Frank Stajano, PhD (filologo disneyano — I used to run a comics podcast)

Professor of Security and Privacy

Department of Computer {Science and Technology} (This new name encourages incorrect parsing. Read as "Department of the science and technology of computers", not as "Department of computer science (first topic) and of technology (second topic)".)
Computer Laboratory, University of Cambridge
Security Group and Digital Technology Group

Former Head, Academic Centre of Excellence in Cyber Security Research, University of Cambridge

Fellow of Trinity College, Cambridge

CEO and co-founder, Cambridge Cyber Ltd

Dojo leader, University of Cambridge Kendo Society

Regional coach (Level 3), British Kendo Association

cl-krenew -f --maxout

for h in $(host -t ptr slogin-serv|sed -n 's/$//;s/.*domain name pointer //p'); do scp /tmp/krb5cc_1616 $h:/tmp/& done &

Fix 00~ problem with Ctrl-Opt-R

Hello and welcome to my home on the web!

Highlights, in a nutshell: Happy dad. Author of a few books, and of 3 papers with over 1000 citations each. CEO and startup founder. Kendo dojo leader. Comics philologist. Youtuber. Personal web page since 1994. Erdös number 3. And I used to share my Trinity office with a Nobel laureate in physics.

I run a Youtube channel, Frank Stajano Explains (.com), for students of computer science and for younger people whom I hope to inspire to become students of computer science in the future. The same lectures I give to my Cambridge students are now available to everyone in the world, at no charge. Check it out and subscribe!

In this video I talk about entrepreneurship and commercialisation of research from the academic viewpoint. In this other one I introduce Pico, my project to replace passwords. If you prefer reading papers to watching videos, this highly cited one explains why replacing passwords is hard and this one gives insights on the psychology of scam victims, with lessons for security system designers.

I founded a national (Inter-ACE) and an international (Cambridge2Cambridge) cyber security competition and ran them for three years, as a contribution towards raising a new generation of cyber-defenders (Poster). The international competition was a collaboration with MIT CSAIL. The successor to Cambridge2Cambridge is an even more international Country2Country, which I helped create, and I serve on its Steering Committee.

I am the CEO and co-founder of Cambridge Cyber, a security consultancy offering competent, trustworthy and discreet services in the areas of training, penetration testing and security analysis (open for business: myfirstname at cambridge cyber dot com).

Please read this before mailing me, and this if you want to become my student.
Maybe you're already at Cambridge and want to do your project with me?
Contact information is at the bottom of the page.

Things I... | am | 've written | teach | like | don't like | am on the program committee of | keep on my web page | said

My research interests revolve primarily around three interconnected themes:

I have a particular interest in the human aspects of systems security: many people like my 2009 work with Paul Wilson about understanding the psychology of scam victims to improve systems security. It was an invited talk at Usenix Security in August 2010 and an updated and abridged version of our technical report appeared in Communications of the ACM in March 2011, © ACM (cached).
I presented this work in 4 continents: America (Cambridge MA, Pittsburgh PA, New York NY, Washington DC), Europe (London (twice), Athens, Cambridge (twice), Munich, Zurich, Bucarest), Oceania (Gold Coast) and Asia (Fujisawa).

Lately, my research question has been: can we do better than passwords? In 2011 I wrote Pico: no more passwords! (blog post, Forbes coverage) which then became an invited talk at Usenix Security 2011 in San Francisco, USA and the opening keynote talk at RTCSA 2011 in Toyama, Japan. I have since received generous funding from the European Research Council, in the form of a prestigious and competitive ERC Starting Grant, to pursue my research on Pico. While revising that work I then decided that the ever-growing "related work" section of Pico was worth its own study, so I invited three expert coauthors for the project that became The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, the highest-scoring peer-reviewed paper at Oakland 2012 (watch me give the talk in San Francisco on 2012-05-23). An extended version, with full details and ratings for over 30 password replacement schemes, is available as a tech report.

In related threads, and with other coauthors, I also studied the security and privacy of forensic genomics and of social networking web sites such as Facebook. See the web page of my brilliant former graduate student Jonathan Anderson for more on privacy in social networks.

