Luca Allodi, Assistant Professor at TU/e
The real voyage of discovery lies in not seeing new landscapes but in having new eyes. (Marcel Proust)
Luca Allodi
Home | Interests | Publications | Presentations | About Me | Contacts

Positions and projects


I am an Assistant Professor at the Security Group of the Technical University of Eindhoven, the Netherlands. Previously I worked and studied at the University of Trento, Italy, where graduated my PhD in 2015 with a thesis entitled: "Risk-based Vulnerability Management. Exploiting the economic nature of the attacker to build sound and measurable vulnerability mitigation strategies".

The gist of my research is to find the technical, economic, and strategic factors that drive vulnerability exploitation in the wild. To this aim I investigate the dynamic optimization problems the attacker solves when engineering a new attack, the underground markets in which the attackers operate, the technology they employ, and the rates at which attacks are delivered to the final users. My research draws from several field, including computer security, economics, risk analysis, and criminology.

I am also an acknowledged authoring member of the SIG Team for the upcoming CVSS v3 framework (the worldwide standard-de-facto for vulnerability assessment).

My almost-updated curriculum vitae can be found here.

Feel free to send me an e-mail if you need to contact me. If you want to do that privately my PGP fingerprint is 950E 3DC8 EB66 DFF3 B64D 7848 A0AD 0BB6 5DC4 98F1. Public key here.

In Trento I was the lecturer for the 2015-2016 Network Security course (website).

Office: MF6.122a

I DO NOT have a Facebook profile
My LinkedIn page (hardly updated) is this
My Twitter handle is @securescientist


Member of the CVSS v3 Standard Body

I was invited to join the SIG Team for the definition of the third revision of the worldwide standard for vulnerability assessment, the Common Vulnerability Scoring System (CVSS v3). My PhD work brought the University of Trento to be the only academic member (with CMU) of the team. I authored the analysis and the final definition of one of the CVSS v3 metrics. Further details upon official presentation of the standard.

March 2014: RAND Corporation report (domain expert)

I was one of the selected experts to be interviewed for RAND Corporation's report Markets for Cybercrime Tools and Stolen Data Hackers' Bazaar, published the 25th of March 2014.

August 2013: BlackHat USA 2013 (presentation)

BlackHat 2013
How CVSS is DOSsing your patching policy (and wasting your money).
Link to abstract
. Slides available. Want to come?
You can also see the video here (YouTube)

July 2013: Talk about us.. (

Vulnerability Severity Scores Make For Poor Patching Priority, Researchers Find.
Link to article by Robert Lemos.

September 2012: Talk about us.. (Rapid7 Seminar)

Vulnerabilities, Malwares and Beyond: Threat Modelling For a More Efficient Security.
When: 12th of September 2012.
Where: Rapid7 United Summit Meeting.
Speaker: Claudio Guarnieri.


  1. Luca Allodi, Fabio Massacci. The Work-Averse Attacker Model. In the Proceedings of the 2015 European Conference on Information Systems (ECIS 2015). PDF Updated version on SSRN

  2. Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. To appear in the IEEE Transactions on Emerging Topics in Computing. Pre-print PDF

  3. Luca Allodi. The Heavy Tails of Vulnerability Exploitation In the Proceedings of ESSoS 2015. To be published by Springer by March 2015. PDF

  4. Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. PDF

  5. Luca Allodi, Luca Chiodi, Marco Cremonini. Self-Organizing Techniques for Knowledge Diffusion in Dynamic Social Networks. in Proceedings of the 5th Workshop on Complex Networks. CompleNET 2014. PDF

  6. Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract) Research proposal, in Proceedings of Usenix LEET 2013. PDF

  7. Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. PDF

  8. Luca Allodi, Fabio Massacci. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013. Slides | White paper to come too (end of Aug)

  9. Luca Allodi Fabio Massacci. Analysis of exploits in the wild. Or: do Cybersecurity Standards Make Sense? Poster at IEEE Symposium on Security & Privacy 2013. PDF

  10. Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. PDF

  11. Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. PDF
    Conference acceptance rate: 9%. Complementary publication in ASE Journal, 2012, Vol. 2. Journal acceptance rate: 3%. Best paper award.

