PhD-TA Position on the development of models and measures for contextual cyber-risk assessment
The Eindhoven University of Technology, the Netherlands, is looking for a PhD-TA student at the Security Group of the Department of Computer Science and Mathematics.
The candidate will work in a dynamic and diverse environment on the definition of novel risk assessment models, techniques, and measures for cyber-risk that can be derived and automated at the organization level. The candidate will have the opportunity to work on both practical and theoretical aspects of computer security. This work is expected to directly impact industry best practice through collaboration with the Common Vulnerability Scoring System standard body, and contribute in the field of cyber-risk metrics by proposing novel scientific models and measures for risk of cyber-attacks as a function of the organization's environment.
This is a five-year full time position with 0.7 FTE research and 0.3 FTE teaching.
Department of Mathematics & Computer Science
Evaluation starts on the 20th of March 2017 and will continue until a suitable candidate is recruited.
A full description of the position and application procedure follows.
As cyber-attacks and criminal activities online are on the rise, the need to accurately estimate cyber-risk in organizations and stand-alone software and systems becomes of primary importance. Several standard-de-facto metrics in the industry, such as the Common Vulnerability Scoring System (CVSS), have the purpose of providing an indication of the "severity" of the vulnerability and are currently used as indicators to prioritize patching work. Some indications on how to tailor these metrics to an organization's operative environment exist, but these are very difficult and expensive to implement in practice. As a result, the "baseline" vulnerability estimations are often used, which results in poor risk management implementations.
In this project, the candidate will devise new temporal and contextual vulnerability metrics based on current state-of-the-art practices, aiming at their partial or complete automation at the organization level. The project involves both practical aspects of attack and defense deployment (e.g. automated exploit deployment and testing, network and vulnerability mapping, measurement of security controls), as well as theoretical aspects of risk modelling and measurement (e.g. automated attack graph generation and labelling, exploitability models).
The project will unfold around three focal points:
This is a full-time PhD-TA position for a five-year research (0.7 FTE) and teaching (0.3 FTE) program.
Conditions of employment
Information and application
For more information about the project, please contact dr. L. Allodi, e-mail: email@example.com For information about employment conditions please contact the HR advisor drs. C.M. Kuiters, e-mail: firstname.lastname@example.org
The application should consist of the following parts:
To apply send an email to email@example.com