Katja Tuma

In 2021 I joined the Foundational and Experimental Security research group as Assistant Professor (Universitair docent 2) and am working at the Department of Computer Science at Vrije Universiteit Amsterdam within the Computer Systems group. I hold a Ph.D. in Computer Science and Engineering, which I completed at the University of Gothenburg. I am an active member of EUGAIN (WG3: From Ph.D. to Professor), and diversity co-officer for CSE department at the VU.

News & Impact

Are you a driven student and want to innovate and develop something cool? Hack4Her is the place for you: here. Join us at the Vrije Universiteit in June!

• Excited to share that I will be speaking at this year's Alice & Eve.
• Humbled to have received this year's AYA award in the category for societal impact!

Research

I am passionate about building and evaluating methods for analyzing security threats and vulnerabilities in software systems. I like to work on solving practical problems with direct impact. I particularly focus on:

• Empirical methods for security. Designing and conducting controlled experiments, industrial case studies and studies involving human participants.
• Measuring human aspects (e.g., diversity) in security threat analysis. Risk perception, gender bias, diversity processes in technical (i.e., security) domain.
• Security4AI and AI4Security. Investigating how to secure AI, how AI could be used to support security activities, and which human factors that play a key role in practice.

Are you interested to do a thesis with me? Find the current thesis topics here!

Students

I have the pleasure to work closely with Winnie Mbaka, Emanuele Mezzi, and co-supervise Francesco Minna, Sarah van Garwen, and Aurora Papotti, all brilliant young minds undertaking their PhD studies at the VU.

Active projects

• Co-PI in the Horizon2022 Sec4AI4Sec project.
• Co-PI in the NWO-KIC HEWSTI project.
• Leading an interdisciplinary project with two students on the topic of diversity in social engineering threats in collaboration with University of Twente.

Past projects

• Lead an interdisciplinary project with two students on the topic of diversity in threat analysis in context of the Network Institute Academy Assistant (NIAA) program.
• Involved in the Horizon2020 AssureMOSS project.

Talks

• ***upcoming*** October 2024, invited speaker at Alice&Eve 2024 in Leiden.
• October 2023, research talk at the Annual Meeting of Society for Risk Analysis in Benelux in Brussels, Belgium.
• September 2023, research talk at the Institute for Programming research and Algorithmics (IPA) Fall Days in Zeewolde, the Netherlands.
• December 2022, research talk at the Annual Meeting of Society for Risk Analysis see video in Tampa, Florida, US.
• November 2021, invited talk at research seminar organised by DIGISEC at the Technical University of Denmark (DTU).
• October 2021, invited talk at research seminar organised by the RGSE group at the University of Koblenz Landau.
• September 2021, speaker at the Aurora Research Conference on the Digital Society and Global Citizenship. Watch video.

Selected publications

Articles

• W Mbaka, S Gerwen and K. Tuma. Human Factors in Security Risk Analysis of Software Systems: A Systematic Literature Review, in submission to Computers and Security
• Á Milánkovich, K Tuma. Delta Security Certification for Software Supply Chains IEEE Security & Privacy Magazine
• K. Tuma and M. Widman, Seven pain points of threat analysis & risk assessment in the automotive domain (IEEE), in IEEE Security & Privacy Magazine
• K. Tuma, S. Peldszus, R. Scandariato, J. Jürjens, Checking Security Compliance between Models and Code (PDF), in Journal on Software and Systems Modeling (SoSyM)
• Finding Security Threats That Matter: Two Industrial Case Studies (PDF), K. Tuma, C. Sandberg, U. Thorsson, M. Widman, T. Herpel, R. Scandariato, in Journal of Systems and Software (JSS)

