Frank Stajano, PhD (filologo disneyano — I used to run a comics podcast)

Professor of Security and Privacy

Department of Computer {Science and Technology} (This new name encourages incorrect parsing. Read as "Department of the science and technology of computers", not as "Department of computer science (first topic) and of technology (second topic)".)
Computer Laboratory, University of Cambridge
Security Group and Digital Technology Group

Head, Academic Centre of Excellence in Cyber Security Research, University of Cambridge

Fellow of Trinity College, Cambridge

CEO and co-founder, Cambridge Cyber Ltd

Dojo leader, University of Cambridge Kendo Society

cl-krenew -f --maxout

for h in $(host -t ptr slogin-serv|sed -n 's/$//;s/.*domain name pointer //p'); do scp /tmp/krb5cc_1616 $h:/tmp/& done &

Hello and welcome to my home on the web!

Highlights, in a nutshell: Happy dad. Author of a few books, and of 3 papers with over 1000 citations each. CEO and startup founder. Kendo dojo leader. Comics philologist. Youtuber. Personal web page since 1994. Erdös number 3. And I used to share my Trinity office with a Nobel laureate in physics.

I run a Youtube channel, Frank Stajano Explains (.com), for students of computer science and for younger people whom I hope to inspire to become students of computer science in the future. The same lectures I give to my Cambridge students are now available to everyone in the world, at no charge. Check it out and subscribe!

In this video I talk about entrepreneurship and commercialisation of research from the academic viewpoint. In this other one I introduce Pico, my project to replace passwords. If you prefer reading papers to watching videos, this highly cited one explains why replacing passwords is hard and this one gives insights on the psychology of scam victims, with lessons for security system designers.

I founded a national (Inter-ACE) and an international (Cambridge2Cambridge) cyber security competition and ran them for three years, as a contribution towards raising a new generation of cyber-defenders (Poster). The international competition was a collaboration with MIT CSAIL. The successor to Cambridge2Cambridge is an even more international Country2Country, which I helped create, and I serve on its Steering Committee.

I am the CEO and co-founder of Cambridge Cyber, a security consultancy offering competent, trustworthy and discreet services in the areas of training, penetration testing and security analysis (open for business: myfirstname at cambridge cyber dot com).

Please read this before mailing me, and this if you want to become my student.
Maybe you're already at Cambridge and want to do your project with me?
Contact information is at the bottom of the page.

Things I... | am | 've written | teach | like | don't like | am on the program committee of | keep on my web page | said

My research interests revolve primarily around three interconnected themes:

I have a particular interest in the human aspects of systems security: many people like my 2009 work with Paul Wilson about understanding the psychology of scam victims to improve systems security. It was an invited talk at Usenix Security in August 2010 and an updated and abridged version of our technical report appeared in Communications of the ACM in March 2011, © ACM (cached).
I presented this work in 4 continents: America (Cambridge MA, Pittsburgh PA, New York NY, Washington DC), Europe (London (twice), Athens, Cambridge (twice), Munich, Zurich, Bucarest), Oceania (Gold Coast) and Asia (Fujisawa).

Lately, my research question has been: can we do better than passwords? In 2011 I wrote Pico: no more passwords! (blog post, Forbes coverage) which then became an invited talk at Usenix Security 2011 in San Francisco, USA and the opening keynote talk at RTCSA 2011 in Toyama, Japan. I have since received generous funding from the European Research Council, in the form of a prestigious and competitive ERC Starting Grant, to pursue my research on Pico. While revising that work I then decided that the ever-growing "related work" section of Pico was worth its own study, so I invited three expert coauthors for the project that became The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, the highest-scoring peer-reviewed paper at Oakland 2012 (watch me give the talk in San Francisco on 2012-05-23). An extended version, with full details and ratings for over 30 password replacement schemes, is available as a tech report.

In related threads, and with other coauthors, I also studied the security and privacy of forensic genomics and of social networking web sites such as Facebook. See the web page of my brilliant former graduate student Jonathan Anderson for more on privacy in social networks.

