Welcome to the website of the Data and Application Security Group!
Paper accepted at S&P 26
Our paper entitled “LISA: A Scale-Optimized and Psychometrically-Validated Instrument for the Lightweight Assessment of Organizational Information Security Awareness in Heterogeneous Organizations” by David Langer, Jan Tolsdorf and Luigi Lo Iacono has been accepted at IEEE Symposium on Security and Privacy 2026!
New DAS Website
We proudly announce the launch of our redesigned website, using the fast and modern HUGO site generator!
Paper accepted at CCS 2025
Our paper entitled “Phishing Susceptibility and the (In-)Effectiveness of Common Anti-Phishing Interventions in a Large University Hospital” by Jan Tolsdorf, David Langer, and Luigi Lo Iacono has been accepted at ACM CCS 2025! The paper presents a large-scale phishing simulation at a German university hospital and systematically analyzes how phishing susceptibility varies across roles, how email characteristics—such as timing, tone, context, and persuasive framing—influence behavior, and to what extent widely used in-situ interventions reduce risky behavior in practice.
Paper accepted at ACNS 2025
Our paper entitled “Continuous Authentication Beyond Error Rates: Reviewing General System Properties” by Florian Dehling, Sebastian Kawelke, and Luigi Lo Iacono, has been accepted at ACNS 2025. The paper presents a systematic analysis of so-far proposed systems for continuous authentication. The analysis focuses on fundamental system properties, such as attacker models or deployment schemes, and highlights research and development needs.
Paper accepted at TrustCom 2024
Our paper entitled “You Are as You Type: Investigating the Influence of Timestamp Accuracy on the Robustness of Keystroke Biometrics” by Florian Dehling, Sebastian Koch, Luigi Lo Iacono and Hannes Federrath, has been accepted at TrustCom 2024. In the paper, we present the results of a study that examines how limiting the precision of time stamps affects the performance of algorithms for analysing typing behaviour, which can be used for continuous authentication systems as well as for tracking users.
Next stop: Giessen.
Following the promotion of our group leader, Luigi Lo Iacono, to the position of professor of IT security at Justus Liebig University Giessen, the ‘Data and Application Security’ group is also changing location. The updated contact information can be found under Members.
Mehrere Beiträge aus D'accord im DuD-Schwerpunktheft Datenschutz trifft Datenökonomie
In der Ausgabe 2/2024 widmet sich die Zeitschrift DuD Datenschutz und Datensicherheit dem Schwerpunktthema Datenschutz und Datenökonomie. Die Beiträge geben einen Überblick über aktuelle Arbeiten zum Thema Datenschutz im Kontext der Plattformökonomie – von der Erfassung des aktuellen Ist-Zustandes und Einführung in das Problemfeld, über die Analyse und Bewertung der Rahmenbedingungen, bis hin zu den Wegen für eine effektive praktische Umsetzung von gebrauchstauglichen Datenschutzfunktionen. Die Gruppe für Daten- und Anwendungssicherheit war an den folgenden Beiträgen beteiligt:
Master Thesis on EAP-TLS implementation and security in 5G systems accepted for the 20th German IT Security Congress
The master thesis entitled “Enabling EAP-TLS as authentication mechanism over non-3GPP access for private 5G networks” by Julius Röttger has been accepted for the 20th German IT Security Congress. The master thesis involves the creation and execution of a prototype incorporating EAP-TLS within a 5G-Core, with subsequent evaluation using a non-3GPP access in a built testbed. The assessment includes various attacks and Key Performance Indicator (KPI) measurements, providing initial insights into both the implementation and security aspects of EAP-TLS within a 5G system.
Paper on users' perceptions of privacy in continuous authentication accepted for PETS 2024
Our paper entitled “Internet Users’ Willingness to Disclose Biometric Data for Continuous Online Account Protection: An Empirical Investigation” by Florian Dehling, Jan Tolsdorf, Hannes Federrath, and Luigi Lo Iacono has been accepted for the 24th Privacy Enhancing Technologies Symposium (PETS 2024). The paper reports on a study with 830 participants from the U.S., aiming to investigate user perceptions towards continuous authentication across different classes of online services. The results provide valuable insights on human factors for the design and implementation of privacy conscious continuous authentication systems in practice.
Two book chapters published in Human Factors in Privacy Research (Open Access)
Two chapters (co-)authored by members of our research group have been published in the open access book Human Factors in Privacy Research. The chapter titled Achieving Usable Security and Privacy Through Human-Centered Design, co-authored by Jan Tolsdorf, Stephan Wiefling, and Luigi Lo Iacono, discusses practical methods to create usable security and privacy solutions using the human-centered design process. The chapter titled Data Cart: A Privacy Pattern for Personal Data Management in Organizations by Jan Tolsdorf and Luigi Lo Iacono introduces a privacy pattern called Data Cart, developed through a user-centered approach. The pattern assists in creating tailored technical and organizational data protection measures that align with employees’ requirements, ultimately enhancing privacy compliance.
