Skip to main content

Sample research topics

Sample research topics

Our research topics take advantage of the CDT's interdisciplinary nature to tackle major challenges in many different areas of cyber security. Below are some sample areas of research. These are not the only topics we supervise, but they do demonstrate the range of research areas we cover.

Note that applicants need not have a specific project to apply for the CDT, as a research project can be determined towards the end of the first year of the programme.

Cryptography is a field that actively interrogates its foundations. These foundations are, unsurprisingly and sensibly, understood to be of the complexity-theoretic and mathematical variety. However, cryptographic security notions -- and everything that depends on them -- do not exist in a vacuum, they have reasons to be. While the immediate objects of cryptography are not social relations, it presumes and models them. This fact is readily acknowledged in the introductions of cryptographic papers which illustrate the utility of the work by reference to some social situation where several parties have conflicting ends but a need or desire to interact. Yet, this part of the definitional work has not received the same rigour from the cryptographic community as complexity-theoretic and mathematical questions.

This project aims to take first steps towards remedying this situation by grounding cryptographic security notions in findings emerging from ethnographic fieldwork in adversarial situations. In particular, it considers protesters in large-scale protests and aims to understand their security needs, practices and the technologies they rely upon. The project then also analyses these technologies, i.e. attempts to break their security, and proposes new solutions based on the findings from fieldwork. By bringing cryptographic security notions to *the field*, the project provokes a series of security questions about, for example, confidentiality and anonymity in online and offline networks, trust relations and how to establish them, onboarding and authentication practices.

We seek applicants with either a background in mathematics and/or computer science or related disciplines or a background in ethnography or experience using related qualitative social science methods.

Further Reading
What does “secure” mean in Information Security? 
Mesh Messaging in Large-scale Protests: Breaking Bridgefy  

Prospective applicants are welcome to discuss with Dr Rikke Jensen and Prof Martin Albrecht

Fully homomorphic encryption enables the evaluation of arbitrary functions on encrypted data, without requiring access to the secret key. This cryptographic primitive can enable a variety of practical applications in secure outsourced computation, for example, in the setting of privacy-preserving machine learning. On the theoretical side, homomorphic encryption can be a useful tool to construct advanced primitives and protocols including indistinguishability obfuscation, electronic voting, and Private Information Retrieval.

Research in fully homomorphic encryption has moved swiftly since the first scheme was presented by Gentry in 2009, with modern schemes being many orders of magnitude faster than early schemes. In 2017, a community effort involving researchers from government, industry and academia was launched towards standardising homomorphic encryption. Researchers from the Information Security Group at Royal Holloway have been actively involved in this effort and have strong connections with other research groups in this area.

Moreover, researchers from the Information Security Group have been involved in all aspects of developing homomorphic encryption, including cryptanalysis, noise growth analysis, encoding, implementation, and investigating specific practical applications. We are seeking interested students to further push forward the state of the art in this area of growing importance.

Applicants should have a background in mathematics, computer science, or a related discipline.
Prospective applicants are welcome to discuss with Dr Rachel Player.

The threat of large-scale, general-purpose quantum computers to existing public-key cryptographic solutions has lead to global efforts to standardise post-quantum cryptography as a replacement. In particular, the NIST Post-Quantum Cryptography is now in its third and final round. One of the front-runners for problems to base post-quantum cryptography on are hard problems on lattices. Five out of seven finalists of the NIST processes are based on lattices.

Thus, it is a natural question to ask how long it actually takes to solve these problems on lattices. The better we understand this problem the more confidence we can have in the cryptographic solutions soon to be deployed globally.

The security of lattice-based cryptography is a pressing research question for a second reason. Many innovations in the field of cryptography in recent years rely on lattices as their foundation. For example, all the ways in which we know how to compute arbitrary functions on encrypted data – homomorphic encryption – are based on lattices.

The Information Security Group at Royal Holloway has a strong track record in this area and we are seeking students to join our efforts to address this pressing research question. The directions this PhD can go into are manifold: (asymptotic) algorithm design and analysis, implementations, experimental validation, quantum computing, side-channel analysis, active attacks against protocols using lattice-based primitives, studying special cases relevant in practic.

We seek applicants with a background in mathematics and/or computer science or related disciplines.
Prospective applicants are welcome to discuss with Prof Martin Albrecht.

Trusted Execution Environments (TEEs) such as Intel SGX and ARM Trustzone along with their underlying platforms claim secure application execution. However, as the underlying hardware resources are often shared the paramount context isolation is enforced, mostly, by software means through the underlying platform. This has resulted in a number of software-based attacks on the underlying technologies.

