in intelligent transportation systems [4], healthcare [5], smart manufacturing [6], energy management [7], and other fields. However, because CPS requires real-time data transmission and high connectivity, it is highly susceptible to cyber interference, which can threaten system security. ...

Who will keep the lights on? Expertise and inclusion in cyber security visions of future energy systems
  • Citing Article
  • December 2023

Energy Research & Social Science

... Likewise, social computing scholarship has reflected many parallels. Researchers have extensively reported on AI risks, errors, and failures (Domínguez Hernández et al. 2023;Ntoutsi et al. 2020;Dolata, Feuerriegel, and Schwabe 2022) and in response have created an abundance of RAI artifacts for assessment and mitigation, and to foster better communication between non-industry audiences who contend with the governance of AI. Unlike other industries, RAI artifacts have largely pre-dated AI regulation. ...

Co-creating a Transdisciplinary Map of Technology-mediated Harms, Risks and Vulnerabilities: Challenges, Ambivalences and Opportunities
  • Citing Article
  • October 2023

Proceedings of the ACM on Human-Computer Interaction

... Notably, an advanced worm, Stuxnet, a sophisticated worm, utilises rootkits to conceal itself and exploits static or hard-coded default passwords in IIoT devices like PLC and industrial sensors, leveraging zero-day vulnerabilities in the Windows operating system to impact interconnected nodes [69]. PLCs represent the prime focal points in IIoT integrated systems [70], evident in notable malware attacks like Stuxnet affecting Iranian nuclear facilities, Industroyer causing power outages in Ukraine, and TRITON targeting a Saudi Arabian petrochemical plant [71]. Security breaches targeting IIoT devices may arise from shared communication channels like Wi-Fi, linking various devices, including sensors, PLCs, and other industrial equipment. ...

A Digital Forensic Taxonomy For Programmable Logic Controller Data Artefacts
  • Citing Conference Paper
  • July 2023

... Privacy engineering has become an imperative part of modern software development due to the emergence of strict legal frameworks such as the General Data Protection Regulation (GDPR) in the European Union [1]. Overall, it involves multiple activities (e.g., privacy requirements elicitation and threat modeling) that, altogether, seek to (i) bring privacy to the forefront of the development pipeline and (ii) facilitate compliance with these legal provisions and data protection standards alike [2]. Nonetheless, it remains a challenging task for many developers who do not count on extensive privacy training from either a technical or a legal perspective [3,4]. ...

Privacy Engineering in the Wild: Understanding the Practitioners' Mindset, Organisational Aspects, and Current Practices

IEEE Transactions on Software Engineering

... Relative to usability, accessibility demands that any human-centered security design does not disproportionally impact people with disabilities [3]. Relative to inclusivity, accessibility also demands that everyone is involved to the greatest extent possible, that is, factoring not just for their disabilities, but also their basic capabilities (e.g., access to the Internet, computer literacy, economic situation, etc.) when designing security technologies [5,8]. While the security and usability dimensions are well established, accessibility has seldom been considered in a security context. ...

From Utility to Capability: A New Paradigm to Conceptualize and Develop Inclusive PETs
  • Citing Conference Paper
  • June 2023