I am one of the authoring members of the v3/3.1 First.org/NIST Common Vulnerability Scoring System Standard. First.org CVSS Special Interest Group (Authoring member). Common Vulnerability Scoring System (CVSS) v3. Published at http://www.first.org/cvss.
Some highlights
- Burda, P., Allodi, L., & Zannone, N. (2024). Cognition in social engineering empirical research: a systematic literature review. ACM Transactions on Computer-Human Interaction, 31(2), 1-55. PDF.
- Campobasso, M. and Allodi, L. (2023), Know Your Cybercriminal: Evaluating Attacker Preferences by Measuring Profile Sales on an Active, Leading Criminal Market for User Impersonation at Scale. In Proceedings of USENIX Security 2023. Preprint.
- Marin, I. and Burda, P. and Zannone, N. and Allodi, L. (2023), The Influence of Human Factors on the Intention to Report Phishing Emails. In Proceedings of the 2023 ACM CHI Conference on Human Factors in Computing Systems. Preprint.
- Allodi, L., Massacci, F., Williams, J. The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures. (2021) Risk Analysis. Open Access, doi:10.1111/risa.13732.
- Martin Rosso, Michele Campobasso, Ganduulga Gankhuyag, Luca Allodi. SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. In Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC 2020). Distinguished Paper with Artifacts Award. Preprint.
- Amber van der Heijden, Luca Allodi. Cognitive Triaging of Phishing Attacks. In Proceedings of Usenix Security 2019. Preprint.
Journals
- Burda, P., Allodi, L., & Zannone, N. (2024). Cognition in social engineering empirical research: a systematic literature review. ACM Transactions on Computer-Human Interaction, 31(2), 1-55. PDF.
- Genga, L., Allodi, L., & Zannone, N. (2022). Association Rule Mining Meets Regression Analysis: An Automated Approach to Unveil Systematic Biases in Decision-Making Processes. Journal of Cybersecurity and Privacy, 2(1), 191-219. Publisher.
- Allodi, L., Massacci, F., Williams, J. The Work-Averse Cyber Attacker Model: Theory and Evidence From Two Million Attack Signatures. (2021) Risk Analysis. Open Access, doi:10.1111/risa.13732.
- Allodi, L., Cremonini, M., Massacci, F. et al. Measuring the accuracy of software vulnerability assessments: experiments with students and professionals. Empirical Software Engineering (2020). Open Access, doi:10.1007/s10664-019-09797-4.
- Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864 Pre pub version.
- Luca Allodi, Marco Corradin, Fabio Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. IEEE Transactions on Emerging Topics in Computing, 4(1):35–46, Jan 2016. Prepub version.
- Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. PDF.
Policy (white) papers
- Winnona DeSombre, James Shires, JD Work, Robert Morgus, Patrick Howell O’Neill, Luca Allodi, and Trey Herr. Countering cyber proliferation: Zeroing in on Access-as-a-Service. Atlantic Council, 2021. Available on the Atlantic Council’s website.
- Winnona DeSombre, Michele Campobasso, Luca Allodi, Dr. James Shires, JD Work, Robert Morgus, Patrick Howell O’Neill, and Dr. Trey Herr. A primer on the proliferation of offensive cyber capabilities. Atlantic Council, 2021. Available on the Atlantic Council’s website.
Conferences
- Kersten, L. et al. A Security Alert Investigation Tool Supporting Tier 1 Analysts In Contextualizing and Understanding Network Security Events. In Proceedings of ACSAC 2024.
- Burda, P., Allodi, L., Serebrenik, A., & Zannone, N. (2024, August). ‘Protect and Fight Back’: A Case Study on User Motivations to Report Phishing Emails. In European Symposium on Usable Security. ACM Press. PDF.
- Burda, P., Kokkini, M. E., Allodi, L., & Zannone, N. (2024, July). The (Relative) Impact of Email Cues on the Perceived Threat of Phishing Attacks: A User Perspective on Phishing Deceptiveness. In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 67-84). IEEE. Publisher link.
- Rosso, M., Allodi, L., Zambon, E., & den Hartog, J. (2024, July). A Methodology to Measure the “Cost” of CPS Attacks: Not all CPS Networks are Created Equal. In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 112-129). IEEE. Publisher link.
- Kempinski, S., Sciancalepore, S., Zambon, E., & Allodi, L. (2024, July). Attacking Operational Technology Without Specialized Knowledge: The Unspecialized OT Threat Actor Profile. In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 146-159). IEEE. Publisher link.
- Burda, P., Altawekji, A. M., Allodi, L., & Zannone, N. (2023, July). The Peculiar Case of Tailored Phishing against SMEs: Detection and Collective Defense Mechanisms at a Small IT Company. In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 232-243). Publisher link.
- Campobasso, M., Rădulescu, R., Brons, S., & Allodi, L. (2023). You can tell a cybercriminal by the company they keep: A framework to infer the relevance of underground communities to the threat landscape. Presented at the 22nd Workshop on Economics of Information Security (WEIS 2023). Preprint PDF.