This project should examine how TEEs should enhance their underlying security offering and provide demonstrable recommendations for improvements in the overall integrity and confidentiality of the executed applications.

More specifically, this project will focus on TEEs and Secure Elements (SEs) and explore how their underlying software platforms can be potentially enhanced with micro kernel attestation mechanisms, and software (and hardware) countermeasures that will safeguard secure application and life cycle management (e.g. installation, execution, decommission). Furthermore, it will address issues surrounding the interplay between hardware and software based secure application execution mechanisms, hardware and software binding, control-flow verification, and integrity of the executed instructions for the protection of run-time data, for avionics, automotive, and Internet-of-Things.

We are now looking for highly talented applicants with a Computer Science, Information Security or electronic/computer engineering skills. The successful candidate will ideally have good practical skills (such as experience in software development, appreciation of the underlying hardware characteristics of execution environments, FPGA programming is desirable, but not essential), communication and team working skills. A strong interest in information security problems that aim to bridge theory and practice in embedded systems, IoTs, mobile devices, smart cards is essential.
Prospective applicants are welcome to discuss this project with Prof Konstantinos Markantonakis.

Since the global spread of the COVID19 virus, a number of countries across the world have implemented their own form of a testing, track and trace services. Some of these different national contexts have developed what have become known as COVID tracing apps. Whilst these systems have worked very differently - Israel used the powers of its intelligence and security agency Shin Bet and emergency law in what the Israel Democracy Institute has characterised as a ‘Central Mandatory mass surveillance system’ - there are other systems in the Republic of Ireland, Australia, Singapore, Germany, Switzerland, South Korea and elsewhere. Two broad approaches have coalesced around the systems underlying the function of the app. The decentralised approach (as advocated by large tech firms Google and Apple together), which stores data locally on phones, and the centralised approach, which reports data to a centralised server potentially under government control. The differences between these approaches have led to heated debates about privacy and where to place trust in large-scale digital systems handling sensitive data.

The UK government, already late to lock-down in contrast to neighbouring European countries, has so far failed to deliver a national track and trace app, its development seemingly pushed into the long-grass. This is in favour of a massive recruitment drive to recruit thousands of track and trace personnel to call and guide members of the population who have come into contact with people who have tested positive for the virus.

Although some university research groups have developed their own apps which are available to download and use, the UK’s initial proposal for a national app – which was piloted on the Isle of White and developed by the NHS’s digital unit NHSX - was beleaguered by technical issues. It’s design was also controversial, with a group of information security and cyber security specialists signing an open letter expressing numerous concerns, not least about the possibility of the app for mass social surveillance given the extensive information the app could hold over social contacts (the ‘social graph’). Others have expressed concern that the app will not be widely used by the poorest and most vulnerable, perhaps without access to a smart phone, who cannot afford data plans, who share a mistrust for government and state authority, or the systems which they are already marginalised by.

The project will investigate the historic and continued development of a UK tracing app and examine key issues including:

- The cryptographic debates and the control over personal information
- Trust in government systems during the COVID crisis
- The role of publics and communities weighing their obligations to so called ‘public duty’ and personal self-care.
- The construction and representation of scientific and (cyber)security knowledges through the app and its development.
- The mediatisation of health surveillance through personal apps and smart phones.
- Digital marginality and social inequalities.

We seek applicants with an interest in cyber-security but come from a social science or humanities discipline, with at least an undergraduate degree in a field cognate to Human Geography; Politics and IR; Sociology; Criminology; Science and Technology Studies; Social Studies of Health or Medicine, or the Medical or Digital Humanities. Ideally, applicants will have experience in the collection, handling and ethical treatment of qualitative data, and experience of research methodologies such as ethnography and participant observation, semi-structured interviews, policy and documentary analysis.

Prospective applicants are welcome to discuss with Prof Peter Adey and Prof Keith Martin.

App-enabled ecosystems have taken over most of the ways we interact with devices and the internet. Users can now find and install apps on their smart devices (phones, watches, TVs, etc.), browsers (as extensions and webapps) or within other applications (suites, productivity tools, etc.). The huge popularity of these ecosystems along with poor privacy and security privacy practices has led to a proliferation of malware and apps that don’t handle the user’s information in a transparent and secure manner.

Research in this area has already covered ecosystems such as Android in detail, and have started to look at others such as IoT platforms and browser extensions. Results show that despite many efforts in these areas, apps with poor security and privacy practices are still widely available and being downloaded by users. Researchers in the Information Security group have been involved in malware and app analysis for the Android ecosystem and are expanding to other ecosystems.

