Deliverable 6.4 Future Internet Initiatives Year 1

Theme [ICT-2011.1.4] Trustworthy ICT SECurity and trust COoRDination and enhanced collaboration Project Nº 316622 Deliverable 6.4 Future Internet Initiatives Year 1 Responsible: Contributors: Internal Reviewers: Massimo Felici, Nick Wainwright (HP Labs) Aljosa Pasic (ATOS) Olga Gadyatskaya (UNITN) Keith Howker, Paul Malone (WIT) Document Reference: D6.4 Future Internet Initiatives Year 1 Dissemination Level: PU Version: 2.0 Date: November 4, 2013

Change Record Version Date Author Change Description 0.1 18/07/2013 M. Felici Table of Content; General description of each section 0.2 07/10/2013 M. Felici Draft of all different sections 0.3 09/10/2013 N. Wainwright Comments on the different sections 0.4 11/10/2013 M. Felici Comments Addressed 1.0 15/10/2013 M. Felici Full draft of the deliverable 1.1 16/10/2013 N. Wainwright Comments on the different sections 1.2 18/10/2013 M. Felici Comments Addressed, version ready for internal review 1.3 22/10/2013 A. Pasic Contribution to the section on Industrial Liaison 1.4 22/10/2013 O. Gadyatskaya Comments on the deliverable 1.5 23/10/2013 K. Howker Comments on the executive summary 1.6 30/10/2013 P. Malone Comments on the deliverable 1.7 31/10/2013 K. Howker Various comments and suggestions in order to improve the readability of the deliverable 1.8 31/10/2013 N. Wainwright Comments on the Executive Summary 2.0 31/10/2013 M. Felici Addressed all comments and suggestions Deliverable 6.4 Future Internet Initiatives Year 1 Page 2 of 28

Executive Summary This deliverable reports on the tasks and specific activities performed by Work Package 6 during the reporting period Year 1. It describes the general process that brings the tasks of the work package together to achieve the principle objective of the WP, and the specific activities of tasks. This deliverable highlights the main work package objectives and clarifies how the work package activities contribute towards achieving them. Work Package 6 has leading responsibility for the objective to provide a forward, strategic perspective of the emerging and developing trust and security issues, challenges, requirements, and priorities. The main goal then of WP6 is to identify and explore required research directions for future developments, to integrate the findings into a coherent picture, and to inform relevant stakeholders. Achievement of the objective presents two major challenges: The first challenge is fundamental to the objective itself: to project current trends how the digital environment cyberspace will develop, what new, consequent problems may arise, what research and developments will be needed, and how, in turn, this research and development will shape the strategic directions for future user perceptions, industry practices, and policy decisions. The second challenge is concerned with response to on-going developments that impact the goals of the work package. New technologies (e.g. cloud computing) can lead to major shifts in the way ICT is deployed and used across communities and organizations; opening up new opportunities for the private citizen (users of technologies) as well as industry (suppliers, providers, vendors); they also shapes markets and economies that rely on such technological developments. Alongside the economic and technological development, there are on-going regulatory, legislative, and standardization activities needed to keep order in the digital environment and its dependants. The main tasks carried out by Work Package 6 in Year 1 contributing to the objective comprise a number of activities. In order to coordinate tasks within the work package as well as to identify clear means of interactions between work packages, this deliverable describes a Work Package process. Each task involves activities that contribute to specific project outcomes. During the reporting period Year 1, some work package s activities have focused on the economics of cyber security and privacy. The selected topic was discussed with the Advisory Focus Group, which confirmed the importance of economics for research and practice in cyber security and privacy. The Advisory Focus Group also helped in identifying the main focus for Year 2, that is, technology readiness, technology transfer and impact of research and practice in cyber security and privacy. Year 1 activities provided a means to critically analyse the selected topic. Similarly, other activities will support the analysis in a pragmatic manner of the identified topics for Year 2 and Year 3. This deliverable describes the activities and their main outcomes, and also identifies how they have contributed towards the work package tasks and to the work package itself. It also summarizes the work package progress with respect to the specified process. This deliverable discusses some early conclusions drawn from carrying out work package tasks and related activities (coordinated by the work package process). It summarizes the achievements objectives for Year 1 and the main insights, and identifies future activities for Year 2. Deliverable 6.4 Future Internet Initiatives Year 1 Page 3 of 28

TABLE OF CONTENTS Change Record... 2 Executive Summary... 3 List of Figures... 6 List of Tables... 6 Abbreviations... 7 1 Strategic Directions... 8 1.1 EU Context... 8 1.2 Document Objectives... 9 1.3 Document Organisation... 9 2 Work Package Process and Tasks... 10 2.1 Work Package Process... 10 2.2 Work Package Tasks... 10 2.2.1 Task 6.1 Advisory Focus Group... 11 2.2.2 Task 6.2 Investigation and Analysis... 11 2.2.3 Task 6.3 Communication and Participation... 12 2.3 Work Package Contributions and Dependencies... 12 3 Future Internet Initiatives: Year 1... 14 3.1 Work Package Activities... 14 3.1.1 A1: Advisory Focus Group Setup... 14 3.1.2 A2: Identification and Analysis of Key Topics... 15 3.1.3 A3: Workshop on Economics of Security in the Cloud... 16 3.1.4 A4: Volume on Cyber Security and Privacy... 17 3.1.5 A5: Other Communication and Participation Activities... 18 3.1.6 A6: Industrial Liaison... 19 3.1.7 A7: Monitoring Relevant Policies... 20 3.2 Work Package Progress... 20 4 Year 1 Achievements and Insights... 22 4.1 Achieved Objectives... 22 Deliverable 6.4 Future Internet Initiatives Year 1 Page 4 of 28