  12. Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. PDF

  13. Luca Allodi, Fabio Massacci, Woohuyn Shim. Crime payes if you are just an average hacker. Accepted Poster at GameSec 2012.

  14. Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. link [PDF]

  15. Luca Allodi, Marco Cremonini, Luca Chiodi. The asymmetric diffusion of trust between communities: Simulations in dynamic social networks. Proceedings of the 2011 Winter Simulation Conference. June 13, 2011. Finalist "Best Theoretical Paper Award Wintersim 2011" link

  16. Luca Allodi, Marco Cremonini, Luca Chiodi. Modifying Trust Dynamics through Cooperation and Defection in Evolving Social Networks. Springer LNCS 6740, pp. 131-145, 2011. link

Presentations, invited talks and seminars

  1. (Oct 2014) Luca Allodi. Efficient Vulnerability Management: Measuring Vulnerabilities and Exploits for Better Security Strategies. Seminar on Road-Mapping Cybersecurity Research and Innovation, Florence, IT.

  2. (May 2014) Luca Allodi. My software has a vulnerability, should I worry? An empirical validation of the industry standard. Seminar at Durham University, Durham, UK.

  3. (Aug 2013) Luca Allodi, Fabio Massacci. My software has a vulnerability, should I worry?(An Empirical Study on Symantec Threats and Exploit Kits). Seminar at Accenture Labs, Washington D.C.

  4. Luca Allodi. My Software has a vulnerability, should I Worry? An empirical validation of an industry standard. Seminar at George Mason University, Fairfax, VA.

  5. (Aug 2013) Luca Allodi. Attacker Economics for Internet-scale vulnerability Risk Assessment (Extended Abstract). Presentation at Usenix Security LEET Workshop 2013.

  6. (Aug 2013) Luca Allodi. MalwareLab: Experimenting with Cybercrime Attack Tools. 2013 Usenix Security CSET Workshop. Presentation at Usenix Security CSET Wrkshop 2013.

  7. (Aug 2013) Luca Allodi. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013.

  8. (Apr 2013) Luca Allodi. Risk Metrics for Vulnerabilities exploited in the wild. Lecture at the University of Milan, DTI Crema.

  9. (Feb 2013) Luca Allodi. Exploitation in the Wild. What attacks do, and what should(n't) we care about. Seminar at the University of Rome, Tor Vergata.

  10. (Dec 2012) Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Presentation at the 2012 CyberSecurity Conference in Alexandria, Virginia (U.S.).

  11. (Oct 2012) Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Presentation at 2012 CCS BADGERS Workshop, Raleigh North Carolina (U.S).

  12. (July 2012) Luca Allodi, Fabio Massacci. Economics of cybercrime. Joint meeting with Ufa State Aviation University, Russia. Trento, Italy.

  13. (June 2012) Luca Allodi. A quick analysis on data quality for risk evaluation. Rump session at WEIS 2012. Berlin.

  14. (April 2012) Luca Allodi, Fabio Massacci. Some preliminary analysis of the economics of malware kits and traffic brokers. Workshop on “Collaborative Security and Privacy Technologies”. Berlin.

  15. (June 2011) Luca Allodi, Marco Cremonini. Dynamic Social Networks. Modeling Trust, Shocks and Hype. University of Bologna. Engineering department of Cesena, Italy.

Interests & Current Work

During my Master degree thesis I got interested in Social Network Dynamics, the diffusion of information within networks, and the different roles of nodes.

I am now working on new ways to integrate security metrics with cyber attacks economics; in particular, I am interested in understanding if analysis of new trends in cybercrime attacks (APTs, black markets, botnet rentals..) can be exploited to improve current metrics for security.

Other activities

On my free time, I am an avid mid-long distance (20+ kms) trail runner. Back in Trento I ran on several peaks; Rosengarten/Catinaccio group (↑ ~2300-2700mt), Marzola (↑ ~1700mt), Bondone (↑ ~2200mt), Calisio (↑ ~1000mt) and Chegul (↑ ~1400mt) are some examples.


Faculty of Mathematics and Computer Science
Eindhoven Technical University
P.O. Box 513, 5600 MB
Eindhoven, the Netherlands