Risk management and assurance models
Specific challenge: The ability to assess, manage, reduce, mitigate and accept risk is paramount for an effective protections against cybersecurity threats and incidents. The dependence of networks and information systems, that are essential for the functioning of our societies and economies (including Critical Infrastructures), on public communication networks and off-the-shelf components is an additional risk. However, in the area of cybersecurity, recent developments and trends render traditional (i.e. static and iterative) risk management methodologies ineffective and rapidly obsolete.
There are however no generally accepted best practices guidelines for risk management, nor a consensus on the minimal requirements for the market actors concerned, neither at a sectorial, nor at cross-sector level. For this reason, the NIS* public-private platform (Network Information Security Platform) will seek to identify best practices on risk management, including information assurance, risks metrics and awareness raising.
Scope: The proposals should implement a pilot to demonstrate the viability and scalability of state-of-the-art risk management frameworks. The risk management framework will have to encompass methods to assess and mitigate the risks in real time. Work should include a socio-economic assessment to evaluate the cost-benefit of implementing the framework. The framework should be dynamic, continuously adapted to new ways of managing risk to keep up with the ever evolving threat and vulnerability landscape. New ways of dealing with the security risk resulting from on-demand composition of services and massive interconnectivity should be developed.
The work on risk management frameworks can be complemented with the development of tools to evaluate the risks and its impact on business, tools for preventive assessment of risk and trustworthiness of customers and providers, tools providing a simple view and understanding of a complex system, and tools to detect social engineering attacks. Where necessary risk management can include ICT supply chain security.
Current assurance models and the resulting control and audit frameworks should be revisited. The applicability of the methods to the calculation of insurance premiums should also be investigated.
The selected pilots will have to engage with the NIS platform, contribute to its objectives and take due consideration of its recommendations.
The Commission considers that proposals requesting a contribution from the EU of between €2m and €5m EURO would allow this topic to be addressed appropriately. Nonetheless, this does not preclude submission and selection of proposals requesting other amounts.
Proposals have to address the specific needs of the end-user, private and public security end user alike. Proposals are encouraged to include public security end-users and/or private end users.
A risk management framework has to be put in place allowing the comprehensive comparison between sector specific or national approaches, and providing an assessment on the residual risk. The framework will facilitate the implementation of legal obligations on risk management, identify gaps in existing legislation, while remaining adaptive to possible changes in the legal frameworks.
Type of action: Innovation actions
The conditions related to this topic are provided at the end of this call and in the General Annexes.