Objectives

Objective 1: Improved organisational policy support for dynamic cybersecurity management

Description: Provide a cybersecurity management policy framework for organizations to better address the dynamic and constantly changing cybersecurity landscape. This includes a tighter integration between classical risk management and incident management tasks, in order, for example, to manage disaster recovery and business continuity more dynamically after an incident. Collaboration within the organization (between different departments) and with other actors in the multi-level European cybersecurity framework, starting from actors in the local/regional supply chain up to actors and authorities on the national/European level, is an important aspect to be addressed by a modern organizational cybersecurity management policy framework.

Ambition: This policy framework builds on the validation results of the CS-AWARE project, which have shown that organizational complexities and often outdated organizational policies prevent the effective and efficient implementation and use of modern and advanced cybersecurity management platforms, including better disaster recovery and business continuity and self-healing. The ambition of this project is to address this gap and define a cybersecurity management policy framework better suited to the dynamic nature of cybersecurity, dealing with heterogeneous networks of organizations and business units within the organisation. A reference implementation in the context of the CS-AWARE platform will be provided.

Relation to work program: (1) Development of situational awareness and threat intelligence for use in real-world scenarios; (2) Facilitating collaboration within the organization and with other actors in the multi-level cybersecurity environment; (3) Solutions must satisfy the needs of the end-user and inclusion of organizational perspective; (4) Builds upon and is in line with NIS directive; (5) Organizational basis for dynamic execution of disaster recovery and business continuity; (6) Effective contribution of SSH (Social sciences and Humanities) disciplines and the involvement of SSH experts

Objective 2: Better cybersecurity cooperation and collaboration on the local and regional level

Description: Provide a socio-technical framework for local/regional cooperation/collaboration on cybersecurity to better address local supply chain dependencies. The local/regional level is currently not addressed in a strategic way in the multi-level cybersecurity framework established by the 2013/2020 European cybersecurity strategy and the NIS/NIS2 directive. This objective aims to address this gap and provide adequate support for cooperation and collaboration on this level (both methodological and tool support), and to improve the link between the local/regional level and the multi-level cybersecurity framework outlined by European legislation.

Ambition: The local/regional collaboration efforts build on the validation results of the CS-AWARE project, which have clearly shown that subcontracting and supply chain dependencies on the local/regional level are an integral part of the systemic set-up of an organization, and play a major role in cybersecurity and cybersecurity management considerations. Yet there is currently no structured and strategic approach to address this problem, neither legislative (e.g. NIS/NIS2) nor through any private sector/industry initiatives. The most promising approach towards inter-organizational collaboration on cybersecurity in line with the NIS efforts is the ISAC (Information Sharing and Analysis Centres) approach, but currently those are predominantly focused on loose collaboration (without sophisticated tool support) between NIS organizations on a national/sectoral level. The ambition of this project is to address this gap and provide an ISAC-oriented framework for local/regional collaboration, including appropriate tool support and integration with dynamic cybersecurity management (down to real-time events). We aim to provide a framework where local/regional interest groups (LPAs, local industry associations, …) manage and facilitate collaboration among critical sector organizations, based on a socio-technical soft-systems methodology (SSM) analysis of the interdependent environment. A reference implementation in the context of the CS-AWARE platform, and of the SPOD collaborative platform, initially developed for collaboration and transparency in the context of the ROUTE-TO-PA H2020 project, will be provided. Relevant stakeholders to conduct two independent pilot studies in Italy and Greece are part of the project as partners or associated partners, covering NIS critical sectors such as health care and water/waste water management and the consideration of their critical dependencies.

Relation to work program: (1) Effective business continuity requires strong cooperation/collaboration on all levels; (2) Enhanced mechanisms for exchanging information among relevant players; (3) Accelerate (self-)recovery and possible adaptation of the supply chain after an attack; (4) Cyber threat intelligence and situational awareness need to be developed from the current research level towards strategic considerations, and down to real-time events; (5) Facilitate cooperation of heterogeneous networks of organizations/business units; (6) Satisfy needs of end-users and support daily tasks; (7) Builds upon and is in line with NIS directive; (8) Share information in real-time with relevant stakeholders; (9) Human factors (e.g. behavioural, psychological, physical, cultural and gender) need to be considered appropriately in all aspects of the proposed solution; (10) Effective contribution of SSH disciplines and the involvement of SSH experts

