E-mail: lchen at pace dot edu
Department of Information Systems
I am an assistant professor in the Department of Information Systems, School of
Computer Science and Information Systems, Pace University. Prior to Pace, I worked with Professor Kathleen Carley in CASOS, School of
Computer Science, Carnegie Mellon University (CMU), in
My research interests have been focused on information security management and policy. In particular, I am interested in policy and managerial solutions to mitigate cyber security threats and risks, such as computer viruses/worms, denial of service attacks and phishing. Human factors have been regarded as the weakest link in computer security. How do we leverage human factors in strengthening cyber security? I have tried to study this problem through three distinct but complementary approaches: computational simulations for theory grounding, conceptual model building verified by empirical studies, and the development of educational tools. Using computational simulations, I was able to build theoretical grounds for analyzing the policy and managerial solutions regarding computer viruses and denial of service problems. Through conceptual model building and empirical studies, I was able to verify various hypotheses on individual risk perception towards cyber security from a micro perspective. By developing educational tools for cyber security, I intended to provide users/developers with some guidance on security awareness.
The specific research projects that I have conducted are described below. My papers can be downloaded from the publications page.
Modeling Distributed Denial of Service Attacks and Defenses: This study investigated the service models and the public policies needed to facilitate the provision of defenses against distributed denial of service attacks on computer networks.
Modeling the Spread of Computer Viruses and Countermeasures: Based on both an epidemiological model and a network model, this study investigated the propagation of computer viruses and the strategies to respond to the spread of new computer viruses. This study found that early warning and short patch development time are the two key factors in slowing down virus infections.
Multi-agent Models for Simulating Biological Attacks and Surveillance: I was a member of a team that is developing a multi-agent network model of weaponized biological attacks called BioWar. The team was composed of researchers from Carnegie Mellon, the University of Pittsburgh and the Pittsburgh Supercomputer Center. I worked on the validation of the model using empirical data on biological attacks, medical records, and drug purchases.
Detection of Anomalous Web Server Access Patterns: This work focused on a relatively new aspect of anomaly detection: temporal and relational interdependencies among the attributes of dynamic relational data records. Web server access logs are used as an example for anomalous pattern detection.
Individual Risk Perception on Computer Security Related Risk: I have developed a conceptual model and conducted an empirical survey that examined how end users make decisions involving cyber security risk. This study allowed us to gather empirical evidence in order to verify the hypotheses regarding individual computer security risk perception. This research project is ongoing and more follow-up studies are planned. This project is supported by the Verizon Foundation's Thinkfinity grant (sub-awarded through Pace University).
Web Security Education: Educating users and IT professionals on cyber security risk is one of the ways to strengthen cyber security. I am currently leading a research project called SWEET (Secure WEb dEvelopment Teaching modules) to design teaching modules for users/developers about web application threats and vulnerabilities. SWEET is an ongoing project, supported by a grant from the National Science Foundation. The SWEET research team consists of two other faculty members from the Seidenberg School and two faculty members from City University of New York. In addition, I am also working on an effort to develop a new curriculum on web application security. The new curriculum development is supported by a grant from the Department of Defense.
Information Technology Auditing: IT Auditing involves understanding the auditing process to provide technology audit services in accordance with audit standards, guidelines, and best practices. Thus, IT Auditing requires an interdisciplinary domain of knowledge across information technology, information systems security and Accounting/Auditing. This ongoing project aims to develop interdisciplinary Information Technology (IT) Auditing teaching modules. This project is supported by the Verizon Foundation's Thinkfinity grant (sub-awarded through Pace University).
Last Modified: November 1st, 2009