Research
My research bridges usable security and systems security in healthcare. I investigate how clinicians, engineers, and patients navigate security decisions in clinical environments, how practitioners design and threat-model secure systems, and the structural challenges of vulnerability management at scale. Methods include qualitative fieldwork, experimental design, and large-scale data analysis.
Peer-Reviewed Conference Proceedings
Thompson, R. E., Khalid, H., Fisher, H., Votipka, R., & Votipka, D. “Your imaging may be stone-cold normal, but if they look sick, they’re going to get admitted”: An Investigation of Clinicians’ Perceptions of Impact & Likelihood of Security Failures. Proceedings of the 35th USENIX Security Symposium (USENIX Security ’26). [Acceptance Rate: 14%]
Bottom Line Up Front
Why it matters: Hospital security investments overwhelmingly target data confidentiality, yet the failures clinicians fear most involve patient safety. Nobody had asked the people who actually deliver care what they think the risks are, or whether the defences in place match them.
The big finding: In a survey of 315 clinicians across seven specialties, perceived harm and deployed defences pointed in opposite directions. The security controls hospitals invest most heavily in protect against breaches clinicians rated as least harmful, while the failures clinicians judged most dangerous receive the least systematic protection.
Thompson, R. E., Sweet, H., Dameff, C., Tully, J., & Votipka, D. Beyond Clinical Risk: An Experimental Study of Cybersecurity Informed Consent and Patient Choice for Connected Medical Devices. Proceedings of the 2026 Conference on Human Factors in Computing Systems (CHI ’26).
Bottom Line Up Front
Why it matters: Patients are routinely asked to consent to connected medical devices, implants included, without receiving any information about their cybersecurity risk profile. There was no empirical evidence on whether or how such disclosures would influence patient decisions.
The big finding: In a 2,666-person vignette experiment, trust in the recommending physician overwhelmed every other factor in the decision. Framing risk in terms of physical safety rather than data privacy shifted choices, and initial decisions anchored strongly, resisting subsequent information.
Thompson, R. E., Boshar, L., Vasserman, E. Y., & Votipka, D. Navigating the Patchwork: Investigating the Availability & Consistency of Security Advisories. Proceedings of the 2025 IEEE Secure Development Conference (SecDev ’25).
Bottom Line Up Front
Why it matters: Security advisories are the primary mechanism asset owners use to learn about and prioritise vulnerability remediation. If the advisory ecosystem is fragmented or inconsistent, defenders cannot triage effectively.
The big finding: Fewer than half of 718 ICS vendors published public security advisories. Of those who did, 93% used unstructured formats, and severity scores varied widely across sources for the same vulnerabilities.
Kaur, H.*, Powers, C.*, Thompson, R. E., Fahl, S., & Votipka, D. “Threat modeling is very formal, it’s very technical, and also very hard to do correctly”: Investigating Threat Modeling Practices in Open-Source Software Projects. Proceedings of the 34th USENIX Security Symposium (USENIX Security ’25). (*Co-first authors)
Bottom Line Up Front
Why it matters: The overwhelming majority of modern software depends on open-source components maintained by volunteers and small teams. Despite regulatory and industry pressure to adopt threat modeling, there was no empirical research on how OSS developers approach it.
The big finding: Nearly all 25 developers interviewed relied on informal, ad-hoc approaches. Most lacked the time, expertise, or tooling to conduct systematic threat modeling, and many overestimated what their existing practices achieved.
Thompson, R. E., McLaughlin, M., Powers, C., & Votipka, D. “There are rabbit holes I want to go down that I’m not allowed to go down”: An Investigation of Security Expert Threat Modeling Practices for Medical Devices. Proceedings of the 33rd USENIX Security Symposium (USENIX Security ’24). [Acceptance Rate: 18.3%]
Bottom Line Up Front
Why it matters: FDA regulations require medical device manufacturers to submit threat models as part of premarket submissions, yet nobody had studied how the security experts responsible for this work actually practise threat modeling.
The big finding: Experts do not follow the structured, linear methods prescribed by standards and frameworks. They work fluidly and ad hoc, reason through clinical workflows rather than technical architectures, and treat patient safety as inseparable from device security.
Workshop Papers
Thompson, R. E., McLaughlin, M., Powers, C., & Votipka, D. (2024). An Investigation of Security Expert Threat Modeling Practices for Medical Devices. Proceedings of the 2nd International Workshop on Re-design Industrial Control Systems with Security (RICSS), Co-located with ACM CCS.
Thompson, R. E., Red, M., Zhang, R., Kwon, Y., Dang, L., Pellegrini, C., … & Votipka, D. (2024). The Threat Modeling Naturally Tool: An Interactive Tool Supporting More Natural Flexible and Ad-Hoc Threat Modeling. Proceedings of the Workshop on Security Information Workers (WSIW ’24), Co-located with USENIX SOUPS 2024.
Bottom Line Up Front
Why it matters: Existing threat modeling tools impose rigid, linear workflows that do not match how security architects actually think and work, as observed in our empirical studies.
The big finding: TMNT (the Threat Modeling Naturally Tool) is the first threat modeling tool designed around observed practitioner behaviour rather than prescriptive methodology. It supports modular, non-linear analysis and works with incomplete information, matching the fluid approach experts naturally adopt.
Posters & Abstracts
Thompson, R. E., Boshar, L., Vasserman, E. Y., & Votipka, D. Navigating the Patchwork: Investigating the Availability & Consistency of Security Advisories. Poster presented at the 34th USENIX Security Symposium (USENIX Security ’25).
Thompson, R. E., McLaughlin, M., Powers, C., & Votipka, D. “There are rabbit holes I want to go down that I’m not allowed to go down”: An Investigation of Security Expert Threat Modeling Practices for Medical Devices. Poster presented at the Twenty-First USENIX Symposium on Usable Privacy and Security (SOUPS ’25).