4.2 Main Insights... 23 4.3 Future Work... 23 References... 25 Appendix A: Work Package 6 Process... 26 Appendix B: Economics of Security in the Cloud (ESC) Workshop... 27 Appendix C: Cyber Security and Privacy: Table of Contents... 28 Deliverable 6.4 Future Internet Initiatives Year 1 Page 5 of 28

List of Figures Figure 1 Work Package Structure Links... 12 Figure 2 Advisory Focus Group s support and communication... 15 Figure 3 Key topic areas... 16 Figure 4 Volume on Cyber Security and Privacy (cover)... 18 Figure 5 Activity Timeline Year 1... 22 Figure 6 Work Package 6 Process... 26 List of Tables Table 1 Activity contributions to Work Package Tasks... 14 Table 2 Activities Contributions and Work Package Interactions... 21 Deliverable 6.4 Future Internet Initiatives Year 1 Page 6 of 28

Abbreviations AFG CCIS CloudCom CSA CSP EU FORUM CYSPA EEMA ENISA EOS EP3R ESC FIA ICT NIS SecCord TDL Advisory Focus Group Communications in Computer and Information Science IEEE Conference on Cloud Computing Technology and Science Cloud Security Alliance Cyber Security & Privacy Forum European Cyber Security Protection Alliance European Association for e-identity and Security European Union Agency for Network and Information Security European Organisation for Security European Public Private Partnership for Resilience Economics of Security in the Cloud Future Internet Assembly Information and Communication Technology Network and Information Security SECurity and trust COoRDination and enhanced collaboration Trust in Digital Life Deliverable 6.4 Future Internet Initiatives Year 1 Page 7 of 28

1 Strategic Directions This section provides a general introduction to the document. It describes the main WP6 objectives and clarifies how the work package activities contribute towards achieving them. The overall objective of WP6 (as stated in the DoW [1] and reported in the frame below) is to highlight research directions for future developments and to inform relevant stakeholders. The main tasks carried out by WP6 contribute to this objective. Each task will involve multiple activities. The overall objective is to establish and maintain a forward perspective of the issues, challenges, requirements, and priorities as they develop over the lifetime of the project and to communicate this to the Programme and its clients. This outlook may address policy and deployment as well as research and development. Identify, establish and run an Advisory Focus Group Setup and coordinate the running of two focus groups (academic and industrial) Identify key topical areas and emerging issues Creation of hot topic white papers with findings Disseminate such whitepapers through various channels (WP4 portal, clustering groups, other security forums, national and European level) Contribution to and participation in future internet initiatives events as they arise, promoting T&S inclusion. This deliverable reports on the progress of the activities conducted during the reporting period Year 1. The achievement of the overall objective presents two major challenges. The first one is due to the nature of the objective itself. It has to project current trends in research and development in order to identify appropriate strategic directions shaping future research dimensions, industry practices and policy decisions. The second one is concerned with on-going European developments that may be relevant for the objective of the work package. This is further discussed in the next section. The remainder of this section highlights project constraints and the deliverable objectives. 1.1 EU Context The task of setting out future strategic directions is complicated by the rapidly evolving social, economic and technological contexts. New technologies such as cloud computing represent a major shift in the way Information and Communication Technology (ICT) is deployed across organisations opening up new opportunities for the users private and corporate as well as industry providers, suppliers and vendors of services and equipment. It also shapes markets and economies that rely on such technological developments. Alongside such economic and technological development, there are on-going legislative (and standardisation) activities in order to regulate such markets and technologies. Among many on-going initiatives, one of particular relevance is the revision of the European Data Protection Directive [2], which clarifies the roles and responsibilities of data controllers and data processors in order to protect data subjects (that is, their personal data). Any revision of the current data protection directive (and its subsequent legislation) will have an impact on technologies too. Another initiative that is particular relevant is the recent European Cybersecurity Strategy [3], which intends to secure the European cyberspace in order to protect its users and promote a safe Internet. Deliverable 6.4 Future Internet Initiatives Year 1 Page 8 of 28

