• Contact Info
  • +61 0424457049
  • +61 3 9479 2212

Dr Nalin Gamagedara Arachchilage
Senior Research Fellow, Comp Sci & Info Tech

My name is Nalin Asanka Gamagedara Arachchilage (too long, isn't it? I admit that this can be confusing sometimes). I am a Senior Research Fellow (Level C/6) in Cyber Security (Research Associate Professor in US) within the Department of Computer Science and Information Technology at La Trobe University, Australia, where I currently lead the Usable Security Engineering Research Laboratory (USERLab) in the Optus La Trobe Cyber Security Research Hub. Previously, I was a Lecturer in Cyber Security in the School of Engineering and Information Technology of the University of New South Wales at the Australian Defence Force Academy (ADFA), where I led the Usable Security research group. Apart from my teaching at UNSW, I also researched in the area of usable security and privacy (i.e. designing secure (and also privacy) systems that people can use) and supervised postdoctoral researchers and postgraduate students (PhD/MPhil) with refereed publications and theses.

I hold a PhD in Usable Security entitled “Security Awareness of Computer Users: A Game Based Learning Approach” from Brunel University London, UK (External examiner: Professor David Benyon). My research focused on developing a game design framework to protect computer users against "phishing attacks". I obtained a BSc (MIS) Hons from University College Dublin, National University of Ireland and have completed a master's degree, MSc in Information Management and Security at the University of Bedfordshire, UK. I'm a Sun Certified Java Programmer (SCJP) at Sun Microsystems (now Oracle), USA. I am also a professional member of Association for Computing Machinery (MACM), The Institute of Electrical and Electronics Engineers (MIEEE) and The Australian Computer Society (MACS).

Prior to undertaking my current position at the University of New South Wales (UNSW at ADFA), I worked as Research Fellow in Usable Security and Privacy in the Laboratory of Education and Research in Software Security Engineering (LERSSE) at the University of British Columbia (UBC), Canada. Before moving to Vancouver, I was a Postdoctoral Researcher in Systems Security Engineering in the Cyber Security Center, Department of Computer Science at Oxford University.

My main research interests are Usable Security and Privacy, Cyber Security, Security Economics, Trust, Cybercrime, Human Computer Interaction, Serious Games for Cyber Security Education and e-Learning Security. My research is inter-disciplinary in nature and has published numerous articles at reputed international conferences and journals. I have also presented my research at Facebook Headquarters, Menlo Park, California, USA and collaborated with HP in a research capacity at the HP Lab, Bristol, UK. I have been an invited speaker for conferences both nationally and internationally. I served as demos and works in progress chair, publicity chair, programme committee member, technical/web-master in a number of reputed international conferences as well as regularly review articles (in the area of usable security and privacy) at reputed international conferences and high impact factor journals.

Our paper entitled "Why developers cannot embed privacy into software systems?: An empirical investigation" has received the best paper award in the 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, ACM (EASE'18). [CORE/ERA ranking - A]

I have extensive teaching experience across all levels of teaching in relatively small (size of cohort: 20) as well as large classes (size of cohort more than 250). I currently work on developing, updating, managing and delivering the curriculum for a number of courses (ZEIT3120 Programming for Security, ZEIT8036 Humans and Security and ZEIT8037 Cyber Security Risk Management) at UNSW. I am the course convenor for the Chief of Army Honours students and convened the ZEIT8029 Network and Mobile Device Forensics in 2016.

I worked in a number of academic positions in Computer Science at Brunel University, University of Bedfordshire, Westminster University and Central Bedfordshire College in the UK. Before moving to UNSW Canberra, I briefly worked as Sessional Lecturer in Computer Science at Deakin University, Victoria University and Central Queensland University (CQUniversity) in Melbourne, Australia. Apart from my academic career, I also worked in a number of software engineering roles ranging from Programmer, Software Engineer to IT Manager, where I gained hands-on experience and skills on various technologies such as Java, Java EE, Java ME, PHP, HTML, XML, R-DBMS, Oracle, MySQL, UML, Linux (Ubuntu), Android SDK, Netbeans and Eclipse. I have also gone through a professional Linux Network Administration training program.

