Bio
Katja Tuma (PhD, 2021) is an Assistant Professor at Eindhoven University of Technology within the SET cluster. She obtained her Ph.D. in Computer Science and Engineering from the University of Gothenburg. She is co-founder and coordinator of Hack4Her, the national women-focused hackathon, co-founder and coordinator of the national working group on AI for security and security for AI, and co-organizer of the international workshop DeMeSSAI. Her research is at the intersection of software engineering, security and AI, and risk analysis.
From 2021 to 2025 she was Assistant Professor in the Foundational and Experimental Security research group within the Department of Computer Science at Vrije Universiteit Amsterdam, an active member of EUGAIN (WG3: From Ph.D. to Professor), and diversity officer for the CSE department at the VU.
Research
I am passionate about building and evaluating methods for analyzing security threats and vulnerabilities in software systems. I like to work on solving practical problems with direct impact. I particularly focus on:
- Security4AI and AI4Security. Investigating how to secure AI, and how AI can be used safely for security risk management and secure software development.
- Empirical methods for security. Evidence-based research is my passion. In my research I design and conduct controlled experiments, industrial case studies and studies involving human participants.
- Measuring human aspects. We are building secure software for people. In my research I also study which human factors (e.g., risk perception, gender bias) play a deciding role in the technical security domain.
Are you interested in doing a thesis with me? Check the topics in the TU/e Master assignments repository. You can find more example thesis topics here!
Awards & Impact
- Won the 4TU.NIRICT fund to lift the Hack4Her hackathon to a truly national event from 2026 onwards by bringing it to the TU/e campus and opening participation and volunteering to 4TU students and staff.
- Best Reviewer Award at the International Conference on Evaluation and Assessment in Software Engineering (EASE).
- The Amsterdam Young Academy (AYA) Award in the category for societal impact.
Students
At TU/e, I am the advisor of Gloria Isedu, who is working on Evaluation of Threat Assessment using AI.
At the VU, I advise and work closely with Winnie Mbaka, Francesco Minna, Emanuele Mezzi, Aurora Papotti, and Sarah van Garwen.
I served on the grading committee for the PhD defense of Engla Rencelj Ling on the topic of Cyber Security Threat Modeling of Power Grid Substation Automation Systems, supervised by Mathias Ekstedt at KTH, Stockholm, Sweden.
Projects
Active
- Co-PI and leader of one of the two scientific work packages (WPs) in the National Growth Fund NWO NXT GEN Hightech project ECHoFAIR.
- Co-PI in the Horizon2022 Sec4AI4Sec project.
- Co-PI in the NWO-KIC HEWSTI project.
Past
Talks
- October 2024, invited speaker at Alice&Eve 2024 in Leiden.
- October 2023, research talk at the Annual Meeting of the Society for Risk Analysis in Benelux in Brussels, Belgium.
- September 2023, research talk at the Institute for Programming research and Algorithmics (IPA) Fall Days in Zeewolde, the Netherlands.
- December 2022, research talk at the Annual Meeting of the Society for Risk Analysis in Tampa, Florida, US (see video).
- November 2021, invited talk at a research seminar organised by DIGISEC at the Technical University of Denmark (DTU).
- October 2021, invited talk at a research seminar organised by the RGSE group at the University of Koblenz-Landau.
- September 2021, speaker at the Aurora Research Conference on the Digital Society and Global Citizenship (watch video).
Selected publications
Articles
For a more up-to-date list, check my Google Scholar profile.
