It has been about a month since the CriM17 workshop in Oulu which gave me some time to process all the information received during the lectures and workshop sessions, and to think about how the different angles in which security was looked at fit together and how they relate to CS-AWARE. The CriM workshop is an event that has been organized by the University of Oulu in one way or another for more than 20 years – many of the lecturers are attending the event regularly to share the newest developments in their research with the workshop attendants – usually a mixture of students, academics and Industry representatives. To strengthen the cooperation even more, an Erasmus+ strategic partnership project with the aim to develop a European cybersecurity curriculum was formed and this year’s CriM was a multiplier event of SecTech with the aim to disseminate the first results of the content developed for the curriculum – much of what we have seen will be part of the SecTech curriculum in the very near future!

The three days of the CriM workshop were roughly organized into one and a half day of lectures and one and a half day of hands on workshops for some of the topics covered during the lectures. The first day started off with five lectures where we have seen that software is vulnerable and needs better testing mechanisms, many real-world systems (like critical infrastructures) consist of more than just the cyber systems that need protection; we have seen that security mechanisms are often not very user friendly, and we were shown why large organizations need good security management mechanisms. The last presentation of the first day was focusing on one of the currently hottest cybersecurity topics and has shown us how the new European security legislation – the general data protection regulation (GDPR) and the network and information security directive (NIS) – will impact the European security landscape. The lectures on the second day were focusing on topics related to privacy and trust, and in the afternoon we had a hands on workshop conducted by a representative from CERT-FI where the participants were guided through the forensic procedures that are used in practice to analyze malware and attacks and to uncover the criminals behind those attacks. The third day had two topical focuses: the blockchain and cryptocurrencies both in theory and in practice, and my own workshop session that was focusing on privacy and trust, in which I asked the students to assume different roles and to assess and present the privacy and trust needs associated to their roles. Check out a selection of the CriM lectures on the CS-AWARE Youtube channel!

Aside from the lectures and workshop sessions, the CriM is a place to discuss all aspects related to cybersecurity in a relaxed atmosphere. This year we were invited to a Sauna evening in the premises of a secuirty startup incubator, and I remember vivid discussions with students interested in becoming security experts, as well as with representatives from young and extremely innovative security startups from the Oulu area. There are a lot of interesting things happening in the cybersecurity area in Finland and particularly in Oulu.

What are the lessons that we can learn for the CS-AWARE project? Cybersecurity has many bits and pieces that need to work together in order to protect local public administrations, and the personal employee and citizen data that are managed in those administrations, from cyber attacks. If comprehensive cybersecurity is to be provided, experts, administrators and users of a system have to work together in order to pinpoint, observe and counteract cyber attacks and vulnerabilities. As we have seen during the workshops with our pilot partners, this is a hard task that might even be in contrast to the organizational structure of those administrations. So an awareness system that would present a top down view of the cybersecurity situation in a local public administration, like the one we are developing in CS-AWARE, will help the security responsibles to detect incidents more quickly and to identify the right place and people in the system to counteract the incident – which might be related to any of the security topics we have been hearing about during the CriM. So while we will not be able solve all the security problems discussed during the CriM, we can at least raise the awareness of those problems and set it into context with new developments in the security area. One of the main realizations I gained from the CriM relating to CS-AWARE is that with this project we are very much in line with the major developments in the security area, and specifically with the major changes in the European legal framework in form of the NIS and the GDPR. I am very enthusiastic about the future of our project!

Thomas Schaberreiter
University of Vienna