Community Research and Development Information Service - CORDIS

FP7

COURAGE Report Summary

Project ID: 607949
Funded under: FP7-SECURITY
Country: Italy

Final Report Summary - COURAGE (Cybercrime and cyberterrOrism (E)Uropean Research AGEnda)

Executive Summary:
The COuRAGE (Cybercrime and cyberterrOrism (E)Uropean Research AGEnda) consortium has aimed to deliver a measured, comprehensive, relevant research agenda for Cybercrime and Cyberterrorism (CC/CT) guided by the knowledge and experience of the highly experienced and exceptionally qualified consortium and Advisory Board members. The Final Research Agenda identifies major challenges, reveals research gaps, and identifies and recommends detailed practical research approaches to address these gaps through strategies that are aligned to real-world needs. These strategies are supported by test and evaluation recommendations and schemes. The purpose of COuRAGE has been to significantly improve the security of citizens and critical infrastructures and to support crime investigators.
The key challenges addressed in the Research Agenda include:
• The speed of technological change: although the CC/CT regulatory, societal and technological research environment is evolving, it remains dispersed across regions and institutions;
• A lack of a clear strategy on the best method to address the multi-disciplinary nature of CC/CT;
• A lack of common terminology across disciplines hampers the multidisciplinary approach;
• A need to focus on the development of concrete solutions with detailed test and evaluation solutions including complementary guidelines.
The COuRAGE approach was built on three pillars, namely:
• A user centric methodology, to identify gaps, challenges and barriers based on real-world needs and experiences;
• An analytical and semantic approach, to deliver a taxonomy and create a common understanding of the subject with all stakeholders;
• A competitive and market oriented approach, to foster practical implementations of counter-measures using effective test and validation solutions.
COuRAGE has obtained accurate, robust and validated user requirements which are reflected in the Final Research Agenda and which improve the participation of citizens in the sharing of information and by sustained focus on cybercriminals and cyberterrorist activities. This agenda has been elaborated through a progressive and collaborative approach, consolidating contributions from the legislative, law enforcement, research and industrial communities represented by the COuRAGE consortium and the COuRAGE advisory board.
The agenda was delivered through the following incremental steps:
• A taxonomical categorisation of CC/CT after 6 months;
• An analysis of end-users’ requirements and of research gaps after 12 months;
• A draft release of the research agenda after 18 months;
• A final and validated research agenda, including roadmap and requirements for tests and evaluation after 24 months.
The agenda is further supported by a secure online platform (CyberConnector), which fostered a collaborative approach during the elaboration phase and offers a multi-lingual, advanced search interface that allows stakeholders to query the content of the agenda and acquire domain-specific knowledge, including statistical information about the most pertinent topics.

Project Context and Objectives:
Cybercrime is an increasingly important concern for policy makers, businesses and citizens. In many countries, societies have come to rely on cyberspace to do business, consume products and services or exchange information with others online. Between 2000 and 2012 the growth of Internet users was estimated at 393.4%. Smart phones can access high-speed data networks, enabling people to surf the Internet when on the move, and developments such as cloud computing are helping to realise the possibilities of limitless data storage. Khoo Boon Hui, former President of Interpol, announced in May 2012 a figure of €750 billion lost globally per year due to Cybercrime. Cybercrime doesn’t only cost society money; it also puts at risk our critical infrastructures, citizens and businesses, and our security, identity and privacy. Strategic and comprehensive action is therefore needed.
The uniqueness of COuRAGE has been to address the domain from a multidisciplinary perspective, combining the work of researchers in law and regulation, sociology and economy, computer and systems technologies. The result is a set of holistic recommendations for the development of research in CC / CT. The COuRAGE Research Agenda addresses a wide set of issues including those pertinent to protection of citizens and protection of critical infrastructure against CC / CT.
COuRAGE has combined bottom-up and top-down approaches to identify research topics that require attention. It has carried out a needs assessment as well as a collection of existing research with active stakeholder participation (including government, judiciary, and law enforcement, private sector, civil society and citizens). To carry out the assessment COuRAGE has created a state-of-the-art CC / CT Research Knowledge Repository, containing a comprehensive inventory of existing CC / CT research, categorised through an agreed CC / CT taxonomy. Gaps in research were identified using the stakeholders’ input, applying sophisticated semantic analysis technologies, designed to make use of the taxonomy as a searchable structure and to incorporate the extensive experience of the consortium and the high-level Advisory Board. The multi-stage comprehensive gap analysis ensured the identification of the most significant requirements for CC / CT research by cross-validating the outputs of the various approaches. Identification of required research was further enhanced by the consortium's strong awareness of current and developing European and international CC / CT research agendas (e.g. Europol, DG CONNECT, US DHS, FBI etc.). This ensured that the output is complementary in building additional value to other past and current approaches.

The objectives and subsequent outcomes of COuRAGE are described in the following:

1. Sub-dividing CC/CT into categories:
COuRAGE has created a state-of-the-art, real-life based, CC / CT Research Knowledge Repository, containing a comprehensive inventory of existing CC / CT research, subdivided into categories through an agreed CC / CT taxonomy (WP 3)

2. Find the major research gaps:
The CC / CT Research Knowledge Repository was analysed by applying sophisticated semantic analysis technologies designed to make use of the taxonomy as a searchable structure. Combined with the extensive experience of the consortium and the high-level advisory board, COuRAGE has identified research gaps in a systematic manner (WP 4)

Major research gaps have been further identified by active participation of stakeholders including government, judiciary, law enforcement, private sector, infrastructure operators, academia, and civil society. They have collaborated in a multidisciplinary, cooperative exercise (including workshops, focus groups and the use of social media) to elicit agreed research topics, according to their needs.

Cross-validation of the outputs of the gap-analysis methods has ensured that the most significant gaps in research were identified.

This gap analysis was further enhanced by the consortium's strong awareness of current and developing European CC / CT research agendas (e.g. Europol, DG CONNECT, US DHS, FBI, other FP7 research projects, etc.). This has ensured that the COuRAGE agenda is complementary and proactively engaged with other existing and on-going approaches.

3. Address the challenges facing CC / CT research:
COuRAGE has identified clear challenges and has directly addressed each of them through a structured approach. This has been the transversal contribution of COuRAGE, consolidated into the final research agenda (All WPs)
a) Speed of technological change: COuRAGE has developed an agile aspect to the research agenda, so that it can be open and proactive to change. This is supported by the COuRAGE research knowledge repository, online tool, and ongoing work to develop a consolidated roadmap with the CAMINO and CyberROAD projects (WP4, WP5). COuRAGE will further sustain the CC / CT Research Knowledge Repository, via the online portal and project website, to be used as a research monitoring mechanism. This enables integration of the latest research outcomes at an international level; monitoring the COuRAGE Research Knowledge Repository and using the integrated statistical and analytics features will provide monitoring of emerging CC / CT research interests.
b) Difficulty of realistic testing, validation and pre-certification: COuRAGE has proposed recommendations and measures for blueprints and guidelines for realistic test-beds for evaluating the outputs of technical and non-technical CC / CT research (WP6). Test and evaluation methods, techniques and tools have also been recommended for non-technical CC / CT solutions, including legal, societal and policy ones, based on the best practice found in the CC / CT Knowledge Repository and feedback from the stakeholder groups.
Initial recommendations for a European certification / accreditation approach for the evaluation of research and innovation results (including looking at the possibility of using the European Security Label model for this, with the example of ERNCIP addressing critical infrastructures, as an important element of the EU Security Industrial Policy) (WP6)
c) Working in a multidisciplinary environment: A user centric and cross-disciplinary approach has underpinned all the activities of the consortium.
This is based upon extensive prior research by partners that specifically focused on the current state-of-the-art in cross disciplinary working as well as applying this to on-going projects. The project team therefore started from a well-developed model of the process of establishing successful cross-disciplinary work. It is expected that such interdisciplinary problems lead to innovations within, among and between disciplines and stakeholders. We therefore view the overall COuRAGE project as being a potential example of trans-disciplinary working – within which individual interdisciplinary and multidisciplinary teams function (WP3,4,5,6)
d) Issues in international co-operation in CC / CT research: The COuRAGE CC / CT Research Knowledge Repository will be maintained and deployed at an international level (through CyberConnector) to assist and encourage cooperation and collaboration. The partners have also been selected in terms of the links they provide to international networks (all WPs).
COuRAGE language has provided translation solutions and is therefore able to include research documentation from Pan-European projects. The CC/CT domain engine is specifically tailored to the cyber-specific taxonomy.

