Editors: Javier Lopez, Fabio Martinelli and Pierangela Samarati
Cyber-security and privacy are very active areas of research, and experts in this field are in growing demand by companies. Research in this area is highly relevant in today’s world - many aspects of our daily life depend on ICT - from mobile phones (more than one billion devices currently have the same operating system), computers in offices and programmable machines in factories, and intelligent surveillance cameras contributing to our safety (and infringing on our privacy). The pervasiveness of ICT increases the potential attack surface available to attackers, expanding the opportunities and potential for damage. Both the number of attackers and motivations for attacks are on the increase, indicating that cyber-security attacks can be a prosperous business.
Cyber-security is a long-standing research topic with many success stories represented in the literature and in the industry standards and products. Yet, cyber-attacks are increasing and their impacts becoming increasingly significant. There is no doubt that this is related to the expansion of the role of ICT and the fact that threats evolve along with technology.
Cyber-attacks receive regular media coverage, thus raising awareness and concern about the issue within society. The protection of personal information is also a key concern. Many consider this to be a lost battle already, since most of our everyday life can be monitored by private companies (in addition to states). It should not be necessary, however, to forgo one’s privacy in order to enjoy technology. Work is needed to enable users to benefit from technological advances without compromising on privacy. Technological solutions should be developed to empower users with full control over their own data as well as to provide technological support to assist in regulating the protection of data.
This document identifies research areas that could provide significant contributions to reduce cyber-insecurity and where ERCIM Institutions have significant research and innovation capabilities able to drive cooperative research efforts in the field. The following areas were identified: system security; security engineering; security operation management; data protection; security and big data; access control; quantitative aspects of security; practical and usable security; cryptography; trust management systems; digital freedom; network security.
In particular, we make the following recommendations for research activities in cyber security and privacy:
- Research activities are necessary in the area of system security in particular related to malware detection and protection as well as to security and privacy aspects of social networks.
- Another relevant area for security is related to the secure engineering processes and methodologies. Significant emphasis should be placed on the *-by-design aspects (where * stands for security, privacy, trust, etc).
- In addition, attention should be devoted to operational security. In particular, it is important to improve the qualification of the personnel, applied methods for cyber attack detection and response, and sharing the gained information and experience in public/private partnerships.
- More research is needed to ensure proper protection of data controlled by a third party (social network, cloud provider, outsourcer, etc.) during transmission, processing or storage.
- Big data analysis also imposes novel challenges on security research. On the one hand, the analysis itself should be secure and privacy-aware, on the other, the analysis can be used to improve security of systems and services.
- A distributed world requires efficient adaptation of well-known technologies such as access control. Access control models should become more flexible, rely less on dynamic identities, and use advance solutions for efficient key management.
- Research activities are required to develop more precise measuring in cyber security. These measurements should be reliable and realistic, supporting decision-makers at different levels: from low level technical personnel setting specific security controls properly to high level managers considering risk mitigation strategies for the whole system.
- Research is also needed to improve the usability of security by understanding the behaviour of users and developing controls which are easy to apply. User-centric research should also reduce social engineering attacks.
- Cryptography is another high profile area, which is still of paramount importance. It is important that we pay attention not only to the most advanced directions, i.e., post-quantum cryptography, but also to the correct and trustable implementation of classical methods.
- Research activities are also needed to adapt and enhance trust management. The activities should consider establishing trust in a dynamic environment, where identities may be unknown, only few anchors of trust exist, and different trust models should interact.
- More research is required into enforcing the digital rights of individuals: protecting their privacy; empowering users in the management of their own data; balancing user identification and anonym usage and similar issues.
- Research is required into better protection of established networks, by protection of internal communications, secure interaction with other networks, and ensuring vulnerability-free design.
We also considered the following more general concerns :
- The technical and legal aspects of security are interdependent, and collaboration between researchers and practitioners of both areas should be established from the outset of any project.
- Reporting of cyber incidents should be made easier, since such events may impact the well-being of citizens. Such reports should be obligatory and provide enough information for a thorough analysis of causes and consequences.
- Last but not least, activities are required into raising public awareness of all aspects of cyber-security and privacy.
In accordance with the initial appointment of the ERCIM BoD, the white paper was put together based on the outcomes of expert group workshops and consensus building. Thus, we planned the focus expert group workshop on 9 September 2014, prior to the ERCIM STM WG meeting (10-11 September 2014) in Wroclaw, in cooperation with the 19th European Symposium on Research in Computer Security (ESORICS). Before the workshop, members of the expert group supplied short position statements. Based on the position statements and the follow-up discussion, a set of relevant technological areas were identified, together with application domains and other non-technical issues. The initial findings of the expert group were presented during the ERCIM STM workshop, where we received additional feedback on the research challenges to be addressed. Follow-up meetings were carried out via teleconference between the expert group members. The white paper was then collaboratively prepared by the expert group members (about 30, with an even split between research and industry expertise).
The White Paper is available for download at
Fabio Martinelli, IIT-CNR, Italy
Tel: +39 050 3153425
ERCIM launched an initiative to identify emerging grand challenges and strategic research topics in Information and Communication Science and Technology (ICST).
In 2014, two initial Task Groups were formed to investigate topics related to “Big Data Analaytics” and “Cyber-Security and Privacy”respectively. Further topics are currently being identified. The groups were composed of researchers representing a broad cross-section of interests, affiliations, seniority, and geography. Their results are published in two White Papers, which are briefly presented in the following two articles.
The full version of both White Papers is available for download from
the ERCIM web site at http://www.ercim.eu/publications/strategic-reports