Holding a wonderful
katana in the workshop of sword polisher Roberto Candido, in Tsurumi,
Yokohama-shi, Japan.

Frank Stajano, PhD (filologo disneyano — I used to run a comics podcast)

Reader in Security and Privacy (≈ associate professor)
Computer Laboratory, University of Cambridge
Security Group and Digital Technology Group

Head, Academic Centre of Excellence in Cyber Security Research, University of Cambridge

Hello and welcome to my home on the web!

My primary research project, Pico, aims to make the world a better place by getting rid of passwords. Thanks to the European Research Council I recruited a team of brilliant researchers to work with me on this problem.

Please read this before mailing me, and this if you want to become my student.
Maybe you're already at Cambridge and want to do your project with me?
Contact information is at the bottom of the page.

Things I... | am | 've written | teach | like | don't like | am on the program committee of | keep on my web page | said

My research interests revolve primarily around three interconnected themes:

I have a particular interest in the human aspects of systems security: many people like my 2009 work with Paul Wilson about understanding the psychology of scam victims to improve systems security. It was an invited talk at Usenix Security in August 2010 and an updated and abridged version of our technical report appeared in Communications of the ACM in March 2011, © ACM (cached).
I presented this work in 4 continents: America (Cambridge MA, Pittsburgh PA, New York NY, Washington DC), Europe (London (twice), Athens, Cambridge (twice), Munich, Zurich, Bucarest), Oceania (Gold Coast) and Asia (Fujisawa).

Lately, my research question has been: can we do better than passwords? In 2011 I wrote Pico: no more passwords! (blog post, Forbes coverage) which then became an invited talk at Usenix Security 2011 in San Francisco, USA and the opening keynote talk at RTCSA 2011 in Toyama, Japan. I have since received generous funding from the European Research Council, in the form of a prestigious and competitive ERC Starting Grant, to pursue my research on Pico. While revising that work I then decided that the ever-growing "related work" section of Pico was worth its own study, so I invited three expert coauthors for the project that became The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, the highest-scoring peer-reviewed paper at Oakland 2012 (watch me give the talk in San Francisco on 2012-05-23). An extended version, with full details and ratings for over 30 password replacement schemes, is available as a tech report.

In related threads, and with other coauthors, I also studied the security and privacy of forensic genomics and of social networking web sites such as Facebook. See the web page of my brilliant former graduate student Jonathan Anderson for more on privacy in social networks.

Historically, my most significant research contributions include works on

I also enjoy coming up with quirky, eyebrow-raising uses of security protocols (sometimes with a serious aside), such as

I worked with civil engineers on the real-world security of wireless sensor networks to monitor the structural health of subway tunnels and suspension bridges. Other topics of interest include wireless technologies (efficient MAC protocols, 4G systems, Bluetooth security), context-aware software, distributed multimedia and so on: see further down for a full publications list. Book cover

Although I now have a permanent faculty post at the University of Cambridge, I have a mixed academic and industrial background, having been employed by the R&D centres of major electronics, telecommunications and software multinationals (Google, Toshiba, AT&T, Oracle, Olivetti). Thanks to this, my research has always retained a strong practical orientation. Since my academic appointment I have continued to consult for industry in Europe and Asia on systems security, strategic research planning, creativity and innovation. I am the author of the well-regarded research monograph Security for Ubiquitous Computing (Wiley, 2002).

I am a popular public speaker and I was called upon as invited or keynote speaker over 40 times on four continents (not counting the presentations of my refereed papers). I also served as program chair at 7 international conferences or workshops; as program committee member for over 30 events; as technical reviewer of book proposals for scientific publishers such as Wiley and Addison-Wesley; and as associate editor for an IEEE journal. I have authored or co-authored over 50 refereed publications, three book chapters, two patent applications, one book and I have edited two LNCS proceedings volumes.

I was elected a Toshiba Fellow in 2000. I was appointed to a Lectureship at the University of Cambridge in 2000, originally at the Department of Engineering, then transferred to the Computer Laboratory in 2004. In 2006 I was awarded academic tenure until retiring age and in 2007 I was promoted to a University Senior Lectureship.