4. Recommend desirable approaches to CC / CT research:
The COuRAGE CC / CT Research Knowledge Repository has provided partners and stakeholders with access to a repository of current research expertise. This has enabled them to explore approaches used in existing research and research results. The relationships between results and approaches can be examined. For specific categories of CC / CT, with enough examples of existing research in the Repository, new insight can be gained regarding good practice (WP3,5)

5. Recommend what needs to be in place for test and evaluation:
Produced guidelines and recommendations for test-beds, show-case scenarios and simulations for testing and evaluating real solutions (WP3,5,6). The COuRAGE CC / CT Research Knowledge Repository has provided stakeholders with access to a repository of current research expertise. This has enabled them to explore test and evaluation methods used in existing research and research results. The relationships between results and evaluation methods can be examined. For specific categories of CC / CT, with enough examples of existing research in the Repository, new insight can be gained regarding good practice (WP3)

6. Determine the extent to which we can test real solutions:
Determined the feasibility and boundaries of realistic, competitive, testing and evaluation within EU legal and ethical constraints, relevant to the test-beds, simulations and scenarios. For the research items on the agenda, examined existing successful testing mechanisms for real solutions in the same category.
Evaluated the feasibility with the industry, including critical infrastructure operators (WP2, 6)

7. Produce complementary guidelines on enhancing the surveillance of Cybercrime in order to ensure the security of citizens and of critical infrastructures against cyber threats:
Developed a set of complementary guidelines to monitor CC/CT (e.g. collect information to be able to inform potential targets about current trends) for stakeholders operating in this field (citizens, businesses including critical infrastructure operators, etc.). These guidelines were developed with the respective experts in CC/CT, for the different disciplines: societal, ethical, technological and/or legal and will be targeted for each specific community (the citizens, the Critical Infrastructures and services providers, the businesses etc.) (WP7)

Project Results:
COURAGE Final Research Agenda and Roadmap

Beginning in April 2014, the COURAGE (Cybercrime and cyberterrOrism (E)Uropean Research AGEnda) project undertook to deliver a research agenda defining and informing the priorities for future cybercrime and cyberterrorism research. The agenda identifies major challenges, reveals research gaps and recommends practical research approaches to address these gaps through strategies that are aligned to the real-world needs and requirements of practitioners, policy makers, citizens and other stakeholder groups. These strategies are supported by test and evaluation schemes defining metrics and performance indicators used to assess the impact of actions taken as a result of the project's research roadmap. In this regard, COURAGE's work was carried out with the overall objective of defining practical, grounded approaches that will assist in supporting private business and critical infrastructures, the capability of crime investigators and enhancing the security of European society as a whole. To achieve this, COURAGE undertook to address a broad range of key challenges, such as the speed and implications of technological change, raising awareness and education levels, the transnational scope and nature of cybercrime, data protection, cooperation and information sharing issues, amongst others. In the final research agenda, the final prioritized research topics, trends and challenges identified throughout the process are presented, along with other key supporting outputs, such as the COURAGE research roadmap, a summary of the legal, ethical and societal considerations associated with conducting research in the field and also an introduction to and overview of the consolidated research agenda developed in collaboration with the CAMINO and CyberRoad Projects, an output which serves as a collective cornerstone of the results of each of the projects.

In order to establish the research items, the project adopted a wideband Delphi approach as its primary means of electing and prioritising topics for research from the extensive network of stakeholders associated with the project. In total, more than 70 stakeholders, representing a wide variety of professions and backgrounds including law enforcement, academia, critical infrastructure, security professionals, and other bodies were consulted. The approach consisted of four main rounds (an initial survey acting as a boundary-setting exercise, followed by three rounds of focus groups) and was used to bring together opinions from a broad range of stakeholder groups in order to identify the key contemporary challenges faced by domain practitioners, researchers and other stakeholders. These findings were subsequently cross-validated, using a literature survey that analysed existing works and initiatives targeted at these areas to identify where gaps still remained. Based upon the findings from this process, the research topics were selected and presented, which provide insight into a number of areas where there is scope for research to make a significant impact in enhancing society's overall resilience to threats emerging from the cybercrime and cyberterrorism landscape.

The final list of research topics agreed upon by the COURAGE project consists of 12 items that cover a broad range of issues that have been a) identified as priorities throughout the project's stakeholder consultation process, and b) established as containing challenges that, as of the time of writing, are not yet being comprehensively addressed by ongoing or existing research and initiatives. These final research topics were developed and iteratively refined throughout the duration of the project, primarily during the tasks associated with WP4 and the stakeholder engagement process.
The following descriptions provide an overview of each of the identified topics. The full topic descriptions, using the topic structure used by the H2020 work programme, are included in the appendix of the final research agenda document (deliverable D5.6).

Topic 1: Legitimacy and effectiveness of blocking illegal content (including governance, regulatory and criminal procedures)
Blocking illegal content currently consists of two main approaches; removing it through notice and takedown procedures at the source or provider side and applying filtering and blocking techniques to prevent access at the destination or user side. The specific challenges that arise from these actions are associated with the difference in various nations’ laws and policies in relation to human rights and data protection, in particular. Illegal content incidents typically affect more than one country, and therefore will be defined and dealt with differently according to the nation’s approach to illegal content and human rights. There needs to be a balance achieved between these different approaches so that cybercrime occurring across several jurisdictions can be dealt with more effectively. Research under this topic should evaluate different legal systems’ effectiveness in blocking illegal content and how different laws affect cross-border evidence gathering and the potential application of technology in determining geo-location. However, it is often difficult to identify offenders in order to bring them to justice; therefore, research should address ways of overcoming this challenge. Transparency is also an important aspect to be addressed under this topic. Efficient methods for achieving transparency would provide information about what content is blocked and why.

Topic 2: Preventing and countering hate speech and other content-related offences that support terrorism
Work carried out by high-level European institutions and organisations, such as Europol and the Council of Europe, has identified the extensive use of the internet by extremists, terrorists and hate groups to spread fear and violence, including psychological warfare, distribution of propaganda and indoctrination of ‘lone wolf’ terrorists. It has been shown to be particularly effective in furthering the cause of such groups and has resulted in exposing many people, particularly those considered to be most vulnerable in society, to such content. Response to these activities poses a number of challenges including those associated with deficiencies in definitional and legal consistency, a shortage of reliable data and uncertainty in how to respond most effectively. Effective ways to prevent and counter illegal content are needed, as some actions have been shown to be ineffective and counterproductive, effectively providing a list of blocked sites which can be reverse-engineered. Human considerations associated with both offenders and audiences should also be addressed by research proposals. It is important to understand the characteristics and behaviours of offenders, but also those of audiences. Research which uses profiling and monitoring of users of extremist sites might be of great value, although the legal, social and ethical implications of this kind of research would need to be considered extremely carefully.

Topic 3: Detection and prevention of computer-related fraud
Computer-related fraud can be defined as an act of deceit to gain an unfair advantage through illegal access to, or interference with, a computer system. Typical acts include deception to obtain economic benefit, evading liability or the creation of false data as a result of interfering with a computer system. Preventing or minimising damage and loss are the main objectives of those dealing with computer fraud and therefore methods for early detection, particularly in relation to user and system behaviour, anomalies and deceitful characteristics, and also sustained response need to be further explored. Although laws exist to deal with this type of offence they are ineffective unless offences are noticed and reported. Victims are often oblivious to their details being stolen or are reluctant to report incidents. Research which adopts victims’ point of view and explores reasons for lack of reporting would enable a clearer picture of the nature and extent of fraud to be revealed. In turn, research could also be carried out which focuses on awareness raising and training. With this foundation, computer fraud detection methods for private users could be developed. Working together to combat fraud is another key area; research proposals should identify better ways for law enforcement agencies and vulnerable/targeted sectors to collaborate. With new methods of committing fraud being developed all the time, it is essential that current and emerging threat types are included in research proposals which would support continuing education, training and awareness and enable a more effective response to be developed.

