From July 8 to August 15, the internationally known Professor Roy Maxion from Carnegie Mellon University is visiting the Cluster of Excellence CASA - Cyber Security in the Age of Large-Scale Adversaries at Ruhr-Universität Bochum (RUB). His research includes Human-Computer Interaction, Machine Learning, Security and Privacy, Reliability and Research Methods. During his stay in Bochum, he is working intensively with Prof. Dr. Angela Sasse and other researchers from HUB D – Usability as part of the cluster's "Distinguished Partner" program. Besides the in-depth scientific exchange and discussions about current research topics and projects, a special highlight of his time in Bochum will be his Distinguished Lecture on August 9.
Discover more about his research, his residency and his perception of the Ruhr-Universität Bochum in this interview:
You are an expert in the field of human-computer interaction, more specifically in keystroke biometrics. Why is a person's behavior at the keyboard important for IT security?
Biometrics relies on the idea that no two people behave (or even look) exactly the same – handwriting and gait (the way you walk) are said to be behaviors unique to individuals, and indeed these traits have been used as links to identities. The rhythm with which one types is also said to be unique to individuals. If instrumentation is developed that can sense behavioral traits and behavioral changes, then these characteristics can be used to identify a person. Such identification methods can be used to authenticate a person who seeks access to computer resources. One advantage of using behavioral biometrics for identification and authentication is that these techniques often require little to no extra equipment, as in using a keyboard and typing rhythm to determine a user's identity – the keyboard was already part of the system's standard equipment. Also, there is nothing to remember, as in a password or PIN, and nothing you need to have, like a phone or a physical security key; behavioral biometrics relies only on how you behave.
You are here to support the team in HUB D at our Cluster of Excellence CASA in setting up a model laboratory for conducting safety studies with biometric and physiological measurements. Could you describe such a lab in a few words?
A laboratory with the capability of measuring behavioral and physiological phenomena, particularly as related to computer security, will contain various instruments for measuring levels and changes in these phenomena. Such instruments can range from pencil-and-paper tools (e.g., the NASA TLX task-load index or the state-trait anxiety inventory) to simple devices (e.g., keyboard or mouse) to sophisticated sensors (e.g., electrocardiogram or electroencephalogram) for ascertaining stress, typing or mousing habits, and heart-rate or brain-wave activity. Some labs will host camera arrays for eye tracking or motion capture. The kinds of instruments in a lab depend on the hypotheses being entertained in the lab's current research.
One of your maxims is "pay attention to details". Why is this so important to you and how does this attitude enrich your field of research?
Perhaps this is best answered by an example: a person with a thermometer always knows the temperature; a person with two thermometers is never sure. The pertinent detail here is to ask two key questions: (1) how accurate is the thermometer, and (2) is one thermometer any different from another? These details can make or break an experiment that depends on temperature measurement. Another example of detail concerns measurement instruments that require calibration, and that fall out of calibration after a period of time and use. This can be illustrated by a piano – another kind of instrument – which needs to be tuned (calibrated) periodically, and will fall out of tune after a time of use, requiring a new tuning (re-calibration). Ignoring details such as these can ruin an experiment by delivering unreliable measures when instruments are "out of tune" or inaccurate. One should at least be aware of the limitations of one’s measuring apparatus.
Have you been to the Ruhr-Universität Bochum before? If not: how would you describe it to the people back home?
This is my first visit to RUB. I would say that there are two characteristics that are interesting to ponder. One is the physical spaces – the buildings and the campus layout. Some people have observed that the campus architecture is reminiscent of "brutalist" design. While it may be true that brutalist architecture lacks the graceful, sweeping curves of renaissance architecture, I appreciate its simple, rational, functional design. I have no complaints. Regarding the interiors of the buildings, however, they could benefit from some usability enhancement; it's not easy to find one's way around the insides.
A second characteristic would be not the physical spaces, but the intellectual spaces. In that regard there would appear to be few universities who equal RUB’s intellectual credentials. The faculties at RUB are diverse in extremely interesting ways, and there is vast opportunity for collaboration across disciplines, from human-computer interaction to security to medicine. Irrespective of the exterior appearance of RUB, my focus would be on the intellectual bearing of the institution, which appears to me to be delightfully diverse and substantial.
Would you say that the field of human-computer interaction, or usable security, enjoys a positive reputation within the IT security research community?
I don't know anyone who looks unfavorably on HCI or usable security ... although there are many people who seem pitifully oblivious to it.
As an experienced scientist, what advice would you give to our Cluster of Excellence CASA?
I would mainly encourage critical thinking and careful observation, especially in advance of implementing programs or physical facilities; a little forethought can go a long way, and many mistakes can be avoided. As Frank Westheimer once said (perhaps with a dose of sarcasm), "A month in the laboratory can often save an hour in the library." Additionally, as far as I know, there is no substitute for testing in advance of deployment. These maxims, in addition to attending to details, will calm many future storms.