CORDIS - EU research results

Asset Centric Adaptive Protection

Periodic Reporting for period 1 - ACAP (Asset Centric Adaptive Protection)

Reporting period: 2016-11-01 to 2018-04-30

The aim of this ERC proof of concept (PoC) grant was to assess the feasibility and commercial applicability of an adaptive security technology that focuses on the key assets managed by a system, and their values. The technology monitors the assets, and changes the means and extent by which those assets are protected in response to changes in assets and their values. Assets may be digital (such as sensitive user data) or physical (such as valuable physical artefacts). The IP underpinning the technology is protected through a patent that was granted during the lifetime of the project. The technology is based on a method for computing security risks associated with particular assets and particular threats.

The project developed two prototype software tools that were used to demonstrate two key capabilities: security modelling and configuration of key assets and threats, and adaptive security of applications underpinned by the security configuration. The tools were successfully implemented, tested and piloted, demonstrating the technical feasibility of the research. However, although the commercialisation case remains strong, feedback from industry suggested that the proposed technology on its own is insufficient for a full deployment and market evaluation. The primary reason is that the approach requires an infrastructure to be in place that monitors and tracks assets in a system, particularly in terms of their location and context of use. Although such an infrastructure is being investigated by the main ERC Advanced Grant that underpins this PoC project, it is not yet mature enough to be integrated with the asset-centric adaptive security technology being evaluated by this PoC grant.

Nonetheless, through good fortune, the technology has garnered interest from a Dublin-based cyber security company, which has now employed the software researcher/developer who worked on the ERC PoC to investigate the technology in a commercial setting and to develop extensions and business cases for its commercial deployment. Although there is nothing definitive to report at present, a licensing arrangement is on the cards.

The principal investigator learned a number of key lessons as part of this PoC project process:

General:
=======

- Recruiting the staff with the right mix of skills to undertake the proof of concept work is key to the success of such projects, and software developers with an appreciation of both the research world and commercial practice are hard to come by, but essential.

- Business cases and requirements are equally important to technical feasibility requirements, and are a pre-requisite to consider before any commercialisation is contemplated.


Specific:
=======

- Adaptive security is a tremendously attractive concept for many mobile and ubiquitous computing scenarios; however, explaining to a user why a system is adapting in the way that it is, is a key requirement for its success.

- A focus on key assets is tremendously valuable but is not enough; assets need to be located, monitored, and assessed in order to be (adaptively) secured appropriately. This requires an infrastructure for tracking assets to be available. For digital assets it is often the case that some infrastructure is available, but this is not always the case for physical contexts (such as buildings, supply chains, etc.).