Before that, I had the privilege of doing a security PhD here at Cambridge under the supervision of Ross Anderson. I completed it in exactly three years: matriculated in January 1998, submitted in December 2000, approved with no corrections in January 2001. My PhD was nominated for the British Computer Society "distinguished dissertation" award and was later turned into the book mentioned above. The first few steps of my academic lineage are all at the Cambridge Computer Laboratory and go back to its founder Sir Maurice Wilkes, who built the first stored-program computer in the world: Frank Stajano - Ross Anderson - Roger Needham - David Wheeler - Maurice Wilkes.

I have taught a variety of core computing subjects to engineers and computer scientists, including operating systems, computer architecture, security, data structures and algorithms, as well as more specialized subjects such as hardware design, FPGA programming, assembly language programming and ubiquitous computing. I greatly enjoy lecturing and helping other people reach "lightbulb moments".

I love Japan! I lived in Japan for one year and I maintain strong ties to the Toshiba Corporate Research and Development Center in Kawasaki and Keio University.

In my spare time I am a comics scholar with a particular interest in Disney material. I have coauthored a few books, book chapters and articles on this subject. Although not as frequently as I'd like, I offer audio interviews with comics authors on my comics podcast.

I have a strong interest in kendo (Japanese swordsmanship). Since October 2002 I am the leader of Tsurugi Bashi, the kendo dojo of the University of Cambridge. I am 3rd dan and a BKA-licenced "regional coach" (meaning that I run courses to train and license other kendo instructors). I attended the gruelling one-week "Foreign Kendo Leaders" seminar in Kitamoto, Japan in July 2008. I haven't kept an exact count but by now a few hundred people have started kendo as my students. Over a dozen of them (Michael Gratzke*, Theo Rutter, Jake Barber, Adam Jackson*, Min Lin*, Daisy Chen*, Ivy Ko, Mikyung Jang*, Eng Tin Aw*, Matt Marley*, Periklis Akritidis, Eric Tung, Damien Vadillo) now hold Dan grades and those with a star also hold BKA coach licences; several of them even started new dojo. Since I became dojo leader, Cambridge defeated Oxford seven times at the annual Varsity match, and also won first place at the 2009 British inter-university championship.

Things I am

Things I've written

(Legend: most of these are papers and articles but these are books or book chapters and these are programs.)

Things I teach

Courses and projects

I used to run the Computer and Communications Technology Reading Club, perhaps better known as the LCE Monday Meetings.

Current students

Computer Science Tripos (BA)

MPhil in Advanced Computer Science

Former graduate students who completed under my supervision

Former graduate students whom I also supervised for part of their course

PhD: Eli Katsiri, Zheng Li, Matthew Johnson, Joong-Woong Kim, Bogdan Roman, Saad Aloteibi, Omar Choudary

MPhil: Omar Choudary, Miltiadis Allamanis, Bogdan Matican, Max Nicosia, Junayed Mizan

Former undergraduate students whose final year project I supervised

George Danezis
Julian Dale, David Stern, Mark Victory
Grant Oddoye
Peng Yuan Fan, Arun Rakhra
Bo Tian, Oliver Stannard

Former undergraduate students whose coursework I supervised

Lent 1999, Security:
Chris Reed, John Hall, Ross Younger, Ari Krakauer, Martin Thorpe, Ben Waine, Katie Bebbington, Ciaran McNulty, Matthew Slyman, Dominic Crowhurst, Matt Cobley, Alfredo Gregorio, Andrei Serjantov, Jacob Nevins, Theo Honohan, Ben Mansell, Alastair Beresford, Richard Sharp, David Scott.
Lent 2000, Security:
Siraj Khaliq, Julian Brown, George Danezis, Mark Shinwell, Patrick Wynn, Bruno Bowden, Justin Siu, Paul Gotch.