Topic 4: Understanding challenges to the securitisation of copyright and enhancing the effectiveness of detection and prevention methods
Online copyright infringement is a complex area of cybercrime, due to the wide range of perpetrators and victims involved and the different levels of offending. Competing interests and diverse approaches to dealing with the problem add to this complexity. Equally strong and opposing arguments are made in relation to the general criminalisation of copyright infringement and the protection of net neutrality and freedom of information. Many difficulties largely stem from the fact that copyright infringement is a general term for a wide range of actions; from accidental, unintentional or negligent small-scale activities to the large-scale activities of corporations that undermine industries and are viewed as a threat to economies. There is a need for research to define categories of offences based on generally agreed upon criteria, taking into account different types of impact (e.g. social, economic) and providing, in collaboration with legal and ethical bodies, a sliding scale of severity of crime which can then be understood and dealt with appropriately. Large-scale copyright infringement should be researched at an international level to create a common understanding and to facilitate international cooperation of all stakeholders. There is also a need for research to provide knowledge about different types of offenders and their methods in order to provide increased awareness and training for those tackling this form of cybercrime.

Topic 5: Definition, characteristics and behaviour of the offenders and victims in cybercrime events
The scale and proliferation of internet use as a means to facilitate crime has also introduced new challenges for the social and behavioural sciences in addition to the technological and criminological disciplines we normally associate with studies in the domain. The potential overlaps and absence of clarity in distinguishing between cybercrime, cyberterrorism and cyber warfare, and often the inability to identify the origin of an attack, mean that there is significant benefit in assessing the impact of an attack and discerning the potential motivations behind it. The significant and widespread impact exerted by modern cybercrime means that the range of individuals and groups involved in committing, responding to, and preventing events is equally expansive. The sheer number and diversity of criminals and victims of cybercrime means that, despite the importance of analysing the various categories of actors, there has been little progress to date. In order to develop, deliver and improve intervention and prevention measures, this topic proposes research to help build our understanding of the diverse range of actors involved. Existing research has shown that cybercrime is no longer the preserve of technically skilled individuals and groups, so more work is needed to establish the underlying factors that contribute to the profiles of victims and offenders alike, in addition to establishing human, environmental and other factors that drive cybercrime.

Topic 6: Advanced tools for digital investigation in compliance with privacy legislation and regulation
This research area acknowledges the competing challenges faced by law enforcement agencies investigating cybercrime and cyberterrorism. There is a need to achieve a balance between privacy and data protection and effective law enforcement techniques necessary to tackle cybercrime and cyberterrorism. The nature of the offences often requires LEAs to collect and analyse large amounts of (sensitive) personal data. High-profile incidents involving large internet providers have led to increased suspicion and mistrust by the public in relation to data collection by public authorities. Therefore, investigation tools, including computer forensics, which proactively respect privacy and data protection rights, need to be developed. This will serve to reassure the public and ensure investigations are compliant with legislation. The ways in which Privacy-Enhancing Technologies and Transparency-Enhancing Technologies can be used in an investigative context need to be researched. Research should adopt a pan-European approach and take into account upcoming legislative changes in the area of data protection. Reassurance and trust between digital service providers, data controllers and LEAs also need to be increased. This would assist in creating mutual understanding and long-lasting cooperation.

Topic 7: Preventing and countering CC/CT activities on the dark-web and similar networks
Part of the internet known as the ‘Dark Web’ has become infamous due to its use as a vector for the proliferation of a wide range of illegal activity. This is facilitated by the use of applications and network protocols for access, encryption and anonymisation making it largely inaccessible using traditional investigative tools and technologies. Many different types of crime, often including the most serious and organised, are supposed to be carried out in this environment. In recent years, drug and weapon trafficking, terrorist activity and child sexual abuse among others have all been alleged to make use of ‘dark-web’ services. There are also indications that the dark-web is increasingly being used to host botnet command-and-control infrastructures. Research in this area needs to focus on the nature and behaviour of those engaging in illegal activity in this environment and the development of tools and technologies to discover and counter such activity. This would also help to create a manual of standards, norms and good practices for further research. Research under this topic can ensure maximum impact and exploitation of results by involving relevant end-users, such as law enforcement agencies.

Topic 8: Definition and harmonisation of CC/CT Terminology throughout the EU
The definitions and understanding of terminology used in reference to cybercrime and cyberterrorism are, in some instances, inconsistent across EU Member States, potentially causing confusion and in extreme cases hindering the effectiveness of law enforcement, prosecution and international cooperation efforts due to the ambiguity surrounding the subject area in general. Harmonising terminology in both areas of cybercrime and cyberterrorism is crucially important in defining how the law enforcement sector should cooperate in an EU and broader international context. Without a clear understanding of the characteristics that distinguish them, these areas will be hard to address properly across all relevant levels. The absence of equal representation and understanding of terms from both areas of cybercrime and cyberterrorism, the lack of definition of terms and the different taxonomies in current use in the field have been identified as problems by academia, LEAs, and by entities representing legal and ethical organisations as well as by the critical infrastructure stakeholders. In this topic, it is proposed that efforts must be made to increase levels of knowledge exchange among stakeholders, leading to the provision of harmonised and standardised terms through the development of a new taxonomy framework that involves all aspects of cybercrime and cyberterrorism, specifying their differences and commonalities.

Topic 9: Standardisation of methods for enhancing preventative tools and strategies pertaining to CC/CT
Reliance on computerised information systems is an everyday feature throughout every sector of society. Despite this fact, cyber and information security are frequently considered to be IT problems, rather than appreciated as the wider organisational risk that they are. The adoption of appropriate standards can play an important part in establishing practices for auditing, risk assessments and assuring information security not only from a technical but also a broader, organizational perspective. Such measures also serve to create harmonised standards and a common language for managing cyber-security risks across the wider business supply chain. Research should adapt existing approaches and propose new holistic ones. The benefits of responding to cybercrime could then be understood in the context of specific requirements of different sectors, of small and medium enterprises and of the critical infrastructure. Road-mapping the pathways to this type of activity requires engagement with standardisation and other EU bodies so that challenges related to cyber-security, cybercrime and cyberterrorism can be addressed comprehensively.

Topic 10: Managing different levels of legal frameworks for illegal content: questions of geolocation and jurisdiction
Cybercrime is increasingly a cross-border issue, potentially involving a number of different countries and territories each with their own legal frameworks and jurisdictions. This 'internationalisation' of crime creates new challenges for law enforcement. This includes issues such as the reporting and deletion of illegal content, the collection of court evidence, cross-border accessibility of data and other issues. Related to the problem of gathering court-admissible evidence in this context is the issue of locating offenders in order to bring a prosecution. Geolocation technology has been only partly successful in this respect and more research is required to understand and address the ability of cybercriminals to act anonymously. The location of criminal activity and the location of the victims also raise issues about investigating and prosecuting offences. In the absence of harmonised international and national legal frameworks, which country enforces laws and whether the online content is deemed illegal in all countries that it affects are important complications to be addressed. In this research topic, the identification and development of new methods that enable LEAs to gather and share information across geographic borders resulting in improved cross-border cooperation among international and public/private authorities is required, which will support the development of new standards for harmonising collaboration between the private sector and law enforcement.

Topic 11: International and public / private cooperation
The importance of cooperation between national authorities and the various public and private sector organizations in the fight against cybercrime and cyberterrorism has been widely acknowledged. Tackling the complexity of such criminality is no longer the sole remit of law enforcement; but rather the responsibility and commitment of all those involved. In particular, the private sector is well positioned to carry out proactive tasks such as botnet takedowns and discovering and blocking online illegal content as well as providing technical support and specialist software to law enforcement. Although some positive steps have been taken to facilitate strong cooperation, holistic success is still some way off and encouraging cooperation and identifying practical ways to increase levels of information sharing between those involved remains a key area for research, policy makers and practitioners alike. Differences on many levels create challenges in this regard; willingness to share data, different legal systems, language barriers, and cultural and policy differences are key difficulties. Another important issue is the perception of those involved with and affected by actions and more needs to be done to raise awareness in order to find a pathway through the uneven legal landscape and foster a culture of genuine cooperation. Frequently, the private sector is reluctant to share the personal data of their customers and there have been several instances where public opinion has opposed the introduction of measures that facilitate it. Thus, the requirement for a balance between ensuring public safety and the respect of what are seen as the fundamental rights of individuals is needed. Research focusing on specific issues within this area needs to explore current barriers to international and public / private cooperation so that the roles and limitations, in respect of legal restrictions and societal acceptance, are fully understood. 
Best practice guidelines, incorporating greater incentives and safeguards, can then be provided to achieve better collaboration and so increase cyber-resilience on an international scale.