Historically, my most significant research contributions include works on the following topics (presented in papers that have since attracted over a thousand citations each):

I also enjoy coming up with quirky, eyebrow-raising uses of security protocols (sometimes with a serious aside), such as

I worked with civil engineers on the real-world security of wireless sensor networks to monitor the structural health of subway tunnels and suspension bridges. Other topics of interest include wireless technologies (efficient MAC protocols, 4G systems, Bluetooth security), context-aware software, distributed multimedia and so on: see further down for a full publications list. Book cover

Although I now have a permanent faculty post at the University of Cambridge, I have a mixed academic and industrial background, having been employed by the R&D centres of major electronics, telecommunications and software multinationals (Google, Toshiba, AT&T, Oracle, Olivetti). Thanks to this, my research has always retained a strong practical orientation. Since my academic appointment I have continued to consult for industry in Europe and Asia on systems security, strategic research planning, creativity and innovation. I am the author of the well-regarded research monograph Security for Ubiquitous Computing (Wiley, 2002).

I am a popular public speaker and I was called upon as invited or keynote speaker over 50 times on four continents (not counting the presentations of my refereed papers). I also served as program chair at over a dozen international conferences or workshops; as program committee member for over 50 events; as technical reviewer of book proposals for scientific publishers such as Wiley and Addison-Wesley; and as associate editor for an IEEE journal. I have authored or co-authored over 50 refereed publications, guest chapters in three books, two patent applications, one book and I have edited about a dozen Springer LNCS proceedings volumes.

I was elected a Toshiba Fellow in 2000. I was appointed to a Lectureship at the University of Cambridge in 2000, originally at the Department of Engineering, then transferred to the Computer Laboratory in 2004. In 2006 I was awarded academic tenure until retiring age. In 2007 I was promoted to a University Senior Lectureship, in 2013 to a Readership and in 2017 to a Professorship. I was also elected to a Fellowship at Trinity College in 2015, where I serve as a Director of Studies in Computer Science, a Senior Lecturer and the Chair of the IT Committee.

Before that, I had the privilege of doing a security PhD here at Cambridge under the supervision of Ross Anderson. I completed it in exactly three years: matriculated in January 1998, submitted in December 2000, approved with no corrections in January 2001. My PhD was nominated for the British Computer Society "distinguished dissertation" award and was later turned into the book mentioned above. The first few steps of my academic lineage are all at the Cambridge Computer Laboratory and go back to its founder Sir Maurice Wilkes, who built the first stored-program computer in the world: Frank Stajano - Ross Anderson - Roger Needham - David Wheeler - Maurice Wilkes. These were all people I knew well on a personal basis. According to the Mathematics Genealogy Project, my lineage then continues upwards to John Ratcliffe, Edward Appleton, JJ Thomson, John Strutt (Lord Rayleigh), Edward Routh, William Hopkins, Adam Sedgwick, Thomas Jones, Thomas Postlethwaite, Stephen Whisson, Walter Taylor, Robert Smith, Roger Cotes, Isaac Newton, Isaac Barrow, Vincenzo Viviani, Galileo Galilei, Ostilio Ricci, Nicolò Tartaglia, with additional non-linear detours through such eminent figures as Rutherford and Torricelli among others.

I have taught a variety of core computing subjects to engineers and computer scientists, including operating systems, computer architecture, security, data structures and algorithms, as well as more specialized subjects such as hardware design, FPGA programming, assembly language programming and ubiquitous computing. I greatly enjoy lecturing and helping other people reach "lightbulb moments".

I love Japan! I lived in Japan for one year and I maintain strong ties to the Toshiba Corporate Research and Development Center in Kawasaki and Keio University.

In my spare time I am a comics scholar with a particular interest in Disney material. I have coauthored a few books, book chapters and articles on this subject. Although not as frequently as I'd like, I offer audio interviews with comics authors on my comics podcast.

I have a strong interest in kendo (Japanese swordsmanship). Since October 2002 I am the leader of Tsurugi Bashi, the kendo dojo of the University of Cambridge. I am 5th dan and a BKA-licenced "Level 3 Regional Coach" (meaning that I run courses to train and license other kendo instructors). I attended the gruelling one-week "Foreign Kendo Leaders" seminar in Kitamoto, Japan in 2008 and 2014. I haven't kept an exact count but by now about a thousand people have started kendo as my students. At least a couple dozen of them have obtained dan grades; some of them also hold BKA coaching licences and some even started their own dojo.

Things I am

Things I've written

(Legend: most of these are papers and articles but these are books or book chapters and these are programs.)