Objective 3: Improved data quality assessment and AI-based data correlation for utilising threat intelligence and social media in dynamic incident and risk management

Description: Provide a real-time data collection and AI framework that is able to collect information from a variety of sources (log files, threat intelligence, social media, …) and correlate organizational and local/regional information (assets, dependencies, behaviour, …) with contextual cybersecurity information coming from threat intelligence or social media discussions. The goal of the framework is to be able to (a) better predict systemic vulnerabilities and risks by mapping the organizational state onto the cybersecurity landscape in a dynamic way, and (b) derive mitigation and disaster recovery/business continuity/self-healing strategies, building the knowledge base for the dynamic cybersecurity and incident management covered in other project objectives (policy framework, local/regional and multi-level collaboration, dynamic business continuity and self-healing, as well as cybersecurity information sharing).

Ambition: A recent report on the use of AI in cybersecurity [10] reveals that there is currently no solution for AI in the context of threat intelligence and data correlation. The AI framework will build on and extend the results of the CS-AWARE project. In CS-AWARE the data collection and AI engine produced excellent results in the context of custom behaviour pattern monitoring within organizational systems based on the socio-technical organizational analysis, but did not produce adequate results in the context of (a) assessing the quality of threat intelligence collected from a large set of heterogeneous sources and (b) correlating organizational behaviour with threat intelligence and social media for providing context information and deriving mitigation, business continuity and self-healing strategies. The ambition of this project is to provide an advanced AI framework for both data quality assessment and data correlation in this context, in order to be able to provide mitigation, business continuity and self-healing strategies tailored to the organizational context. A reference implementation in the context of the CS-AWARE platform will be provided.

Relation to work program: (1) Go beyond the state-of-the-art in developing and validating AI-based self-healing, effective business continuity and disaster recovery in real-world scenarios; (2) Cyber threat intelligence and situational awareness need to be developed from the current research level towards strategic considerations, and down to real-time events; (3) Collection of heterogeneous data, models and predictions for multi-level security; (4) Satisfy the needs of the end-users and support daily tasks, efficient and effective operations and ensure business continuity; (5) Build on NIS directive for exchanging (collecting) information; (6) Dynamically extract all relevant digital evidence, information and digital traces, provide real-time personalised technical assistance, share information and real-time alerts with relevant stakeholders

Objective 4: Dynamic disaster recovery, business continuity and system self-healing on the organisational and local/regional level

Description: Provide a framework for dynamic (real-time) creation and continuous reassessment of disaster recovery/business continuity options relevant to specific organizational or local/regional dependency set-ups, to be able to deal with cascading effects. The framework will be designed to take into account systemic organizational and local/regional set-ups as well as general mitigation and recovery/business continuity strategies shared via e.g. threat intelligence, to predict and provide tailored recovery/business continuity and self-healing strategies. The goal of this framework is the closer integration of disaster recovery/business continuity, which is traditionally a risk management task, with day-to-day (real-time) incident management. Therefore, the framework will provide integrations with cybersecurity incident management tools and advanced system self-healing tools for technical assistance and automated implementation of business continuity in case of an incident.

Ambition: The disaster recovery/business continuity framework builds on the capabilities of the CS-AWARE platform for (a) the generation of systemic-holistic and socio-technical asset and dependency information on the organizational and local/regional level, and (b) the data collection and AI engine for providing general mitigation and business continuity information from threat intelligence. The ambition of this project is to provide a dynamic disaster recovery/business continuity and self-healing framework based on those AI capabilities, including the consideration of cascading effects. Furthermore, an integration with the cybersecurity and risk management and system self-healing capabilities of the CS-AWARE platform will be provided in order to integrate disaster recovery and business continuity in operational dynamic cybersecurity management. A reference implementation in the context of the CS-AWARE platform will be provided.