1.2 Document Objectives The main objective of this document is to report on the WP 6 activities conducted during the reporting period Year 1. The document describes the main activities conducted and the resulting outcomes. It defines a process guiding and orchestrating the work package activities. The work package process combined with a timeline highlights the main activities conducted in the reporting period and planned for the following one (that is, Year 2). 1.3 Document Organisation This section describes the structure and the main objectives of the deliverable (as highlighted in the Executive Summary). Section 2 defines a process for WP6 in relation with the project dependencies. The defined process structures a workflow coordinating the different tasks. It also points out how the different tasks contribute to specific outcomes. Section 2 furthermore describes the objectives for each task. Section 3 reports the activities conducted during Year 1. It describes how each activity contributed to specific outcomes and tasks. Section 4 highlights the main Year 1 remarks and preliminary identifies some future activities. Deliverable 6.4 Future Internet Initiatives Year 1 Page 9 of 28

2 Work Package Process and Tasks This section describes the main tasks conducted by WP6 Strategic Directions. In order to coordinate tasks (described in Section 2.2) within the work package as well as to identify clear means of interactions between SecCord s work packages, we have defined a Work Package Process (described in Section 2.1). Each task involves different activities that contribute to specific project outcomes (Described in Section 3). The remainder of this section introduces the work package process and clarifies the objectives of each task. This organisational structure will form the basis for reporting yearly advancements of the described process, conducted activities and planned future initiatives. 2.1 Work Package Process This section describes the overall process identified to guide the execution of WP6 Strategic Directions. The rationale is to have a process that coordinates WP6 tasks and identifies clear outcomes to report every year. The yearly execution of process allows the achievement of WP 6 objectives. Each year the tasks change their focus in order to adjust to the overall progress of the project. Therefore, the overall process is similar for each year of the project. Figure 6 (in Appendix A) shows the WP6 Process over the three years of SecCord. The workflow coordinating each task is such to support the production of project deliverables as well as the collaboration with the other work packages. During Year 1, Task 6.1 Advisory Focus Group is concerned with the work package s objectives of: Identify, establish and run an Advisory Focus Group Setup and coordinate the running of two focus groups (academic and industrial). These two objectives are critical for Task 6.2 Investigation and Analysis pursuing the objectives of identifying and critically analysing relevant topics: Identify key topical areas and emerging issues Creation of hot topic white papers with findings. The discussions and analyses of key topics provide material for further discussion and engagement with relevant communities of researchers and practitioners as well as policy-makers. Task 6.3 Communication and Participation contributes towards the objectives of: Disseminate such whitepapers through various channels (WP4 portal, clustering groups, other security forums, national and European level) Contribution to and participation in future internet initiatives events as they arise, promoting T&S inclusion. Every year, each task focuses on different topics in order to investigate a broad spectrum of research in Security and Trust. Therefore, the workflow of Year 2 and Year 3 are similar to that of Year 1. However, tasks will focus on different strategic directions and involve different activities in order to achieve project objectives. The following section describes in details the objectives of each task. 2.2 Work Package Tasks This section describes the tasks of the work package as identified in the Description of Work [1]. The description of each task clarifies the objectives as well as the interactions with other tasks and the Deliverable 6.4 Future Internet Initiatives Year 1 Page 10 of 28

other work packages. Although the focus of each task may vary with the progress of the project, the overall objectives remain constant. They are achieved by different means and activities identified and planned yearly. Section 3 reports the activities and outcomes during the reporting period Year 1. 2.2.1 Task 6.1 Advisory Focus Group The main role of the Advisory Focus Group (AFG) is to advise SecCord on the identification of key topical areas and emerging issues in trust and security research. On the one hand, the AFG advises SecCord on the identification of multidisciplinary research areas that highlight legal, social and economic aspects of trust and security technologies. On the other hand, it contributes to the discussion of barriers that inhibit research results to industry impact. Among the main objectives for the AFG is to identify key topic areas, trends and emerging issues. The identified key topic areas will be further analysed and described in future deliverables, and disseminated through various channels. The overall objective is to establish and maintain a forward perspective of the issues, challenges, requirements and priorities as they develop over the lifetime of the project and to communicate this to European stakeholders. This addresses ICT research, development, deployment and policy. This task is concerned with establishing and supporting an AFG that helps to identify key priorities for future action, particularly with respect to the needs of the European ICT industry, its suppliers and consumers. The AFG involves industry stakeholders, leading visionary research experts, and Trust and Security (T&S) external initiative key representatives. It consists of two focus subgroups that make up the overall advisory focus group: an academic focus group supporting the needs of Task6.2 and WP3 Analysis of Trust and Security Programme Achievements and an industrial focus group supporting the needs of Task5.1 Industrial Liaison and WP3. The AFG, therefore, provides guidance to the project on research priorities. These research priorities are assessed against current research and development initiatives (Task6.2 in collaboration with WP3 and WP5). They inform a European research and development roadmap, which will contribute to the shaping of future research and development initiatives. SecCord intends to engage technically in discussion with the AFG. SecCord promotes activities (e.g. white papers and workshops) that aim to enhance the interaction with relevant research and industry stakeholders (Task 6.3). The outcomes of such activities inform WP6 conclusions and recommendations for strategic directions for research. The AFG meets once or twice a year in order to discuss relevant emerging research issues and topics and to provide feedback on the consortium activities. The structure of the AFG is such as to support the activities of WP3, WP5 and WP6. 2.2.2 Task 6.2 Investigation and Analysis This task investigates specific multidisciplinary research directions within the problem space of ICT Security and Trust. It provides a series of studies of key topics, with the support of the AFG from its own assessment of the future directions: emergent key issues challenging the Internet, its services, and its users. Critical analyses supported by relevant literature provide insights about research and development perspectives identified and discussed by the AFG. The AFG helps to prioritise these research and development perspectives in the areas of ICT Security and Trust (S&T). Security and Trust together with technical and socio-economic-legal perspectives represent a vast research problem space in terms of identifying multidisciplinary research topics that need to be explored selectively. It also helps assessing research and development outcomes. This informs the SecCord strategic research direction agenda (road-mapping). Deliverable 6.4 Future Internet Initiatives Year 1 Page 11 of 28

