CORDIS - EU research results

Enhancing Digital Security, Privacy and TRUST in softWARE

Periodic Reporting for period 1 - TRUST aWARE (Enhancing Digital Security, Privacy and TRUST in softWARE)

Reporting period: 2021-06-01 to 2022-11-30

The motivation behind the TRUST aWARE project lies in four key aspects:
- Users are not always aware of their exposure to Security & Privacy (S&P) risks when they use software. This results in bad usage habits and a lack of risk prevention mechanisms.
- Developers lack best practices for S&P-by-design in software engineering.
- Standards and certifications are key enablers for assessing and assuring the level of S&P protection provided by modern software and their risks. However, developers and operators lack S&P certification methods and standards.
- Regulators and national agencies all over the world are defining and implementing new legal frameworks for protecting citizens against online S&P threats. But it is unclear whether the penalties are a sufficient deterrent against S&P malpractice.

In this multi-party socio-technical context, the TRUST aWARE vision aims to revert the current “S&P vicious cycle” by providing holistic and actionable intelligence and tools for the different stakeholders towards turning it into a “TRUST aWARE virtuous cycle”. The tools and solutions will offer effective mechanisms to protect the freedom, security, and privacy of citizens across platforms while enhancing users’ TRUST on SoftWARE, cybersafety, and EU’s digital market position. Specifically, TRUST aWARE will facilitate this by delivering:
• User-friendly tools to protect consumers against S&P cyberthreats (attacks, abusive practices and inappropriate behaviours of digital services) to enable them to better understand, control, detect and respond to S&P threats and attacks in a timely manner, as well as configuring their own S&P protection settings.
• Collective intelligence for Computer Emergency Response Teams (CERTs) and authorities in collaboration with citizens, Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) to ensure and audit that digital products and their S&P practices are transparent, secure and in compliance with regulation.
• Knowledge to foster S&P-by-design in software engineering by supporting developers and digital service operators with standards and certification methods for compliance with the European S&P regulation.
By providing tools for key stakeholders along the whole cycle, and supporting cooperation and intelligence sharing, TRUST aWARE will minimize the impact of cyberthreats, empowering users, promoting collective awareness, and encouraging trustworthy S&P-preserving digital products in compliance with regulation. This is articulated by pursuing specific goals along the execution of the TRUST aWARE project.
In this Reporting Period, the work carried out has focused on the following aspects, producing a number of reports, prototypes and demonstrators, some of which will be further improved over the coming months:
• Preparation, verification and execution of the methodologies for piloting and design specification through a co-creation process. The methodology chosen in agreement with all pilot organisations (from Spain, France, Italy and Romania) and technical partners was group interviews. In these group interviews, the citizens’ feedback, conceptualisation, demands and expectations about S&P were gathered. The feedback was very useful for defining many of the characteristics of the dashboard and for creating a user’s handbook. Recruitment for and execution of this piloting and the second round of design specifications are currently ongoing.
• A first release of the following tools was completed: static software analysis, dynamic software analysis, Natural Language Processing (NLP) analysis framework, and inappropriate content detection framework. Integration via an Application Programming Interface (API) was carried out as a first approach to building reliable and appealing software. Refinement, adjustments and additional improvements will be made in the coming months, following feedback from the end users, to reach final and stable versions for the second round of piloting.
• A Cybersecurity & Privacy Dashboard has been developed to expose the capabilities of the aforementioned tools to end users through a web interface for the validation and piloting phases.
• Key advances were produced in existing assets owned by TRUST aWARE partners as a way to enhance cybersecurity mechanisms and raise awareness. These are WithSecure Elements Mobile Protection, AdAnalyst by CNRS as well as the Activity Monitor technology, implementing a local (endpoint) attack detection and response logic.
• A cyber S&P threat intelligence methodology, and an operating model for conducting collaborative S&P CTI by integrating privacy-related threats into overall cybersecurity threat intelligence methodologies, were defined. This includes an operational workflow describing the CTI process from the initial reporting to the final sharing with the CERT’s constituency, and the protocols and tools to securely share information between actors. The TRUST aWARE MISP is currently up and running and in the process of connecting with other sources and instances.
• Relevant socio-economic indicators were identified based on scoping the initial conditions and desk research with existing literature. These indicators were validated through a qualitative assessment based on a workshop with the consortium partners and through a follow-up survey with these partners. Additionally, ethical impacts were identified through a literature review and interviews with the project partners. This resulted in a methodology to identify ethically relevant concerns and recommendations relevant to different stages of the TRUST aWARE tools’ lifecycle.
• Initial actions were carried out on the specification of methodologies, timelines and expected activities to be performed in different areas. Extensive research was performed in both the privacy and security standardisation activities and the certification methodology-related actions, in order to map the current cybersecurity/privacy standardisation and certification landscapes, validate the upcoming activities in the project, and identify relevant market and stakeholder needs and possibilities to collaborate. A report on dissemination, exploitation and communication activities was also generated with the support of all partners involved in the task; it introduces the key upcoming actions of all partners.
In terms of socio-economic impact and societal implications, TRUST aWARE has distributed a survey and conducted a workshop on four main topics: (i) providing people the confidence to use software despite existing security and privacy (S&P) threats; (ii) improving confidence for vulnerable populations online, including older adults; (iii) enhancing transparency about the use of personal data and related privacy threats due to missing or difficult-to-access information, which was considered an important social issue for TRUST aWARE; and (iv) economic concerns. This resulted in 24 impacts that will be further analysed throughout the second half of the project.