- Kersten, L., Mulders, T., Zambon, E., Snijders, C., & Allodi, L. (2023). ‘Give Me Structure’: Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center. In Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023) (pp. 97-111). PDF.
- Campobasso, M. and Allodi, L. (2023), Know Your Cybercriminal: Evaluating Attacker Preferences by Measuring Profile Sales on an Active, Leading Criminal Market for User Impersonation at Scale. In Proceedings of USENIX Security 2023. Preprint.
- Marin, I. and Burda, P. and Zannone, N. and Allodi, L. (2023), The Influence of Human Factors on the Intention to Report Phishing Emails. In Proceedings of the 2023 ACM CHI Conference on Human Factors in Computing Systems. Preprint.
- Campobasso, Michele, and Luca Allodi. THREAT/crawl: a Trainable, Highly-Reusable, and Extensible Automated Method and Tool to Crawl Criminal Underground Forums. In Proceedings of APWG eCrime (2022). Preprint.
- Zangrandi, L. M., Van Ede, T., Booij, T., Sciancalepore, S., Allodi, L., & Continella, A. (2022, December). Stepping out of the MUD: Contextual threat information for IoT devices with manufacturer-provided behaviour profiles. In 38th Annual Computer Security Applications Conference, ACSAC 2022 (pp. 467-480). Preprint (ext).
- Meijer, M., Petrucci, G. T., Schotsman, M., Morgese, L., van Ede, T., Continella, A., … & Sciancalepore, S. (2022, October). Federated Lab (FedLab): An Open-source Distributed Platform for Internet of Things (IoT) Research and Experimentation. In IEEE World Forum on IoT. Preprint (ext).
- Kersten, L., Burda, P., Allodi, L., & Zannone, N. (2022, June). Investigating the Effect of Phishing Believability on Phishing Reporting. In 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 117-128). IEEE. Publisher.
- Tommasini, M., Rosso, M., Zambon, E., Allodi, L., & den Hartog, J. (2022, June). Characterizing Building Automation System Attacks and Attackers. In 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 139-149). IEEE. Publisher.
- Pavlo Burda, Luca Allodi, Nicola Zannone. Dissecting Social Engineering Attacks Through the Lenses of Cognition. Proceedings of the EuroS&P 2021 3rd Workshop on Attackers and Cybercrime Operations (WACCO 2021). Pre-print.
- Yoram Meijaard, Peter-Paul Meiler, Luca Allodi. Modelling Disruptive APTs Targeting Critical Infrastructure using Military Theory. Proceedings of the EuroS&P 2021 3rd Workshop on Attackers and Cybercrime Operations (WACCO 2021).
- Bram van Dooremaal, Pavlo Burda, Luca Allodi, and Nicola Zannone. 2021. Combining Text and Visual Features to Improve the Identification of Cloned Webpages for Early Phishing Detection. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). DOI: https://doi.org/10.1145/3465481.3470112
- Simone Pirocca, Luca Allodi, Nicola Zannone. A Toolkit for Security Awareness Training Against Targeted Phishing. In Proceedings of the 2020 International Conference on Information Systems Security (ICISS 2020). Publisher link, Preprint.
- Martin Rosso, Michele Campobasso, Ganduulga Gankhuyag, Luca Allodi. SAIBERSOC: Synthetic Attack Injection to Benchmark and Evaluate the Performance of Security Operation Centers. In Proceedings of ACSAC 2020. (acc. rate 23%) Distinguished Paper with Artifacts Award. Preprint.
- Michele Campobasso, Luca Allodi. Impersonation-as-a-Service: Characterizing the Emerging Criminal Infrastructure for User Impersonation at Scale. In Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS 2020). (acc. rate 17%) Preprint.
- Pavlo Burda, Luca Allodi, Nicola Zannone. Don’t Forget the Human: a Crowdsourced Approach to Automate Response and Containment Against Spear Phishing Attacks. In Proceedings of EuroSP WACCO 2020. Proceedings version.
- Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi, Jelena Mirkovic. An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). Publisher version.
- Pavlo Burda, Tzouliano Chotza, Luca Allodi, Nicola Zannone. Testing the effectiveness of tailored phishing techniques in industry and academia: a field experiment. In Proceedings of ARES 2020. Preprint.
- Amber van der Heijden, Luca Allodi. Cognitive Triaging of Phishing Attacks. In Proceedings of Usenix Security 2019 (Acc. rate 16%). Preprint.
- Luca Allodi, Tzouliano Chotza, Ekaterina Panina, and Nicola Zannone. On the need for new anti-phishing measures against spear phishing attacks. IEEE Security & Privacy, 18(2), 23-34 (2019). Preprint.
- Pavlo Burda, Cohen Boot, Luca Allodi. Characterizing the Redundancy of DarkWeb .onion Services. In Proceedings of the 2019 International Conference on Availability, Reliability, and Security (ARES). Proceedings version.