2.2.3 Task 6.3 Communication and Participation This task in collaboration with the other work packages contributes to the dissemination activities of SecCord conclusions and recommendations. It consists of three main components: Delivering position papers: Topic papers to make available the findings of the AFG; contributing to appropriate channels, forums, and events Participating in networking activities: Liaise with and contribute to key future internet initiatives associated with the Programme, e.g.: future Strategic Research Agenda; follow-on to the Future Internet Assembly (FIA) and its support activities Supporting community involvements: Provide content and commentary to channels propagated through the project s own portal. 2.3 Work Package Contributions and Dependencies There are a number of dependencies and commitments (described in the DoW [1]) between WP6 and the other WPs. This section highlights the role of WP6 with respect to the other WPs. Figure 1 shows graphically the interactions between the work packages. Figure 1 Work Package Structure Links WP2 Support Enhanced Collaboration: WP6 helps with the update of the clustering activities. It also coordinates the interaction between the Advisory Focus Group and WP2. WP3 Analysis of Trust and Security Programme Achievements: WP6 coordinates the interaction between the Advisory Focus Group and WP3. The identified Key Topics will inform the revision of Trust and Security research. Deliverable 6.4 Future Internet Initiatives Year 1 Page 12 of 28

WP4 Dissemination and Conference: WP6 contributes to the dissemination activities as well as to the annual conference. It also coordinates the interaction between the Advisory Focus Group and WP4 in order to identify opportunities for participations and involvements. WP5 Research to Industry Impact: WP6 coordinates and facilitates the activities of the industrial sub-group of the Advisory Focus Group in order to support WP5. WP6 Strategic Directions: WP6 is responsible for establishing and maintaining the SecCord s Advisory Focus Group to support WP6, WP3 and WP5 activities. The Advisory Focus Group helps to identify future emergent key issues. WP6 engages and liaises with future Internet activities, and works to make trust and security area very highly visible. Outputs are disseminated via WP4 activities and WP2 collaborative activities. The relationships between work packages can be further expressed in terms of links between tasks. Task 6.1 Advisory Focus Group directly supports Task 5.1 Industrial Liaison and Task 3.1 Research & Innovation Yearbook. The SecCord s AFG provides guidance on the key topics to be critically analysed in order to identify directions for research and development (Task 6.2 Investigation & Analysis). The identification and discussion of such topics provide feedback to the security and trust clusters (Task 2.2 Enhanced Collaboration). Task 6.3 Communication & Participation contributes toward the dissemination as well as the community building and provides direct support to Task 4.3 Trust & Security Community Building and Dissemination. We deal with other emergent links, contributions and dependencies between tasks by coordination and collaboration between work packages. Deliverable 6.4 Future Internet Initiatives Year 1 Page 13 of 28

3 Future Internet Initiatives: Year 1 This section details the relevant work package activities conducted during the reporting period. It describes the performed activities and their main outcomes, and also highlights how they have contributed towards the work package tasks. 3.1 Work Package Activities During the reporting period Year 1, all tasks (i.e. Task 6.1 Advisory Focus Group, Task 6.2 Investigation and Analysis, and Task 6.3 Communication and Participation) made progress. The organisation of the tasks and their activities followed the WP 6 process (Figure 6). This section clarifies the work package activities that contributed to the work package. Table 1 lists the main work package activities conducted during Year 1 and highlights their contributions to the work package tasks respectively. The different activities supported successfully the progress of related tasks. Table 1 Activity contributions to Work Package Tasks Activity Task 6.1 Advisory Focus Group Task 6.2 Investigation and Analysis Task 6.3 Communication and Participation A1: Advisory Focus Group Setup A2: Identification and Analysis of Key Topics A3: Workshop on Economics of Security in the Cloud A4: Volume on Cyber Security and Privacy A5: Other Communication and Participation Activities A6: Industrial Liaison A7: Monitoring Relevant Policies The activities conducted during Year 1 have successfully contributed towards the WP tasks. They delivered the expected outcomes with respect to the work package objectives. The following sections describe each of these activities in details. 3.1.1 A1: Advisory Focus Group Setup This activity was directly related to Task 6.1 Advisory Focus Group; probably the most critical one during the first year of the project in order to start other related tasks and activities. We successfully set up the SecCord s Advisory Focus Group (AFG) consisting of academic and industrial expert groups. We invited experts based on their research interests relating to the scope of the project. The list of people who accepted our invitation to join the AFG and attended the first meeting has been reported in Deliverable D6.1 Advisory Focus Group Setup [1]. While planning the first AFG meeting we wanted to make the organisation as effective as possible, therefore, we decided to collocate the first AFG meeting with the annual Cyber Security & Privacy EU Forum (CSP EU FORUM 2013), which was held Deliverable 6.4 Future Internet Initiatives Year 1 Page 14 of 28