Relation to work program: (1) Advanced self-healing disaster recovery and effective business continuity in critical sectors; (2) Better disaster preparedness against possible disruptions, attacks and cascading effects; (3) Better business continuity covering two or more sectors; (4) Develop new methodologies, services and tools for accelerating the self-recovery and possible adaptation of the infrastructures and supply chains after an attack; (5) AI-based self-healing, effective business continuity and disaster recovery in real-world scenarios covering two or more business sectors and supporting their private and public actors; (6) Satisfy the needs of the end-users and support daily tasks, efficient and effective operations and ensure business continuity; (7) Build on current NIS directive practices; (8) Dynamic execution of disruption recovery and business continuity processes; real-time personalized technical assistance

Objective 5: Improved integration of threat intelligence and information sharing in organisational cybersecurity management

Description: The generation and sharing of threat intelligence based on real-world evidence is one of the core pillars of the multi-level collaborative European cybersecurity framework. Collaboration and information sharing is already operational to some extent on the European and national levels (e.g. between competent authorities and CSIRTs), but when it comes to the utilization of threat intelligence by individual organizations and local/regional networks in their day-to-day cybersecurity incident and risk management, there is currently little awareness, and few supporting procedures/tools are available to streamline the process. Besides the technical obstacles to improving the automation of the process, there are organizational/political as well as social/psychological issues involved that prevent organizations from sharing information about cybersecurity beyond legal obligations.

Ambition: The information sharing framework builds on the results of the CS-AWARE project, which integrates threat intelligence in a central way for dynamic cybersecurity management in organizations, and offers the technical means to share cybersecurity information/evidence with relevant authorities in the multi-level cybersecurity environment. The ambition of this project is to provide a better definition of the information sharing requirements from the organizational and local/regional perspective, in order to optimize the threat intelligence provided by authorities for day-to-day cybersecurity management, and to assess the requirements and create incentives for organizations to share information beyond legal obligations. For this, both relevant end user organisations and authorities (CSIRTs) will be involved in defining the information sharing framework. A reference implementation of the framework will be provided in the context of the CS-AWARE platform. The aim for the framework is to become the standard cybersecurity information sharing approach in this context.

Relation to work program: (1) Enhanced mechanisms for exchange of information among relevant players; (2) Collaboration and data sharing between different security actors, which should be based on a collection of heterogeneous data; (3) Satisfy the needs of the end-users and support daily tasks, efficient and effective operations/organizational perspective; (4) The methods for exchanging information and the actors considered should build, whenever possible, on the current practices in line with the NIS Directive; (5) Dynamically extract all relevant digital evidence, information and digital traces; (6) Human factors (e.g. behavioural, psychological, physical, cultural and gender) need to be considered appropriately; (7) Effective contribution of SSH disciplines and the involvement of SSH experts

Objective 6: Define KPI based benchmarking and profiling to dynamically assess the security state in the multilevel cybersecurity environment

Description: Provide KPI based benchmarking and profiling to help organizations assess their (cascading) cybersecurity risk and incident management performance against other actors in the collaborative multi-level European cybersecurity environment (e.g. other organizations in the local/regional network, other organizations in the same NIS sector, other organizations in the national/European context). In line with the framework defined by the 2013/2020 European cybersecurity strategy and subsequent legislation (e.g. NIS/NIS2), the aim is to continuously monitor and assess the cybersecurity state of organizations according to performance indicators related to the European cybersecurity framework (e.g. how much information is shared, how many resources are dedicated to collaboration in a certain time frame, impact on the effectiveness of cybersecurity management, …). This objective includes the definition of appropriate KPIs in the context of the main project objectives, and a reference implementation to automatically collect and visualize the relevant statistical information and to evaluate the KPIs in the context of the CS-AWARE platform. The goal of the KPI based benchmarking is to allow organizations to better assess their cybersecurity status against other relevant actors, and at the same time provide incentives to improve their behaviour in areas where they are lagging behind, in order to participate more actively in the European collaborative cybersecurity efforts.

Ambition: While there are many approaches available to define KPIs in the context of cybersecurity management to help managers better understand the cybersecurity state within their organization, those are usually highly dependent on the organizational context and are therefore highly individual. To the best of our knowledge, there is currently no framework available to (a) assess the security state of organizations against relevant other actors, (b) assess the cybersecurity behaviour of organizations with respect to their participation in the European collaborative cybersecurity efforts, and (c) make the continuous evaluation of KPIs an integral part of cybersecurity management to provide incentives for organizations for continuous and dynamic improvements. The ambition of CS-AWARE-NEXT is to provide such a framework, and a reference implementation in the context of the CS-AWARE platform.

