Nicolás E. Díaz Ferreyra

Institute of Software Security

Blohmstr. 15

21079 Hamburg, Germany

I am a senior researcher and lecturer at the Institute of Software Security of Hamburg University of Technology. My main research focus stands at the intersection of human-computer interaction and privacy engineering. Particularly, I seek to create technological solutions for supporting the cybersecurity decisions of social network users and software developers. For this, I elaborate on digital nudging applications, their personalization by means of Artificial Intelligence (AI), and ethical issues arising from combining persuasion with AI.

Before joining the Hamburg University of Technology, I worked as a postdoctoral fellow at the University of Duisburg-Essen. From January 2020 to October 2021 I was the coordinator of the RTG “User-Centered Social Media” funded by the German Research Foundation (DFG). Between August 2018 and September 2021 I participated in the H2020 project “PDP4E: Methods and Tools for GDPR Compliance through Privacy and Data Protection Engineering”. In the past, I have worked as a software engineer in Denmark and as an undergraduate research assistant in Argentina.

Besides conducting my research, I am involved in multi-stakeholder forums for the discussion of public policies and Internet governance issues. Particularly, in debates concerning the users’ right to privacy and control over their private information.

news

May 20, 2022	I am co-organizing the 1st Workshop on Mining Software Repositories Applications for Privacy and Security at `ESEC/FSE '22`
Mar 4, 2022	I am co-organizing the 2nd Workshop on Adverse Impacts and Collateral Effects of AI Technologies at `IJCAI '22`
Dec 8, 2021	IGF 2021 Town Hall #19 Paving the Road for the European Regulation on AI
Aug 16, 2021	I4ADA: Dialogues on Accountability in the Digital Age

selected publications

QRS ’22

GitHub Considered Harmful? Analyzing Open-Source Projects for the Automatic Generation of Cryptographic API Call Sequences

Tony, Catherine, Díaz Ferreyra, Nicolás, and Scandariato, Riccardo

In 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security Companion (QRS-C) 2022

arXiv Bib

@inproceedings{tony2022github,
  author = {Tony, Catherine and D\'{i}az Ferreyra, Nicol\'{a}s and Scandariato, Riccardo},
  booktitle = {2022 IEEE 22nd International Conference on Software Quality, Reliability and Security Companion (QRS-C)},
  title = {GitHub Considered Harmful? Analyzing Open-Source Projects for the Automatic Generation of Cryptographic API Call Sequences},
  year = {2022},
  volume = {},
  number = {},
  pages = {},
  doi = {},
}

EuroUSEC ’22
ENAGRAM: An App to Evaluate Preventative Nudges for Instagram

Díaz Ferreyra, Nicolás E., Ostendorf, Sina, Aïmeur, Esma and 2 more authors

In 2022 European Symposium on Usable Security (EuroUSEC 2022) 2022

Abs arXiv Bib

Online self-disclosure is perhaps one of the last decade’s most studied communication processes, thanks to the introduction of Online Social Networks (OSNs) like Facebook. Self-disclosure research has contributed significantly to the design of preventative nudges seeking to support and guide users when revealing private information in OSNs. Still, assessing the effectiveness of these solutions is often challenging since changing or modifying the choice architecture of OSN platforms is practically unfeasible. In turn, the effectiveness of numerous nudging designs is supported primarily by self-reported data instead of actual behavioral information. OBJECTIVE: This work presents ENAGRAM, an app for evaluating preventative nudges, and reports the first results of an empirical study conducted with it. Such a study aims to showcase how the app (and the data collected with it) can be leveraged to assess the effectiveness of a particular nudging approach. METHOD: We used ENAGRAM as a vehicle to test a risk-based strategy for nudging the self-disclosure decisions of Instagram users. For this, we created two variations of the same nudge (i.e., with and without risk information) and tested it in a between-subjects experimental setting. Study participants (N=22) were recruited via Prolific and asked to use the app regularly for 7 days. An online survey was distributed at the end of the experiment to measure some privacy-related constructs. RESULTS: From the data collected with ENAGRAM, we observed lower (though non-significant) self-disclosure levels when applying risk-based interventions. The constructs measured with the survey were not significant either, except for participants’ External Information Privacy Concerns (EIPC). IMPLICATIONS: Our results suggest that (i) ENAGRAM is a suitable alternative for conducting longitudinal experiments in a privacy-friendly way, and (ii) it provides a flexible framework for the evaluation of a broad spectrum of nudging solutions.
@inproceedings{diaz2022eusec, author = {D\'{i}az Ferreyra, Nicol\'{a}s E. and Ostendorf, Sina and A\"{i}meur, Esma and Heisel, Maritta and Brand, Matthias}, year = {2022}, doi = {https://doi.org/10.1145/3549015.3555674}, title = {ENAGRAM: An App to Evaluate Preventative Nudges for Instagram}, booktitle = {2022 European Symposium on Usable Security (EuroUSEC 2022)}, }
OSNEM
Community Detection for Access-Control Decisions: Analysing the Role of Homophily and Information Diffusion in Online Social Networks

