@TuftsCS is hiring multiple tenure track positions. We're particularly interested in #HCI. Our department has several people in HCI-related fields and we're looking to build on that expertise. Come join us. @TuftsUniversity is a great place to work!.

She’s going to hate me for doing this, but I just want to say how proud I am of my wife @RBnCoffee, the new President-Elect of #APAPP!

RT @Tanusree_Sharma: Thanks @GoogleResearch for the generous gift in supporting our research on “ Designing Accessible Tools for Blind and….

RT @lujobauer: Please consider sending your awesome computer security & privacy papers to @USENIXSecurity '25! The cycle 2 deadline is Jan….

RT @wentaochirps: I'll be presenting our paper "A Qualitative Analysis of Practical De-Identification Guides" at a 3:30pm CCS session today….

RT @tianshi_li: I’m planning to hire 2 PhD students in Fall25 at @KhouryCollege!. How do we make privacy easier for people?.How do we addre….

RT @AmritaRoyChowd8: I'll be recruiting PhD students this cycle! If you're interested in working at the intersection of cryptography, diffe….

RT @sarahradway: had so much fun yesterday hosting the first session of the policy red teaming working group @BKCHarvard !! truly a blast <….

RT @DrSanchariDas: Excited to see our work in print📚 .Read our work on telehealth privacy & security: Grateful to c….

Any chance anyone got a picture of @ZenW00kie presenting? I had to head home early, so I didn't catch it. I guess I'll just have to wait for USENIX to post the videos.

RT @MiuyinY: I am incredibly grateful to have had the opportunity to present our paper, “Comparing Malware Evasion Theory with Practice: Re….

RT @marvinkopo: If you are around, @PriyankaBadva will be presenting our paper today after lunch. Track 1 1:30 pm–2:45 pm. "Unveiling the H….

@ShannonLantzy @sethcarmody1 @HealthCyberWG @MedCrypt @ada95ftw @_peterney Adding some more tags @TuftsUniversity, @TuftsCS (Can you tell I'm not good at Twitter? 😅).

This extreme labor of love, which required 2-years of recruiting could not have been done without our partners in the medical device and threat modeling communities, @ShannonLantzy, @sethcarmody1, @HealthCyberWG, @MedCrypt, @ada95ftw, and @_peterney.

From these results, we create a two-phase threat modeling process model, for future researchers investigating threat modeling in other domains and empirically assessing the efficacy of novel threat modeling supports. To learn more, check out the paper:

They navigated the system in an ad-hoc fashion, sometimes working left-to-right, reviewing similar assets, or focusing on a single use case (a strategy with limited previous discussion). Also, they often used multiple approaches during a single threat modeling session.

We observed the questions they asked could be grouped according to threat modeling's 4 questions, and further divided into the common subquestions in this picture. Also, the question order is flexible, sometimes starting with threats, but other with mitigations or safety concern.

We observed which parts of the system they focused on, how they elicited threats and mitigations in specific system components, and if they relied on a specific approach to traverse the system and ensure they covered every part of the potential attack surface.

We take a first step to answer this question through interviews with 12 medical device security experts, asking them to develop threat models for mock systems. This community offers a unique opportunity to study threat modeling as the FDA introduced threat modeling requirements.

Last, but not least, @ZenW00kie will be presenting first thing tomorrow at #usesec2024 about our work investigating medical device manufacturers' threat modeling processes. We all have probably heard about some process for threat modeling, but how do people actually do it?.