Votipka receives NSF CAREER Award

Lin Family Assistant Professor Dan Votipka of the Department of Computer Science recently received a National Science Foundation Faculty Early Career Development (NSF CAREER) Award for his work in human-centered threat modeling. The NSF CAREER Program supports exceptional early-career faculty who have the potential to drive innovative advances in research while serving as academic role models and leaders.
Threat modeling is an essential component of developing systems to safeguard against potential hackers. Since much of the practice revolves around predicting what might happen, it can be challenging to create reliable threat modeling procedures. Votipka’s project, “Increasing Human-Centered Threat Modeling Research’s Reliability,” will build on his previous work creating a theoretical threat modeling process and will develop a human-centered threat modeling methodology.
Cybersecurity is increasingly becoming a top priority for many organizations, but there are several challenges that can inhibit effective threat modeling experiments. Software threats are constantly shifting and difficult to anticipate. Additionally, test results could be biased due to unrealistic constraints that don’t effectively mirror the threat modeling industry. Tests typically involve student participants since cybersecurity professionals are often not available to participate in experiments. Finally, developer threat modeling is a wide-ranging field. Threat modelers in the medical device industry and threat modelers in open-source software could face different primary issues and human factors concerns that would benefit from different approaches.
Votipka plans to develop a rigorous methodology for human-centric threat modeling research that takes these factors into consideration. His model will balance accuracy and efficiency to produce a method that would be widely applicable across the threat modeling industry. Using interviews and focus groups, Votipka will refine his current model. Then, he will investigate the impact of various threat modeling task design decisions including how tasks are presented and the study environment. Finally, he will evaluate different metrics for threat modeling performance to determine which ones should be used. He will incorporate his findings into a set of guidelines that threat modelers can rely on when they are testing software.
The results have the potential to support safer software. His project advances security before devices or software are released, instead of relying on a reactive approach to fix issues after a cyberattack has already occurred. Votipka plans to share his guidelines widely through a publicly available online resource and training for researchers, professionals, and students.
Votipka earned his PhD in 2020 from the University of Maryland. At Tufts, his research focuses on computer security, with an emphasis on the human factors affecting security professionals. Votipka is interested in understanding the processes and mental models of professionals who perform security-related tasks such as vulnerability discovery, network defense, and malware analysis to provide research-based recommendations for education, policy, and automation changes to best leverage human intelligence against challenging computer security problems. He co-directs the Tufts Security and Privacy Lab (TSP), which focuses on how people build, operate, use, and defend systems.
The content of this article is solely the responsibility of the authors and does not necessarily represent the official views of the National Science Foundation. Research reported in this article was supported by the National Science Foundation under the following award number: 2440353
Department: Computer Science