STAST

It is no longer to be disputed that security and trust are inherently interdisciplinary, both if looked at as problems to solve or as properties to enforce. If we consider them as problems, then we must keep a broad eye at how the technical system intertwines with their users, whose paths of practice could be driven by a plethora of factors. Some come from society, its social, psychological, ethical and legal inputs, others come from the individual features, and all intertwine shaping up the persona that each individual exhibits in front of a specific piece of technology at a specific occasion.

Even looking at security and trust as properties at the abstract level, perhaps separately from a socio-technical system that might benefit from them, they must be reviewed to account for the human factor. For example, secrecy in traditional (technological) terms will not stand blatant human behaviour that shares passwords. The "law" comes into play here, for example with the article 32 (1) of the General Data Protection Regulation (EU Regulation 679/2016) calling for "appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

And it is then the turn of the ISO/OSI 27000 series standards, stating more specific measures and how to conduct security risk assessment. The human factor reiterates here. Even a security risk assessment exercise ought to be specifically tailored to threats that manifest that human factor. For example, the risk of password sharing or reuse over different platforms cannot be assessed by any clever methodology without due consideration of how humans approach this particular technological item. So, we are, once more this year, advocating a socio-technical approach to establishing security and trust --- at any rate, at any level. And we are confident that (also) this year's programme goes straight in this direction.