We are seeking students to expand our efforts in these new platforms and how they interconnect. In particular we see opportunities for both security and privacy characterisation of apps in emerging ecosystems (browser extensions, productivity tools, etc.), malware studies, and inter-ecosystem communication security among others.

Applications should have a background in Computer Science or a related discipline with interests in security, privacy and static analysis techniques.
Prospective applicants are welcome to discuss with Dr Jorge Blasc.

The research in this project will focus on the design, analysis and implementation of efficient privacy-preserving cryptographic techniques and their applications. Secure computation methods enable the computation on encrypted data without decryption. Main cryptographic techniques for constructing secure computation schemes include homomorphic encryption, multi-party computation, private set operation protocols and functional encryption. In this project, the student will consider secure computation applications, for example privacy-preserving cybersecurity analysis. Cybersecurity systems (e.g. IDS, IPS) typically collect large amounts of data in order to detect security events or anomaly events. Analysis of this data may however pose a significant threat to the privacy of users. A privacy-preserving cybersecurity system attempts to alleviate this threat by carrying out the analysis over encrypted data. The goal of the project is to research the design and security of privacy-preserving cybersecurity systems, and may consider (among other research problems) the enhancement for the basic secure computation techniques, their optimisation for computation over large datasets, as well as novel applications.

The Information Security Group (ISG) at Royal Holloway has a strong track record in cryptographic research, including algorithm design and analysis, post-quantum cryptography, homomorphic encryption and applications of secure computation. KDDI Research is the research and innovation arm of KDDI Corporation, one of the largest Japanese telecommunications operators. The ISG and KDDI have a long-term collaboration in the area of cryptography, and the student recruited for this project will work closely with researchers from the two groups.

Applicants are expected to have a background in mathematics, computer science, or a related discipline. Prospective applicants are welcome to contact Professor Carlos Cid to discuss the project.

Grounded in ethnography, this project explores how (information) security is understood, negotiated, shaped and practised among people living and/or working on what we might call 'the edge' of societies. More specifically, it engages the often hidden, unvoiced and/or marginalised groups and communities not generally considered in the design of security technologies. 'The edge' is loosely defined and can be understood in cultural, economic, geographical, occupational, social terms. As such, the PhD can take multiple directions, engaging a diversity of groups, communities and/or specific sites of study. 

The starting point for this project is an understanding of information security as a collective endeavour, grounded in trust relations within groups and shared security goals; where security for the group is negotiated between group members and where individual security notions are shaped by those of the group. In other words, information security experienced and practised collectively.

Ethnography is uniquely placed to uncover such collective practices through extended field studies, driven by immersion and observation with and within the groups it aims to understand. It enables long-term explorations of, for example, what security looks and feels like for the groups under study. How security is experienced and voiced and how it is negotiated and shared between group members. How security technologies are used and for what purpose within groups. What security expectations are held within groups and how they manifest themselves as well as the socio-materiality of their existence.

Qualitative social science is a key research area in the Information Security Group at Royal Holloway, with previous and current work engaging distinct communities, including refugees and migrants, seafarers, Greenlandic women, protesters. We seek PhD students to collaborate on, contribute to and extend this body of work. Applicants should thus have an interest in (information) security but come from a social science background, with at least an undergraduate degree in a field cognate to Anthropology, Human Geography, Sociology or Science and Technology Studies. Ideally, applicants will have experience in conducting ethnographic fieldwork, engaging in participant observation and/or collecting and analysing qualitative data.

Prospective applicants are welcome to discuss with Dr Rikke Bjerg Jensen.

The Centre for Doctoral Training in Cyber Security for the Everyday seeks to recruit a PhD student to study the wider security implications of increased technological automation and datafication for supply communities. Through this, the aim is to contribute to the development of technologies that meet the needs and expectations of mobile labour working in different supply sectors, including road haulage, maritime, delivery, agriculture and warehousing.

A growing number of both established and emerging industries are turning to AI-driven automation to respond to global changes and challenges, as well as to improve efficiency and productivity throughout the supply chain, with significant implications for those who work in these sectors. Supply communities are thus at the cutting-edge of these developments, evidenced by large-scale UK government and industry investments into AI and robotics. This project aims to explore how such developments manifest themselves in the often hidden and intrinsically mobile communities that support these industries, with a focus on security broadly defined – the security of infrastructure and supply chains; systems and data; the security of employment, rights, benefits and welfare; the security of communities. It explores the extent to which such technologies impact upon the ways in which members of these communities build trust, maintain work identity and establish security in their daily lives, while their work and living environments are turning increasingly technological and more automated.