Research Synopsis:

My primary research interests are at the intersection of computer security, human computer interaction (HCI), and on-line privacy, in an area known as usable security and privacy. Many aspects of computer security synthesize technical and human factors. If a highly secure system is unusable, users will try to bypass the system or move entirely to less secure but more usable systems. Problems with usability contribute to many high-profile security failures today in the technology-filled world. Nevertheless, usable security is not well-aligned with traditional usability for some reasons. First, security is not very often the primary task of the user. In most cases, security is not the primary purpose of using a computer. People use computers to shop, socialize, communicate, and be educated and entertained. Many applications handle security issues through security alerts that interrupt users' primary task. Therefore, users represent security as a secondary task. Whenever security is secondary, it opposes the usability of the primary task: users find it is distracting and therefore they would rather ignore, circumvent, or even defeat it. Second, securing information is about understanding risk and threats. Unlike traditional research in HCI, (usable) security and privacy focuses on the context of an adversary whose goals are to manipulate the user rather than breaking into the system straightaway. Therefore, this poses a great challenge for researchers, who need to model and reason about how the adversaries (i.e. bad guys) will make their attacks successful. Of course, it is rather important to understand how the user behaviours can be leveraged to protect themselves from cyber attacks. Such communication is most often unwelcome in the HCI community. Increasing unwelcome interaction is not a goal of usable security and privacy design. Third, discrete technical problems are all well-understood under the umbrella of on-line security and privacy (e.g., attacks such as phishing, malware, spyware, social engineering, Distributed Denial-of-Service or DDoS attack). A broader concept of both security and usability is therefore required for usable security. My goals are to investigate how users manage their security and privacy in existing systems in order to design new systems that achieve better privacy and security solutions by taking end users into account.

Future Research:

In future work, I plan to apply my research expertise and skills to applications that are likely to have high social value and impact. In particular, my expertise is in user requirements analysis, data collection, data analysis, functional interface design and development, experimental design, and information visualization. I will continue to apply this expertise to the many real world research problems on the human aspects of computer security and privacy. My immediate research goal is to continue my work on studying: improving security APIs, serious games for cyber security education (e.g. designing games to thwart phishing attacks, usable access control games), personal cyber risk management planning, security and privacy in wearable embedded systems, privacy-preserving e-healthcare system and fall-back authentication mechanism.

*** "I'm always looking for good PhD students and Postdoctoral Researchers to work on "usable security and privacy" research, especially "designing secure systems that people can use" ***

Media Contributions:
My research has been featured in numerous media outlets including ABC News Radio, 2GB 873 AM Radio, SYN Radio 90.7 FM, Sky News Australia, Daily show on Radio 2SER 107.3, Choice - Australia, Guardian labs (sponsored by Intel Corporation, Australia) and UNSW TV:

2GB 873AM: I was involved in a live discussion on "There's a push for police to have the power to crack encryption apps but what does that mean?" with 2GB 873AM Radio. | 24 November 2018

SBS Radio: I was involved in a live discussion on "Best practices for Smartphone Security" with SBS Radio Melbourne.| 2 November 2017

SBS Radio: I was involved in a live discussion on "Why cybercrimes are increasing and what we should do to protect ourselves from Cybercrimes?" with SBS Radio in Melbourne.| 12 October 2017

"ABC Breakfast program" with Joseph Thomsen on ABC Radio: I was involved in a live discussion on "The risky things that we post on social media, that we may not have realised is risky". "ABC Breakfast" is typically a free-flowing, conversational program on ABC Goulburn Murray Radio. | 25 September 2017

ABC News: I spoke to ABC News (Alle McMahon) about risks of posting photos on social media, (& not risks you'd assume). | 22 September 2017

Daily show on Radio 2SER 107.3: I was involved in a discussion on "The Petya ransomware attack". "Daily Show" is typically a free-flowing, conversational program on Radio 2SER 107.3. | 29 June 2017

"ABC NEWS Afternoons" with Mandy Presland on ABC NEWS Radio: I was involved in a discussion on "Phishing Scams". "ABC NEWS Afternoons" is typically a free-flowing, conversational program on ABC NEWS Radio. | 19 June 2017.