Topic 12: Collective awareness and education for increased societal resilience to CC/CT threats
This topic focuses on the identification and facilitation of new approaches to enable the enhanced resilience of society to cybersecurity threats through increasing awareness and education. All levels of stakeholders across society will have to be involved, ranging from citizens through to security professionals, policy makers and the private sector, with special focus on the critical infrastructure. Prevention strategies, and in this context, particularly those associated with increasing awareness and standards related to online safety and information security play an important role in improving societal resilience to cybercrime, while 'human security' specifically is an important factor as popular attack vectors such as social engineering and phishing continue to exploit human security vulnerabilities. Under this topic, research will focus on the identification of new approaches to increasing societal awareness, and subsequently readiness, to deal with cybersecurity threats and cybercrime. Where necessary, the impact of new and emerging technologies and behavioural changes that occur because of them should be identified and considered. The research proposed should identify and address awareness and education needs across levels and sectors, such as national teaching curricula for citizens, training for law enforcement and other public and private sector institutions, etc.

The COURAGE Research Roadmap (D5.5) provides a description of different stakeholder roles and an outline of recommended actions for each of the COURAGE research items. The roadmap proposes a number of short, mid, and longer term actions to enable the achievement of the expected impacts outlined within each of the research topics. These recommended actions are presented across three primary target groups (law enforcement agencies (LEAs), solution providers, and research and technology organisations (RTOs)) and four areas of focus (legal, ethical and societal issues, policy, accreditation and certification, and education and awareness-raising). The following summary outlines the key actions suggested for road-mapping the implementation of the COURAGE research agenda across each of these categories. The complete set of recommendations and actions can be found in D5.5.

Solution providers
Private sector solutions providers have a key role to play in the implementation of the proposed research agenda, as the services and products they offer are often those employed by other public and private sector organisations in the management of day-to-day operations. Therefore solutions providers have a key role to play in the research domain in closing the gap between the security challenges posed by the external environment, the requirements of the end-user and breakthroughs in research and technology. The private sector also harnesses the individual and collective expertise needed in order to bring innovative and state-of-the-art products to market. They can have a positive impact in a collaborative capacity through exposing data and expertise with other key stakeholders, such as providing information on how vulnerabilities affect their systems and software, and offering insights into capacity to design, administer and maintain secure products.

One of the primary recommended avenues for private sector collaboration is with LEAs by working more directly with them to develop new ways to detect and monitor illegal usage and to identify technologies that can be exploited to facilitate cross-border evidence acquisition and in bridging cross-border jurisdictional and information sharing issues.

Examples of the ways in which solution providers could contribute to the implementation of a CC/CT research agenda include proposing solutions for:
- Monitoring users and content associated with identified extremist groups
- Recognising hate speech and content related offences that support terrorism in communication among monitored users on the web and social media platforms
- Combatting computer related fraud
- Improving the early detection of cyber threats and new vulnerabilities that can be exploited to breach the security of computer systems
- Detection and prevention of copyright infringements
- Categorising and classifying CC/CT acts with regards to a common taxonomy cataloguing the different criminal applications of the Internet and the different types of hacking
- Automatic data acquisition tools, including accessing data from the Dark Web and Darknets
- Improving the interoperability of enterprise information systems

They can also provide tools and techniques for identifying patterns of suspicious online behaviour, monitoring victims and crime actors, big data analysis, indexing and searching the saved contents of the Dark Web or Darknet, and implementing shared knowledge repositories of standardised terms of the CC/CT taxonomy. Concerning standardisation, software assurance, systems security engineering, and supply-chain (or value chain) risk management should be the focus for providers with the ultimate aim of achieving an EU security label for products and an EU cybersecurity certification for services.

Law Enforcement Agencies
LEAs across all Member States face new challenges, posed by the proliferation of new and emergent forms of criminality, particularly those further enabled by, and in some cases dependent on, the penetration of the web and information systems into almost all facets of business and the everyday lives of citizens. The scope of online crimes such as fraud and identity theft has increased, while recent analyses have suggested trends towards more aggressive overt forms of crime, with the use of extortion becoming commonplace via the use of crypto-lockers. Furthermore, cybercrime is no longer the sole remit of skilled, technically literate, or well-resourced criminal enterprises, with tools that enable DDoS and other attacks available to those with basic levels of competence. The challenges faced by law enforcement are further compounded by austerity measures, which have resulted in significant funding cuts across many European police forces.

For these reasons, the inclusion and involvement of LEAs serves two broad purposes: Firstly, in developing competitive advantage in terms of preventative and investigatory capability, and secondly, as a means of increasing efficiency in response to the aforementioned spending cuts. The actual value proposition of LEA involvement comes in the form of contributing information on actual trends in criminal behaviour, existing practices, and requirements. It is worth noting that there have been multiple signs of positive development and progression that can be built upon further. COURAGE stresses that such practices should be further reinforced alongside additional best practices and recommendations. In particular, current promising practices include:
• Specialised CC/CT task forces and units
• Embedding of specialist skills in standard police units
• Community cyber-policing
• Ongoing cooperation with ISPs
• University partnerships
• Internal cyber-skills development
• Involvement in community education
• Increased awareness and capabilities of technical requirements and training through cooperation with industry
• Increasing trans-national LEA cooperation and information sharing, greater coherence and interdependence of CERTs

Research and Technology Organisations
RTOs play a vital role in the realisation of many of the threats associated with the continued challenges of cybercrime and the emerging threat of cyberterrorism. Academic institutions play two roles in this regard, firstly in unpacking the theoretical and practical challenges identified in the domain towards enabling and facilitating the development of practical solutions, recommendations and contributing to society's wider knowledge pool. Second, as well as housing many worldwide experts on the subject matter, academia is also responsible for educating the next generation of experts, and other professionals, and developing the teaching curriculum for future generations. RTOs also play host to Computer Emergency incident Response Teams (CERTs), and regularly lead the development of state-of-the-art technological breakthroughs in security.
With respect to the solution providers, RTOs have a unique complementary position in being able to channel, test, and transfer innovation with a longer-term perspective. In cooperation with European legislative authorities, they are also able to support the definition and proposal of policies by providing environments in which the potential impact of regulations can be tested. This second aspect, which has been consistently detailed across the different items of this document, is an important development that is required to ensure that policies and regulations are realistic.
Indeed, one of the key cyber-related challenges we are facing builds on the fact that the traditional mechanisms of evolution, identification, prosecution are not applicable in practice. Firstly, because CC and CT propagate at speeds that we cannot easily oversee. Secondly, because it is inherently a cross border issue, thereby creating the need for a trans-national legal framework that does not yet exist. Finally, because it leaves a trail of electronic data and information the uptake and usage of which as a valid base in prosecutions are neither fully defined nor agreed upon. In this context, RTOs could play a key role both in deploying test beds and innovative approaches and in linking the interests and activities of the private sector and public authorities.

Legal/ethical/societal
European and national legislative authorities have an essential role to play in the areas of regulating the blocking of illegal content, defining the different scales of copyright infringement, providing a constitutional balance between surveillance and privacy, as well as defining appropriate data retention obligations.

Recent events have only escalated the privacy vs. security argument among security stakeholders and commenters, re-emphasising a number of issues around the legal and ethical challenges associated with cyber-security. Part of this involves the legality (and ethics) associated with the use of encryption and anonymisation tools to access the internet and legislation to support the protection of fundamental rights.

Encryption appears to be at the core of privacy, whereas anonymity seems to be more at privacy’s periphery and perhaps eligible to be curbed by legislation. Under the umbrella of privacy is also the area of data protection which is about to be reshaped by the future EU Data Protection Regulation. A further fundamental human right thrown into the difficult and challenging constitutional balancing act is the freedom of expression.

Another challenge is the lack of societal acceptance for copyright law in the digital environment. This raises the ethical question whether a large part of society should be criminalised as end-user or whether there are perhaps alternatives for raising money to remunerate creators for their protected work.

All these aspects require thorough research if adequate legislation is to evolve for these areas. This research includes looking in more depth into the responsibilities and liabilities of internet service providers and their interplay with prosecution and intelligence services.