This project focuses attention on the security needs and practices - the practical security features, including the diverse ways in which strategies and techniques for governing security are experienced, taken up, embodied, resisted and augmented by members of supply communities - at a time of rapid technological transformation. It is thus solidly grounded in these communities at a time when advanced technologies are becoming enmeshed in their work environments, often assisting and/or replacing human interactions, and re-shaping bodily capacities.

We seek applicants with an interest in (information) security but come from a social science background, with at least an undergraduate degree in a field cognate to Anthropology, Human Geography, Sociology or Science and Technology Studies. Ideally, applicants will have experience in the collection and analysis of qualitative data, and experience of conducting ethnographic fieldwork, including participant observation and semi-structured interviews.

Prospective applicants are welcome to discuss with Dr Rikke Bjerg Jensen, Prof Peter Adey and Dr Anna Jackman.

The project will investigate the contemporary home as a key site for everyday engagement with technologies associated with the 'smart home', including IoT and networked devices controlling, for example, lighting, heating, energy, domestic appliances, access control, and audio-visual. The project will focus on the booming 'smart home' industry and lived (in)security experiences of its capturing and remaking of domestic life in various guises. It could be grounded in feminist human-computer interactions (HCI), security scholarship, feminist geography, and/or feminist geopolitics, and will draw on notions of intimacy, identity, and the everyday.

Foci could include:
* Critically reworking threat modelling in the 'smart home' and cyber security more widely as an embodied process through which security threats and vulnerabilities are identified and addressed
* Sensory, emotional, and affective experiences of living with smart devices;
* Gendered technologically-facilitated domestic violence and sexual abuse in the home (e.g. via spyware ecosystem);
* Automated futures of social reproduction and care in the 'smart home';
* 'Smart home' seductions and commercial cultures of homemaking.

We seek applicants with an interest in cyber-security but come from a social science or humanities discipline, with at least an undergraduate degree in a field cognate to Human Geography; Politics and IR; Sociology; Criminology; Science and Technology Studies; Social Studies of Health or Medicine, or the Medical or Digital Humanities. Ideally, applicants will have experience in the collection, handling and ethical treatment of qualitative data, and experience of research methodologies such as ethnography and participant observation, semi-structured interviews, policy and documentary analysis.

Prospective applicants are welcome to discuss with Prof Katherine Brickell and Dr Jorge Blasco Alis.

Serverless is relatively new paradigm that simplifies distributed application development by allowing application developers to focus on their business logic and reduce infrastructure configuration and maintenance efforts. Serverless deployments can sometimes produce very complex systems of interconnected functions and associated services. This can result in new issues that may affect the performance and security of the deployment such as: state explosion, information leakage or overprivileged applications.

This project will focus on developing techniques to help developers understand and automatically identify security vulnerabilities within serverless applications. The project will be carried out within the Information Security Group and Computer Science Departments at Royal Holloway. Researchers from these departments have extensive experience in distributed system security and information-flow analysis via static and dynamic analysis techniques.

Students pursuing this project are expected to develop new static and dynamic analysis techniques to analyse serverless deployments. We are seeking applicants with a background in Computer Science or a related discipline. Prospective applications are welcome to discuss this project with Dr Jorge Blasco Alis and Dr Daniel O’Keeffe.

Behavioural aspects in cyber security have been drawing increasing attention in both academia and the industry. The diversity of ever-increasing cyber security attacks includes targeting humans for obtaining unauthorized access to systems and information. Traditional security awareness training campaigns are not sufficiently effective in protecting digital assets. In the same way that medical professionals urge their patients to quit smoking and exercise more, security professionals urge users to be cautious of phishing attacks and use strong passwords. Both attempts are largely unsuccessful. Thus, there is a need for behaviour change in the form of interventions which nudge and shape cyber habits of individuals long-term. In order to be successful, these interventions, however, need to be tailored to the individual’s characteristics in terms of knowledge, skills, personal traits and environment.  

With tech companies collecting user meta-data (which, however, can allow for the identification of individuals indirectly) through a variety of services, privacy violations are a valid concern today. Consequently, any customised behavioural intervention requires ethical designs to ensure the individual’s autonomy and privacy.  

