Universiteit Leiden


Research project

Cyber Security by Integrated Design (C-SIDe)

The C-SIDe project involves a broad selection of associates in solving cybersecurity problems. Security of software systems has emerged as a critical need in our interconnected society. Companies developing software products look for Security-by-Design approaches that accommodate security in their software design process.

Duration: 2021
Contact: Els de Busser
Funding: NWA Cyber Security
Partners:
  • Institute for Security and Global Affairs (at the Faculty of Governance and Global Affairs)
  • Leiden Institute for Advanced Computer Science
  • The Hague University for Applied Sciences
  • National Cyber Security Centre at the Ministry of Justice and Security

Link to project website: www.projectcside.nl

Security of software systems has emerged as a critical need in our interconnected society. Too often we hear about security issues found in technologies utilised by millions across the globe, such as failures in functioning, hacks or privacy-related problems. It is not only cheaper but also more sensible to fix these issues during development, preventing any problems, rather than later, when the system becomes accessible to the users and can cause real damage. Companies developing software products look for Security-by-Design approaches that accommodate security in their software design process.

Security-by-Design

Current Security-by-Design approaches focus on technology-related steps and engage only stakeholders involved in these technical steps. Our insight is that security is not only a technical concept, but it emerges from an interplay of many technical and non-technical factors, for example, how well the users understand what they need to do to keep the system secure, or whether the managers have realistic expectations about how quickly a secure system can be developed.

We aim to develop an integrated approach to Security-by-Design, and a methodology for developing secure systems that will involve a multitude of stakeholders, including experts in psychology, privacy, and governance and risk management. This methodology will allow organisations to have a better view on security of their products and to create exciting and secure technologies. To facilitate adoption of security-by-design, we will also work on identifying opportunities to improve the public cyber security policy aiming to support companies working on secure-by-design products.

The project

We are joining experts from the relevant domains by setting up a cooperation between the Institute for Security and Global Affairs (at the Faculty of Governance and Global Affairs), the Leiden Institute for Advanced Computer Science, the Hague University for Applied Sciences and the National Cyber Security Centre at the Ministry of Justice and Security. Further, we are cooperating with SURF, and the National eHealth Living Lab at the Leiden University Medical Centre. They will be instrumental in helping us develop and test the methodology.

The project has a one-of-a-kind structure in which four PhD candidates and one postdoc researcher will conduct their own research but will also maintain a strong interdisciplinary cooperation. Of the four PhD candidates, two will be focusing on the technological part of the project and two will be working on the topic of private organization and public governance. The four of them will jointly be developing the C-SIDe methodology and this is a unique feature of the project. The postdoc researcher will conduct a study of the key concepts to be used throughout the project, how they relate to each other, develop a common terminology and support the four PhD candidates in their cooperation.

Integrating technical and non-technical aspects of cyber security into software

Integrating cyber security into design also means studying the interaction of humans with technology, studying how human behaviour could be changed and how it should be steered into the most secure direction. For these reasons aspects of human behaviour will be running through all parts of the project.

The C-SIDE project aims to create a methodology that will be used by different companies. Organizations are therefore studied in order to find or create an organizational architecture that will be supportive of the C-SIDE methodology. Organizational studies entail a diverse selection of topics like leadership style, risk management, business ethics, governance, the role of the board, processes, structures and social relationships. Following C-SIDE’s own promise, organizational studies are not only used in the testing phase, but already included in the design of the methodology.

The C-SIDE project entails a new way of thinking about (cyber)security. Philosophical insights will be used to guide our thinking and be critical of our own biases. The different disciplines in the project all have their own theories and ways of doing research. Philosophy will help us understand the assumptions that are present in the different disciplines and assess them. The C-SIDE methodology has a lot of different practical aims; philosophy will be used to make sure it is an ethically just/good design. Finally, philosophy of science will be used to make sure we conduct good ethical research.

The main focus of our project is to improve software security by introducing an integrated, inter-disciplinary methodology for software development. We will build our methodology upon the state-of-the-art and state-of-practice knowledge from the Computer Science and Software Engineering domains.

One of the aims of this project is to investigate and map out what the existing cybersecurity collaborations between public and private actors and institutions are. This information subsequently allows us to build a comprehensive picture of the present cyber security governance landscape in the Netherlands. By carefully studying the institutions and the existing relations with others, we can get an idea of which institutional designs are currently in place, and how these designs aim to guarantee cybersecurity. The further investigation and analysis of these alliances could then grant us more insight into how the collaborations between actors could be optimised. Finally, we hope to identify opportunities to improve the public policy aiming to support companies working on secure-by-design products.

Ethics of care is an ethical theory: it guides us in making morally “good” decisions. While there are different ethics of care theories, their common ground is the focus on context and interpersonal relationships. It has its roots in feminist theories and can be applied in a multitude of domains. Care ethics has been applied in fields ranging from the sciences of healthcare, soil, law and politics to organizational studies and governance. The C-SIDE project will take this to the next level and apply it to security by design. The unique feature of C-SIDE is the combination of the social and technical aspects of cyber security. Including the social in the technical can be seen as an act of care for both the end-user and the organization itself.

Many parts of building cyber secure software are offered – and sometimes imposed and enforced – by a variety of laws and regulatory frameworks. Laws and other legal instruments on data protection, privacy and technology will show us the rules that need to be complied with or the guidelines that should be followed. Privacy and data protection are not always recognized as such, but they form a significant feature of cyber security. On the one hand, we protect (sensitive) personal data and privacy by providing strong cyber security. On the other hand, creating software that is cyber secure also means only collecting and processing those data that are necessary for the purpose that the software is trying to achieve. Laws also set out consequences for when they are not complied with. The C-SIDE project will study how the legal requirements can be built into the design of software in order to make it compliant.

Criminologists have been worried about designing out crime for years. Traditionally, interventions have been focused on designing inherently secure urban environments and products. However, the application of this approach to technology design is more limited. In Project C-SIDE, we aim to bring criminological knowledge to designing more secure software systems. Specifically, criminology will contribute to the conceptual definition of the type of roles software systems play in causing cybercrime. This analysis will describe how software systems can feature as objects, subjects, tools, or settings for particular kinds of cyber-criminal behaviour. Based on this conceptualisation, specific measures to secure software systems will be developed, including designing them against cybercrime, adding on security products, securing the situation in which the software system is at risk, such as organisations, and making remote interventions.

Taking decisions about security requirements and objectives for new software requires understanding the broad cyber risk picture. Our project will integrate an inter-disciplinary cyber risk perspective. It will allow organisations to take early cost-effective decisions about secure software design, while taking into account not only cyber threats stemming from known software weaknesses or threat actors, but also organisational goals and values.

C-SIDE team members presenting their work

In June 2023, the C-SIDe team presented their research at several conferences in the Netherlands and Belgium:

At the EU Cyber Security Conference organized by Maastricht University in Brussels, Cristina Del Real zoomed in on cyber security in time of crises. Parto Mirzaei presented her research into fragmentation of the Dutch cyber security governance landscape and Jasmijn Boeken introduced her approach to ethics of care and cyber security in organizations.

Arina Kudriavtseva presented her findings on metrics in securing software systems at the INTERSCT Conference in The Hague, The Netherlands.