Relation to work program: (1) This requires collaboration and data sharing between different security actors; (2) Satisfy the needs of the end-users and support daily tasks; (3) Human factors (e.g. behavioural, psychological, physical, cultural and gender) need to be considered appropriately in all aspects of the proposed solution; (4) Research should address the risks and impact of a cyber-incident on the business itself, using appropriate KPIs, but also possible cascading effects of cyber incidents for critical infrastructure (including potential cross-sectoral and cross-border impacts) and society overall; (5) This topic requires the effective contribution of SSH disciplines and the involvement of SSH experts

Objective 7: Provide a reference implementation and deployment in the context of the CS-AWARE cybersecurity awareness and collaboration platform

Description: While the frameworks and methodologies defined through the project objectives are designed to be generic and can in general be adapted to any advanced cybersecurity solution such as SIEM (Security Information and Event Management) systems, a reference implementation of all frameworks and methodologies (policy framework, local/regional collaboration, AI framework, disaster recovery/business continuity framework, KPI based benchmarking and profiling framework, system self-healing and cybersecurity information sharing) will be provided in the context of the CS-AWARE platform developed during the CS-AWARE H2020 project. This allows the novel aspects developed in this project to be integrated by extending existing components (awareness and visualization, data collection and AI, system self-healing, cybersecurity information sharing), and by adding/integrating new components into the CS-AWARE framework (cybersecurity policy management, local/regional collaboration, business continuity, KPI based benchmarking and profiling).

Ambition: The reference implementation builds on the existing CS-AWARE framework and platform [11]. The ambition of this project is to integrate the research output of this project in CS-AWARE, including (a) integration and extension of components in the existing framework and information flow model; (b) a reference implementation of new and adapted components; (c) integration of new components in the Docker-based integration and deployment model. We are following an agile implementation strategy in line with the design-science based approach of the project, allowing us to consider the end user input in concert with the design and validation phases of the project.

Relation to work program: (1) The proposed solutions should include dynamic execution of disruption recovery and business continuity processes; (2) They should dynamically extract all relevant digital evidence, information and digital traces, provide real-time personalised technical assistance, share information and real-time alerts with relevant stakeholders; (3) Human factors (e.g. behavioural, psychological, physical, cultural and gender) need to be considered appropriately in all aspects of the proposed solution; (4) The research should include a proof of concept in order to validate the claimed progress and show the benefits in an adequate testing environment involving real end-users; (5) End-users should be involved in all steps of the cycle from design to development and testing; (6) Participation of SMEs is encouraged.

Objective 8: Follow an agile, design-science based approach to project implementation and validation, with end-user involvement in all project phases

Description: The applicability and relevance of the objectives addressed by this project in the context of real-world scenarios need to be ensured through agile, iterative and collaborative design, implementation and validation. This involves the inclusion of the perspectives of all relevant stakeholders (e.g. academic, industry, authorities, end-user) in all project phases (e.g. requirements analysis, design, implementation, validation). For this purpose, realistic scenarios will be developed together with the stakeholders to serve as a basis for design and validation. The project consortium includes relevant public and NIS sector partners in two local/regional case studies in Greece and Italy (including NIS critical sector organisations from health care and water supply/distribution, and major industry representatives), as well as a relevant CERT/CSIRT partner to ensure the inclusion of actors from the multi-level European cybersecurity environment.

Ambition: Design-science [12] is a well-established discipline perfectly suited for innovative research projects, in order to design, implement and verify innovation at the confluence between people, organizations and technology. The CS-AWARE project has defined a design-science based methodology for component design and integration [13] and its subsequent validation, tailored to the complexities of the cybersecurity domain and European project-based innovation. The ambition for this project is to build on this work and define a monitoring, evaluation and validation approach that allows end-user involvement (local/regional interest groups and critical sector organizations, relevant authorities/CSIRTs) and agile and iterative design, implementation and validation in all project phases, (a) tailored to the context of cybersecurity risk and incident management on the organizational and local/regional level and (b) operating within the European collaborative cybersecurity framework. End-user involvement is ensured by establishing two independent pilot case studies in Italy and Greece, with relevant organisations (critical NIS sector organisations from the health and water management sectors, and major industry organisations) being part of the project as partners or associated partners.

Relation to work program: (1) Satisfy the needs of the end-users and inclusion of organizational perspective; (2) Human factors (e.g. behavioural, psychological, physical, cultural and gender) need to be considered appropriately in all aspects of the proposed solution; (3) Definition and use of appropriate KPIs; (4) End-users should be involved in all steps of the cycle from design to development and testing; (5) This topic requires the effective contribution of SSH disciplines and the involvement of SSH experts.