Policy
From a policy perspective, the implementation of the research agenda should be mainly supported through mechanisms of collaboration between relevant EU and Member State agencies, and key CC/CT stakeholders.

The involvement of policy actors in implementing CC/CT research serves the following main purposes:
• To provide policy frameworks, legislations, and regulations that can support and provide the legal basis for a pan-European implementation of research priorities.
• To ensure that existing and newly implemented frameworks, legislations and regulations are flexible, applicable, and able to withstand the velocity and dynamicity of emerging cybersecurity threats, vulnerabilities and technological changes. This includes ensuring that such policies are neither so vague as to allow for loopholes, which may be damaging to human rights (MacAskill et al., 1992) or open to exploitation by criminals, nor so strict and specific that they quickly become insufficient.
• To provide the necessary collaboration mechanisms and platforms for stakeholders to come together and share information about CC/CT issues.
• To consolidate and share best practices across Member States
• To support EU standardisation efforts: policy-makers should continue to encourage vendors to agree on the use of standards, and encourage both private and public sector organisations to include references to these standards in procurement processes. Governments should incorporate standardisation as part of their national cyber security strategies. Emphasis should be put on improving the coordination between policy and operational levels, and enhancing the role of public-private partnerships in standardisation processes. Member State Regulatory Authorities should make greater use of standards as a point of reference in enforcing regulations.
• To support and encourage funding for CC/CT research
• To promote harmonisation of terms and approaches related to CC/CT

These efforts should be strengthened through the setup of a public-private partnership; the public side being led by the European Commission with support from Europol/EC3, and the private side being led by representative organisations such as the European Organisation for Security (EOS).

Accreditation/certification
Any adoption of certifications and standards needs to address certain challenges, motivators, incentives, and barriers and constraints, which should be taken into account when implementing the suggested research agenda items.
Current challenges within the area of accreditation and certification include the fact that there are few cyber-security standards relating to products and services as well as a lack of assured products and services available in the EU market. Some organisations are concerned this leaves them to function at risk or mitigate these risks at cost to themselves. There is also a perceived lack of information and guidance relating to the implementation of standards as well as a lack of clarity on what standards to comply with to best suit their organisational demographic and needs. The lack of mandate or legislation of cyber security for organisations means a lack of incentive to invest for many organisations who find it difficult to identify a business case to do so. Finally, many organisations (specifically SMEs) struggle to know what standard or guidance to refer to for ‘best practice’ as the industry is overwhelmed in certain areas, specifically organisational related standards, and significantly underwhelmed in other types such as products, services and people.
The current drivers should motivate the implementation of research:
• Prevention of an internal breach
• Compliance with laws and regulations
• Protection of own and customer interests
• Transferring or reducing risk through reliance on a third party supplier and ensuring that this service provides compliance for the organisation
There are also clear incentives when addressing accreditation and certification in research. This includes proactive incentives such as implementing standards as a result of identifying a perceived risk to the organisation and reactive incentives to implement standards as a result of the organisation experiencing a cyber security breach. Affordable certification is achieved through a range of standards that provide a suitable option for the companies’ needs at a representative price and a clear articulation of the return on investment for cyber security standards is an added advantage. Clear guidance on how to achieve internal implementation of the right standard should be an incentive as well as access to new markets and customers through the attainment of certification. It should be noted that companies with a dominant position have few incentives to adopt interoperable standards, because it would only reinforce the position of their competitors. For a dominant vendor there are advantages to using proprietary standards, because they lock the customer in. This lock-in means that the customer cannot buy or integrate compatible products from competitors, which generates more revenue for the provider, while it is hard for customers to switch to another supplier, because they cannot easily move their data and processes to a competitor.
Finally, the following barriers and constraints should be considered for accreditation and certification of research:
• Sub optimal level of awareness of the associated risk
• Cost and difficulty to calculate return on investment
• A lack of incentive or clear business case to invest
• Affordability of standards compliance and certification
• Small organisations generally feel their footprint is not big enough and does not carry enough risk to warrant an extensive expenditure in cyber security standards
• Some large organisations feel that compliance to standards is not the most important indicator in justifying their operational success in cyber security
• Lack of management direction and suitable support from executive boards
• Global organisations fear that legislating standards could slow down operational output as the process to constantly remain current could be exhaustive and counterproductive in protecting their organisation's assets from cyber threats
• Resource intensive to implement
• Although some providers see their use of recognized standards as a unique selling point, there are also many cases of companies with a dominant position, who insist on their own proprietary standards and fail to constructively support and implement standards for their products
• In some areas of information security there are several different groups of standards that are defined. To some extent, these standards are competing with each other for adoption and it is often difficult for the end user to judge which is best for their particular requirements. Occasionally, it is necessary to mix and match standards from different families in order to achieve the goal. For instance, when implementing Public Key Infrastructure (PKI), it is not unusual to see organizations adopt a combination of standards (for example X.509 (ITU) for the certificate format, PKIX (IETF) standards for core PKI and PKCS (RSA) standards for interfacing to secure devices)

Education/awareness-raising
In terms of education we should differentiate between the needs of end users, the needs of students and the continuing education requirements of professionals. In each of these categories we could identify different groups and their ever evolving needs, whilst also maintaining an ongoing analysis of what factors help to make training and awareness initiatives effective towards the development of more robust mechanisms. Recommended actions:

• End-user education: a focus should be placed upon Internet safety and on the safe use of information and communication technologies. The educational programmes should take into consideration the latest technological developments and the particular target group needs.
• Student education: these educational agendas should emphasise building a network of highly educated specialists in the area of CC/CT. University curricula should be adjusted in accordance with digital market needs and include disciplines covering forensics, critical information infrastructure protection and open source intelligence techniques. Furthermore, it is important for additional stakeholders, such as the legal, ethical, LEA, and standardisation sectors to take an interest in, and actively work alongside future talent pools. This will provide a two-way benefit scheme, and help to reinforce education and also reinforce future cybersecurity trends and technologies.
• Professional education: this category could be divided into different professional groups: law enforcement, prosecutors, judges and other government representatives responsible for combating cybercrime and strengthening cyber security, industry experts, and military representatives. Efforts should be made to increase the inter-departmental and inter-sector awareness of each other’s capabilities, limitations, and methods for enhancing future abilities through greater cooperation.

At EU level, responsible organisations for this topic could include EC3, ENISA, CEPOL, Eurojust. Their activities are also supported by pan European networks such as ECTEG, 2Centre Network, Global Alliance against Child Sexual abuse online. Finally, more emphasis should be put on synergies between civilian and military approaches to protect CIIP.

Consolidated Roadmap (with CAMINO and CyberROAD)

In response to formal recommendations made by the EC following the joint first review meeting of the CAMINO, COURAGE and CyberROAD projects, held at the offices of the European Commission, Brussels on June 4th 2015, the three projects undertook to consolidate the respective outputs of each project into a single, unified and easily digestible research roadmap that can be distilled to form the basis of future European related policies and funding initiatives. In order to facilitate the consolidation of the three respective research agendas/roadmaps, each project committed to the development or adaptation of its research items in a normalised format and within an agreed framework (such as CAMINO THOR - Technical, Human, Organizational, Regulatory, the CyberROAD road-mapping methodology or COURAGE research agenda and test-beds). In this respect, an agreed template was produced by the COURAGE consortium. Each respective research agenda item was developed within this template, describing the following characteristics for each in line with the format used by the European Commission to describe topics under the Horizon 2020 funding mechanism:
• Specific Challenge - Provide background information and insights into the problem domain, the specific challenges and issues being faced as a result, and an overview of what the proposed research should address.
• Scope - Set the boundary for what the research should aim to achieve and the specific outcomes which are expected / needed of the research in order to sufficiently address the specific challenge previously outlined.
• Expected Impact(s) - Outline explicitly the expected beneficiaries of the research, and how it will provide value.
• Key Objectives - Provide a set of targeted objectives for the research in line with the expected impacts, scope and specific challenge(s).
• Timeline for actions - The provision of short (1-2 years) and medium (5 years) term milestones, in terms of impact and realisation for each of the research objectives.
• Barriers and risks to achievement - Outline any risks and barriers that exist in relation to the research topic which may prevent the objectives from being achieved, and measures that could be implemented to mitigate them.