in collaboration with the European Association for e-identity and Security (EEMA) and Trust in Digital Life (TDL) and hosted by the European Commission in Brussels on 18 th April 2013 (Deliverable D6.1 reports on the organisation and the outcomes of the first AFG meeting [1]). The collocation with the CSP EU Forum 2013 allowed us to have an effective meeting from two viewpoints: cost-effectiveness and community engagement. We were able to have a large AFG meeting as most members attended the CSP EU FORUM 2013. Moreover, this has allowed the AFG members to engage with relevant communities of researchers, practitioners and policy-makers attending the event. It has also given them the opportunity to familiarise with on-going community activities (in particular, Trust and Security Clusters of WP2 Support Enhanced Collaboration, and the Annual Trust and Security Conference of WP4 Dissemination and Conference). Figure 2 shows the direct support and communication between the AFG and the work packages. Figure 2 Advisory Focus Group s support and communication 3.1.2 A2: Identification and Analysis of Key Topics In order to achieve the main work package objective to establish and maintain a forward perspective of the issues, challenges, requirements, and priorities as they develop over the lifetime of the project and to communicate this to the Programme and its clients, with the support of the AFG, we have begun to identify trust and security issues relating to legal, social and economic aspects of Information and Communication Technology (ICT). Deliverable 6.4 Future Internet Initiatives Year 1 Page 15 of 28

For this first year, we have decided to focus on economic perspectives. We felt that it is critical to the prioritisation of research and development activities as well as investments, as in the past European funded research and development outcomes have often failed to be taken up by industry. This is often characterised by the valley of death problem [5], that is, research and development outcomes in cyber security facing difficulties of being deployed into industry practices (this was confirmed by the discussions at the AFG meeting [4]). We critically analysed the discussions at the first AFG meeting and supported them with relevant literature. We summarised these discussions into four research dimensions in security and trust [4]: Technology Operational Impact People. Figure 3 shows and summarises the identified key topic areas. Figure 3 Key topic areas The economic perspective of research and development in security and trust is concerned with both operational and impact dimensions. In order to investigate such directions for timely technology developments, we focused our activities on the Economics of Security in the Cloud. In order to investigate such research topic in a pragmatic way, we have started to organise related activities (e.g. a related workshop and review of related literature). 3.1.3 A3: Workshop on Economics of Security in the Cloud The economic aspects of cloud computing are still only vaguely understood. Different deployments of cloud computing involving different stakeholders enable new or alternative business models. Deliverable 6.4 Future Internet Initiatives Year 1 Page 16 of 28

However, emerging issues (e.g. see CSA report on the top threats affecting cloud computing [6]) about security and trust may affect the economics of cloud computing as well as its adoption. We have organised a workshop 1 on Economics of Security in the Cloud (ESC), co-located with CloudCom 2013 2 (a major event for researchers and practitioners in cloud computing), in order to engage with related stakeholders. The workshop s call for paper concerned major topics (e.g. behavioural security and privacy, economics models for security in the cloud, cyber-defence strategy and game theory, economics of privacy and anonymity). The programme committee comprising experts from academia and industry has peer-reviewed submissions, and selected five papers to be presented at the workshop and published in the conference proceedings. Among the selected papers (see the preliminary programme in Appendix B) were also submissions from on-going European projects (A4CLOUD, Accountability For Cloud and Other Future Internet Services; TREsPASS, Technologysupported Risk Estimation by Predictive Assessment of Socio-technical Security) and other nationallyfunded initiatives. 3.1.4 A4: Volume on Cyber Security and Privacy The CSP EU FORUM 2013 3 was organised in collaboration with the European Association for e- Identity and Security (EEMA) and Trust in Digital Life (TDL) and hosted by the European Commission in Brussels. The Trust in the Digital World and Cyber Security & Privacy EU Forum consisted of a variety of presentations and panel discussions covering the key challenges and strategies available to effectively manage employee, citizen and corporate trust. The conference provided an opportunity for those in business, the public sector, research and government who are involved in the policy, security, systems and processes surrounding trust to exchange ideas and views. In order to engage technically with researchers as well as to enhance the visibility of the event, this two-day conference organised by EEMA, TDL and CSP EU FORUM (and hosted by DG CONNECT, European Commission) in partnership with the SECCORD project invited presenters, panellists and exhibitors to contribute to a volume published by Springer in the Communications in Computer and Information Science (CCIS) series 4. The call-for-paper solicited two types of papers (not previously published or concurrently submitted elsewhere) to be published in the post-proceedings of the conference: 1) Practical Experience Reports and Tools presenting an in-depth description of practitioner experience, a case study, a test bed or a tool, providing new insights to the community 2) Research Papers presenting recent original research results with an archival quality conference publication. Papers submitted in both categories were peer-reviewed by program committee members and experts. Papers submitted have been peer-reviewed by (at least three) program committee members and experts. The peer-review process provided authors with valuable feedback in order to improve 1 http://www.cspforum.eu/events 2 http://2013.cloudcom.org/ 3 http://www.cspforum.eu/ 4 http://www.springer.com/series/7899 Deliverable 6.4 Future Internet Initiatives Year 1 Page 17 of 28

