Cyber Security Studentship

Closing Date
Monday, 13th December 2021
Computer Science

The Cyber Security (CybSec) group at the University of Nottingham is pleased to offer a fully-funded 3.5-year doctoral studentship (including stipend) to support one of a series of relevant research project ideas. CybSec is a centre of interdisciplinary research and education, securing the digital environment through combined advances in formal and human-centric cyber security research.

Applications are invited for any of the ideas proposed below, with the selection of the funded project to be based upon whichever proposal secures the most suitably qualified applicant.

Internet of Things Security

Dr Ying He and Dr Xavier Carpent

The fast-paced adoption of Internet of Things (IoT) devices within safety/security critical systems offers enormous benefits through improving resources and service utilisation. However, IoT ecosystems are facing key cyber security challenges, as most IoT devices are designed to be inexpensive, with little consideration for security. By exploiting vulnerable IoT devices, cyber threats can enter the integrated IoT systems and propagate to larger systems, resulting in the failure of whole ecosystems. The spread and scale of IoT devices also dramatically increase the attack surface.

In addition, humans are an important component in such systems, and they often end up being the weakest link in the IoT chain. For example, humans' perception of risk and trust towards these systems could modify their behaviour and potentially have an impact on how they interact with these IoT devices. There is little research on designing IoT devices with the user in mind. This oversight has great consequences for the safety/security of such systems. A multidisciplinary approach is required to study the relationships between humans and IoT and how they function together within IoT ecosystems.

The research objectives of this project are to:

  • establish user perception of risks of IoT as well as the trust towards these systems.
  • investigate how the above can modify people’s behaviour and their interaction with the IoT systems.
  • design and build safe/secure systems with a human-centric focus, that address the problems identified above.
  • evaluate the secure systems, and assess the acceptability of these systems.

Applicant attributes

  • Good programming skills.
  • Skills in HCI experimental design and user studies are desirable.
  • A Cyber Security or Human Computer Interaction background is desirable.

Cyber security metrics and decision making

Dr Ying He and Dr Tim Muller

Cyber security decision making is challenging due to its multi-disciplinary nature, as, typically, multiple stakeholders (e.g. security analysts, board members) are involved in assessing and mitigating cyber security risks. They often have different interpretations of cyber security risks and different priorities in decision making. There are technical barriers between security experts (e.g. security analysts) and non-experts (e.g. board members). In particular, non-experts may not appreciate the adversarial nature of attacks: that having a weakness that is currently not a threat may attract attention, resulting in an increased risk down the line. There are a number of security metrics (qualitative and quantitative) in the research and business communities to assist decision making; however, none of these systematically addresses this multi-disciplinary and adversarial nature, hampering the relevance and adoption of these metrics. A better metric is able to robustly translate between cyber security risks and the other priorities a non-expert may have.

The research objectives of this project are to:

  • identify the quantitative and qualitative metrics used by cyber security decision makers through interviews or surveys or literature research.
  • research the multi-disciplinary nature of risk assessment and identify the technical barriers between security experts (e.g. security analysts) and non-experts (e.g. board members).
  • create a robust security metric incorporating the multi-disciplinary nature of decision making, quantifying experts’ views on the use of the cyber security metrics together with a number of novel algorithms for leveraging multiple experts’ opinions in decision making. The threat level of certain risks may change when the decisions change as a result of the metric – a robust metric takes into account that attackers adjust their behaviour.
  • apply the metrics in a cyber security investment decision making scenario, ideally in a realistic industrial environment. There are industrial partners available for this purpose. 

Applicant attributes

  • Good programming skills.
  • Skills in HCI experimental design and user studies are desirable.
  • A Cyber Security or Human Computer Interaction background is desirable.

Maintaining privacy without sacrificing accountability

Dr Tim Muller and Dr Xavier Carpent 

Reputation is a mechanism used to hold people accountable for their actions. It also helps other people avoid interacting with untrustworthy strangers. Reputation is typically strongly linked with identity and requires a large degree of transparency. It is, therefore, difficult to combine reputation with anonymity or pseudonymity. The purpose of this project is to develop a system that supports both privacy (via pseudonymity) and accountability (via reputation).
Normally, an interaction with a user provides public feedback to a central entity, which results in an increase or decrease of the reviewed user's reputation. For this project, however, the feedback is not public, but rather some ciphertext which outsiders do not understand. This ciphertext is recorded in a public ledger (e.g. a blockchain). At some later point, the reviewed user wishes to prove that their reputation meets a threshold, and can securely reveal the value of the reputation in the ciphertext. The main challenge is to allow users to transfer reputation between different pseudonyms without outsiders being able to link the pseudonyms together. Solutions may apply cryptographic techniques such as zero-knowledge proofs, multi-party computation, homomorphic encryption, or mix-nets. Analysis requires an appreciation of privacy, anonymity and pseudonymity.

Applicant attributes

An ideal candidate has an interest in protocol design and analysis, as well as privacy analysis. A candidate must have some prior exposure to cryptography and computer security during their studies, but no specific expertise on the topics in this PhD is required.

Modelling the security of dynamic shared-ownership systems 

Dr Xavier Carpent and Dr Tim Muller

The shared ownership of an asset (e.g. account, service, device) allows multiple owners to independently perform pre-determined actions on the asset. These owners may have different capabilities, based on certain established policies (e.g. a repository maintainer versus a regular contributor). In many instances the ownership is not static: owners may be added, removed, or have their capabilities change over time. The relationship between owners may also not be static: their mutual trust or willingness to let others perform certain actions may fluctuate.
This project consists of modelling the security of dynamic shared-ownership systems and exploring the limits and solutions that arise in their study. Some expected challenges include quantitatively modelling trust in that context, maintaining security properties through various dynamic changes, and designing solutions that scale.

Applicant attributes

The ideal candidate has an interest in modelling and protocol design and analysis, and a good understanding of and sensitivity to systems security.

You will be required to meet the University PhD requirements as outlined below. Alongside these you must meet the additional requirements as stated under your chosen topic.




2:1 or masters in computer science or another relevant area 

International and EU equivalents 

We accept a wide range of qualifications from all over the world. 

For information on entry requirements from your country, see our country pages


6.5 (6.0 in each element) 

English language requirements 

As well as IELTS (listed above), we also accept other English language qualifications

This includes TOEFL iBT, Pearson PTE, GCSE, IB and O level English. 

Application process: 

Please check your eligibility against the entry requirements prior to proceeding. 

If you are interested in applying, please contact the named supervisors under your chosen project theme to discuss your research proposal. 

If the supervisor wishes to support your application post interview, they will direct you to make an official application through the MyNottingham system. You will be required to state the name of your supervisor and the studentship reference number of (insert ref) in your application. 

Do not submit your application via the MyNottingham platform without first having confirmed the support of a supervisor.