The items resulting from each project were subsequently distilled, qualitatively analysed and where appropriate aggregated in order to form the consolidated research roadmap.

The Consolidated Research Topics

The exact process for defining research items is dependent on the project from which they are derived. This is discussed in detail in the respective outputs of the CyberROAD, CAMINO and COURAGE projects. In order to distil and consolidate these outputs a basic thematic analysis was conducted. The basic premise of the thematic analysis was to identify thematic similarity across different data. The overview of the research topics is then provided, again categorised using the four 'THOR' (Technical, Human, Organisational and Regulatory) dimensions.

Research Topic Descriptions

Technical
Strengthening emerging tools for big data analysis, cloud forensics and security

Cyber-attacks are not always immediately visible due to their nature or intensity (e.g., amount of traffic they introduce). Therefore, techniques using big data tools have recently been adapted. Recent research has shown that in-depth analysis of large volumes of data (received from different segments of IT networks) has a unique capability of revealing interesting patterns. This concept can potentially be adapted and applied to many cyber-security areas, namely: spam detection, botnet detection, malware analysis, web-based infection, network intrusion detection systems.

This topic is focused particularly on the correlation of capabilities for big data analysis and scalability of big data tools and methods. The topic also includes consideration on the challenges related to the realistic workload conditions of currently used test-beds that have to operate in real-time or near real-time. Moreover security of big data infrastructures is also addressed.

As a result of the recommendations given in this topic, we expect that typical network monitoring solutions will evolve into context-aware systems which allow the user to identify current cyber-security problems and, more importantly, their roots. The second important expectation is that the test-bed community will use a wide variety of data samples (data sets), containing different malware and real and synthetic network traffic characteristics (or other challenging problems), that will be widely available to researchers.

Establishing metrics and frameworks for cyber security testing
One of the most important and in-demand aspects of every product, system or even organisation is quality: guaranteeing fundamental characteristics such as reliability or availability in any system. Moreover, if the system is a security one, quality is an essential part of revealing the development team’s confidence in their system or product. Therefore, activities focused on maintaining and improving this quality are needed, and the most effective ones are testing and simulation processes. Concepts such as automated tools or cyber exercises between companies will help to raise the awareness not only of those responsible for cyber security, but also of the rest of the staff. And finally, in order to promote and encourage the realisation of all these necessary actions, proper regulations and standards should be made and discussed, and thus achieve a desirable and prepared environment to benefit all these good practices.

Therefore, the key points of this topic include Security-by-Design issues, development of representative security metrics, sharing of information about vulnerabilities, and building open test beds for testing cyber-security. On the other hand, issues of access control and trust management in distributed environments are also addressed. Finally, the ultimate goal of development and implementation of the specified topic milestones is objectiveness and measurability of cyber security for assurance purposes.

Countering cybercrime affecting mobile and IoT devices
Nowadays, one of the main challenges in countering cybercrime is the large and still increasing number of malware samples. The evolution and changeability of malware and botnets (e.g. new, fast-evolving botnet architectures) are also factors that should be addressed by the research communities to fight more effectively against cybercrime. This is particularly important in the context of the limitations of existing signature-based scanners and malware detectors. On the other hand, cybercrime also affects mobile devices, and in the near future will affect micro devices (now not often connected to the Internet), which will be exposed to cyberattacks in conjunction with the growing popularity of the IoT (Internet of Things) concept.

Primarily, this topic focuses on the development of new paradigms for fighting against malware targeting mobile and small/micro devices, including new ways to counter evolving and robust botnets and to detect them. Investment in a large-scale (even Internet-scale) testing environment is also one of the points addressed in this topic, due to the need for prediction of botnet evolution, safe observation of malware spreading directions and timing, as well as setting up the most effective containment strategies.

Human

Collective awareness and education for increased societal resilience to CC/CT threats
This topic focuses on the identification and facilitation of new approaches to enable the increased resilience of society to cybersecurity threats through increasing the awareness and education levels of stakeholders across society; ranging from citizens through to security professionals, policy makers and the full spectrum of private sector and critical infrastructure providers. Prevention strategies, and in this context, particularly those associated with increasing awareness and standards related to online safety and information security play an important role in improving societal resilience to cybercrime, while 'human security' specifically is an important factor as popular attack vectors such as social engineering and phishing continue to exploit human security vulnerabilities.

Under this topic research should focus on the identification of new approaches to increasing societal awareness, and subsequently readiness, to deal with cybersecurity threats and thus cybercrime. Where necessary, the impact of new and emerging technologies and behavioural changes that occur because of them should be identified and considered. The research proposed should identify and address awareness and education requirements across levels and sectors, such as national teaching curricula, law enforcement and other public and private sector institutions.

New standards for private data minimisation, appropriate use and re-use of data and Privacy-enhancing technologies
With surveillance powers and techniques a very current topic, both from the perceived excessive use in some quarters and the inadequate interpretation of available evidence in others, the roadmap towards more effective implementation of Privacy-enhancing technologies is inexorably entwined with the development of forthcoming legislation, and the regulatory interpretation of these. In particular DPR, eIDAS, and Payment Services Directive 2’s early adoption through SecuRe Pay, introduce requirements for the adoption of PETs (Privacy-enhancing technologies), albeit through the adoption of undetermined techniques or technologies, even in advance of their formal ratification into EU or Member State legislation. These advance regulatory roadmaps provide an interesting, and often unexpected, set of requirements to the organisations handling sensitive personal data.

Another issue raised in this topic is the fact that under a range of current regulations and industry standards, across a wide and varied range of industries, the use of data is frequently, but not universally, restricted to the use originally intended when data was collected. Users also face a range of opt-ins or opt-outs to the use, or subsequent re-use, of this data. The advent of big data has made the search for new uses of data held on existing systems a growth industry, but there are strong human and ethical concerns raised through this re-use. The application of these existing data sets for LEA purposes has caused some debate, and our Roadmap will provide pointers to those issues that need to be addressed and to what timescale.

Definition, characteristics and behaviours of the offenders and victims in cybercrime
The scale and proliferation of Internet use as a means to facilitate crime has also introduced new challenges for the social and behavioural sciences, in addition to the technological and criminological disciplines we normally associate with studies in the domain. Because of the potential overlaps and lack of clarity in distinguishing between cybercrime, cyberterrorism and cyber warfare, and the frequent inability to immediately identify the origin of an attack, there is significant benefit in assessing the impact of an attack and discerning the potential motivations behind it. The enormous, widespread impact exerted by modern cybercrime means that the range of individuals and groups involved in committing, responding to, and preventing events is equally expansive. The sheer number and diversity of criminals and victims of cybercrime means that, despite the importance of analysing the various different actors, there has been little progress to date.

In order to develop and deliver improved intervention and prevention measures, this research topic proposes research to help build our understanding of the diverse range of actors involved. Research has shown that cybercrime is no longer the reserve of technically skilled individuals and groups, so more work is needed to establish the underlying factors that contribute to the profiles of victims and offenders alike, in addition to establishing human, environmental and other PESTLE factors that drive cybercrime.

Organisational

Adapting organisations to the cross-border nature of the Internet and cybercrime/ terrorism
Nowadays, competitiveness is global, so any company or system can receive an attack from anywhere on the planet. Therefore, it is vitally important that regulatory differences between countries are known and understood, and consequently organisations should be aware of this fact and protect their assets and intellectual property taking this into account. Organisations need to adapt so that they think, protect their systems and networks, and cooperate without borders. Therefore, key research points of this topic concern homogenisation of law, cooperation between Law Enforcement Agencies (LEAs), CERTs, governmental cooperation in terms of cross-border monitoring and information sharing. Top priority milestones also include interoperability of forensic tools and best practices.

Creating user-friendly terminology, language and features to assure a better understanding of cyber security challenges
The definitions and understanding of terminology used in reference to cybercrime and cyberterrorism are, in some instances, inconsistent across EU Member States, potentially causing confusion and in extreme cases hindering law enforcement, prosecution and international cooperation efforts due to the ambiguity surrounding the subject area in general. Harmonising terminology in both areas of cybercrime and cyberterrorism is crucially important in defining how the LEA sector should cooperate in an EU and broader international context. Without a clear understanding of the characteristics that distinguish them, these areas will be hard to address properly across all relevant levels. The absence of equal representation and understanding of terms from both areas of cybercrime and cyberterrorism, the lack of definition of terms and the different taxonomy in current use in the field is identified as a problem by academia, LEAs, and by entities representing legal and ethical organisations as well as by the critical infrastructure stakeholders.

