CMM Ambassador

A/Prof. Atif Ahmad

Dimensions 1 and 3

Atif is an Associate Professor at the School of Computing & Information Systems, University of Melbourne. He serves as Deputy Director for the Academic Centre of Cyber Security Excellence and leads a unique team of Cybersecurity Management researchers drawn from information systems, business administration, security intelligence, and information warfare.

Atif’s research looks at how organisations protect their information resources. He has published extensively in cybersecurity risk and strategy, incident response and crisis management, policy and training. Atif has published over 90 scholarly articles in cybersecurity, a number of which have been featured in high-quality, high-impact journals such as the Journal of the Association for Information Science and Technology, Computers & Security and the International Journal of Information Management, and leading conferences such as the International Conference on Information Systems.

Atif has been awarded grants in excess of AUD$4M from the Australian Research Council, the Australian Department of Education, Skills and Employment, the Oceania Cyber Security Centre, and various industry partners. Atif is an Associate Editor for the leading IT security journal, Computers & Security, as well as the Journal of Information Warfare. He has previously served as a cybersecurity consultant for WorleyParsons, Pinkerton and SinclairKnightMerz. He is a Certified Protection Professional with the American Society for Industrial Security.

D1 Cybersecurity Policy and Strategy CV

Atif’s research and practice experience in developing cybersecurity strategy and policy spans over two decades. His strategy research looks at how organizations develop situation awareness of the threat environment and learn from their past experiences in incident response to improve their defensive posture.

Work in Practice

Atif has led a large-scale cybersecurity review of Melbourne’s power infrastructure involving mapping cyber-physical infrastructures, assessing the risk of worst-case scenario cyber-attacks and security countermeasures for risk mitigation. He has conducted in-depth reviews of cybersecurity policies and practices of leading firms such as Verisign Corporation and the International Corporation for Assigned Names and Numbers (ICANN).

Atif’s most recent research has looked at the incident response capability of leading multi-national firms in the finance and telecommunications sectors.

Dimension 1 Journal Publications

  • Ahmad, A., Webb, J., Desouza, K.C., and Boorman, J. (2019). “Strategically-Motivated Advanced Persistent Threat: Definition, Process, Tactics and a Disinformation Model of Counterattack,” Computers & Security. Vol 86, pp. 402-418. [Top 25% ‘A’ ranked journal, Impact Factor 3.58]. Pre-print public version and the official publication on ScienceDirect.

    Abstract: “Advanced persistent threat (APT) is widely acknowledged to be the most sophisticated and potent class of security threat. APT refers to knowledgeable human attackers that are organized, highly sophisticated and motivated to achieve their objectives against a targeted organization(s) over a prolonged period.

    Strategically-motivated APTs or S-APTs are distinct in that they draw their objectives from the broader strategic agenda of third parties such as criminal syndicates, nation-states, and rival corporations. In this paper we review the use of the term “advanced persistent threat,” and present a formal definition. We then draw on military science, the science of organized conflict, for a theoretical basis to develop a rigorous and holistic model of the stages of an APT operation which we subsequently use to explain how S-APTs execute their strategically motivated operations using tactics, techniques and procedures.

    Finally, we present a general disinformation model, derived from situation awareness theory, and explain how disinformation can be used to attack the situation awareness and decision making of not only S-APT operators, but also the entities that back them.”

  • Desouza, K. C., Ahmad, A., Naseer, H., & Sharma, M. (2020). Weaponizing Information Systems for Political Disruption: The Actor, Lever, Effects, and Response Taxonomy (ALERT). Computers & Security. Vol 88. (pp. 1-15). [Top 25% ‘A’ ranked journal, Impact Factor 3.58].

  • Ahmad, A., Maynard, S.B., & Shanks, G. (2015). A Case Analysis of Information Systems and Security Incident Responses. International Journal of Information Management. 35(6), (pp. 717-723). [Top 8% ‘A*’ journal, Impact Factor 8.21].

D3 Cyber Education, Training and Skills CV & Experience in Practice

Atif has unique expertise and experience in developing innovative education and training materials for cybersecurity. This ranges from writing fictional case studies that describe organizations with cybersecurity challenges, to running workshops and tutorials aimed at generating intellectual excitement and reflective learning on cybersecurity management, to producing short films aimed at training industry executives. Atif has published a number of scholarly articles on cybersecurity teaching and training techniques.

Dimension 3 Journal Publications

  • Alshaikh, M., Naseer, H., Ahmad, A., & Maynard, S. (2019). Toward Sustainable Behaviour Change: An Approach for Cyber Security Education Training and Awareness. Paper presented at the European Conference on Information Systems, Stockholm & Uppsala, Sweden, (pp. 1-14).

    Abstract: “Effective information security education, training and awareness (SETA) is essential for protecting organisational information resources. Whilst most organisations invest significantly in implementing SETA programs, the number of incidents resulting from employee noncompliance with security policy are increasing. This trend may indicate that many current SETA programs are not as effective as they should be. We argue that existing SETA programs are not optimal in changing employee behaviour to comply with security policy as they lack a theoretical base that can inform and guide the development of SETA programs. This study draws on knowledge from the medical domain on the use of theory to design an intervention to bring about sustainable behaviour change. The paper therefore adopts an intervention design process, based on the behaviour change wheel (BCW) framework, to develop a theory-informed SETA development process. The paper demonstrates the use of BCW in the analysis of the target behaviour and the selection of suitable strategies and techniques to change the target behaviour. The proposed SETA development process provides a sound basis for future empirical work including focus groups and action research.”

  • Alshaikh, M., Maynard, S. B., Ahmad, A., & Chang, S. (2018, Jan). An Exploratory Study of Current Information Security Training and Awareness Practices in Organizations. Paper presented at the Hawaiian Conference on Information Systems (HICSS), (pp. 1-10).

  • Ahmad, A., & Maynard, S.B. (2014). Teaching Information Security Management: Reflections and Experiences, Information Management & Computer Security. 22(5), (pp. 513-536).

For more professional and academic information on Atif, please visit www.atifahmad.me