Keynotes

Keynote 1 - Professor Ross Anderson
Professor of Security Engineering, University of Cambridge

The psychology of security

Abstract: A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it's easier to mislead people than to hack computers or hack through walls. Many frauds can be explained in terms of the heuristics and biases that we have retained from our ancestral evolutionary environment. At an even deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Yet the move online is changing the parameters of deception, and robbing us of many of the signals we use to make trust judgments in the "real" world; it's a lot easier to copy a bank website than it is to copy a bank. Many systems fail because the security usability has not been thought through: the designers have different mental models of threats and protection mechanisms from users. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they're different. The gap gets ever wider, and ever more important.

Bio: Ross John Anderson, FRS, is a researcher, writer, and industry consultant in security engineering. He is Professor in Security Engineering at the University of Cambridge Computer Laboratory, where he is engaged in the Security Group.
Anderson is the author of Security Engineering, published by Wiley in 2001, ISBN 0-471-38922-6. He was the founder and editor of Computer and Communications Security Reviews.

Keynote 2 - Professor Angela Sasse
Head of Information Security Research
Director of the Science of Cyber Security Research Institute
Director of the Academic Centre of Excellence for Cyber Security Research
University College London

Want Effective Security Solutions? Let's Re-Think The Design Approach

Abstract: In this talk, I will examine the most common reasons why users shortcut security measures. Contrary to the thinking of many security professionals - expressed in statements such as 'Users are the Weakest Link' and 'Given a choice between security and Dancing Pigs, users chose Dancing Pigs every time' - users make rational choices about the cost and benefit of security measures. The lesson for designers is that they need to take more responsibility (rather than just passing the buck by presenting users with time-and-effort consuming, impossible choices), and improve accuracy of detecting threats and communicate risks and consequences more precisely. But most importantly, designers need to accept that, to make security low-effort and meaningful, different tasks and contexts need different security solutions, which support individual goals and organisation processes, rather than fighting them.

Bio: M. Angela Sasse is the Professor of Human-Centred Technology and Head of Information Security Research in the Department of Computer Science at University College London (UCL), UK. A usability researcher by training, she started investigating the causes and effects of usability issues with security mechanisms in 1996. In addition to studying specific mechanisms such as passwords, biometrics, and access control, her research group has developed human-centred frameworks that explain the role of security, privacy, identity and trust in human interactions with technology.
A list of projects and publications can be found at http://sec.cs.ucl.ac.uk/people/m_angela_sasse/