In this topic, it is proposed that efforts must be made to increase levels of knowledge exchange among stakeholders, leading to the provision of harmonised and standardised terms through the development of a new taxonomy framework that involves all aspects of cybercrime and cyberterrorism, specifying their differences and commonalities.

Promoting EU Institutional support to generic challenges and obstacles at the enterprise/ company/ SME level including incentives for cyber insurance
Common / unified institutional support is needed to promote changes at the enterprise, company and SME levels. The creation of an expert committee at the request of the main involved countries can contribute to overcoming these obstacles and challenges at a European level. In addition, an information sharing platform can help the approach and collaboration between interested parties, making quick and efficient ideas/problems sharing possible. This support will assure the minimum protection needed in these organisations.

On the other hand, it is widely accepted that achieving perfect security is impossible. Security accidents and data breaches will occur regardless of the amount of security controls and practices applied (though with much lower frequency). Thus, organisations have to deal with the residual risk. Recently, insurance, a usual treatment approach for residual risk, was applied to the cyber world. The developing cyber insurance market faces a number of unique as well as usual (for insurance) challenges, in particular heavy information asymmetry, lack of statistical data, interconnected security and correlated risks, rapid change of the risk landscape, unclear underwriting language, etc.

Regulatory

Dealing with different levels of legal frameworks for illegal content: questions of geolocation and jurisdiction
Cybercrime is inherently a cross border issue, potentially involving a number of different countries and territories each with their own legal frameworks and jurisdictions. This 'internationalisation' of crime creates new challenges for law enforcement. This includes issues such as the reporting and deletion of illegal content, the collection of court evidence, cross-border accessibility of data and other issues.

This research topic concerns the identification and development of new methods that enable LEAs to gather and share information across geographic borders, resulting in improved cross-border cooperation among international and public/private authorities, and that support the development of new standards for harmonising collaboration between the private sector and law enforcement.

Electronic identity and trust services for data protection across borders
The research community will need to address the technical standards to be agreed for the degrees of identity and authentication, and the circumstances under which each is appropriate. The research community will play a vital role in this area as what is perceived to be ‘uncrackable’ in some Member States (or nations outside the European Union) could have relatively trivial flaws when looked at from outside. A majority of classes and applications of cybercrime and terrorism contain a misrepresentation of identity or an attempt to authenticate access to goods or services that the attacker has no legitimate use for. Currently a plethora of standards exists that enable the identification and authentication of genuine users. At present there is no interoperability between these, and there are poor controls over what constitutes ‘strong authentication’ sufficient for each respective application.

The proposed research identified in this topic includes the timetable for the implementation of eIDentity, Authentication & Signature regulations, and the steps necessary to ensure its impact internationally. Equally, with the payments industry now being required to look at early adoption of the Second Payment Services Directive (PSD2), the Identity/Authentication roadmap has moved forward dramatically as one of the key cybercrime asset classes, and one of the most likely candidates for higher level eIDAS requirements.

Comprehensive legal system to fight against CC/CT
This topic reflects the current needs and challenges that facilitate requirements for improvements to the legal systems and related processes that impact upon all phases of cybercrime cases. One of the main efforts to be done in this area is the improvement of digital forensic products, services and procedures. In particular, it is important to ensure an adequate flow of information at the different stages of the investigation - from disclosure of crime, securing and preserving evidence and its processing, up to the judicial decision.

In this context it is also important to ensure and develop appropriate levels of knowledge and expertise across all the actors involved in the judicial process. A major improvement in information sharing and cooperation between victims, LEAs (the Police), the prosecution and forensic experts and finally the judges/courts is needed.

Potential Impact:
COuRAGE will substantively contribute to EU and international CC/CT research through a strong stakeholder focused set of coordination actions. These actions have included the identification of current research challenges, research gaps, development of a research agenda, knowledge repository, evaluation criteria, research roadmap and complementary guidelines.

The COuRAGE project has also maintained a constant focus on:
• Addressing the technological issues as well as the cooperation and regulatory ones – with a clear complementary link into the specific communication and IT issues addressed by the relevant DGs
• Existing and future high level and strategic objectives in terms of future European capabilities
• Existing and future requirements from the end-users’ community / citizens and the regulatory / Legal / societal and ethical context

The COuRAGE Research Agenda includes a detailed taxonomy to include sub-divisions of CC / CT, and is complemented by a clear roadmap addressing the following challenges:
• Obtaining accurate, robust and validated user requirements which can be reflected on the proposed research agenda;
• Increasing the involvement of citizens in the sharing of information and by building a permanent and continuous support focus against cyber criminals and cyber-terrorist activities;
• Supporting the speeding up of the “time to market” of innovations;
• Creating a coherent model of the benefits of CC/CT research across public authorities and private stakeholders, including incentives for these private stakeholders to increase their commitment to researching, delivering and deploying novel approaches.
Based on the above, COuRAGE’s contribution to the coordination of high quality research in CC/CT can be classified into 5 categories:
➢ Political, economic, social, ethical, legal disciplines and technology (including activities of regional and international organisations)
➢ User centric methodological approach
➢ Extended network of industry, NGOs, international organisations, regulators, and law enforcement agencies (LEA)
➢ LEA context and terrorist use of internet (e.g. Cyberterrorism)
➢ Technological components including realistic testing and evaluation scenarios for industrial uptake including critical infrastructure operators

Current CC / CT legal research has several different strands, in which cybercrime and cyberterrorism are often not integrated. Cybercrime research tends to revolve around the Council of Europe Cybercrime Convention, looking at differences in implementation in Member States, efforts of countries to use the Convention as a model, and questions relating to updating the Convention in light of developments (and whether or not to complement it with UN-level legislation). The research tends to take existing jurisdictional limitations as a given, i.e., national states’ sovereignty implies that combatting cybercrime requires national legal powers and international mutual assistance. Legal cyberterrorism research sometimes takes a broader perspective, including issues of cyber security and cyber warfare, but sometimes also looks at more specific questions, for instance how to combat terrorism-related Internet content. Most research is deeply rooted within a specific scientific discipline, taking on challenges that specific scientific communities put forward. Results of such research often lack direct links with other scientific disciplines, not to mention social issues with their inherent complex nature. One thus cannot tackle social issues through technology alone; knowledge on psychology, sociology, and ethical issues should also be included to be successful. This also holds true for the fast developing domains of cybercrime and cyberterrorism (CC/CT).

As ICTs continue to develop, they hold the potential to literally affect all individuals and layers of society. Whereas one’s initial thoughts on cyber security may concern personal computers, the development of Smart (energy) Meters, Smart TVs, cars, phones and so on, readily stretches the concept over other aspects of daily life. A typical aspect of CC/CT threats is moreover that they are not at all contained by national borders. CC/CT research should thus include psychological and sociological knowledge but also knowledge on strategy and policy, geo-politics and macroeconomics. Taking on CC/CT threats and developing a research agenda involves interacting with end users of ICTs, which can be institutions or civilians from all walks of life who interact with computers or other ICTs in numerous ways. It involves understanding the interplay between different organisations including terrorist groups, who hold different ideological frameworks and different incentives to act in any particular way. It also involves having an understanding of abstract concepts such as trust, identity and privacy. And it finally involves taking into account the strong competitiveness pressure under which organisations operate.

The COuRAGE Research Agenda takes into account all of these challenges and elements in order to be of use for the furthering of research in the field of cybercrime and cyberterrorism. Its use is further enhanced by the development of a consolidated roadmap with the CAMINO and CyberROAD projects.

COuRAGE Contribution:
Various organisations and institutions have developed projects and undertaken research. In order to go beyond state of the art and identify gaps that could be addressed in a research agenda including the political and legal issues, it is crucial to have a clear understanding and awareness of existing research. Already within the process of selecting members of the consortium, special attention was given to involving partners that have been and are involved in major research initiatives and in addition have a large network of institutions involved in research. Research relevant for the development of a research agenda is not limited to work carried out by international organisations and institutions. However, in addition to research undertaken by the private sector, the research undertaken by international organisations in the field of CC/CT has turned out to be particularly relevant. COuRAGE is aware of existing research and has ensured that it is well reflected within the assessment of existing work. This includes the work of the United Nations (including UNODC and UNICRI), the International Telecommunication Union (ITU), the Council of Europe, the European Union, as well as past and on-going EU funded research on CC/CT such as CAMINO, CyberROAD, and CAPITAL.