Things I teach

Courses and projects

I used to run the Computer and Communications Technology Reading Club, perhaps better known as the LCE Monday Meetings.

Current students

Computer Science Tripos (BA)

MPhil in Advanced Computer Science

Former graduate students who completed under my supervision

Former graduate students whom I also supervised for part of their course

PhD: Eli Katsiri, Zheng Li, Matthew Johnson, Joong-Woong Kim, Bogdan Roman, Saad Aloteibi, Omar Choudary

MPhil: Omar Choudary, Miltiadis Allamanis, Bogdan Matican, Max Nicosia, Junayed Mizan

Former undergraduate students whose final year project I supervised

George Danezis
Julian Dale, David Stern, Mark Victory
Grant Oddoye
Peng Yuan Fan, Arun Rakhra
Bo Tian, Oliver Stannard
Alex Chadwick, Jonathan Millican
Daniel Low
Gábor Szarka
Harry Jones
Joe O'Connor, Weronika Wiech, Viktor Mirjanic

Former undergraduate students whose coursework I supervised

Lent 1999, Security:
Chris Reed, John Hall, Ross Younger, Ari Krakauer, Martin Thorpe, Ben Waine, Katie Bebbington, Ciaran McNulty, Matthew Slyman, Dominic Crowhurst, Matt Cobley, Alfredo Gregorio, Andrei Serjantov, Jacob Nevins, Theo Honohan, Ben Mansell, Alastair Beresford, Richard Sharp, David Scott.
Lent 2000, Security:
Siraj Khaliq, Julian Brown, George Danezis, Mark Shinwell, Patrick Wynn, Bruno Bowden, Justin Siu, Paul Gotch.

(...then stopped keeping track...)