Conference papers

• W Mbaka and K Tuma, Role of Gender in the Evaluation of Security Decisions, IEEE Security & Privacy
• A Palheiros da Silva, W Mbaka, J Mayer, JW Bullee, K Tuma, Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias, International Conference on Evaluation and Assessment in Software Engineering (EASE)
• F Minna, F Massacci, K Tuma, Analyzing and Mitigating (with LLMs) the Security Misconfigurations of Helm Charts from Artifact Hub: Registered Report, International Symposium on Empirical Software Engineering and Measurement (ESEM)
• F Minna, F Massacci, K Tuma, Towards a Security Stress-Test for Cloud Configurations International Conference on Cloud Computing (CLOUD)
• Automating the Early Detection of Security Design Flaws (PDF), K Tuma, L. Sion, R. Scandariato, and K. Yskout, International Conference on Model Driven Engineering Languages and Systems (MODELS)
• Flaws in flows: Unveiling design flaws via information flow analysis (PDF), K Tuma, M. Balliu, R. Scandariato, International Conference on Software Architecture (ICSA)

Workshop papers

• The Role of Diversity in Cybersecurity Risk Analysis: An Experimental Plan (PDF), K. Tuma, R. Van der Lee, Third Workshop on Gender Equality, Diversity, and Inclusion in Software Engineering (GE@ICSE), 2022
• Towards security threats that matter (PDF), K. Tuma, R. Scandariato, M. Widman, C. Sandberg, Workshop On The Security Of Industrial Control Systems & Of Cyber-Physical Systems (CyberICPS), 2017
• Inspection Guidelines to Identify Security Design Flaws (PDF), K. Tuma, D. Hosseini, K. Malamas, and R. Scandariato, International Workshop on Designing and Measuring CyberSecurity in Software Architecture (DeMeSSA), 2019

Dissertation

Efficiency and Automation in Threat Analysis of Software Systems (PDF), K. Tuma, Department of Computer Science and Engineering (University of Gothenburg), defended in January 2021

Teaching

Course design and teaching

• Data Structures and Algorithms for AI (BSc course with 300 students)
• Software Threat Analysis: Build-It-Break-It-Fix-It, taught to MSc of Computer Security

Co-teaching at the VU:

• Security Experiments and Measures, taught by Fabio Massacci to MSc of Computer Security
• Guest lecture in the M.Sc course Software Oriented Design (405061) coordinated and taught by at the Software and Sustainability (S2) research group.

Co-creation, coordination and assistance in teaching the B.Sc flipped classroom course Mathematical Foundations or Software Engineering (DIT022).

Supervision

• Automatic Extraction of Security Relevant Information from Source Code for Formally Based Security Models. Neda Fahrad (M.Sc)
• Towards Automating a Risk-First Threat Analysis Technique. Karanveer Singh, Margit Saal, Andrius Sakalas (B.Sc)
• Design Flaws as Security Threats. Danial Hosseini, Kyriakos Malamas (M.Sc), co-supervisor

Service

Organizer

• Formed an ACCSS working group on Security & AI (upcoming first meeting in September 2024)
• The 4th International Workshop on Designing and Measuring Security in Software with AI (DeMeSSAI) - in submission to ACSAC
• The International Workshop on Designing and Measuring Security in Software Architecture, DeMeSSA 2023
• The International Workshop on Designing and Measuring Security in Software Architecture, DeMeSSA 2022

Proceedings Co-Chair

• International Conference on Evaluation and Assessment in Software Engineering (EASE) 2022

Reviewer

• the Information and Software Technology journal (IST)
• the Journal of Systems and Software (JSS)
• the International Journal on Software and Systems Modeling (SoSyM)
• the Software Quality journal
• IEEE Vehicular Technology

PC Member

• ESEC/FSE Industry Track 2022
• International Workshop on Continuous Software Evaluation and Certification, IWCSEC 2022 at ARES
• ACM Cloud Computing Security Workshop (CCSW'21) in conjunction with CCS'21
• International Workshop on Graphical Models for Security (GraMSec'20)
• International Workshop on Security for and by Model-Driven Engineering (SecureMDE'20)

Shadow PC

• Mining Software Repositories Conference (MSR'21)

Where to find me

Office

New University (NU) Building, Take entrance 1111, 11th floor, room 11A-57.

Postal address

Vrije Universiteit Amsterdam Faculty of Sciences, Dept. of Computer Science, De Boelelaan 1111, 1081 HV Amsterdam, The Netherlands

Fun

Foraging mushrooms. This is what I see when I look at a forest. Recently, also rock-climbing.