The COuRAGE project has also utilised the contacts and networks through its industrial partners to reach out to sector-based associations in transport, control systems, finance, energy and supply chain to integrate a real-life approach to the testing needs. It has also exploited the access provided by EOS to the community of critical infrastructure operators, notably with the attendance of experts in this field at the stakeholder workshops.

In addition to dissemination activities foreseen in the DoW, such as the organisation of expert forums and collaboration workshops, the dissemination efforts of core partners have also led to two key dissemination results that contribute to the exploitation and sustainability of COuRAGE.

Cybercrime workspace in the CyberConnector (including the COURAGE research knowledge depository and taxonomy)

During the course of the COURAGE project, partners have operated online through a community portal open to the COURAGE partners, with a focus on creating deliverables, operating within the context of a funded European project. Beyond the end of the project, the approach is to evolve towards a more inclusive workspace, starting from the content generated through deliverables into a topic focused approach and a constituency interested in collaborating outside of the context of a project.
The CyberCrime workspace is an online space presenting the main results of COURAGE, CAMINO and CyberROAD and, essentially, fostering collaborations beyond the end of the project and widening the community of organisations. Its aim is to encourage future monitoring of CC/CT, in a controlled yet flexible manner.

Controlled => the CyberCrime space is members-based (each user is fully identified) and access controlled (each member has to be authenticated each time he / she accesses the online space). A number of indicators also enable the community monitoring of the quality of input added by a member, encouraging a “reputation based” self-management of the members by the members.
Flexible => the CyberCrime space includes a large number of interaction mechanisms that foster the creation of knowledge, discussion, analysis and their evolution.
Knowledge extraction oriented => the CyberCrime space builds on a fully pre-existing knowledge creation and sharing approach that supports innovative search capabilities starting from essentially unstructured “bits and pieces” of inputs.
The project uses the pre-existing CyberConnector online knowledge sharing environment focused on cyber-space related issues to incorporate a new workspace on CyberCrime.
CyberConnector is a comprehensive community portal open to private organisations, public administrations, CERTs, law-enforcement agencies and individuals to share, create and enhance collective knowledge on all topics related to cybersecurity.
CyberConnector today is a community of 280 users, including dedicated workspaces focused on a specific or sensitive topic and supporting previous and on-going collaborative European projects.
CyberConnector is open for new communities to join its environment - with the added value of immediately giving communities access to a wider network of individuals and organisations working together to speed up the identification, detection and mitigation of cyber-threats.
Across each of these cyber-related communities, the value proposition of the CyberConnector is the same, enabling all users to:

• CONNECT to a trusted world of expertise, technology, tools and people in order to share concerns and solutions to mitigate cyber-space related risks and threats and to improve the dialogue between the different communities involved (industry, research, policy makers, regulators);
• GET SUPPORT to achieve a deeper understanding about the cyber-space related risks they are facing and to improve threats detection and prioritisation, increasing their protection thanks to a more rational investment in solutions and strategies;
• COLLABORATE, working together in a protected environment to speed up the fight against cyber-attacks.

CyberConnector allows participants to share cybersecurity information in different and contained contexts designed with a modular approach organised in Public space, Network and Workspace, each one characterised by different visibility constraints, as detailed below.
The underlying approach is therefore a top-down management of knowledge and of interaction capabilities.
The Public is the least restricted context, and information placed here is publicly accessible on the web even for non-authenticated users. The Public context is useful to disseminate information related to European initiatives and projects, such as fully public project results, organisation of and participation to conferences, or news about the cyber domain.

The Network level is a virtual environment only available to registered users who can share information with all users. Differently from the Public environment, information placed in the Network context will be visible only by users who have registered to the platform and are therefore part of the community. This level is useful to discuss cybersecurity findings that are not yet in the public domain, or to spread early results of projects across the community for an initial feedback by other experts.

The Workspace level is dedicated and restricted to a subset of community members. Participation to workspaces is subject to approval by the workspace administrator, and contents shared in the workspace context will be accessible by the workspace participants only. Workspaces are dedicated to on-going projects, such as DOGANA, or to the projects that have been closed but whose communities continue and expand their activities. In this sense, the workspace evolves from a community of partners in a project to a community of stakeholders sharing a common interest, beyond the lifetime of a project. This continuation approach has proved successful already for ACDC and CYSPA. For instance, for CYSPA, the current evolution is towards a complete solution environment starting from the findings of what was originally a Coordination and Support Action (CSA). For ACDC, the on-going work is currently focusing on creating a dedicated association to pursue sharing of sensitive information such as IP addresses to detect botnets; this database is currently in operation, one year after the end of the project.
Members of a workspace are automatically members at the network level of CyberConnector. One organisation can be a member of one or more workspaces.

CyberCrime is created as a new workspace within CyberConnector. As such, it inherits the complete interaction features of OPENNESS, as well as the pre-existing knowledge available within CyberConnector and its enrolled 280 individual members.
In addition to these benefits, CyberCrime is created as a workspace with a dedicated taxonomy and knowledge repository, which has been created by COURAGE and shared and adopted across the 3 projects, CAMINO, COURAGE and CyberROAD. This is an important result in moving forward from the CC/CT activities at project level towards a space in which a common terminology has been agreed.
COURAGE has also created a mobile application for the taxonomy and knowledge repository. This mobile application will be linked to the workspace as CyberConnector has the functionality to do this, with other applications already installed.
Another commonly agreed result that is carried forward to the CyberCrime workspace is the use of the THOR categorisation (Technical, Human, Organisation and Regulatory) developed by COURAGE together with the CAMINO and CyberROAD projects for the consolidated research agenda. CyberConnector is a constantly living and expanding community, and as such, the CyberCrime workspace provides a stepping stone for the future that uses key deliverables not as the ending results of a project(s), but as a pillar on which to continue working.

Springer publication

As part of an additional dissemination effort, COURAGE undertook to consolidate chapters from representatives of all three projects which were used for a Springer publication on “Combatting Cybercrime and Cyberterrorism”.
The aim of developing the "Combating Cybercrime & Cyberterrorism - Policies and Management of research" book was to produce an authorised, authoritative and accessible edited collection of chapters of substantial practical and operational value which, for the very first time, provides security practitioners with a trusted reference and resource designed to guide them through the complexities and operational challenges of effectively developing policies and research agendas related to cybercrime and cyberterrorism (CC/CT).
Benefitting from three major European Commission funded projects, the book is enriched with case studies, explanations of strategic responses and contextual information providing the theoretical underpinning required for the clear interpretation and application of cyber law, policy and practice. This unique volume seeks to further embed the increasing role and responsibility of all Law Enforcement Agencies (LEAs), the private sector and academia to tackle CC / CT. The book shall become an instrumental tool for policy makers and researchers to formulate and deploy relevant CC/CT strategies.
This new contribution to CC/CT knowledge follows a multi-disciplinary philosophy supported by leading experts across academia, private industry and government agencies. The volume progresses well beyond the guidance of LEAs, academia, and private sector policy documents and doctrine manuals by considering CC/CT challenges in a wider practical and operational context. The volume juxtaposes practical experience and, where appropriate, policy guidance, with academic commentaries to reflect upon and illustrate the complexity of cyber ecosystem ensuring that all security practitioners are better informed and prepared to carry out their CC/CT responsibilities to protect the citizens they serve.
The volume structure provides theoretical, contextual and informative chapters combined with explanations of national/international policy, practice and procedure. The chapters are brought to life with case studies, underpinned with practical advice, guidance, checklists, tables and tool kits specifically designed by CC/CT subject matter experts (SMEs).

List of Websites:
Project website: www.courage-project.eu
CyberConnector: https://cyberconnector.eu/
Twitter: FP7_COuRAGE

Contact details:
Nina Olesen
Rue Montoyer 10
1000 Brussels
Belgium
+32 2 777 02 51
nina.olesen@eos-eu.com

Reported by

ENGINEERING - INGEGNERIA INFORMATICA SPA
Italy

Subjects

Safety