Things I like

Things I don't like

Things I am (or have been) on the program committee of

  1. IPC9 aka 9th International Python Conference (5-8 March 2001, Long Beach, CA, USA)
  2. IPC10 aka 10th International Python Conference (4-7 February 2002, Alexandria, VA, USA)
  3. IWSAWC 2002 aka The 2nd International Workshop on Smart Appliances and Wearable Computing (2 July 2002, Vienna, Austria)
  4. Mobicom 2002 aka The Eighth ACM International Conference on Mobile Computing and Networking (23-28 September 2002, Atlanta, GA, USA)
  5. WiSe aka Workshop on Wireless Security (28 September 2002, Atlanta, GA, USA)
  6. SPC 2003 aka 1st International Conference on Security in Pervasive Computing (12-14 March 2003, Boppard, Germany)
  7. PerSec 2004 aka First IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2004 (14-17 March 2004, Orlando, FL, USA)
  8. ICDCS 2004 aka 24th International Conference on Distributed Computing Systems (23-26 March 2004, Tokyo, Japan)
  9. Uk-Ubinet 2004 aka 2nd UK-UbiNet Workshop, Security, trust, privacy and theory for ubiquitous computing (5-7th May 2004, Cambridge, UK)
  10. ESAS 2004 aka 1st European Workshop on Security in Ad-Hoc and Sensor Networks (5-6 August 2004, Heidelberg, Germany)
  11. Mobiquitous 2004 aka First Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (22-25 August 2004, Boston, MA, USA)
  12. UCS 2004 aka 2nd International Symposium on Ubiquitous Computing Systems (8-9 November 2004, Tokyo, Japan)
  13. PerSec 2005 aka 2nd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2005 (8-12 March 2005, Hawaii, USA) (Program co-chair)
  14. SPC 2005 aka 2nd Conference on Security in Pervasive Computing (6-8 April 2005, Boppard, Germany)
  15. LoCa 2005 aka International Workshop on Location- and Context-Awareness, in cooperation with Pervasive 2005 (12-13 May 2005, Oberpfaffenhofen near Munich, Germany)
  16. TSPUC 2005 aka First International Workshop on Trust, Security and Privacy for Ubiquitous Computing (13 June 2005, Taormina, Italy), affiliated with IEEE WOWMOM 2005
  17. PerSec 2006 aka 3rd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2006 (13-17 March 2006, Pisa, Italy) (Program co-chair)
  18. HPCC-06 aka The Second International Conference on High Performance Computing and Communications (13-15 September 2006, Munich, Germany) (Program vice-chair)
  19. ESAS 2006 aka Third European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (20-21 September 2006, Hamburg, Germany)
  20. UCS 2006 aka 2006 International Symposium on Ubiquitous Computing Systems (11-13 October 2006, Seoul, Korea)
  21. ICUCT 2006 aka International Conference on Ubiquitous Convergence Technology (6-8 December 2006, Jeju, Korea) (Program co-chair)
  22. PerSec 2007 aka 4th IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2007 (26 March 2007, New York, USA) (Program co-chair)
  23. PerCom 2007 aka 5th Annual IEEE International Conference on Pervasive Computing and Communications, (26-30 March 2007, New York, USA)
  24. ESAS 2007 aka Fourth European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (2-3 July 2007, Cambridge, UK) (General chair)
  25. SecureComm 2007 aka Third International Conference on Security and Privacy in Communication Networks (17-21 September 2007, Nice, France)
  26. WiSec 2008 aka First ACM Conference on Wireless Network Security (31 March - 2 April 2008, Alexandria, VA, USA)
  27. WiSec 2009 aka Second ACM Conference on Wireless Network Security (16 - 18 March 2009, Zurich, Switzerland)
  28. IWSSI/SPMU 2009 aka Second International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Device Use, held in conjunction with Pervasive 2009 (11 May 2009, Nara, Japan)
  29. SPW 2009 aka Seventeenth International Workshop on Security Protocols (1-3 April 2009, Cambridge, UK)
  30. WISTP 2009 aka Workshop in Information Security Theory and Practices on Smart Devices, Pervasive Systems, and Ubiquitous Networks (2-4 September 2009, Brussels, Belgium)
  31. DWSAN4CIP 2009 aka International Workshop on Dependable Wireless Sensor and Actuator Networks for Critical Infrastructure Protection (18-19 October 2009, St. Petersburg, Russia), held in conjunction with ICUMT 2009.
  32. WISEC 2010 aka Third ACM Conference on Wireless Network Security (March 2010, New York, USA) (Program co-chair)
  33. SPW 2010 aka Eighteenth International Workshop on Security Protocols (24-26 March 2010, Cambridge, UK)
  34. SEC 2010 aka International Information Security Conference 2010: Security & Privacy - Silver Linings in the Cloud (20-23 September 2010, Brisbane, Australia)
  35. WISEC 2011 aka Fourth ACM Conference on Wireless Network Security (14-17 June 2011, Hamburg, Germany)
  36. SPW 2011 aka Nineteenth International Workshop on Security Protocols (March 2011, Cambridge, UK)
  37. SPW 2012 aka Twentieth International Workshop on Security Protocols (April 2012, Cambridge, UK)
  38. WRIT 2013 aka Workshop on Research for Insider threat, a workshop of Oakland 2013 (24 May 2013, San Francisco, CA, USA)
  39. Oakland 2014 aka 35th IEEE Symposium on Security and Privacy (18-21 May 2014, San Jose, CA, USA)