their papers. The selected papers grouped in thematic parts of the proceedings capture just a snapshot of the two-day conference (see Appendix C), which provided an opportunity to present and debate on-going cyber security and privacy research and development in Europe. These proceedings intend to inform researchers, practitioners and policy-makers about research developments and technological opportunities for innovation in cyber security and privacy. The selected and revised papers are now published in the CCIS volume published by Springer [7]. Figure 4 shows the cover of the proceedings, which are available in printed as well as digital media online 5. Figure 4 Volume on Cyber Security and Privacy (cover) 3.1.5 A5: Other Communication and Participation Activities The discussions at the first AFG meeting highlighted two particular perspectives defining strategic directions: Research Impact and Research Dimensions [1]. The former (research impact) stresses that it is necessary to understand how to enhance research impact on user practices and industry products and services. Technology transfer may face some obstacles due to (lack of) technology maturity or (lack of) innovation stimuli. Other barriers may be due to (lack of) research support (in terms of legal, commercial or intellectual property instruments). In order to understand better the issues faced by research and development in trust and security, we will carry on different analyses that will be reported by publications and white papers (in collaboration with the other work packages) concerned with: 5 http://dx.doi.org/10.1007/978-3-642-41205-9 Deliverable 6.4 Future Internet Initiatives Year 1 Page 18 of 28

R&D Challenges in Cybersecurity: the outcomes of the first AFG meeting were presented in a panel at the Workshop on Addressing R&D Challenges in Cybersecurity: Innovation and Collaboration Strategy (co-located with Trust 2013, the 6th International Conference on Trust and Trustworthy Computing, Department of Computing at Imperial College London). The objective of the workshop was to foster discussion on innovation strategies to address, some aspects of cybersecurity R&D, including cybersecurity R&D strategy and innovative collaboration models. Our position statement presented the readiness-innovation space (identified in [4]) to discuss strategies to support research impact. Economics of Security in the Cloud: this will review literature that we have identified in order to organise the related workshop. The planned white paper will highlight current understanding of economics of security in the context of cloud computing. It will give an example of how an economic perspective may give us a different viewpoint of analysis of technologies and critical features like security. Economics of Cyber Security and Privacy: in order to generalise our understandings of economics of cyber security and privacy, we have made enquiries to a scientific journal about publication of a special issue on Economics of Cyber Security and Privacy. Technological Readiness and Maturity: research outcomes are often assessed against criteria that provide limited information about their potential impact and effective operational usage; this limits our understanding of innovation cycles and research-to-industry impact. Research Policy and Market: alternative funding and supportive instruments create a market for research outcomes, however it is unclear whether or not current funding and regulatory instruments create the most favourable conditions for innovation and research transfers. Research-to-Industry Technological Transfer: trust and security research outcomes face uncertainty in their successful transfer to practice and industry; this is not indicative of their potential, but it is often due to lack of support, misunderstanding of market complexity, and misalignment of incentives better understating of such barriers would enhance research-toindustry impact of security and trust research. 3.1.6 A6: Industrial Liaison During the first meeting of SecCord AFG, the industrial subgroup discussed on the alignment of industrial research positions and their placement in the context of the on-going European Commission initiatives. In particular, it discussed the publication of the European Cybersecurity Strategy [8] and the Communication on Cybersecurity directive and the plan to set up the Network and Information Security (NIS) Platform that was finally established in June 2013. SecCord performed an analysis of the existing industry-led initiatives and presented this to the AFG in order to discuss the best way for the future collaborations. Trust in Digital Life TDL founded in 2008 by Microsoft, Nokia, Gemalto and Philips, with priority to acquire new members and establish a solid governance and financial base. New members were recruited and today it has more than 30 members. Public funding was awarded (ACTOR) to build the ecosystem with members, working group delivered papers on use cases, technical requirements, and strategic research agenda was delivered. So called sprint projects were done to demonstrate some technologies e.g. E-authentication. However, the high level impact and link to national groups were missing. Focus was mainly on technology and less on policy. In 2013 TDL started a new phase and established itself as a legal entity. The European Public Private Partnership for Resilience (EP3R) is the group led by the European Union Agency for Network and Information Security (ENISA) for Deliverable 6.4 Future Internet Initiatives Year 1 Page 19 of 28