David Langer successfully defended his dissertation
David Langer successfully defended his dissertation entitled “The Structuration of Moral Capital and Unethical Behavior: When the Organization Hits an Ethical Meltdown” in Wuppertal on 12 July 2023. David has successfully completed the PhD Programme of the Schumpeter School of Business and Economics at the Bergische Universität Wuppertal. Congratulations!
Stephan Wiefling successfully defended his dissertation
Stephan Wiefling successfully defended his dissertation entitled “Usability, Security, and Privacy of Risk-Based Authentication” in Bochum on 08 May 2023. His dissertation project was carried out as part of a collaboration between the DAS-Group of Prof. Luigi Lo Iacono at H-BRS and the Usable Security and Privacy research group of Prof. Markus Dürmuth. Stephan has successfully completed the PhD Programme of the Faculty of Computer Science at the Ruhr-University Bochum. Congratulations!
Jan Tolsdorf gives a talk at the Stammtisch of the Cyber Security Cluster Bonn
Jan Tolsdorf will give an invited talk (in German) on our ongoing research project MedISA. In the project, a catalog of measures for increasing information security awareness is being developed specifically for medical care facilities. The presentation will introduce the project in more detail, present initial research results, and provide an outlook on future work. Date and time: February 28, 2023 at 4pm - 5:30 pm Further information and registration can be found here.
Jan Tolsdorf received the Doctoral Thesis Award 2022 by the Bonn-Rhein-Sieg University Society
Congratulations to Jan Tolsdorf for receiving the the Doctoral Thesis Award 2022 by the Bonn-Rhein-Sieg University Society (“Promotionspreis Hochschulgesellschaft Bonn-Rhein-Sieg 2022”), funded by the Industrie- und Handelsclub Bonn e. V. With this award the society honors Jan Tolsdorf’s work in the context of his dissertation “Investigation of Information Privacy in Employment: Fundamental Knowledge and Practical Solutions for the Human-Centered Design of Measures to Preserve the Right to Informational Self-Determination in Employment”.
Stephan Wiefling gives a talk at the Stammtisch of the Cyber Security Cluster Bonn
Stephan Wiefling will give an invited talk (in German) on how risk-based authentication (RBA) can protect our accounts with better usability. Participation is free and online. The presentation shows how popular online services use RBA how users perceive it how you can implement it in a privacy-compliant way and how it can be configured for best possible security and usability on a large online service. Date and time: January 17, 2023 at 4pm - 5:30 pm
Open Data Impact Award for Members of DAS Group
The Stifterverband awarded Stephan Wiefling and Luigi Lo Iacono with the Open Data Impact Award 2022. The award recognizes the release of our open Login Data Set for Risk-Based Authentication (RBA), and its innovation potential for science and society. The prize money of 10,000 euros will be used to move RBA forward. You can download the data set and the corresponding publication at our RBA website.
New article accepted for publication in IEEE Security & Privacy
The article “Eight Lightweight Usable Security Principles for Developers” by Peter Leo Gorski, Luigi Lo Iacono, and Matthew Smith has been accepted for inclusion in IEEE Security & Privacy. The article proposes eight usable security principles that provide software developers with a lightweight framework to help them integrate security in a user-friendly way. The principles are supposed to help developers who must weigh usability and security tradeoffs to facilitate adoption.
Paper on an interview study with data protection officers on privacy challenges in digital ecosystems accepted for presentation at SPOSE 2022
The paper entitled “Data Protection Officers’ Perspectives on Privacy Challenges in Digital Ecosystems” by Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono has been accepted for presentation at the 4th Workshop on Security, Privacy, Organizations, and Systems Engineering (SPOSE). The paper presents the result of an interview study with seven data protection officers from Germany on challenges in implementing data protection requirements and data subject rights in digital ecosystems.
Jan Tolsdorf successfully defended his dissertation
Jan Tolsdorf successfully defended his dissertation entitled “Investigation of Information Privacy in Employment: Fundamental Knowledge and Practical Solutions for the Human-Centered Design of Measures to Preserve the Right to Informational Self-Determination in Employment” in Göttingen on 08 August 2022. His dissertation project was carried out as part of a collaboration between the DAS-Group of Prof. Luigi Lo Iacono at H-BRS and the Computer Security and Privacy Research Group of Prof. Delphine Reinhardt at the University of Göttingen. Here Jan has undergone the PhD Programme in Computer Science at the Georg-August University School of Science. Congratulations!
Risk-Based Authentication (RBA) Studied on 3.3 Million Users: Paper and Data Set Published
The DAS Group cooperated with the multinational telecommunications provider Telenor to study how RBA behaves on a large-scale online service with 3.3 million users and more than 30 million login attempts per year. The results of this study are published in the ACM Transactions on Privacy and Security journal. To foster RBA development and research in the wild, we published the data set in synthesized form on GitHub and Kaggle. This data set, which is based on real-world data, can be used to improve and test RBA implementations.