
Page 1: Research on cyber risks in Switzerland

Federal Department of Finance FDF

Federal IT Steering Unit FITSU

NCS Coordination Unit

Research on cyber risks in Switzerland

2017 expert report on identification of the most important research topics


Expert report on identification of the most important research topics

2

Publication: November 2017

Authors: Isabelle Augsburger-Bucheli, Endre Bangerter, Luca Brunoni, Srdjan Capkun, Eoghan Casey, Jacques De Werra, Myriam Dunn Cavelty, Martin Eling, Sébastian Fanti, Solange Ghernaouti, David-Olivier Jaquet-Chiffelle, Markus Kummer, Vincent Lenders, Gustav Lindstrom, Martin Gwerder, Rolf Oppliger, Evelyne Studer, Manuel Suter

Mandate: State Secretariat for Education, Research and Innovation SERI; Federal IT Steering Unit FITSU

Responsible for publication: Federal Department of Finance FDF, Federal IT Steering Unit FITSU, Schwarztorstrasse 59, CH-3003 Bern, Tel +41 (0)58 462 45 38, Email: [email protected]


Contents

1 Introduction 4

2 Mandate, goals, and approach 5

2.1 Context 5

2.1.1 National context: Strategies and political specifications 5

2.1.2 International context: Research agendas of other countries and international organisations 5

2.2 Goals 6

2.3 Approach 6

3 Research topics 7

3.1 Classification of research topics 7

3.2 Research areas 8

3.2.1 Protection of privacy and personal data 8

3.2.2 Security of computer networks 9

3.2.3 Legal framework 10

3.2.4 Prevention and prosecution of cybercrime 11

3.2.5 Incident detection, incident response, digital forensics 12

3.2.6 Management of cyber risks 14

3.2.7 Economics of cybersecurity 15

3.2.8 Security of cyber-physical systems 16

3.2.9 Cybersecurity in international relations 17

3.2.10 Human and social factors in cybersecurity 18

3.3 Focus topics: Especially relevant areas, technologies, and applications 19

3.3.1 Big data 19

3.3.2 Cyber risks and cloud computing 20

3.3.3 Security in fintech 21

4 Conclusion 22


1 Introduction

For governments, public institutions, businesses, and also for the individual citizen, cyber risks long ago ceased to be simply a potential threat. Instead, they have become a reality that gives rise to high costs and diminishes trust in the use of new technologies overall. The spectrum of cyber risks now ranges from the defacement of websites to criminal activities such as phishing and extortion using denial-of-service attacks, and even very targeted espionage attacks and sabotage aimed at governments, critical infrastructures, and businesses.

For universities and other research institutions, the rapid development of cyber risks has made it difficult to focus research activity in a way that improves understanding of the problem. While many universities have recognised the importance of the topic and expanded their research in this field, it must unfortunately still be noted that the necessary specialised knowledge has not yet been generated to a sufficient extent in many areas. This is due not only to the very dynamic developments of cyber risks, but also to the difficulty of doing justice to a strongly interdisciplinary field such as cyber risks. Traditionally, questions relating to cyber risks are primarily investigated in computer science. This technical research continues to be important for understanding the problem, but technical insights about cyber risks alone are not sufficient to do justice to the topic as a whole. It is just as important to understand what economic and political incentives lead to the widespread diffusion of cyber risks, how society can be educated to deal with cyber risks, and what legal steps must be taken to contain the problem.

For university research with its strongly disciplinary approach, dealing with new cross-disciplinary topics is a challenge. For one, there is often a lack of common understanding of the topic; at the same time, research policy still often lacks incentives for interdisciplinary research. For society, the economy, and the state, however, it is of the utmost importance that the available competences in many different disciplines be further expanded and utilised together with the knowledge from other disciplines so that research can make a contribution to the better understanding of cyber risks.

This report aims to make such a contribution. It lists possible research topics that an interdisciplinary group composed of experts from many different Swiss academic institutions believes to be especially relevant. The experts briefly describe each topic and then identify important research areas and possible research questions. This not only aims to show researchers in the various disciplines where potentially interesting research questions relating to cyber risks may be found, but also to enhance a common understanding for relevant interdisciplinary research. Not least of all, the report also aims to give an impetus for research policy to promote specifically interdisciplinary research projects in the field of cyber risks.


2 Mandate, goals, and approach

Before presenting the identified research topics and questions, this chapter explains the context in which this expert report was prepared, what goals it pursues, how it was developed, and what the challenges were in identifying the most important research topics in the field of cyber risks.

2.1 Context

2.1.1 National context: Strategies and political specifications

This report was prepared in the context of the national strategy for the protection of Switzerland against cyber risks (NCS). This strategy attaches great importance to competence building. In sphere of action 1, the strategy defines the following measure:

«New risks in connection with cyber crime are to be researched so that informed decisions can be made at an early stage in the private sector and political and research circles. Research focuses on technological, social, political and economic trends that could affect cyber risks.»

The State Secretariat for Education, Research and Innovation (SERI), jointly with the NCS Coordination Unit, was mandated to implement this measure. Together with other federal offices interested in research on cyber risks, it was first recognised that the most relevant research topics should be identified with the help of experts. This report is the result of that work.

Alongside the NCS, other strategies and programmes of the federal government are also relevant to research in the field of cyber risks.

- Digital Switzerland Strategy of the Federal Council: One of the goals of the Federal Council's strategy is to promote research and education relating to digitalisation. The strategy states, «In order to meet the needs of our digital society and economy [...], there should be a targeted approach to the promotion of new education and training opportunities, university teaching positions and research centres, taking into account division of skills and university autonomy. The objective is to ensure the availability of specific skills in the fields of data analytics, data-driven innovation, artificial intelligence, robotics and the Internet of Things. Research into the consequences and social impact of these technologies shall be considered as part of an assessment of the consequences of technology.»

- National Strategy for Critical Infrastructure Protection: One of the goals of the strategy is to develop scientifically sound foundations for the integral protection of critical infrastructure. As part of the strategy, «technological and environmental developments shall be observed that may lead to new risks.»

2.1.2 International context: Research agendas of other countries and international organisations

Several countries have already published research strategies, programmes, and agendas relating to cyber risks. The following recent examples show what topics other countries regard as especially relevant in the field of cyber risks:

- Germany: «Self-determined and secure in the digital world 2015-2020», research framework programme of the federal government, published January 2016.

- Netherlands: «National Cyber Security Research Agenda II», report of an academic expert group mandated by the government, published 2014.

- United States: «Federal Cybersecurity Research and Development Strategic Plan», National Science and Technology Council, published 2016.

Several projects also exist at the EU level to promote research on cyber risks. The following two projects are especially relevant to identifying research topics:

- European Union Agency for Network and Information Security (ENISA): «Cybersecurity Strategic Research Agenda», published 2015.

- CyberROAD project of the European Commission: a project to list all relevant research relating to cybercrime, ongoing.

2.2 Goals

Building on the NCS mandate and the context described above, this report pursues three goals:

1) Identification of research in the specialist disciplines: The listing of research topics and questions aims to encourage researchers in the specialist disciplines to undertake relevant research projects. The research report aims to serve as an inspiration and motivation for professors, researchers, and students to examine one of the many aspects of cyber risks.

2) Motivation for interdisciplinary research: The listing of research questions in the various disciplines aims to help create a common understanding of the topic of cyber risks and thus to promote interdisciplinary research. Because the report looks at the topic from a variety of perspectives, it helps specialists understand in what other disciplines similar questions are being raised and where interdisciplinary cooperation is possible and useful.

3) Sensitisation of research policy to the topic of cyber risks: Because the topic has a distinctly interdisciplinary character, every discipline must figure out for itself where and why research in this field is relevant. The report attempts to convey an overall view to policymakers in order to illustrate that research on cyber risks requires a broad and, where possible, interdisciplinary approach and that it should be supported accordingly.

Everyone involved is aware that the report can only be a first step toward attaining these goals. But it is important to take that first step in order to achieve more coherence in cyber risk research in Switzerland and to strengthen the network of researchers in the various disciplines.

2.3 Approach

To fulfil the NCS mandate to promote research, an interdepartmental committee was established under the leadership of the State Secretariat for Education, Research and Innovation (SERI) to coordinate research promotion in the field of cyber risks. The committee members quickly realised that experts from many different Swiss academic institutions should be included to identify the most important research topics. A large majority of the approached experts agreed to participate in the project. The expert group consists of the following 16 persons:

- Prof. Isabelle Augsburger-Bucheli, Haute école de gestion Arc, Neuchâtel (HES-SO)

- Prof. Endre Bangerter, Bern University of Applied Sciences

- Luca Brunoni (LL.M / MA), Haute école de gestion Arc, Neuchâtel (HES-SO)

- Prof. Srdjan Capkun, ETH Zurich

- Prof. Eoghan Casey, University of Lausanne

- Prof. Jacques De Werra, University of Geneva

- Dr Myriam Dunn Cavelty, ETH Zurich


- Prof. Martin Eling, University of St. Gallen

- Sébastian Fanti (lawyer), Canton of Valais

- Prof. Solange Ghernaouti, University of Lausanne

- Prof. Martin Gwerder, Fachhochschule Nordwestschweiz

- Prof. David-Olivier Jaquet-Chiffelle, University of Lausanne

- Markus Kummer (diplomat), ICANN Board of Directors

- Dr Gustav Lindstrom, Geneva Centre for Security Policy

- Prof. Rolf Oppliger, University of Zurich

- Evelyne Studer, Master of Laws, University of Geneva

The composition of this expert group took account of the need to include different disciplines and to represent both universities and universities of applied sciences. A balanced representation of language communities and genders was also ensured. In four joint meetings in 2016, the experts first agreed on the most important research topics before developing them and submitting them for mutual review.

3 Research topics

The comprehensive digitalisation of society and the economy entails that cyber risks have become an important topic in many different domains. Accordingly, the potential research topics in this field are innumerable. Choosing the most important topics and classifying them in a comprehensible way was the most difficult challenge for the expert group. The topics presented here are the result of open discussions within the interdisciplinary group. The listing in no way claims to be complete and should not be considered exhaustive. But it does aim to provide an overview of interesting and relevant topics and in that way to serve as an inspiration for researchers and as information for decision-makers in politics and the private sector.

The first section of this chapter presents the method for structuring the research topics. To understand the report, it is important to know why particular topics have been placed in particular subchapters. The following sections contain the listing of research topics. General research topics are described in a first part of the inventory, followed in a second part by research topics on specific applications and technologies.

3.1 Classification of research topics

There are many different possibilities for classifying research topics in the field of cyber risks. The expert group discussed these possibilities and agreed to divide the listing into two parts. The first part contains the general research areas, including all general and overarching research areas (such as research on risk management or research on data protection and privacy). In a second part – the focus topics – topics relating to specific technologies or applications are listed that the expert group has identified as especially relevant in connection with cyber risks. Examples of focus topics are research on fintech and cloud computing.

This classification was chosen for the following three reasons:

1) Research on cyber risks is cross-disciplinary

An overview of research topics would typically be structured according to the traditional academic disciplines. In the field of cyber risks, however, this would introduce artificial boundaries. Cyber risks are a many-faceted phenomenon and at the same time concern a wide range of different areas, so that cross-disciplinary approaches are necessary to analyse them. For instance, many technological research topics are directly connected with legal questions and vice versa. The expert group therefore decided not to rely primarily on academic disciplines when compiling the list of research topics.

2) Unavoidable overlaps among topics

Another structuring option would have been to classify research topics according to areas of application and technologies. But this choice would have resulted in numerous repetitions because similar research topics are relevant to many different areas of application and technologies. Overlaps remain even when the list is structured according to topic area, but these overlaps can be made transparent in the chapter, making it clear where which topics are dealt with.

3) Different degrees of specification: Research areas vs. focus topics

New research topics in the field of cyber risks generally arise when new technologies have been developed, when existing technologies are used in different areas of application, or when new applications entail that existing technologies are used in new ways. Examples of such developments include cloud computing, the internet of things, or big data analytics. Developments of this kind must be taken into account when compiling an overview of research topics. The expert group decided to list these important developments and the resulting specific research questions as focus topics in separate chapters.

3.2 Research areas

The expert group identified ten general research areas:

1) Protection of privacy and personal data

2) Security of computer networks

3) Legal framework

4) Prevention and prosecution of cybercrime

5) Incident detection, incident response, digital forensics

6) Management of cyber risks

7) Economics of cybersecurity

8) Security of cyber-physical systems

9) Cybersecurity in international relations

10) Human and social factors in cybersecurity

Each of these topics is discussed in a separate subchapter below. Each subchapter begins with a general description of the research area, followed by a discussion of the relevance of the research area and a list of the possible interfaces with other areas. Finally, possible research topics in all the relevant disciplines are listed, and examples of interesting research questions are given. Neither the listing of topics nor of the questions should be considered exhaustive or complete, but rather they are intended to convey an impression of potential research projects.

3.2.1 Protection of privacy and personal data

Description of research area:

The strongly increased capacities for the collection, storage, and analysis of data pose new challenges for the protection of privacy and of the data itself. By using services on the internet, users share a large amount of data – sometimes deliberately (e.g. through social media), but often also unwittingly because their data is tacitly being collected, stored, and commercialised. Large companies and some governments are able to sweepingly monitor user behaviour. The situation is made worse by the fact that data no longer vanishes, and the «right to be forgotten» – i.e. the deletion of data and information – is hardly enforceable for the user anymore.

Research on the topics of data protection and privacy is relevant to a wide range of disciplines. Described here are the research topics in computer science and cryptography. In these disciplines, the central challenge lies in the fact that data is increasingly being collected and managed on a decentralised basis. Physical protection of systems is therefore no longer sufficient to ensure appropriate protection of privacy. It must be replaced by logical protection using cryptological methods for authentication, access control, and usage control.

Relevance:

Protection of privacy and data is increasingly coming under pressure due to the progress of digitalisation. Data – which is often personal – can easily be misused, and the prevalent lack of transparency in the decentralised collection and management of data causes users to lose their sense of security. Research at various levels is thus absolutely necessary to find solutions for improving the current situation.

Related research areas:

Incident detection, incident response, digital forensics; Legal framework; Prevention and prosecution of cybercrime; Management of cyber risks; Security of cyber-physical systems

Possible research topics:

Cryptological research: The development of cryptological methods to ensure anonymity or pseudonymity is still an important research area. It forms the basis for providing users with alternatives to protect their data. The development of Tor and e-voting applications is based on these technologies.

Data-minimising identity management: For the systems currently in use to identify users, certificates are transmitted that contain a lot of information about the user (e.g. PKI certificates). To improve data protection, new identification methods should be developed that contain as little data as possible about the user.

Privacy by design: When developing new technologies and applications, the protection of privacy and data should already be taken into account during the development phase. Research should establish suitable foundations and demonstrate the technological possibilities.

Examples of research questions:

- What new technologies can help ensure that users regain control of their data?

- How can traceability of the use of data be ensured?

- What is the significance of quantum computing for existing encryption techniques?

- How can the protection of privacy and data be taken into account better in systems design?

- What technical standards can be developed and applied in the field of data protection?

3.2.2 Security of computer networks

Description of research area:

The internet has revolutionised our society over the past 30 years. Industry, private individuals, and governments have become increasingly dependent on continuously functioning, secure communication infrastructure. Today's communication protocols and the hardware/software running on the connected computer systems are very fragile, however, and can be misused by malicious actors with simple means. As a consequence, denial-of-service attacks, data thefts, and extortions of organisations and individuals have become daily occurrences.

The vulnerability of networks, in combination with our high level of dependency on these infrastructures, has become a central challenge of cybersecurity. Research must show how the resilience and robustness of computer networks can be strengthened accordingly. It must be considered which existing components of networks can be made secure with which methods, and what components have to be completely rethought and redesigned.

Relevance:

Research can make an important contribution to the development of resilient and robust computer networks. New network technologies must be developed that already integrate security into their design, but methods must also be found to protect the existing computer networks, given that the installed infrastructures cannot simply be replaced from one day to the next.

Possible research topics:

Architectures for secure networks: Network architecture must be organised and operated in a way that ensures monitoring of data traffic so that unwanted activity can be identified quickly. As the complexity of networks increases, the demands on architecture increase as well. Research should show what solutions are suitable for what networks and should develop innovative architectures.

Securing existing network protocols: Many of the protocols used today do not encrypt the transmitted data. This entails the risk that data can be read or even manipulated by unauthorised parties. But because of their widespread use, it will take a long time to replace these protocols. Research is therefore necessary on technical solutions to secure these protocols.

New, secure network protocols: The development of new, secure network protocols is an important contribution of research to improving the security of data transmission within and across networks.

Minimisation of hardware support: Abstracting and virtualising hardware can at least partially defuse the problem of security of terminal devices. Minimising hardware dependency can therefore be a path toward strengthening network security. The possibilities and limits of this approach must be further analysed.

Secure integration of applications: Network security includes the question of how various applications can be integrated securely. Research can develop new methods for validating and monitoring the data transmitted by applications and for restricting use and user groups.

Examples of research questions:

- How can our communication infrastructures be made more robust against denial-of-service attacks?

- How can application and systems software/hardware be checked and verified for vulnerabilities?

- How can secure software for applications and communication infrastructure be developed?

- How can computer networks be protected better against malware and data theft?

- How can hacker attacks be detected more quickly?

3.2.3 Legal framework

Description of research area:

Legal questions relating to regulation of the digital world are becoming increasingly important and are posing difficult challenges for lawmakers. The complexity and multidimensional nature of the topics in the field of cybersecurity make it difficult to anticipate legislative developments and to recognise and comprehensively cover new topics as they arise.

Research can make an important contribution in this regard, however, by gathering and analysing fundamental data. Research makes a deeper understanding of the existing challenges and future developments possible. Building on this, it can be determined how existing laws can be improved, where it is necessary to enact new laws, and what impact should be expected from changes to the legal framework. The goal of research efforts should be to develop an appropriate legal framework in the field of cyber risks.

Relevance:

The legal framework directly influences how cyber risks are dealt with. Missing or deficient legal foundations and difficulties in the application of existing laws to questions in the field of cyber risks lead to legal uncertainty. Research is therefore important on the possibilities of legislation. An analysis of the legislative action needed is also of great practical relevance.

Related research areas:

Privacy and data protection (1); Prevention and prosecution of cybercrime (3); Management of cyber risks (5); Cybersecurity in international relations

Possible research topics:

Legal aspects relating to the protection of privacy and data: Automatic collection of data has become a core business of many business models. The legal framework for that purpose is insufficiently developed, however. It must be analysed how the legal foundations should be designed in order to strengthen transparency and accountability.

Legal foundations for state action: The possibilities and limits of governmental responses to cyber attacks are a hotly discussed topic. The focus is on questions concerning the legal preconditions and consequences of governmental surveillance or active governmental countermeasures in the case of cyber espionage. In the Swiss context, the new Intelligence Service Act (IntelSA) and the Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTA) must be analysed.

Allocation of liability: Many complex questions relating to the allocation of liability arise in the field of cybersecurity. It must be examined who should be liable for what areas of cybersecurity (and what can be laid down in civil and criminal law). This requires political decisions about the desired economic and legal incentives for different actors. For instance, it must be clarified to what extent the victims of an attack should be held responsible (especially in the case of data theft), which in turn raises the question of what minimum standards of prevention should apply.

(Alternative) dispute resolution methods: Switzerland has a long tradition of dispute settlement. It could become an important venue for dispute resolution procedures relating to the protection of data and privacy. Research can supply ideas and proposals for global dispute resolution methods.

Examples of research questions:

- What are the legal preconditions for introducing an obligation to report cyber incidents?

What would be the consequences of such a reporting obligation?

- What legal foundations exist for specifications in the field of encryption technologies?

- What legal incentives are possible for ensuring better consideration of security in software

development in future?

- How should liability issues be allocated among users, manufacturers, and third parties?

- Should transparency be required of software manufacturers in regard to possible security

vulnerabilities?

- What means are legal for defending against cyber attacks? What are the limits?

3.2.4 Prevention and prosecution of cybercrime

Description of research area:

We live in an era in which the prefix «cyber» has become omnipresent in crime.

Computers and networks lead to new approaches by criminals and also change

prosecution methods accordingly. New technologies are constantly opening up new

opportunities for cybercriminals. From a legal perspective and especially in order to

maintain legal certainty, it is crucial that criminal acts be investigated, prosecuted, and

also punished in this new environment.

A solid legal framework is an initial prerequisite for reducing cybercrime. But a good

prevention strategy is also needed. Research in the disciplines of psychology,

anthropology, criminology, and sociology can help develop tailored prevention campaigns

for different population groups.

Finally, cooperation is needed for effective prosecution. Cooperation includes information

exchange between victims and authorities, but also cooperation at the international level.

Relevance:

Efficient prevention and prosecution of cybercrime requires continuous effort on all sides.


This also relies on valuable insights from research.

Related research areas:

Privacy and data protection; Legal framework; Incident response and forensics;

Management of cyber risks; Cybersecurity in international relations; Human factors of

cybersecurity.

Possible research topics:

Modernisation of criminal law: Many offences in cyberspace are covered by

existing provisions of criminal law, but some take place in a grey area or take targeted

advantage of legal loopholes. It is often enough to extend interpretation of existing law

to cover these cases. One example is identity theft, which is not directly addressed by

criminal law but is nevertheless criminalised under existing articles. In other cases,

this approach is not enough. It should thus be clarified when and under what

conditions new legislative provisions are necessary.

Adjustments in prosecution: Authorities must have the means to investigate and

prosecute offences committed by cybercriminals in an efficient and timely manner. At

the same time, a balance must be found between this need and the individual

freedoms of citizens. This challenge is especially relevant when gathering and

securing evidence in the digital world. It must accordingly be examined what

adjustments are necessary in regard to prosecution methods.

International cooperation: Cybercrime knows no borders. For that reason,

international cooperation in prosecution is essential. It must be examined how this

cooperation can be designed in the most efficient way. An important example of a

research subject is the European Convention on Cybercrime, which was signed 10

years ago. At the same time, it is interesting in this context to carry out comparative

examinations of the measures taken by other countries in the field of cybercrime in

order to gain an overview of possible activities against cybercrime.

Darknets: The isolated networks used to establish peer-to-peer connections offer an

attractive market for criminal activities, because they are difficult for prosecution

authorities to access and because they provide greater protection of anonymity. It

should be examined as a research topic what influence darknets have on criminal

activities and how prosecutors might be able to prosecute criminal activities in these

networks.

Examples of research questions:

- Should new forms of crime such as identity theft be governed by new legal provisions, or do the existing provisions suffice?

- Are the existing prosecution methods suitable for solving cybercrime?

- How effective is current international cooperation in the fight against cybercrime?

- What opportunities will new technologies create for criminals?

- What means do other countries employ against cybercriminals?

3.2.5 Incident detection, incident response, digital forensics

Description of research area:

The growing specialisation and complexity of cyber attacks is making it increasingly

difficult to detect and analyse incidents. Modern attack methods and malware are

designed so that they can circumvent security mechanisms, including antivirus programs

and incident detection systems. Even organisations with a high security awareness, such

as banks and governmental institutions, are frequently the targets of successful attacks.

The ability to detect and respond effectively and quickly to incidents is thus of crucial

importance for the mitigation of cyber risks. Accordingly, cybersecurity research has

moved away from its original focus on defensive and protective measures and is

developing methods to detect, respond to, and analyse incidents. These methods also

make an important contribution to prevention, because information about the identity and

methods of perpetrators is crucial in determining the appropriate protective measures to

be taken.


Digital forensics and incident analysis are very similar disciplines. Traditionally, digital

forensics deals with cases in which the attacker has committed criminal offences in the

physical world. The focus of such investigations is on evaluating data carriers. Incident

analysis, in contrast, is concerned with the attacks against IT infrastructures. The crime

scene is the IT infrastructure, and accordingly the data to be evaluated is of a technical

nature, for instance log data, network traffic, malicious code, system modifications, etc.

Both disciplines have in common that they demand deeper understanding of the

technologies. The most important research challenge in both disciplines consists in

analysing and contextualising large amounts of data from frequently disparate sources.

Especially important is research on digital forensics and incident analysis in special

domains such as mobile devices, networks, data storage, and health systems.

Many illegal markets and activities now have a digital equivalent: counterfeit documents,

pharmaceuticals, watches and the like are offered on the darknet. They have a direct

negative impact on border protection, health care, and even the competitiveness of the

Swiss economy. For this reason, techniques must be developed to counter these

phenomena by combining methods of digital forensics with methods of Open Source

Intelligence (OSINT), with strong support from social and human sciences.

Relevance:

Relevance arises from the increasing digitalisation of society. Cyber attacks have become a serious problem, and their methods are becoming increasingly sophisticated. At the same time, teaching and research relating to incident response and analysis are not very well developed in Switzerland, even though Switzerland is an attractive target for cybercriminals.

Related research areas:

Protection of privacy and data; Big data; Cloud computing; Legal foundations;

Management of cyber risks

Possible research topics:

Automation: (Partial) automation of the activities relating to incident detection and

analysis can decisively speed up the processes. This can also result in immediate

detection of attacks and give rise to new security systems that facilitate adaptable

defences against new attacks or malware variants.

Consolidation, correlation, and presentation of data: How can incidents be

captured and described in a way that goes beyond the mere collection of usual

indicators such as indicators of compromise? Examples for solutions include

analytical methods and systems that detect attacks on the basis of behavioural

patterns, not only on the basis of individual indicators. Also of interest may be

systems that analyse non-obvious relationships between attacks.
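The contrast drawn above, between matching individual indicators of compromise and detecting attacks from behavioural patterns, can be made concrete in code. The following is an added example, not part of the expert report: it parses a handful of constructed log lines (hosts, users, addresses and the indicator list are all invented for illustration) and runs two detectors over them. Plain indicator matching flags only the host that contacted a listed bad address; the behavioural rule flags a host that never touched any known indicator but shows a burst of failed logins, a success, and then an outbound connection on an unusual port within one short window.

```python
"""Behaviour-based correlation versus plain indicator matching over log events.

Added example (not from the report). The log format, hosts, addresses and the
indicator list below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: three failed logins, a success, then an
# outbound connection on an unusual port from ws-17; a normal session on ws-22.
SAMPLE_LOGS = """\
2017-11-02T08:00:01 auth host=ws-17 user=alice src=10.0.0.5 result=fail
2017-11-02T08:00:03 auth host=ws-17 user=alice src=10.0.0.5 result=fail
2017-11-02T08:00:05 auth host=ws-17 user=alice src=10.0.0.5 result=fail
2017-11-02T08:00:09 auth host=ws-17 user=alice src=10.0.0.5 result=ok
2017-11-02T08:00:40 net host=ws-17 dst=203.0.113.77 port=4444 proto=tcp
2017-11-02T08:01:10 auth host=ws-22 user=bob src=10.0.0.9 result=ok
2017-11-02T08:02:00 net host=ws-22 dst=198.51.100.8 port=443 proto=tcp
"""

# Constructed indicator-of-compromise list (a known-bad destination address).
KNOWN_BAD_DST = {"198.51.100.8"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|net) (?P<rest>.*)$")


def parse_line(line):
    """Parse one 'timestamp kind key=value ...' line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind")}
    for field in m.group("rest").split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def ioc_matches(events, bad_dsts=KNOWN_BAD_DST):
    """Indicator matching: hosts that contacted a known-bad destination."""
    return sorted({ev["host"] for ev in events
                   if ev["kind"] == "net" and ev["dst"] in bad_dsts})


def behaviour_alerts(events, fail_threshold=3, window=timedelta(seconds=60),
                     allowed_ports=("80", "443")):
    """Behavioural correlation per host: a burst of failed logins followed by a
    success, then an outbound connection on a non-allowed port, all within
    `window`. None of these events is an indicator on its own."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        recent_fails = []       # timestamps of failures still inside the window
        brute_success = None    # (timestamp, user) of a suspicious success
        for ev in host_events:
            if ev["kind"] == "auth":
                recent_fails = [t for t in recent_fails if ev["ts"] - t <= window]
                if ev["result"] == "fail":
                    recent_fails.append(ev["ts"])
                elif ev["result"] == "ok" and len(recent_fails) >= fail_threshold:
                    brute_success = (ev["ts"], ev["user"])
            elif ev["kind"] == "net" and brute_success is not None:
                since_login = ev["ts"] - brute_success[0]
                if ev["port"] not in allowed_ports and since_login <= window:
                    alerts.append({"host": host, "user": brute_success[1],
                                   "dst": ev["dst"], "port": ev["port"]})
                    brute_success = None   # one alert per suspicious session
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    print("IoC matches:", ioc_matches(events))            # ws-22 only
    print("Behaviour alerts:", behaviour_alerts(events))  # ws-17 only
```

The two detectors are complementary rather than competing: the indicator list catches known infrastructure cheaply, while the behavioural rule catches the host whose traffic matches nothing on any list. Threshold, window and allowed ports are tuning knobs and would need to be set from an organisation's own baseline to keep the false-positive rate acceptable.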

Share and make use of available knowledge: The rapid development of

technologies and attack methods makes it difficult to know all the new forensic

possibilities or to find those that are already known. Research can help develop a

systematic approach to compiling new knowledge and maintaining existing

knowledge.

Integration of digital forensics into prosecution methods and intelligence

analyses: The use of highly developed analytical methods for gaining insights about

attackers must be further expanded. Using digital forensics, attackers can be

identified on the basis of their digital traces and with the help of behavioural profiles.

Forensics and incident analysis in relation to new technologies: New methods

are needed to apply digital forensics to new technologies such as the internet of

things.

Monitoring: Many technologies and activities of criminals can be understood better if

the exchanges of the groups in question on web forums, social networks, or the

darknet are examined carefully. The extent of information available on the various

platforms is steadily increasing. It is accordingly important to develop a systematic

approach to the analysis of this information.

Identification: On the basis of behavioural patterns, the characteristics of attackers


can be identified. Combined with methods of traditional forensics, it is possible to

identify the persons responsible for attacks.

Visualisation: Visualisation of large amounts of information is an important challenge

for incident analysis. Visualisation helps detect patterns and anomalies.

Examples of research questions:

- How can tactics, approaches, and processes of attackers be identified?

- How can behavioural patterns and other characteristics of attackers be used to identify perpetrators?

- How can incident analyses be sped up? What processes can be automated?

- How can we make more effective use of incident analysis and digital forensic analysis to support risk management?

- How can the knowledge gained from incident analysis be used better for prevention?

- How can information be collected in a systematic and targeted manner from online forums, social networks, and the darknet relating to actors and their tactics?

3.2.6 Management of cyber risks

Description of research area:

Cyber risks are developing in a very dynamic and extremely complex way. The dynamics

are a result of the rapid technological development, due to which certain risks become

more (or less) important very quickly. The complexity is a consequence of the many

interdependencies in modern systems, which make it difficult or even impossible to gauge

the consequences of successful attacks.

These characteristics are the central challenges for the management of cyber risks.

Research in this area must first consider the theory and methods of risk management in

the field of cyber risks. It must be investigated if and how the existing methods of risk

analysis should be adjusted to take account of the dynamics and complexity of cyber

risks.

At an operational level, research is needed on the instruments of risk analysis and

management, such as possible threat maps, threat matrices, or scenario-based planning.

Research of this kind should also help develop indicators to make the risks themselves

measurable, as well as the effectiveness of countermeasures.

Finally, there is a strategic-political level to the management of cyber risks. This level is

concerned with how cyber risks can be dealt with collectively. Important topics include the

potential of public-private partnerships, the limits and possibilities of information

exchange, and regulatory questions such as the option of introducing a duty to report

incidents.

Relevance:

Cyber attacks cannot be prevented entirely. Risk management is therefore necessary to

help assess the situation realistically and set the right priorities. New challenges arise for

the traditional methods of risk management when applied to cyber risks. Because risk

management should establish the framework for all actions to protect against cyber risks,

research in this area is of the utmost importance.

Related research areas:

Protection of privacy and data; Legal framework; Economics of cybersecurity; Human

factors of cybersecurity

Possible research topics:

Theory and methodology of risk management: Because cyber risks develop very

dynamically and are extremely complex, it is very difficult to gauge their likelihood and

potential for damage. Research is therefore necessary on the possibilities and limits

of existing risk analysis approaches. It should be investigated how cyber risks can be

compared with other risks and integrated into existing risk catalogues.

Instruments of risk management: Research should also help develop instruments

for the management of cyber risks, such as risk maps, scenarios, and simulations.

The measurability of risks and countermeasures is an important topic in this regard.


Better measurability might help practitioners determine the right level of protection for

their organisation.

Information exchange: A major challenge for the management of cyber risks is the

lack of information about the risks and possible countermeasures. To address this

deficit, organisations and platforms have been created for information exchange.

Research should investigate how these platforms and organisations can be operated

effectively and efficiently. A special focus should be on information exchange between

public and private actors in the context of public-private partnerships.

Regulation: In practice, risk management is heavily influenced by the regulatory

context. Governments can specify the practices and standards of risk management by

way of legislation and ordinances. An important example of such regulatory

intervention is a duty to report incidents. Researchers should investigate when and

under what conditions a reporting obligation can effectively contribute to improving

cyber risk management.

Examples of research questions:

- What impact do the high level of dynamics and great complexity of cyber risks have on

the applicability of existing practices and methods of risk management?

- How can the probability of occurrence and the extent of the damage of cyber risks be

estimated?

- What methods can be used to determine the optimal scope of investments in

cybersecurity?

- What incentives result in greater exchange of information about cyber risks?

- How can cooperation between private and public actors be strengthened?

- What regulations make sense? What would the potential consequences be of state audits

or a duty to report cyber incidents?

3.2.7 Economics of cybersecurity

Description of research area:

The economic perspective on cybersecurity analyses the relationship between financial

losses due to cyber incidents and the costs for security measures. The lack of

cybersecurity is explained in terms of a fundamental problem of incentives and insufficient

information regarding the costs of cyber risks.

The false incentives are a direct consequence of the nature of cyberspace as a very

dense and complex network of information systems and users. For individual users and

companies, integration of their systems into networks means that the systems always will

be vulnerable to a certain extent, regardless of the individual investments made in

security. In some ways, cybersecurity has the character of a public good, and accordingly

investments in cybersecurity lead to high positive externalities. This gives rise to a

coordination problem consisting in the fact that the utility of an actor's investments in

cybersecurity depends on the investments made by all other actors. Moreover, the lack of

data regarding the costs of cyber risks makes it more difficult to determine the right level

of necessary investments in security measures. So far, there are hardly any models for

calculating cyber risks. Models of this sort would not only help practitioners engage in risk

management, but also favour the emergence of a market for insuring against cyber risks.

So far, the data situation regarding losses due to cyber attacks is not sufficient for

insurers to calculate premiums, capital, and reserves. The market is accordingly still

underdeveloped. It should be expected, however, that insurers will establish themselves

in the field of cyber risks over the coming years.

Relevance:

It is now undisputed that cyber risks have become an economically relevant problem.

Despite this, there is still relatively little research from an economic perspective on how

costs resulting from cyber risks can be reduced. In-depth insights on the costs of cyber

risks are also a precondition for a functioning market of insurances against cyber risks to

emerge.


Related research areas:

Legal framework; Prevention and prosecution of cybercrime; Management of cyber risks

Possible research topics:

Costs of cyber risks: Estimates of the costs of cyber risks diverge considerably and are often not independent, since they are published by the providers of countermeasures. Researchers can contribute to the development of a better systematic approach to estimating costs and thus create the basis for risk models in the field of cyber risks.

Analysis of cybersecurity as a public good: It should be examined in what respects cybersecurity can be described as a public good and what consequences arise for the management of cyber risks.

Insurability of cyber risks: It should be examined in what way cyber risks can be insured and what preconditions must be established for that purpose. Incident databases are an important instrument for the development of cyber insurances. Researchers can help create such databases.

Regulation: In terms of economic research, the effects of existing or potential regulatory interventions to promote cybersecurity should be examined from a cost-benefit standpoint.

Examples of research questions:

- Could the availability of insurances against cyber risks lead to greater investments in

cyber risk management?

- How can the modelling and cost calculation of cyber risks be improved in light of the lack

of data, the dynamic developments, and the high degree of complexity?

- To what extent can instruments such as alternative risk transfer or insurance-linked

strategies be used to increase the sustainability of cyber risks through insurances?

- What are the economic costs and benefits of regulatory interventions?

- How can extreme risks be dealt with in cyber risk management?
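Both the risk-management topic of making risks and countermeasures measurable (section 3.2.6) and the economic questions above about cost calculation, insurability and the optimal scope of investment rest on the same kind of model: incident frequency times incident severity. The block below is an added worked example, not from the report, showing the simplest such model, a compound Poisson-lognormal Monte Carlo simulation. All parameters (incident rate, loss distribution, the 40% frequency reduction attributed to a control, its cost) are constructed assumptions; in practice they would be estimated from exactly the kind of incident database the report says is still missing.

```python
"""Frequency/severity Monte Carlo model of annual cyber loss.

Added example (not from the report). All parameters are constructed; in
practice they would be estimated from an incident database.
"""
import math
import random
import statistics


def sample_poisson(rng, rate):
    """Poisson-distributed count via Knuth's method (fine for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(rate, mu, sigma, years=20000, seed=7):
    """Simulate `years` of total annual loss: incidents per year ~ Poisson(rate),
    loss per incident ~ LogNormal(mu, sigma). Returns one total per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = sample_poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def analytic_expected_loss(rate, mu, sigma):
    """Closed form E[N] * E[X] for the compound Poisson-lognormal model; used
    to sanity-check the simulation."""
    return rate * math.exp(mu + sigma ** 2 / 2)


def risk_summary(losses, quantile=0.95):
    """Expected annual loss, the loss at the given quantile (a value-at-risk
    style figure), the mean of the tail beyond it, and the share of loss-free
    years. Expected loss is the pure premium an insurer would start from; the
    tail figures drive capital and reserves."""
    ordered = sorted(losses)
    n = len(ordered)
    cut = min(n - 1, max(0, math.ceil(quantile * n) - 1))
    tail = ordered[cut:]
    return {
        "expected_loss": statistics.fmean(ordered),
        "quantile_loss": ordered[cut],
        "tail_mean": statistics.fmean(tail),
        "p_no_loss": sum(1 for x in ordered if x == 0) / n,
    }


def countermeasure_value(baseline, mitigated, annual_cost):
    """Compare expected loss with and without a control of known annual cost.
    A positive net benefit means the control pays for itself on expectation;
    the tail of `mitigated` should be compared too, since extreme years are
    what organisations actually fail on."""
    reduction = statistics.fmean(baseline) - statistics.fmean(mitigated)
    return {"reduction": reduction, "net_benefit": reduction - annual_cost}


if __name__ == "__main__":
    # Constructed assumptions: two incidents a year, median loss 50 000.
    base = simulate_annual_losses(rate=2.0, mu=math.log(50_000), sigma=1.0)
    # Constructed assumption: a control that cuts incident frequency by 40%.
    mitigated = simulate_annual_losses(rate=1.2, mu=math.log(50_000),
                                       sigma=1.0, seed=8)
    print("analytic mean:", analytic_expected_loss(2.0, math.log(50_000), 1.0))
    print(risk_summary(base))
    print(countermeasure_value(base, mitigated, annual_cost=20_000))
```

The point of the example is less the numbers than the structure: once frequency and severity are separated, a control can be evaluated by the parameter it actually changes (here the rate; a backup regime would instead truncate severity), and the same simulated years give both a risk-management figure (expected loss, tail loss) and an insurance figure (pure premium). The model's weakness is the one the report names: with little loss data, mu and sigma are guesses, and the tail estimate is only as good as those guesses.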

3.2.8 Security of cyber-physical systems

Description of research area:

Cyber-physical systems are spreading very quickly across a wide range of areas of

application. In the field of building control and automation, these systems are already very

widespread, but they are also being increasingly found in medical applications or – as a

prominent example – in self-driving cars.

All of these systems undoubtedly offer many advantages, but they also entail new

security vulnerabilities due to their dissemination and capacities. Crucial in this regard is

that in order to function, all these systems require a multitude of sensors that continuously

gather data. At the same time, the systems are often not secured at all, or only poorly, which

makes them a very attractive target for attacks. Improved security measures are

necessary, as well as increased awareness by users so that these systems are better

protected against attackers.

Cyber-physical systems also entail new challenges in dealing with data protection. An

evaluation of the data gathered by such systems can generate a great deal of information

about users. It must be analysed what impact these developments have on data

protection.

Relevance:

The rapid spread of cyber-physical systems in all areas of application (from industry to

health care and entertainment electronics) makes research on the security of these

systems very important, because it will become increasingly difficult in future to draw

clear boundaries between the physical world and cyberspace.

Related research areas:

Protection of privacy and data; Incident detection, incident response, and digital forensics;

Legal framework; Prevention and prosecution of cybercrime; Management of cyber risks

Possible research topics:

Security in the internet of things: The most important security challenges of the


internet of things must be analysed systematically and proposals developed for how

to improve the situation. Apart from possible technological solutions, measures to

raise the awareness of users should also be taken into account.

Security in special areas of application: Cyber-physical systems are employed in

many different areas of application. Depending on the context of these applications,

various research questions arise.

Security of critical infrastructures and their services: Security of critical

infrastructures is relevant to society as a whole. The impact of the increasing

networking of these systems on security must be examined. The mutual

dependencies of different infrastructures must be taken into account in particular.

Examples of research questions:

- What new technologies can help to improve the security of cyber-physical systems?

- How can decentralised systems be protected from misuse without introducing centralised

infrastructures?

- On the basis of what criteria can the security of cyber-physical systems be measured,

and how can certification procedures be applied to such systems?

- How can updates be uploaded to cyber-physical systems, and how can this process be

automated?

3.2.9 Cybersecurity in international relations

Description of research area:

Cybersecurity is increasingly on the political agenda and the role of nation-states in

securing cyberspace is a key concern. Several possibilities are currently being discussed,

from introducing codes of conduct to conventions governing norms and rules in

cyberspace. Complementing these efforts, confidence-building measures are being taken

to strengthen international cooperation and to identify joint mechanisms for countering

cyber threats.

Relevance:

The strategic discourse examines cyberspace both as a target of attacks (risk to

cyberspace) and as a means of attack (risk through cyberspace). This combination and

the flood of incidents have resulted in cyberspace becoming a main topic of national and

international security debates. Cybersecurity cannot be viewed simply as a technical or

legal problem, but rather as an issue for diplomacy and for foreign and military policy.

Many international cybersecurity initiatives are accordingly being pursued today. Most

focus on regulating cyberspace so that it becomes a stable and reliable place.

For research, these developments are a very good opportunity to investigate formal and

informal international initiatives and to examine existing lines of conflict. Understanding

these factors is a precondition for finding international solutions to the problem of

cybersecurity.

Related research areas:

Legal foundations; Prevention and prosecution of cybercrime; Human factors in

cybersecurity

Possible research topics:

Cyberpower: Theoretical approaches must be developed to define the concept of

«power» in cyberspace and to understand the corresponding dynamics. This includes

analysing the potential impact of offensive capabilities (also as a means against

cybercrime and cyberterrorism) and the associated legal and ethical questions.

Cyber deterrence: It must be examined whether and how the theory of mutual

deterrence can also be applied to power politics in cyberspace. In that context, the

important role of non-state actors in the use of cyber capabilities must also be taken

into account.

Escalation of conflicts: The special dynamic of conflicts in cyberspace must be

better understood.

Norms, conventions, institutions, and structures: Although international


cooperation is still in its infancy in many areas, numerous norms, conventions,

institutions, and structures already exist. Their effects, their modus operandi, and their

weaknesses are an important area of research. Research should help identify

possible forms of institutional frameworks in the field of cybersecurity.

Internet governance: Research should compare the various models of internet

governance and describe their advantages and disadvantages. The important role of

private actors should be given special attention.

Examples of research questions:

- What does «cyberpower» mean, and how can it be measured?

- What are the specific characteristics of conflicts in cyberspace? What are the typical dynamics of such conflicts? What developments should be expected?

- What impact do cyber incidents have on the development of international relations?

- How are the rules, decision-making processes, and power positions developing in the existing models of internet governance? Are these models effective and efficient?

- What confidence-building measures are possible, and how can they contribute to stability?

- What is the role of private actors in internet governance and in the institutions for the promotion of cybersecurity?

- What are «offensive cyber capabilities»? What could arms control look like in cyberspace? What technologies would be necessary for that purpose?

- How could attribution of cyber attacks be improved?

3.2.10 Human and social factors in cybersecurity

Description of research area:

Many, if not most, cyber incidents can be traced back directly or indirectly to

misconduct by the user. Examples include using weak passwords, opening emails with

malicious code, or divulging data and information in response to bogus requests.

Research on cyber risks should therefore also take account of the human factor in

cybersecurity. Such research includes psychological, sociological, anthropological, and

cultural studies. The focus of research is on the behaviour of both victims and

perpetrators. It is important to understand the behaviour of both groups so that the right

measures can be taken to make it more difficult to exploit user vulnerabilities.

Relevance:

Research on the behaviour of potential victims and perpetrators in cyberspace is

important, given that the origin of attacks can always be found in human intentions or

human errors. Cyber risks can be mitigated only if the human factor is taken into account

appropriately, alongside technical, economic, and legal questions. It is also important to

investigate whether user behaviour is influenced by cyber risks and by the debate about

security and surveillance on the internet.

Related research areas:

Protection of privacy and data; Prevention and prosecution of cybercrime; Management of

cyber risks

Possible research topics:

Perception of cyber risks: It should be investigated how cyber risks are perceived in

society and whether there are relevant differences among different user groups.

User behaviour: Research should try to explain the behaviour of users in regard to

cyber risks. It should be analysed how aware users are of cyber risks, what influence

cyber risks have on users' behaviour, and how autonomous usage can be ensured.

Attacker motivation: The motivation of attackers is not solely economic. The

psychological, anthropological, and cultural context of these perpetrators must be

investigated in order to gain a better understanding of the non-economic factors.

Ethics in cyberspace: It should be investigated what the ethics are in the

predominantly anonymous environment of cyberspace, what standards are generally

practiced, and what boundaries are crossed.


Examples of research questions:

- How can different user groups be sensitised better to cyber risks?

- How can behavioural-psychological factors be integrated into risk management?

- How do systems have to be designed so that users can better understand and observe the security requirements?

- What psychological effects do cyber attacks have on victims?

- How do attackers mutually influence each other? Are there role models?

- How are cyber risks portrayed in popular culture (cinema, literature, videos, music, painting)? To what extent does this contribute to awareness of cyber risks? And what influence does this have on attackers?

- How can universal ethical codes of conduct be developed and applied in globalised cyberspace?

- How can the internet be prevented from contributing to the radicalisation of different groups?

3.3 Focus topics: Especially relevant areas, technologies, and applications

This chapter lists the focus topics. These are the areas and applications that have attracted a lot of attention in the discussion of cyber risks. All of these topics influence the debates in their own way, and an overview of research topics would not be complete without examining these focus topics. At the same time, these topics cannot be attributed directly to one of the areas described above, given that they concern several of those areas. The expert group has therefore decided to describe the following focus topics separately:

1) Big data

2) Cyber risks and cloud computing

3) Security in fintech

3.3.1 Big data

Description of focus topic:

The comprehensive collection and analysis of very large amounts of data has become known as «big data». The term refers both to the new technologies that make such evaluations possible in a short period of time and, more broadly, to the phenomenon that data evaluation is playing an increasingly important role in the transformation toward a digital society.

Data is continuously being captured, collected, exchanged, evaluated, and (commercially) utilised via the internet. This raises important questions in the field of cyber risks relating to the protection, life cycle, and storage of this data. But data analysis technologies can also serve as valuable tools in solving crimes, and they often play an important role in the attribution of cyber attacks to perpetrators.

Relevance

The new possibilities for rapidly analysing large amounts of data and for comparing and correlating different sets of data are relevant to all research areas in the field of cyber risks. The topic will strongly shape the future of the digital society and thus is an important element of research on cyber risks.

Possible research topics:

Big data and the role of data monopolies: It should be analysed what impact the emergence of data monopolies has on the economy and society. It should in particular be investigated to what extent states are already dependent on companies with data monopolies in certain areas.

Big data as an instrument for cybersecurity: The potential of big data for preventing and solving cyber attacks is considerable. Research should explore this potential and show how the possibilities can be utilised in future.

Legal challenge of big data: The possibilities for collecting and analysing huge volumes of data have hardly been taken into account in the legal framework. The decentralised infrastructures of big data pose an additional challenge. It should be examined how to deal with this problem.

Political, social, and economic context of big data: The phenomenon of big data can be understood only if the political, social, and economic context is included in the investigation. It should be analysed who uses big data technologies and why.

Examples of research questions:
- What in general are the consequences of big data for cybersecurity? Do these technologies improve the situation, or on the contrary do they further increase the risks?
- What role should the state play in regard to big data? Is stronger regulation needed?
- Is the free market working, or are monopolies of major companies too strong?
- What legal foundations are needed for big data?
- What is the potential of big data in preventing and solving cyber attacks?
- How can big data influence the risk management of cyber risks?

3.3.2 Cyber risks and cloud computing

Description of focus topic:

Cloud services have become very popular in recent years. Many services use central storage to collect data, allowing the user to access information independently of location. Other services use decentralised data storage, which corresponds more directly to the original idea of cloud computing. Services made possible by the cloud can be found in applications in many different areas, from the control of cyber-physical systems to office applications and e-voting systems.

Storing data in a cloud is not without risks, however. Malfunctions or deliberate manipulation can give third parties access to the data, leading not only to inconvenience but also to serious data protection problems and even financial losses.

A characteristic of cloud services is that data is mobile by design and is therefore not tied to any individual computer system. The data and functions may be distributed across several different countries, so it is not easy to exercise legal control over cloud services. The same difficulty arises with decentralised digital currencies (such as Bitcoin, Ethereum, Dogecoin, Litecoin, and others) and with information platforms without centralised infrastructures, whose data and functions are likewise spread across many jurisdictions.

Relevance

Cloud computing has become a very important technology with a direct impact on cyber risks and possible countermeasures. For research in the field of cyber risks, it is important to understand how cloud computing continues to develop and what the specific consequences for cybersecurity are.

Possible research topics:

Protection of privacy and personal data in the cloud: It should be analysed what impact the spread of cloud services has on the protection of privacy and personal data. Technical security measures are needed for data storage, access control, and transmission. Many important questions must also be clarified in regard to the rights and duties of cloud service users and providers.

Forensics and cloud computing: Cloud computing may lead to challenges for forensic analysis, because large amounts of data are stored in different places that are rarely accessible physically. Appropriate technical instruments must be developed and legal questions clarified.

User awareness: Many users are hardly aware of how and where their data is stored. Possibilities should be identified for conveying a better understanding of cloud technology to users.

Examples of research questions:
- What legal questions arise in regard to use of the cloud?
- How can illegal activities in the cloud be discovered and attributed?
- What challenges arise in regard to data protection?
- How can the authenticity and integrity of data in the cloud be ensured?

3.3.3 Security in fintech

Description of focus topic:

The financial industry has always been quick to adopt and advance the digital transformation of society and the economy. The introduction of digital technologies and complex financial products massively changed the business in the 1970s and 80s, for instance. Today, digital technologies for econometric analysis, modelling, recording, and execution of transactions have long been the standard.

The next big step in this development can now be seen in the emergence of the fintech industry (the combination of finance and technology). The most important applications are currently social trading (investment advice on social platforms), robo-advisory services (automated investment advice), and peer-to-peer lending (direct lending from private individuals to other private individuals).

The market potential of these applications is often still unclear, and the risks of these new applications have hardly been researched so far. Substantial basic research is needed in this field to clarify what the impact of fintech will be on the financial industry and on cyber risks.

Relevance:

Fintech is attracting great interest worldwide in the media and from practitioners. Switzerland intends to play an important role in fintech. Although the importance of fintech is undisputed among practitioners and policymakers, there is hardly any academic discourse so far about the significance and influence of this technology. There is a clear need for research in this field.

Possible research topics:

Impact of fintech on the financial industry: It is still unclear how strongly and in what way the new technologies will change the financial industry. Research should help provide a better assessment of the fintech phenomenon and illuminate possible consequences.

Greater dependency: Even stronger digitalisation of the financial industry also increases its dependency on IT service providers. A large-scale disruption of IT could trigger a collapse of the financial system. It should be investigated how systemic risks increase with the spread of fintech.

New risks: The new technologies also entail new risks. In this respect, too, there are only few insights so far. But the earlier potential risks are recognised, the better the financial industry will be able to prepare for them.

Examples of research questions:
- Will financial intermediaries such as banks and insurers be displaced by fintech? What potential do blockchain technology and peer-to-peer lending have in this regard?
- How does fintech change the systemic risks in the financial sector? Does fintech increase systemic risks because of the great dependency on IT services, or does it reduce them because of the decentralised structure?
- Will human advice still be necessary in the financial industry? What is the client acceptance of robo-advisors?
- What influence do big data analyses have on trading? Are algorithms more effective at trading than humans in light of the available data volumes?


4 Conclusion

This expert report aimed to achieve three goals: an overview of the most important research topics in different disciplines, promotion of an understanding of the research in the different disciplines, and finally sensitisation of research policy for the topic of cyber risks. With the abundance and diversity of the listed topics, the report has certainly succeeded in making a contribution to the first two goals. It illustrated how broad the topic is, and how many demanding research questions must be addressed in the various disciplines. We hope that many researchers are motivated to tackle the complex, but also important and interesting, topics in their work. But it should again be emphasised that the report does not claim to be complete. There are other research questions not included in the report that may be just as relevant. Moreover, the rapid advancement of technological development means that new challenges are continuously arising.

As an instrument for sensitising research policy, this report helps by presenting the whole range of topics. Research on cybersecurity must not be reduced to technical questions, and it will lead to relevant results mainly if an interdisciplinary approach is taken. The report aims to serve as a foundation for designing further research promotion in the field of cyber risks.

In conclusion, we would like to appeal to everyone, researchers and research promoters alike, to advance research in the topics listed above. If we as a society use digital technologies, then we depend on their security. Security in turn can be ensured only if the existing problems are analysed thoroughly and innovative solutions are developed. Switzerland is home to excellent academic institutions that already conduct research on many of the topics listed here. The goal is to use and further advance this potential so that Switzerland can play an important role in the development and application of technologies and methods in the field of cybersecurity and at the same time is able to protect its own infrastructures from cyber risks.