- F. Minna, F. Massacci, K. Tuma, Analyzing and mitigating (with LLMs) the security misconfigurations of Helm charts from Artifact Hub, in Empirical Software Engineering
- E. Mezzi, A. Papotti, F. Massacci, K. Tuma, Risks of ignoring uncertainty propagation in AI-augmented security pipelines, in Risk Analysis
- K. Tuma and M. Widman, Seven pain points of threat analysis & risk assessment in the automotive domain (IEEE), in IEEE Security & Privacy Magazine
- K. Tuma, S. Peldszus, R. Scandariato, J. Jürjens, Checking Security Compliance between Models and Code (PDF), in Journal on Software and Systems Modeling (SoSyM)
- K. Tuma, C. Sandberg, U. Thorsson, M. Widman, T. Herpel, R. Scandariato, Finding Security Threats That Matter: Two Industrial Case Studies (PDF), in Journal of Systems and Software (JSS)
- Á. Milánkovich, K. Tuma, Delta Security Certification for Software Supply Chains, in IEEE Security & Privacy Magazine
Conference papers
- E. Mezzi, F. Massacci, K. Tuma, Large Language Models Are Unreliable for Cyber Threat Intelligence, in International Conference on Availability, Reliability and Security (ARES)
- W. Mbaka and K. Tuma, Role of Gender in the Evaluation of Security Decisions, in IEEE Security & Privacy
- A. Palheiros da Silva, W. Mbaka, J. Mayer, J. W. Bullee, K. Tuma, Does trainer gender make a difference when delivering phishing training? A new experimental design to capture bias, in International Conference on Evaluation and Assessment in Software Engineering (EASE)
- F. Minna, F. Massacci, K. Tuma, Analyzing and Mitigating (with LLMs) the Security Misconfigurations of Helm Charts from Artifact Hub: Registered Report, in International Symposium on Empirical Software Engineering and Measurement (ESEM)
- F. Minna, F. Massacci, K. Tuma, Towards a Security Stress-Test for Cloud Configurations, in International Conference on Cloud Computing (CLOUD)
- K. Tuma, L. Sion, R. Scandariato, K. Yskout, Automating the Early Detection of Security Design Flaws (PDF), in International Conference on Model Driven Engineering Languages and Systems (MODELS)
- K. Tuma, M. Balliu, R. Scandariato, Flaws in flows: Unveiling design flaws via information flow analysis (PDF), in International Conference on Software Architecture (ICSA)
Dissertation
- K. Tuma, Efficiency and Automation in Threat Analysis of Software Systems (PDF), Department of Computer Science and Engineering, University of Gothenburg, defended in January 2021
Teaching
Course design and teaching
- Software Threat Analysis: Build-It-Break-It-Fix-It, offered in the MSc Computer Science at TU/e
- Data Structures and Algorithms for AI, a BSc course with 300 students, taught at the VU
- Software Threat Analysis: Build-It-Break-It-Fix-It, taught in the MSc Computer Security at the VU
Co-teaching:
- Security Experiments and Measures, MSc Computer Security
- Guest lecture in the M.Sc course Software Oriented Design (405061) coordinated and taught by at the Software and Sustainability (S2) research group.
- Co-creation, coordination and assistance in teaching the B.Sc flipped-classroom course Mathematical Foundations of Software Engineering (DIT022).
Service
Organizer
- Co-founder and organizer of the ACCSS working group on Security & AI
- Co-organizer of the 2026 SEN symposium
- Co-chair of the new Euromicro SEAA 2026 conference track: EXTRA - Explainable and Trustworthy Applications
- Co-organizer of the 5th International Workshop on Designing and Measuring Security in Software with AI (DeMeSSAI 2026), co-located with EuroS&P 2026
- Co-organizer of the 4th International Workshop on Designing and Measuring Security in Software with AI (DeMeSSAI 2025), co-located with EuroS&P 2025
- Co-organizer of the International Workshop on Designing and Measuring Security in Software Architecture (DeMeSSA 2023)
- Co-organizer of the International Workshop on Designing and Measuring Security in Software Architecture (DeMeSSA 2022)
Reviewer
- Information and Software Technology journal (IST)
- Empirical Software Engineering journal (EMSE)
- Journal of Systems and Software (JSS)
- International Journal on Software and Systems Modeling (SoSyM)
- Computers and Security (COSE)
- Software Quality Journal
- IEEE Transactions on Vehicular Technology
PC Member
- International Conference on AI Engineering – Software Engineering for AI (CAIN) @ ICSE
- International Conference on Evaluation and Assessment in Software Engineering (EASE)
- International Conference on the Foundations of Software Engineering (FSE) Industry, Demo Track
- International Conference on Availability, Reliability, and Security (ARES)
- International Conference on Model Driven Engineering Languages and Systems (MODELS)
- International Workshop on Continuous Software Evaluation and Certification, IWCSEC 2022 at ARES
- ACM Cloud Computing Security Workshop (CCSW'21) in conjunction with CCS'21
- International Workshop on Graphical Models for Security (GraMSec'20)
- International Workshop on Security for and by Model-Driven Engineering (SecureMDE'20)
Shadow PC
- Mining Software Repositories Conference (MSR'21)
Where to find me
My office is in the MetaForum, 5612 AZ Eindhoven, room 6.098.