- Donatello Luna, Luca Allodi, and Marco Cremonini. Productivity and patterns of activity in bug bounty programs: Analysis of hackerone and google vulnerability research. In Proceedings of the 2019 International Conference on Availability, Reliability and Security (ARES).
- Michele Campobasso, Pavlo Burda, Luca Allodi. CARONTE: Crawling Adversarial Resources Over Non-Trusted, High-Profile Environments. In Proceedings of the 2019 IEEE EuroS&P Workshop on Attackers and Cyber-Crime Operations. Preprint.
- Laura Genga, Luca Allodi, Nicola Zannone. Unveiling Systematic Biases in Decisional Processes. An Application to Discrimination Discovery. In Proceedings of ASIACCS 2019. PDF.
- Roland van Rijswijk-Deij, Gijs Rijnders, Matthijs Bomhoff, Luca Allodi. Privacy-Conscious Threat Intelligence Using DNSBLOOM. 2019 IFIP/IEEE International Symposium on Integrated Network Management (IM 2019). Link to open access paper.
- Luca Allodi. Underground Economics for Vulnerability Risk. Usenix ;login: (2018), Vol 43, no. 1. Link to publisher. Preprint.
- Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. The effect of security education and expertise on security assessments: the case of software vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint.
- Jukka Ruohonen, Luca Allodi. A bug bounty perspective on the disclosure of web vulnerabilities. Presented at WEIS 2018, Innsbruck, AT. Preprint.
- Tho Le, Roland van Rijswijk-Deij, Luca Allodi and Nicola Zannone. Economic Incentives on DNSSEC Deployment: Time to Move from Quantity to Quality. Proceedings of the 16th IEEE/IFIP Network Operations and Management Symposium (NOMS 2018). Preprint.
- Luca Allodi and Sandro Etalle. 2017. Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions. In Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense (SafeConfig ‘17). ACM, New York, NY, USA, 23-26. DOI: https://doi.org/10.1145/3140368.3140372 Preprint.
- Luca Allodi. 2017. Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ‘17). ACM, New York, NY, USA, 1483-1499. DOI: https://doi.org/10.1145/3133956.3133960 (Acc. rate 18%). Preprint.
- Luca Allodi, Fabio Massacci. Attack potential in Impact and Complexity. In the Proceedings of ARES 2017. Preprint.
- Allodi, L., Biagioni, S., Crispo, B., Labunets, K., Massacci, F., & Santos, W. (2017, November). Estimating the Assessment Difficulty of CVSS Environmental Metrics: An Experiment. In International Conference on Future Data and Security Engineering (pp. 23-39). Springer, Cham.
- Luca Allodi, Fabio Massacci, Julian Williams. The Work-Averse Cyber Attacker Model. Evidence from two million attack signatures. Presented at WEIS 2017. SSRN version.
- Luca Allodi, Fabio Massacci. The Work-Averse Attacker Model. In the Proceedings of the 2015 European Conference on Information Systems (ECIS 2015). PDF.
- Luca Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. To be published by Springer by March 2015. PDF.
- Luca Allodi, Luca Chiodi, Marco Cremonini. Self-Organizing Techniques for Knowledge Diffusion in Dynamic Social Networks. In Proceedings of the 5th Workshop on Complex Networks. CompleNET 2014. PDF.
- Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract). Research proposal, in Proceedings of Usenix LEET 2013. PDF.
- Luca Allodi, Vadim Kotov, Fabio Massacci. MalwareLab: Experimentation with Cybercrime Attack Tools. In Proceedings of Usenix CSET 2013. PDF.
- Luca Allodi, Fabio Massacci. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013. Slides | White paper to come too (end of Aug)
- Luca Allodi, Fabio Massacci. Analysis of exploits in the wild. Or: do Cybersecurity Standards Make Sense? Poster at IEEE Symposium on Security & Privacy 2013. PDF.
- Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. PDF.
- Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. Proceedings of IEEE/ASE 2012 Cyber Security Conference. PDF. Conference acceptance rate: 9%. Complementary publication in ASE Journal, 2012, Vol. 2. Journal acceptance rate: 3%. Best paper award.
- Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. PDF.
- Luca Allodi, Fabio Massacci, Woohyun Shim. Crime pays if you are just an average hacker. Accepted Poster at GameSec 2012.
- Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. link [PDF].
- Luca Allodi, Marco Cremonini, Luca Chiodi. The asymmetric diffusion of trust between communities: Simulations in dynamic social networks. Proceedings of the 2011 Winter Simulation Conference. June 13, 2011. Finalist “Best Theoretical Paper Award Wintersim 2011”. link.
- Luca Allodi, Marco Cremonini, Luca Chiodi. Modifying Trust Dynamics through Cooperation and Defection in Evolving Social Networks. Springer LNCS 6740, pp. 131-145, 2011. link.