Historically, my most significant research contributions include works on the following topics (presented in papers that have since attracted over a thousand citations each):

I also enjoy coming up with quirky, eyebrow-raising uses of security protocols (sometimes with a serious aside), such as

I worked with civil engineers on the real-world security of wireless sensor networks to monitor the structural health of subway tunnels and suspension bridges. Other topics of interest include wireless technologies (efficient MAC protocols, 4G systems, Bluetooth security), context-aware software, distributed multimedia and so on: see further down for a full publications list. Book cover

Although I now have a permanent faculty post at the University of Cambridge, I have a mixed academic and industrial background, having been employed by the R&D centres of major electronics, telecommunications and software multinationals (Google, Toshiba, AT&T, Oracle, Olivetti). Thanks to this, my research has always retained a strong practical orientation. Since my academic appointment I have continued to consult for industry in Europe and Asia on systems security, strategic research planning, creativity and innovation. I am the author of the well-regarded research monograph Security for Ubiquitous Computing (Wiley, 2002).

I am a popular public speaker and I was called upon as invited or keynote speaker over 50 times on four continents (not counting the presentations of my refereed papers). I also served as program chair at over a dozen international conferences or workshops; as program committee member for over 50 events; as technical reviewer of book proposals for scientific publishers such as Wiley and Addison-Wesley; and as associate editor for an IEEE journal. I have authored or co-authored over 50 refereed publications, guest chapters in three books, two patent applications, one book and I have edited about a dozen Springer LNCS proceedings volumes.

I was elected a Toshiba Fellow in 2000. I was appointed to a Lectureship at the University of Cambridge in 2000, originally at the Department of Engineering, then transferred to the Computer Laboratory in 2004. In 2006 I was awarded academic tenure until retiring age. In 2007 I was promoted to a University Senior Lectureship, in 2013 to a Readership and in 2017 to a Professorship. I was also elected to a Fellowship at Trinity College in 2015, where I serve as a Director of Studies in Computer Science, a Senior Lecturer and the Chair of the IT Committee.

Before that, I had the privilege of doing a security PhD here at Cambridge under the supervision of Ross Anderson. I completed it in exactly three years: matriculated in January 1998, submitted in December 2000, approved with no corrections in January 2001. My PhD was nominated for the British Computer Society "distinguished dissertation" award and was later turned into the book mentioned above. The first few steps of my academic lineage are all at the Cambridge Computer Laboratory and go back to its founder Sir Maurice Wilkes, who built the first stored-program computer in the world: Frank Stajano - Ross Anderson - Roger Needham - David Wheeler - Maurice Wilkes. These were all people I knew well on a personal basis. According to the Mathematics Genealogy Project, my lineage then continues upwards to John Ratcliffe, Edward Appleton, JJ Thomson, John Strutt (Lord Rayleigh), Edward Routh, William Hopkins, Adam Sedgwick, Thomas Jones, Thomas Postlethwaite, Stephen Whisson, Walter Taylor, Robert Smith, Roger Cotes, Isaac Newton, Isaac Barrow, Vincenzo Viviani, Galileo Galilei, Ostilio Ricci, Nicolò Tartaglia, with additional non-linear detours through such eminent figures as Rutherford and Torricelli among others.

I have taught a variety of core computing subjects to engineers and computer scientists, including operating systems, computer architecture, security, data structures and algorithms, as well as more specialized subjects such as hardware design, FPGA programming, assembly language programming and ubiquitous computing. I greatly enjoy lecturing and helping other people reach "lightbulb moments".

I love Japan! I lived in Japan for one year and I maintain strong ties to the Toshiba Corporate Research and Development Center in Kawasaki and Keio University.

In my spare time I am a comics scholar with a particular interest in Disney material. I have coauthored a few books, book chapters and articles on this subject. Although not as frequently as I'd like, I offer audio interviews with comics authors on my comics podcast.

I have a strong interest in kendo (Japanese swordsmanship). Since October 2002 I am the leader of Tsurugi Bashi, the kendo dojo of the University of Cambridge. I am 4th dan and a BKA-licenced "Level 3 Regional Coach" (meaning that I run courses to train and license other kendo instructors). I attended the gruelling one-week "Foreign Kendo Leaders" seminar in Kitamoto, Japan in 2008 and 2014. I haven't kept an exact count but by now several hundred people have started kendo as my students. At least a couple dozen of them have obtained dan grades; some of them also hold BKA coaching licences and some even started their own dojo.

Things I am

Things I've written

(Legend: most of these are papers and articles but these are books or book chapters and these are programs.)