Díaz Ferreyra, Nicolás E., Hecking, Tobias, Aïmeur, Esma and 2 more authors

Online Social Networks and Media 2022

Abs Bib HTML

Access-Control Lists (ACLs) (a.k.a. “friend lists”) are one of the most important privacy features of Online Social Networks (OSNs) as they allow users to restrict the audience of their publications. Nevertheless, creating and maintaining custom ACLs can introduce a high cognitive burden on average OSNs users since it normally requires assessing the trustworthiness of a large number of contacts. In principle, community detection algorithms can be leveraged to support the generation of ACLs by mapping a set of examples (i.e. contacts labelled as “untrusted”) to the emerging communities inside the user’s ego-network. However, unlike users’ access-control preferences, traditional community-detection algorithms do not take the homophily characteristics of such communities into account (i.e. attributes shared among members). Consequently, this strategy may lead to inaccurate ACL configurations and privacy breaches under certain homophily scenarios. This work investigates the use of community-detection algorithms for the automatic generation of ACLs in OSNs. Particularly, it analyses the performance of the aforementioned approach under different homophily conditions through a simulation model. Furthermore, since private information may reach the scope of untrusted recipients through the re-sharing affordances of OSNs, information diffusion processes are also modelled and taken explicitly into account. Altogether, the removal of gatekeeper nodes is further explored as a strategy to counteract unwanted data dissemination.
@article{diaz2022osnem, volume = {29}, pages = {100203}, year = {2022}, issn = {2468-6964}, doi = {https://doi.org/10.1016/j.osnem.2022.100203}, title = {Community Detection for Access-Control Decisions: Analysing the Role of Homophily and Information Diffusion in Online Social Networks}, journal = {Online Social Networks and Media}, author = {Díaz Ferreyra, Nicolás E. and Hecking, Tobias and Aïmeur, Esma and Heisel, Maritta and Hoppe, H. Ulrich}, keywords = {information diffusion, access control, online social networks, community detection, homophily} }
ARES ’22

SoK: Security of Microservice Applications: A Practitioners’ Perspective on Challenges and Best Practices

Billawa, Priyanka, Bambhore Tukaram, Anusha, Díaz Ferreyra, Nicolás E. and 3 more authors

In International Conference on Availability, Reliability and Security (ARES) 2022
MSR ’22

Vul4J: A Dataset of Reproducible Java Vulnerabilities Geared Towards the Study of Program Repair Techniques

Bui, Quang-Cuong, Scandariato, Riccardo, and Díaz Ferreyra, Nicolás E.

In International Conference on Mining Software Repositories (MSR) 2022
preprint
Cybersecurity Discussions in Stack Overflow: A Developer-Centred Analysis of Engagement and Self-Disclosure Behaviour

Díaz Ferreyra, Nicolás E., Vidoni, Melina, Heisel, Maritta and 1 more author

2022

Abs arXiv Bib

Stack Overflow (SO) is a popular platform among developers seeking advice on various software-related topics, including privacy and security. As for many knowledge-sharing websites, the value of SO depends largely on users’ engagement, namely their willingness to answer, comment or post technical questions. Still, many of these questions (including cybersecurity-related ones) remain unanswered, putting the site’s relevance and reputation into question. Hence, it is important to understand users’ participation in privacy and security discussions to promote engagement and foster the exchange of such expertise. Objective: Based on prior findings on online social networks, this work elaborates on the interplay between users’ engagement and their privacy practices in SO. Particularly, it analyses developers’ self-disclosure behaviour regarding profile visibility and their involvement in discussions related to privacy and security. Method: We followed a mixed-methods approach by (i) analysing SO data from 1239 cybersecurity-tagged questions along with 7048 user profiles, and (ii) conducting an anonymous online survey (N=64). Results: About 33% of the questions we retrieved had no answer, whereas more than 50% had no accepted answer. We observed that "proactive" users tend to disclose significantly less information in their profiles than “reactive” and “unengaged” ones. However, no correlations were found between these engagement categories and privacy-related constructs such as Perceived Control or General Privacy Concerns. Implications: These findings contribute to (i) a better understanding of developers’ engagement towards privacy and security topics, and (ii) to shape strategies promoting the exchange of cybersecurity expertise in SO.
@article{diaz2022sodis, title = {{Cybersecurity Discussions in Stack Overflow: A Developer-Centred Analysis of Engagement and Self-Disclosure Behaviour}}, year = {2022}, author = {D\'{i}az Ferreyra, Nicol\'{a}s E. and Vidoni, Melina and Heisel, Maritta and Scandariato, Ricardo}, note = {{Submitted for publication}}, }
EASE ’22
Conversational DevBots for Secure Programming: An Empirical Study on SKF Chatbot

Tony, Catherine, Balasubramanian, Mohana, Díaz Ferreyra, Nicolás E. and 1 more author

In Evaluation and Assessment in Software Engineering (EASE) 2022

Abs Bib HTML

Conversational agents or chatbots are widely investigated and used across different fields including healthcare, education, and marketing. Still, the development of chatbots for assisting secure coding practices is in its infancy. In this paper, we present the results of an empirical study on SKF chatbot, a software-development bot (DevBot) designed to answer queries about software security. To the best of our knowledge, SKF chatbot is one of the very few of its kind, thus a representative instance of conversational DevBots aiding secure software development. In this study, we collect and analyse empirical evidence on the effectiveness of SKF chatbot, while assessing the needs and expectations of its users (i.e., software developers). Furthermore, we explore the factors that may hinder the elaboration of more sophisticated conversational security DevBots and identify features for improving the efficiency of state-of-the-art solutions. All in all, our findings provide valuable insights pointing towards the design of more context-aware and personalized conversational DevBots for security engineering.
@inproceedings{tony2022ease, title = {{Conversational DevBots for Secure Programming: An Empirical Study on SKF Chatbot}}, booktitle = {Evaluation and Assessment in Software Engineering (EASE)}, publisher = {ACM}, year = {2022}, doi = {https://doi.org/10.1145/3530019.3535307}, author = {Tony, Catherine and Balasubramanian, Mohana and D\'{i}az Ferreyra, Nicol\'{a}s E. and Scandariato, Riccardo}, }