Things I like

Things I don't like

Things I am (or have been) on the program committee of

  1. IPC9 aka 9th International Python Conference (5-8 March 2001, Long Beach, CA, USA)
  2. IPC10 aka 10th International Python Conference (4-7 February 2002, Alexandria, VA, USA)
  3. IWSAWC 2002 aka The 2nd International Workshop on Smart Appliances and Wearable Computing (2 July 2002, Vienna, Austria)
  4. Mobicom 2002 aka The Eighth ACM International Conference on Mobile Computing and Networking (23-28 September 2002, Atlanta, GA, USA)
  5. WiSe aka Workshop on Wireless Security (28 September 2002, Atlanta, GA, USA)
  6. SPC 2003 aka 1st International Conference on Security in Pervasive Computing (12-14 March 2003, Boppard, Germany)
  7. PerSec 2004 aka First IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2004 (14-17 March 2004, Orlando, FL, USA)
  8. ICDCS 2004 aka 24th International Conference on Distributed Computing Systems (23-26 March 2004, Tokyo, Japan)
  9. Uk-Ubinet 2004 aka 2nd UK-UbiNet Workshop, Security, trust, privacy and theory for ubiquitous computing (5-7th May 2004, Cambridge, UK)
  10. ESAS 2004 aka 1st European Workshop on Security in Ad-Hoc and Sensor Networks (5-6 August 2004, Heidelberg, Germany)
  11. Mobiquitous 2004 aka First Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (22-25 August 2004, Boston, MA, USA)
  12. UCS 2004 aka 2nd International Symposium on Ubiquitous Computing Systems (8-9 November 2004, Tokyo, Japan)
  13. PerSec 2005 aka 2nd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2005 (8-12 March 2005, Hawaii, USA) (Program co-chair)
  14. SPC 2005 aka 2nd Conference on Security in Pervasive Computing (6-8 April 2005, Boppard, Germany)
  15. LoCa 2005 aka International Workshop on Location- and Context-Awareness, in cooperation with Pervasive 2005 (12-13 May 2005, Oberpfaffenhofen near Munich, Germany)
  16. TSPUC 2005 aka First International Workshop on Trust, Security and Privacy for Ubiquitous Computing (13 June 2005, Taormina, Italy), affiliated with IEEE WOWMOM 2005
  17. PerSec 2006 aka 3rd IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2006 (13-17 March 2006, Pisa, Italy) (Program co-chair)
  18. HPCC-06 aka The Second International Conference on High Performance Computing and Communications (13-15 September 2006, Munich, Germany) (Program vice-chair)
  19. ESAS 2006 aka Third European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (20-21 September 2006, Hamburg, Germany)
  20. UCS 2006 aka 2006 International Symposium on Ubiquitous Computing Systems (11-13 October 2006, Seoul, Korea)
  21. ICUCT 2006 aka International Conference on Ubiquitous Convergence Technology (6-8 December 2006, Jeju, Korea) (Program co-chair)
  22. PerSec 2007 aka 4th IEEE International Workshop on Pervasive Computing and Communication Security, held in conjunction with PerCom 2007 (26 March 2007, New York, USA) (Program co-chair)
  23. PerCom 2007 aka 5th Annual IEEE International Conference on Pervasive Computing and Communications, (26-30 March 2007, New York, USA)
  24. ESAS 2007 aka Fourth European Workshop on Security and Privacy in Ad Hoc and Sensor Networks (2-3 July 2007, Cambridge, UK) (General chair)
  25. SecureComm 2007 aka Third International Conference on Security and Privacy in Communication Networks (17-21 September 2007, Nice, France)
  26. WiSec 2008 aka First ACM Conference on Wireless Network Security (31 March - 2 April 2008, Alexandria, VA, USA)
  27. WiSec 2009 aka Second ACM Conference on Wireless Network Security (16 - 18 March 2009, Zurich, Switzerland)
  28. IWSSI/SPMU 2009 aka Second International Workshop on Security and Privacy in Spontaneous Interaction and Mobile Device Use, held in conjunction with Pervasive 2009 (11 May 2009, Nara, Japan)
  29. SPW 2009 aka Seventeenth International Workshop on Security Protocols (1-3 April 2009, Cambridge, UK)
  30. WISTP 2009 aka Workshop in Information Security Theory and Practices on Smart Devices, Pervasive Systems, and Ubiquitous Networks (2-4 September 2009, Brussels, Belgium)
  31. DWSAN4CIP 2009 aka International Workshop on Dependable Wireless Sensor and Actuator Networks for Critical Infrastructure Protection (18-19 October 2009, St. Petersburg, Russia), held in conjunction with ICUMT 2009.
  32. WISEC 2010 aka Third ACM Conference on Wireless Network Security (March 2010, New York, USA) (Program co-chair)
  33. SPW 2010 aka Eighteenth International Workshop on Security Protocols (24-26 March 2010, Cambridge, UK)
  34. SEC 2010 aka International Information Security Conference 2010: Security & Privacy - Silver Linings in the Cloud (20-23 September 2010, Brisbane, Australia)
  35. WISEC 2011 aka Fourth ACM Conference on Wireless Network Security (14-17 June 2011, Hamburg, Germany)
  36. SPW 2011 aka Nineteenth International Workshop on Security Protocols (March 2011, Cambridge, UK)
  37. SPW 2012 aka Twentieth International Workshop on Security Protocols (April 2012, Cambridge, UK)
  38. WRIT 2013 aka Workshop on Research for Insider threat, a workshop of Oakland 2013 (24 May 2013, San Francisco, CA, USA) (Program co-chair)
  39. Oakland 2014 aka 35th IEEE Symposium on Security and Privacy (18-21 May 2014, San Jose, CA, USA)
  40. SPW 2013 aka Twentyfirst International Workshop on Security Protocols (April 2013, Cambridge, UK)
  41. SPW 2014 aka Twentysecond International Workshop on Security Protocols (April 2014, Cambridge, UK)
  42. Passwords14 aka 7th international conference on passwords (8-10 December 2014, Trondheim, Norway).
  43. SPW 2015 aka Twentythird International Workshop on Security Protocols (April 2015, Cambridge, UK)
  44. SOUPS 2015 aka Symposium On Usable Privacy and Security (22-24 July 2015, Ottawa, Canada).
  45. Passwords 2015 aka 9th international conference on passwords (7-9 December 2015, Cambridge, UK) (Program co-chair)
  46. SPW 2016 aka Twentyfourth International Workshop on Security Protocols (6-8 April 2016, Brno, Czech Republic)
  47. SOUPS 2016 aka Twelfth Symposium on Usable Privacy and Security (22-24 June 2016, Denver, CO, USA)
  48. EuroUSEC 2016 aka First European Workshop on Usable Security (18 July 2016, Darmstadt, Germany).
  49. Passwords 2016 aka 11th International Conference on Passwords (5-7 December 2016, Bochum, Germany) (Program co-chair)
  50. EuroS&P 2017 aka Second IEEE European Symposium on Security and Privacy (26-28 April 2017, Paris, France)
  51. SPW 2017 aka Twentyfifth International Workshop on Security Protocols (20-22 March 2017, Cambridge, UK) (Program chair)
  52. SPW 2018 aka Twentysixth International Workshop on Security Protocols (19-21 March 2018, Cambridge, UK) (General chair)
  53. SPW 2019 aka Twentyseventh International Workshop on Security Protocols (10-12 April 2019, Cambridge, UK) (General chair)
  54. EuroS&P 2019 aka Fourth IEEE European Symposium on Security and Privacy (17-19 June 2019, Stockholm, Sweden) (Program co-chair)
  55. SPW 2020 aka Twentyeighth International Workshop on Security Protocols (April 2020, Cambridge, UK) (General chair) CANCELLED
  56. EuroS&P 2020 aka Fifth IEEE European Symposium on Security and Privacy (June 2020, Genova, Italy) (Program co-chair)
  57. SPW 2023 aka Twentyeighth International Workshop on Security Protocols (27-28 March 2023, Cambridge, UK) (Program Chair and General Chair)

