The digital economy is a complex socio-technical phenomenon that has brought many advantages for citizens and society. However, cyber threats are one of the most critical risks facing the world, while the cybersecurity market continues to grow (from $3.5 billion in 2004 to $138 billion in 2017). In this complex ecosystem, where different stakeholders interplay, users are often exposed to a myriad of security and privacy (S&P) threats when they use digital services for social networking, entertainment, banking, education, health, or even home security. The factors behind digital S&P threats are numerous and interconnected, being to a great extent a combination of inappropriate software engineering practices, bad user habits, and a lack of regulatory enforcement and certification mechanisms, among others.
There are fundamental and interconnected problems for the different stakeholders involved in the development, certification, regulatory enforcement and use of digital products:
- Users are not always aware of their exposure to S&P risks when they use software. This results in bad usage habits and lack of risk prevention mechanisms.
- Developers lack best practices for S&P-by-design in software engineering. This results in S&P issues for end users (either intentional or unintentional ones) due to poor development practices, aggressive data-driven business models, and market pressures for quick releases without assuring S&P compliance.
- Standards and certifications are key enablers for assessing and assuring the level of S&P protection provided by modern software and its risks. However, developers and operators lack S&P certification methods and standards.
- Regulators and national agencies all over the world are defining and implementing new legal frameworks for protecting citizens against online S&P threats. But it is unclear whether the penalties are a sufficient deterrent against S&P malpractice. At the same time, the pace of technological innovation is faster than policy-making and enforcement. There is a lack of effective tools for collective intelligence, assessment and enforcement.
For the EU and the Member States to define improved security and privacy policies and to establish a long-term vision, it is fundamental to have data, information, and a body of knowledge regarding privacy, data protection and the associated ethical, legal and socio-economic aspects. It is essential to involve individuals and organisations in the process, and to reach out to stakeholders as the main players in the effective response to online concerns.
TRUST aWARE vision
In this multi-party socio-technical context, the TRUST aWARE vision aims to reverse the current “S&P vicious cycle” by providing holistic and actionable intelligence and tools for the different stakeholders, turning it into a “TRUST aWARE virtuous cycle”.
The tools and solutions will offer effective mechanisms to protect the freedom, security, and privacy of citizens across platforms while enhancing users’ TRUST in SoftWARE, cybersafety, and the EU’s digital market position. Specifically, TRUST aWARE will facilitate this by delivering:
- User-friendly tools to protect consumers against S&P cyberthreats (attacks, abusive practices and inappropriate behaviours of digital services), enabling them to better understand, control, detect and respond to S&P threats and attacks in a timely manner, as well as to configure their own S&P protection settings.
- Collective intelligence for Computer Emergency Response Teams (CERTs) and Authorities, in collaboration with citizens, Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs), to ensure and audit that digital products and their S&P practices are transparent, secure and in compliance with regulation.
- Knowledge to foster S&P-by-design in software engineering by supporting developers and digital service operators with standards and certification methods for compliance with European S&P regulation.