resilience of information and communications technology infrastructure, which works to foster cooperation between the public and private sectors on security and resilience objectives, baseline requirements, policy practices, and measures. In 2013 it was revamped by ENISA and new thematic areas have been announced with their terms of references: Key assets, resources and functions for the continuous and secure provisioning of electronic communications across countries Baseline requirements for security and resilience of electronic communications Coordination and cooperation needs and mechanisms to prevent and respond to large scale disruptions affecting electronic communications However, after the establishment of NIS platform, these groups have been integrated in the new platform. EOS, the European Organisation for Security, is registered as a limited liability cooperative company under Belgian Law with equal shareholder Members and run not-for-profit. As of 2013, EOS represents the interests and expertise of 43 Members involved in Security although only about the half of these companies is active in ICT. The working group called ICT security (which has issued a number of White papers from 2010 to 2013) was renamed cybersecurity in 2013 and is closely linked to CYSPA project (EOS is the coordinator) which aims to launch European Cyber Security Protection Alliance. The actual launch is postponed until 2014. Besides these groups, analysis of the other related networks of excellence, thematic networks, large scale projects, as well as non-security partnerships, such as Future Internet PPP, has been prepared and presented to the AFG. Thanks to the Industry liaison activity of SecCord, different initiatives and industrial efforts came together for the first time in April as a part of AFG, including the chairman of TDL Steering board, CEO of EOS, representatives of EP3R, Stork etc. However, the emergence of NIS platform as the glue or unifying initiative has changed the overall context and the future SecCord activities will address this new landscape. 3.1.7 A7: Monitoring Relevant Policies This activity benefits from our direct involvements in related groups, e.g. working groups of the Network and Information Security (NIS) Platform and European projects (e.g. A4CLOUD among many others) as well as interactions with other on-going projects (e.g. by means of the clustering and dissemination activities). Our main focus is on legislative activities concerned with data protection [2] and cyber security [8]. Further attention is given to the forthcoming European Framework Programme for research and innovation, Horizon 2020. The objective is twofold. First, it is necessary to make our activities as relevant and timely as possible with on-going legislative efforts. This is also useful to inform other stakeholders (e.g. European research projects). Second, our activities intend to identify gaps in current research, practice and policy and to identify opportunities for future research and innovation. 3.2 Work Package Progress This section summarises the work package progress with respect to the specified process (Figure 6). The work package process highlights a workflow that links all tasks (which may link directly or indirectly with other project tasks). Work package activities have contributed toward progress of all relevant tasks. Table 2 summarises the main activities contributions and interactions with other work packages. Deliverable 6.4 Future Internet Initiatives Year 1 Page 20 of 28

Table 2 Activities Contributions and Work Package Interactions Activity A1: Advisory Focus Group Setup A2: Identification and Analysis of Key Topics A3: Workshop on Economics of Security in the Cloud A4: Volume on Cyber Security and Privacy A5: Other Communication and Participation Activities Contribution Highlights Setup of the Advisory Focus Group; First AFG Meeting; Identification of Key Topics Identification of Key Topics; Critical analysis of Key Topics Community engagement on a selected topic Community engagement and dissemination Identification of key topics to be critically analysed and discussed with relevant communities A6: Industrial Liaison Communication of relevant European initiatives, and discussion on potential alignment and engagement A7: Monitoring Relevant Policies Identification of and involvement in relevant initiatives WP Interactions WP5 WP3 WP2, WP3 WP3, WP4 WP5 WP3 The work package process guided the different tasks and identifies how the outcomes are used by or contribute to each task. The activities conducted during the reporting period Year 1 have contributed towards the progress of each task. Moreover, they have supported the interactions with the other work packages. The work package has contributed towards three types of outcomes: Critical Analyses (the critical analysis of the AFG meeting has identified specific key topics), Dissemination (in terms of presentations or publications) and Community Interactions (with relevant stakeholders and experts). Work package 6 is in line with the expected objectives for the reporting period Year 1. Deliverable 6.4 Future Internet Initiatives Year 1 Page 21 of 28

4 Year 1 Achievements and Insights This section highlights some remarks drawn from carrying out WP 6 tasks and related activities (coordinated by the work package process). It summarises the achieved objectives for Year 1 and the lessons learned. Moreover, it identifies some activities to be carried out during Year 2. Figure 5 shows the activity timeline for Year 1. It highlights the main activities conducted during the reporting period. Moreover, it preliminary identifies some activities that will be carried out during Year 2. The remainder of this section summarises the achieved objectives for Year 1, the main insights and some preliminary identified activities for Year 2. Figure 5 Activity Timeline Year 1 4.1 Achieved Objectives Work package 6 has successfully achieved all its objectives (as identified in Section 2) for Year 1. It has conducted specific activities (Section 3) that contributed towards such objectives and concrete outcomes: Advisory Focus Group, Key Topics, and Community Engagement. Advisory Focus Group: the work package has successfully established an Advisory Focus Group (AFG) for the project. The first meeting AFG meeting, collocated with the CSP EU FORUM 2013, highlighted research dimensions to be investigated in order to guide future initiatives and to draw a roadmap for research and development in security and trust. Key Topics: the critically analysis of the input provided by the AFG combined with a review of relevant literature identified key topics of interests for future initiatives in cyber security and Deliverable 6.4 Future Internet Initiatives Year 1 Page 22 of 28

