Cybersecurity, AI and the Questions That Matter

CISPA and UCT: Putting the MoU into practice

Researchers from CISPA Helmholtz Center for Information Security visited the University of Cape Town (UCT) in February 2026 for a two-day programme of lectures, faculty meetings, and research exchange, capped by a three-day summer school that drew nearly 40 postgraduate students and early-career researchers from around the world.

The visit was not the beginning of the UCT-CISPA relationship; it was the first major milestone in one that had already been carefully built. In September 2025, UCT and CISPA researchers met at CISPA's main site in Saarbrücken for a Knowledge Exchange Workshop, bringing together cybersecurity researchers from UCT and the University of the Witwatersrand (WITS) for three days of presentations, breakout sessions, and research discussions. That workshop, supported by the EU Horizon Europe-funded SEADE Twinning Programme, led directly to the signing of a Memorandum of Understanding (MoU) between CISPA and UCT in October 2025.

The February visit was the MoU coming to life. Over two days, 12 and 13 February, the CISPA delegation met with UCT's School of IT, the Cybersecurity Capacity Centre for Southern Africa (C3SA) and the UCT AI Initiative. Three public-facing events anchored the programme: a guest lecture for Information Systems Honours students, public talks for the wider UCT community, and the summer school itself.

The Visiting Team

The CISPA delegation brought together faculty whose work spans mobile security, usable privacy, human-centred AI, and the social dimensions of cybersecurity. Alongside the three researchers who delivered public-facing talks, Faith Blakemore, CISPA's Head of International Affairs and Science Relations, presented CISPA's Africa strategy, and Dr Lea Schönherr, who is CISPA's South Africa faculty champion, gave an overview of CISPA's research mission.

What They Talked About

Should you trust that permission pop-up?

Dr Sven Bugiel's lecture for Information Systems Honours students on 12 February 2026 took a critical look at something most smartphone users encounter daily: the permission request. For over a decade, mobile operating systems have asked users to decide, in real time, whether to grant apps access to their location, camera, contacts, and more. The web platform has recently adopted the same approach for sensitive hardware access.

The research is not flattering to this model. Studies consistently show that users experience decision fatigue, develop habits that bypass genuine consideration, and often have inaccurate mental models of what permissions actually allow. Dr Bugiel presented recent empirical work on "rationale messages", the short explanations apps can show before a permission prompt, and asked whether better framing actually improves decision-making, or whether it just adds to the noise users are already drowning in.

Security advice that makes things worse

In one of the public talks on Friday, 13 February 2026, Dr Jonas Hielscher examined a problem that gets less attention than it deserves: bad security advice. Not all guidance from security experts and authorities is helpful, usable, or even grounded in evidence. Some of it actively contributes to anxiety and riskier behaviour.

Hielscher drew on findings from a 12-country study with 12 000 participants, including 1 000 from South Africa, to map how security misconceptions spread, why they persist, and what the consequences are when users act on them. The South African data point was a reminder that this is not a distant, abstract problem.

When AI built for good causes harm

Dr Krikamol Muandet's public talk addressed a tension at the heart of applied AI development: the gap between what an AI system is designed to do and what it actually does when deployed in a complex, high-stakes environment. Well-intentioned AI systems can produce unintended harm when they encounter data limitations, misaligned incentives, or uncertainty the system was never designed to handle.

Rather than offering easy fixes, Muandet argued for a more honest starting point: one that is epistemically humble about what AI can know, attentive to the mechanisms through which interventions play out, and clear about where human accountability must remain.

Cybersecurity for Schools: A Day of Outreach

Running alongside the institutional programme on 13 February, C3SA hosted a full-day Colloquium on Cybersecurity for Schools at the All-Africa House Conference Room on UCT's middle campus. Organised by Prof Wallace Chigona, the colloquium brought together the CISPA CySec Lab, C3SA, education authorities, and educators, alongside researchers from Limpopo University, NMU, and WITS. The event reflected a commitment to extending the reach of the visit beyond the university and into schools and broader educational communities.

The Summer School

Running across three intensive days from 16 to 18 February 2026, the CISPA-UCT Summer School brought together nearly 40 postgraduate students and early-career researchers from around the world at the Thathu Lab in the Leslie Social Building. It was the first summer school CISPA has organised with UCT as a partner institution and covered four core themes: security risks in AI, privacy-preserving systems, trust in generative AI, and web tracking.

Dr Schönherr and Dr Wouter Lueks served as scientific leads for the programme. The CISPA CySec Lab, run by Ms Andrea Rufing, handled the bulk of the organising, working closely with Zainab Ruhwanya from UCT's School of IT and C3SA on the ground. The result was a programme designed not just for knowledge transfer, but for genuine collaboration, one where new research ideas and working relationships could form across institutional and national boundaries.

Two Days of Institutional Exchange

Beyond the public events, the two-day programme moved from institutional introductions to focused research exchange. Departments across the School of IT, Information Systems, and Computer Science presented alongside CISPA's Africa strategy overview, while the afternoon of the first day brought in research centres including CITANDA, CAIR, C3SA, and the African Hub on AI Safety, Peace and Security. The second day centred on reciprocal research presentations, closing with a roundtable led by Deputy Vice-Chancellor for Research and Internationalisation, Prof Thokozani Majozi, on future collaboration, funding pathways, and exchange opportunities.

Prof Majozi framed the discussions around sustainability, impact, and long-term strategic alignment. He challenged both institutions to define what success would look like, emphasising the need for a clear funding model, defined institutional commitments, robust intellectual property provisions, and measurable outcomes. Longer-term ambitions discussed included the potential establishment of a Chair in Cyber Security. As Prof Majozi put it: "Any agreement flowing from the MoU should therefore be grounded in principles of comparability, equity, and measurability to ensure mutual benefit and accountability."

The February visit was the first major in-person event on UCT's campus since the MoU was signed, but it will not be the last. Both sides have already committed to ongoing research collaboration, student exchange, and joint events — with the shared ambition of building a partnership that is not a short-lived initiative, but part of a longer-term strategic vision.