Luca Allodi, Assistant Professor at TU/e
Luca Allodi
l.allodi at
PGP fingerprint: 950E 3DC8 EB66 DFF3 B64D 7848 A0AD 0BB6 5DC4 98F1
Public key.
Office: MF6.122a
P.O. Box 513, 5600 MB, Eindhoven, The Netherlands
2017-2018: Offensive Computer Security Laboratory (TU/e) (To come).
2016: Network Security (Trento) (website).
I am an Assistant Professor at the Security Group of the Eindhoven University of Technology, in the Netherlands. Previously I worked and studied at the University of Trento, Italy, where I completed my PhD in 2015 with a thesis entitled: "Risk-based Vulnerability Management. Exploiting the economic nature of the attacker to build sound and measurable vulnerability mitigation strategies".

The gist of my research is to find the technical, economic, and strategic factors that drive vulnerability exploitation in the wild. To this aim I investigate the dynamic optimization problems the attacker solves when engineering a new attack, the underground markets in which the attackers operate, the technology they employ, and the rates at which attacks are delivered to the final users. My research draws from several fields, including computer security, economics, risk analysis, and criminology.

I am also an acknowledged authoring member of the SIG Team for the upcoming CVSS v3 framework (the worldwide de facto standard for vulnerability assessment).




  1. Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864 Impact factor: 2.225, ISI Journal Citation Reports Ranking: 2015: 6/49 (Social Sciences Mathematical Methods); 17/101 (Mathematics Interdisciplinary Applications). Pre pub version

  2. Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. IEEE Transactions on Emerging Topics in Computing, 4(1):35–46, Jan 2016. Impact factor: 4.12 (2016 Scopus CiteScore). Pre pub version

  3. Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. Impact factor: 3.45 (2014 Scopus CiteScore); flagship ACM journal on security. PDF

  5. Luca Allodi. Underground Economics for Vulnerability Risk. Usenix ;login: (2018), Vol 43, no. 1. Link to publisher Preprint

  6. Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. The effect of security education and expertise on security assessments: the case of software vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint

  7. Jukka Ruohonen, Luca Allodi. A bug bounty perspective on the disclosure of web vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint

  8. Tho Le, Roland van Rijswijk-Deij, Luca Allodi and Nicola Zannone. Economic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality. To appear in the Proceedings of the 16th IEEE/IFIP Network Operations and Management Symposium (NOMS 2018). Preprint

  9. Luca Allodi and Sandro Etalle. 2017. Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions. In Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig '17). ACM, New York, NY, USA, 23-26. DOI: Preprint

  10. Luca Allodi. 2017. Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). ACM, New York, NY, USA, 1483-1499. DOI: (Acc. rate 18%). Preprint

  11. Luca Allodi, Fabio Massacci. Attack potential in Impact and Complexity. In the Proceedings of ARES 2017. Preprint

  12. Allodi, L., Biagioni, S., Crispo, B., Labunets, K., Massacci, F., & Santos, W. (2017, November). Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. In International Conference on Future Data and Security Engineering (pp. 23-39). Springer, Cham.

  13. Luca Allodi, Fabio Massacci, Julian Williams. The Work-Averse Cyber Attacker Model. Evidence from two million attack signatures. Presented at WEIS 2017. SSRN version

  14. Luca Allodi, Fabio Massacci. The Work-Averse Attacker Model. In the Proceedings of the 2015 European Conference on Information Systems (ECIS 2015). PDF

  15. Luca Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. To be published by Springer by March 2015. PDF

  16. Luca Allodi, Luca Chiodi, Marco Cremonini. Self-Organizing Techniques for Knowledge Diffusion in Dynamic Social Networks. In Proceedings of the 5th Workshop on Complex Networks. CompleNET 2014. PDF

  17. Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract). Research proposal, in Proceedings of Usenix LEET 2013. PDF

  18. Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. PDF

  19. Luca Allodi, Fabio Massacci. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013. Slides | White paper to come too (end of Aug)

  20. Luca Allodi, Fabio Massacci. Analysis of exploits in the wild. Or: do Cybersecurity Standards Make Sense? Poster at IEEE Symposium on Security & Privacy 2013. PDF

  21. Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. PDF

  22. Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. PDF
    Conference acceptance rate: 9%. Complementary publication in ASE Journal, 2012, Vol. 2. Journal acceptance rate: 3%. Best paper award.