privacy. These key topics grouped together point out critical research areas. Moreover, a preliminary analysis of the barriers affecting technology transfers of cyber security research outcomes provides some hints of emerging tensions between research, development and policy. Addressing such tensions between research, development and policy would enhance research impact to practice and industry. Community Engagement: the work package has actively engaged with relevant communities. The overall strategy has been to engage with them technically, that is, by supporting activities that provided a means to discuss critical aspects of security and trust. This has created the conditions to explore multi-disciplinary dimensions (e.g. economics) capturing complex aspects of trustworthy ICT. 4.2 Main Insights The activities conducted during Year 1 gave us some useful insights that will be taken into account for organising activities in Year 2. These insights capture three critical aspects concerning with the management of the Advisory Focus Group, the exploration of a multidisciplinary research agenda and the effectiveness of project activities. Advisory Focus Group: the organisation of the first AFG meeting successfully achieved the intended objectives. The collocation with the CSP EU FORUM was very effective (both in terms of costs as well as logistics) in bringing together a large AFG. This also facilitated the engagement of the AFG with relevant communities as well as with project activities. Future AFG meetings will follow a similar strategy, i.e. co-locating the AFG meetings with relevant project activities (e.g. clustering meetings, CSP EU FORUM). Multidisciplinary Research Agenda: security and trust encompasses a vast research space. Exploring such a space exhaustively is beyond the scope and the capability of the project. The AFG feedback is useful to prioritise specific research and development directions. It is possible to identify topics that naturally highlight economic, social or legal perspectives of security and trust. Rather than simply discussing such topics, it has been useful to promote and organise activities (e.g. workshops, publications) that provide channels for technical engagement with relevant communities. Future activities will explore pragmatically the security and trust research space in order to define a multidisciplinary research agenda. Effective Coordination: the combined effort of the different work packages and the coordination of specific activities (e.g. AFG Setup and CSP EU FORUM) allowed us to make the most of the available resources. For instance, this has allowed the gathering of a large AFG, which was partially supported directly by SecCord. Similar combined efforts resulted in outcomes (e.g. the publication of a Volume on Cyber Security and Privacy) enhancing the visibility of SecCord activities. 4.3 Future Work Future activities (in Year 2) will continue to support related tasks. Some of the activities carried out during the reporting period (Year 1) will be continued in order to deliver specific outcomes. For instance, we foresee that: Activity 1 (AFG Setup) will continue as management of the AFG in order to organise future involvement of the AFG Deliverable 6.4 Future Internet Initiatives Year 1 Page 23 of 28

Activity 2 (Identification and Analysis of Key Topics) will continue to discuss (and if necessary, to update) the identified topics in order to prioritise them for detailed analysis Activity 3 (Workshop on Economics of Security in the Cloud) will probably be terminated in order to move our focus on another topic (according to the indications of the AFG) Activity 4 (Volume on Cyber Security and Privacy), based on our first experience in publishing post-proceedings for the CSP EU FORUM, we will try to update such activity in order to best serve the CSP EU FORUM community Activity 5 will synthesise analyses in white papers and contribute to appropriate dissemination channels Activity 6 will continue to seek opportunities to align our objectives and engage with ongoing European initiatives Activity 7 will monitor relevant policies by continuous engagement and interaction with relevant communities. The above activities together with new ones will be clarified while progressing with the process guiding Work Package 6. Deliverable 6.4 Future Internet Initiatives Year 1 Page 24 of 28

References [1] SecCord, Annex I Description of Work, Grant Agreement 316622, Version Date 02 07 2012. [2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995, p. 0031-0050 (1995). [3] European Commission, High Representative of the European Union for Foreign Affairs and Security Policy, JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, Brussels, 2013. [4] SecCord, Deliverable D6.1 Advisory focus group setup, Version 2.0, June 2013. [5] Maughan, D., Balenson, D. Lindqvist, U., Tudor, Z., Crossing the Valley of Death : Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy 11(2):14-23, March/April 2013. [6] CSA, The Notorious Nine: Cloud Computing Top Threats in 2013, Top Threats Workinh Group, Cloud Security Alliance, February 2013. [7] Felici, M. (Ed.), Cyber Security and Privacy, Trust in the Digital World and Cyber Security and Privacy EU Forum 2013, Brussels, Belgium, April 2013, Revised Selected Papers, Springer, Communications in Computer and Information Science (CCIS), Vol. 182, October 2013. [8] European Commission, High Representative of the European Union for Foreign Affairs and Security Policy, JOINT COMMUNICATION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, JOIN(2013) 1 final, Brussels, 2013. Deliverable 6.4 Future Internet Initiatives Year 1 Page 25 of 28