I encourage you to submit papers to those of the events above for which the submission date is still in the future. The Calls for Papers are available from the links.

I also served as associate editor for IEEE Transactions on Dependable and Secure Computing.

Things I keep on my web page

...and sometimes on my door; many items here are in the form of little A4 posters that you can print and attach to your own door too!

Things I said (in theory I should wait to be dead before putting this up, but...)

Contact Information

Frank Stajano, Dr. Ing., Ph.D.
Computer Laboratory
University of Cambridge
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom

Fax: +44 1223 334611

Telephone contact is generally not encouraged but, if you are a friend or if you have a good reason, with a little homework you can find my number in the departmental directory. Don't, if you're a salesperson, or I may be rude to you.

Time zone info: the UK uses the UTC+0 time zone and goes to UTC+1 during the summer (actually from the last Sunday in March to the last Sunday in October); most other EU countries, instead, are on UTC+1 and UTC+2 respectively, but the change is synchronised, so the time difference with Central Europe is now always 1 hour (this used to be different). Japan is on UTC+9 and, in its wisdom, stays there all year long.


These days, I get a lot of email. A long time ago I used to reply to almost every message. I soon stopped doing that, but for many years I kept on carefully reading every message. In the late 1990s I stopped doing that too, because of spam: initially it was a big shock for me to delete stuff without having read it ("what if it was important?"), but then I got over it. Nowadays I ask the Bayesian filter in Thunderbird (not as good as the wonderful Python-powered Spambayes, but more conveniently accessible) to throw away messages on my behalf without even showing them to me. The stuff that gets through I usually read, except if it's too long or if it contains Microsoft attachments.

DON'T send me Microsoft attachments, which are notorious virus vehicles; ideally, if you want to be kind, please don't send me any attachments at all. Unless I already know you have a good reason for sending it to me, mail with attachments may be discarded unread, or actually not even downloaded from the server. I am happiest when people send me plain text or, at most, a pointer to a pdf.

Even after all this filtering, I still get way too much mail. I write over 10 replies per workday (often many more), but course I can't hope to keep up with an influx that is an order of magnitude larger. As Joachim Posegga once wrote, "response time tends to be an exponential function of message length".

If you want to write to me because you want to become my student at Cambridge, please read this helpful and instructive page. If you don't (and I will be able to tell from your message) I might just silently ignore you; or, if you're lucky, just point you again to this page.

Having said all that, my email address is givenname.familyname@cl.cam.ac.uk.

I use and encourage the use of PGP (or its free equivalent GPG, to which I even once contributed a minor bug fix). My PGP keys are on the keyservers. I prefer to receive encrypted mail messages as inline ascii-armoured text as opposed to attachments.

HTML advice of the day: don't misuse tables for page layout purposes and, above all, avoid browser-specific crap!

"With HTML 4.0, any Web application can be vendor independent. There really is no excuse for tying yourselves or your partners to proprietary solutions."
--Tim Berners-Lee, inventor of the World Wide Web

Valid HTML 4.0! (recheck) Valid CSS! (recheck) Best Viewed With Any Browser