Panorama show on SYN Radio 90.7 FM: I was involved in a discussion on "WannaCry ransomware (cyber) attack and what we can do about it in Australia". "Panorama" is SYN's flagship news and current affairs show, covering news, politics and culture. | 15 May 2017.

Daily show on Radio 2SER 107.3: I was involved in a discussion on "How Do The New Data Notification Laws Affect You?". "Daily Show" is typically a free-conversational program on Radio 2SER 107.3. | 16 February 2017.

The Sydney Morning Herald and UNSW TV: In the age of phishing and hacking, here are three steps to help you become a cybersecurity expert, Dr Nalin Asanka Gamagedara Arachchilage. | 28 December 2016.

"Cyber in Business" - Addressing the cyber skills shortage: I was involved in a panel discussion on addressing the cyber skills shortage in Australia. "Cyber in Business conference" in Melbourne, Australia. | 09 December 2016.

"Sunday Live" with Janine Perrett on Sky News: I was involved in a panel discussion (Sky News studio in Parliament House in Canberra) on cyber security in Australia. "Sunday Live" is typically a free-flowing, conversational program on Sky News. | 30 October 2016.

Insurance tracker apps - good for the consumer?: I was interviewed by Choice, Australia. CHOICE is the consumer advocate that provides Australians with information and advice, free from commercial bias. | 6 October 2016.

How safe are you from hackers?: I was interviewed by Guardian labs, Australia. The article was sponsored by Intel Corporation, Australia. | 29 September 2016.

eLifeMagazine: I was interviewed by eLife Magazine at the University of Bedfordshire, UK, 2011.

Invited Talks:
I have been an invited speaker for conferences both nationally and internationally.

Sysco Labs 2019: I am an invited speaker at the HSBC Sri Lanka to talk about "Why Johnny still finds usable security and privacy engineering so hard?", Sri Lanka | Tuesday, 22 January 2019

HSBC 2019: I am an invited speaker at the HSBC Bank Sri Lanka to talk about "Why Johnny still finds usable security and privacy engineering so hard?", Sri Lanka | Thursday, 17 January 2019

University of Jaffna 2019: I am an invited speaker at the University of Jaffna, Sri Lanka to talk about "Why Johnny still finds usable security and privacy engineering so hard?", Sri Lanka | Saturday, 12 January 2019

ALCSI 2018: I am an invited speaker at the Australasian Lab for Cyber Security Ideas to talk about "Defining the Cyber Security Skills Gap:", Adelaide | Thursday - Friday, 29 - 30 November 2018

Cyber Security for the Public Sector 2018: I am an invited speaker at the 8th Annual Cyber Security for the Public Sector Summit to talk about "Developing a Threat Model for Organisations through a Gamified Approach to Thwart Phishing Attacks", Sydney | Tuesday - Wednesday, 26 - 27 November 2018

OpenGov 2018: I am invited to deliver a keynote speech at OpenGov 2018: Malaysia Public Sector CIO Convex "Need For A Paradigm Shift In Cybersecurity", Malaysia | Tuesday - Wednesday, 13 - 14 November 2018

DEV DAY 2018: I am an invited speaker at Developer Day conference to talk about "Why Johnny still finds usable security and privacy engineering so hard?", Sri Lanka | Wednesday, 6 November 2018