I encourage you to submit papers to those of the events above for which the submission date is still in the future. The Calls for Papers are available from the links.

I also served as associate editor for IEEE Transactions on Dependable and Secure Computing.

Things I keep on my web page

...and sometimes on my door; many items here are in the form of little A4 posters that you can print and attach to your own door too!

Things I said (in theory I should wait to be dead before putting this up, but...)

Contact Information

Professor Frank Stajano
William Gates Building
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom

ORCID: 0000-0001-9186-6798
SCOPUS: 10041405900

Fax: +44 1223 334611

Telephone contact is generally not encouraged but, if you are a friend or if you have a good reason, with a little homework you can find my number in the departmental directory. Don't, if you're a salesperson, or I may be rude to you.

Time zone info: the UK uses the UTC+0 time zone and goes to UTC+1 during the summer (actually from the last Sunday in March to the last Sunday in October); most other EU countries, instead, are on UTC+1 and UTC+2 respectively, but the change is synchronised, so the time difference with Central Europe is now always 1 hour (this used to be different). Japan is on UTC+9 and, in its wisdom, stays there all year long.


These days, I get a lot of email. A long time ago I used to reply to almost every message. I soon stopped doing that, but for many years I kept on carefully reading every message. In the late 1990s I stopped doing that too, because of spam: initially it was a big shock for me to delete stuff without having read it ("what if it was important?"), but then I got over it. Nowadays I ask the Bayesian filter in Thunderbird (not as good as the wonderful Python-powered Spambayes, but more conveniently accessible) to throw away messages on my behalf without even showing them to me. The stuff that gets through I usually read, except if it's too long or if it contains Microsoft attachments.

DON'T send me Microsoft attachments, which are notorious virus vehicles; ideally, if you want to be kind, please don't send me any attachments at all. Unless I already know you have a good reason for sending it to me, mail with attachments may be discarded unread, or actually not even downloaded from the server. I am happiest when people send me plain text or, at most, a pointer to a pdf.

Even after all this filtering, I still get way too much mail. I write over 10 replies per workday (often many more), but course I can't hope to keep up with an influx that is an order of magnitude larger. As Joachim Posegga once wrote, "response time tends to be an exponential function of message length".

If you want to write to me because you want to become my student at Cambridge, please read this helpful and instructive page. If you don't (and I will be able to tell from your message) I might just silently ignore you; or, if you're lucky, just point you again to this page.

Having said all that, my university email address is

I use and encourage the use of PGP (or its free equivalent GPG, to which I even once contributed a minor bug fix). My PGP keys are on the keyservers. I prefer to receive encrypted mail messages as inline ascii-armoured text as opposed to attachments.

HTML advice of the day: don't misuse tables for page layout purposes and, above all, avoid browser-specific crap!

"With HTML 4.0, any Web application can be vendor independent. There really is no excuse for tying yourselves or your partners to proprietary solutions."
--Tim Berners-Lee, inventor of the World Wide Web

Valid HTML 4.0! (recheck) Valid CSS! (recheck) Best Viewed With Any Browser