  23. Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. PDF

  24. Luca Allodi, Fabio Massacci, Woohyun Shim. Crime pays if you are just an average hacker. Accepted Poster at GameSec 2012.

  25. Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. link [PDF]

  26. Luca Allodi, Marco Cremonini, Luca Chiodi. The asymmetric diffusion of trust between communities: Simulations in dynamic social networks. Proceedings of the 2011 Winter Simulation Conference. June 13, 2011. Finalist "Best Theoretical Paper Award Wintersim 2011" link

  27. Luca Allodi, Marco Cremonini, Luca Chiodi. Modifying Trust Dynamics through Cooperation and Defection in Evolving Social Networks. Springer LNCS 6740, pp. 131-145, 2011. link

  1. (Oct 2014) Luca Allodi. Efficient Vulnerability Management: Measuring Vulnerabilities and Exploits for Better Security Strategies. Seminar on Road-Mapping Cybersecurity Research and Innovation, Florence, IT.

  2. (May 2014) Luca Allodi. My software has a vulnerability, should I worry? An empirical validation of the industry standard. Seminar at Durham University, Durham, UK.

  3. (Aug 2013) Luca Allodi, Fabio Massacci. My software has a vulnerability, should I worry? (An Empirical Study on Symantec Threats and Exploit Kits). Seminar at Accenture Labs, Washington D.C.

  4. Luca Allodi. My Software has a vulnerability, should I Worry? An empirical validation of an industry standard. Seminar at George Mason University, Fairfax, VA.

  5. (Aug 2013) Luca Allodi. Attacker Economics for Internet-scale vulnerability Risk Assessment (Extended Abstract). Presentation at Usenix Security LEET Workshop 2013.

  6. (Aug 2013) Luca Allodi. MalwareLab: Experimenting with Cybercrime Attack Tools. 2013 Usenix Security CSET Workshop. Presentation at Usenix Security CSET Workshop 2013.

  7. (Aug 2013) Luca Allodi. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013.

  8. (Apr 2013) Luca Allodi. Risk Metrics for Vulnerabilities exploited in the wild. Lecture at the University of Milan, DTI Crema.

  9. (Feb 2013) Luca Allodi. Exploitation in the Wild. What attacks do, and what should(n't) we care about. Seminar at the University of Rome, Tor Vergata.

  10. (Dec 2012) Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Presentation at the 2012 CyberSecurity Conference in Alexandria, Virginia (U.S.).

  11. (Oct 2012) Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Presentation at 2012 CCS BADGERS Workshop, Raleigh, North Carolina (U.S.).

  12. (July 2012) Luca Allodi, Fabio Massacci. Economics of cybercrime. Joint meeting with Ufa State Aviation University, Russia. Trento, Italy.

  13. (June 2012) Luca Allodi. A quick analysis on data quality for risk evaluation. Rump session at WEIS 2012. Berlin.

  14. (April 2012) Luca Allodi, Fabio Massacci. Some preliminary analysis of the economics of malware kits and traffic brokers. Workshop on “Collaborative Security and Privacy Technologies”. Berlin.

  15. (June 2011) Luca Allodi, Marco Cremonini. Dynamic Social Networks. Modeling Trust, Shocks and Hype. University of Bologna. Engineering department of Cesena, Italy.

During my Master's degree thesis I got interested in Social Network Dynamics, the diffusion of information within networks, and the different roles of nodes.

I am now working on new ways to integrate security metrics with cyber attack economics; in particular, I am interested in understanding if analysis of new trends in cybercrime attacks (APTs, black markets, botnet rentals, ...) can be exploited to improve current metrics for security.