12th Annual Technology in Government Conference: I am an invited speaker to talk about "PANEL DISCUSSION: Cyber Human Factors - Why employees are still a security risk", Canberra | Tuesday, 7 August 2018

EduTECH Tertiary Ed IT Leaders Congress: I am an invited speaker to give a talk about "Human Factors for Cyber Security: How universities can reduce exposure to cyber threats", Sydney | Friday, 8 June 2018

La Trobe University: I am an invited speaker to give a talk about "Why Johnny still finds usable security and privacy so hard?", Melbourne | Monday, 28 June 2018

Defence Cyber Research Networking Forum (DST and Data61): I have been selected to speak at the Defence Cyber Research Networking Forum at the National Wine Centre, Adelaide | Tuesday, 28 November 2017

Australian Computer Society (ACS): I am an invited speaker (represented ACCS/SEIT at UNSW Canberra) for the Workshop on Usable Security and Privacy Engineering, which is organised by ACS Canberra | Tuesday, 24 October 2017

Department of Human Services (DHS): I am an invited speaker (represented ACCS/SEIT at UNSW Canberra) for Technology Innovation Directorate - CTO Group at the Department of Human Services, where I talked about "Human Factors in Cyber Security" | Friday, 8 September 2017

Office of the Government CISO in Australia: I was invited to deliver a talk (represented ACCS and SEIT at UNSW Canberra) about "Human Factors in Cyber Security: A gamified approach for cyber security education" to an industry audience at the Office of the Government Chief Information Security Officer (GCISO), Sydney. The audience consisted of representatives from major industries in Australia including Data 61. | Thursday, 17 August 2017.

Australian Computer Society (ACS) Annual Conference: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the ACS Annual Conference, where I talked about "Human Factors in Cyber Security" | Tuesday, 15 August 2017.

CSO LiveWebinar | Email Fraud: Why you can't trust your emails anymore: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the CSO Live Webinar, sponsored by Proofpoint in Australia, where I talked about "Business Email Compromise" | Tuesday, 13 June 2017.

ERM for Government 2017 in Australia: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the 11th annual ERM for Government 2017 in Australia, where I talked about "Leveraging Cyber Enterprise Risk Management to Mitigate Risk of Cyber-Attacks" | Wednesday, 26 April 2017.

Cyber in Business Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at the University Leaders Panel | 1 December 2016.

GovInnovate: Digital Government Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "Human factors in cyber security and thwarting phishing attacks" | 14 - 16 November 2016.

Government Digital Transformation Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "Human factors in cyber security" | 24 - 25 October 2016.

Australian Information Security Association (AISA) National Conference, Australia: I am a panelist (represented ACCS and SEIT at UNSW Canberra) at "National cyber security education" | 18 - 20 October 2016.

Australasian Simulation Congress 2016, Australia: I was a panelist (represented ACCS and SEIT at UNSW Canberra) at "It's Not Just Entertainment, The Many Faces of Games in Society" | 29 September 2016.

Sydney Financial Information and Technology Summit, Australia: I was a panelist (represented ACCS and SEIT at UNSW Canberra) at "Getting ahead of Cybercrime" | 17 August 2016.

ANZ bank, Australia: I was invited to deliver a talk (represented ACCS and SEIT at UNSW Canberra) about "Serious Games for Cyber Security Education" to an industry audience at ANZ bank, Melbourne. The audience consisted of representatives from major industries in Australia including Telstra, NBN, NAB, Auspost, Sportsbet, Medibank and MCG. | Monday, 11 January 2016.

ERM for Government 2016 in Australia: I am an invited speaker (represented ACCS and SEIT at UNSW Canberra) for the 10th annual ERM for Government 2016 in Australia, where I talked about "Increasing awareness and education around cyber security" | Friday, 29 April 2016.

The British Council, Sri Lanka: I am an invited speaker (followed by an interview) at the Education UK unit at the British Council, Sri Lanka, where I talked about "How to conduct research in the UK" (over 200 participants), 2011.