This project focuses on the gaps between theoretical models of behaviour and practical implementations of cyber behaviour change, drawing on behavioural, design, cultural and ethical angles to provide interdisciplinary solutions. In particular, the project includes: 

  • The analysis of perception and behaviour in online user activities;  
  • The gap between theory and practical applications of behaviour change; 
  • The creation of ethical frameworks for behaviour change interventions; 
  • The underpinnings and design of persuasive technologies; 
  • The formation of secure user habits.

We are looking for applicants with a background in or knowledge of behavioural economics or psychology or similar disciplines which study human perception, behaviour or habits. 

Prospective applicants are welcome to discuss with Dr Konstantinos Mersinas and Prof Dawn Watling.

Aims: Propose and develop methods that help make security more sustainable.

Background: Currently, when we think of sustainability in security today, models such as “planned obsolescence” and “security as a service” may spring to mind. However, very little work has been done to understand what makes security sustainable in the first place. For instance, to what degree do concepts such as durability, agility, autonomy, resilience and robustness of systems interact. Furthermore, what are the direct and indirect effects of implementing sustainable security? The purpose of this PhD is to investigate characteristics that make cyber security sustainable. Examples include, but are not limited to understanding the relationship between technical and non-technical aspects of security such as: patching, system monitoring, intrusion detection, system hardening, security policies, etc. The purpose of this work is to investigate whether such a term is meaningful in the context of cyber security, whether it ought to be formalised as a set of principles, guidelines, framework (such as a maturity model), text definition or making use of formal methods – dependent on the student’s skills and experience.

Prerequisites: This can be a computer science driven project or a software engineering driven project, and the project should have an awareness of the wider social, economic and political issues that frame sustainable cyber security. We would expect the student to have a strong background in programming and software development using languages such as Python, Java or C/C++ and some background in requirements gathering and analysis. For the social science part, we expect students to have a background in conducting questionnaires, interviews, focus groups, user studies and ethnographic studies. Ideally, the student will have an interest in hypothesis testing using tools such as SPSS (but this is not a requirement).

Early activities: A report describing the state of the art in security and sustainability; a clear work plan describing the set of tests to be performed, tools to be implemented and classes of techniques to be proposed and studied;

Research: The student will be free to tackle the problem as they see fit with guidance from the supervisors. We expect to see either some practical tools development to study the sustainability of security in systems, or studying of how people perceive concepts related to sustainability of security in real world systems. Around the midway point, we would expect the formulation of key (testable) hypotheses to eventually lead to a framework that developers, policy makers and other organisation stakeholders can use to improve sustainability of security in ICT systems and organisations.

Suggested Reading:

There is very little available on this topic. Ross Anderson has a few works on the subject: , but otherwise most of the work in this area focuses on related topics such as resilience and robustness of systems, including:

- Julia Allen. Measures for managing operational resilience. Technical Report, 2011.

- Julia Allen, Pamela Curtis, Nader Mehravari, Andrew Moore, Kevin Partridge, Robert Stoddard, and Randy Trzeciak.  Analyzing cases of resilience success and failure-a research study.  Technical report,Carnegie Mellon University, the Software Engineering Institute, 2012.

- Richard A Caralli, Julia Allen, and David W White. CERT resilience management model: A maturity model for managing operational resilience. Addison-Wesley Professional, 2010.

- Deborah Bodeau and Richard Graubart. Cyber resilience metrics: Key observations. Technical Report,2016.

- Ronald J Brachman, Richard E Fikes, and Hector J Levesque. Krypton: A functional approach to knowledge representation. Computer, (10):67–73, 1983.

- Linkov and Trump. The science and practice of resilience. 2019.

Prospective applicants are welcome to discuss with the project supervisors, 
Dr Jassim Happa and Professor Lizzie Coles-Kemp


Explore Royal Holloway

Get help paying for your studies at Royal Holloway through a range of scholarships and bursaries.

There are lots of exciting ways to get involved at Royal Holloway. Discover new interests and enjoy existing ones

Heading to university is exciting. Finding the right place to live will get you off to a good start

Whether you need support with your health or practical advice on budgeting or finding part-time work, we can help

Discover more about our 21 departments and schools

Find out why Royal Holloway is in the top 25% of UK universities for research rated ‘world-leading’ or ‘internationally excellent’

They say the two most important days of your life are the day you were born, and the day you find out why

Discover world-class research at Royal Holloway

Discover more about who we are today, and our vision for the future

Royal Holloway began as two pioneering colleges for the education of women in the 19th century, and their spirit lives on today

We’ve played a role in thousands of careers, some of them particularly remarkable

Find about our decision-making processes and the people who lead and manage Royal Holloway today