Socio-Technical Aspects in Security and Trust (STAST) Workshop

Program Details

Hosted by the 32nd Annual Computer Security Applications Conference (ACSAC). ACSAC will be held at the Hilton Los Angeles/Universal City.



Successful attacks on information systems often combine social engineering practices with technical skills, exploiting technical vulnerabilities, insecure user behavior, poorly designed user interfaces, and unclear or unrealistic security policies. To improve security, technology must adapt to the users, because research in social sciences and usable security has demonstrated that insecure behavior can be justified from cognitive, emotional, and social perspectives. However, also adherence to reasonable security policies and corresponding behavioral changes should augment and support technical security.

Finding the right balance between the technical and the social security measures remains largely unexplored, which motivates the need for this workshop. Currently, different security communities (theoretical security, systems security, usable security, and security management) rarely work together. There is no established holistic research in security, and the respective communities tend to offload on each other parts of problems that they consider to be out of scope, an attitude that results in deficient or unsuitable security solutions.


The workshop intends to stimulate an exchange of ideas and experiences on how to design systems that are secure in the real world where they interact with non-expert users. It aims at bringing together experts in various areas of computer security and in social and behavioral sciences.


Why Can't We Do Security Right?
Matt Bishop (University of California Davis)

The lack of security and assurance in our computer systems and supporting network and system infrastructure is clear. What to do about it is not clear. The difficulty is rooted in the social, political and economic environment in which computing occurs. Marketing forces, societal pressures, and most especially peoples' varying needs for safety and security exacerbate the difficulties of applying technical remediations to improve security. Numerous solutions have been proposed, each dealing with one or more aspects of the problems in security but none of which engage with what it means to be safe and secure in contemporary society. We have to simultaneously understand security from the societal, individual and technical perspectives and wrestle a position on information security from those three perspectives. This talk takes a historical position to understand how environmental forces influence security technology, policy, and procedures. It asks how information security grew as a practice and where it will go. It will also provide thoughts on how to improve information security.


Relevant topics include but are not limited to:

  • Requirements for socio-technical systems
  • Feasibility of policies from the socio-technical perspective
  • Threat models that combine technical and human-centred strategies
  • Technical and social factors that influence decision making in security and privacy
  • Balance between technical measures and social strategies in ensuring security and privacy
  • Studies of real-world security incidents from the socio-technical perspective
  • Social and technical factors that influence changes in security policies and processes
  • Lessons learned from holistic design and deployment of security mechanisms and policies
  • Models of user behaviour and user interactions with technology
  • Perceptions of security, risk and trust and their influence on human behaviour
  • Social engineering, persuasion, and other deception techniques
  • Root cause analysis and analysis of incidents for socio-technical security incidents
  • Strategies, methodology and guidelines for socio-technical and cyber-security intelligence analysis
  • Nudging to improve security
  • User experience with security technologies


Programme Chairs

Zinaida Benenson (Univ. of Erlangen-Nurnberg)
Carrie Gates (Independent Contractor)

Workshop Organizers

Giampaolo Bella (Univ. of Catania)
Gabriele Lenzini (Univ. of Luxembourg)

Programme Committee

  • Blocki, Jeremiah (Purdue University)
  • Budurushi, Jurlind (Univ. of Darmstadt/Secuso)
  • Coventry, Lynne (Northumbria University)
  • Jakobsson, Markus (Agari)
  • Jenkinson, Graeme (Univ. of Cambridge)
  • Kowalski, Stewart (Stockholm Univ.)
  • Mannan, Mohammad (Concordia Univ.)
  • Montoya, Lorena (Univ. of Twente)
  • Neumann, Stephan (Univ. of Darmstadt/Secuso)
  • Oliveira, Daniela (Univ. of Florida)
  • Parkin, Simon (Univ. College London)
  • Petrocchi, Marinella (IIT-CNR)
  • Probst, Christian W. (DTU)
  • Radomirović, Saša (ETH Zurich)
  • Renaud, Karen (Univ. of Glasgow)
  • Ryan, Peter (Univ. Luxembourg)
  • Stobert, Elizabeth (ETH Zurich)
  • Weippl, Edgar (SBA Research)
  • Yan, Jeff (Lancaster Univ.)
  • You, Ilsun (Soonchunhyang University)

For more information, please visit the workshop's web page

Workshop Registration

If you are interested in attending, please check off the appropriate box on the conference registration form and add in the Socio-Technical Aspects of Security and Trust (STAST) Workshop fee. Lunch will be included as part of the workshop fee.

Hosted by the 32nd Annual Computer Security Applications Conference (ACSAC). ACSAC will be held at the Hilton Los Angeles/Universal City, on Monday, December 5, 2016.

Additional ACSA Events:
NSPW – New Security Paradigms Workshop
LASER – Learning from Authoritative Security Experiment Results