Taking decisions about security requirements and objectives for new software requires understanding the broad cyber risk picture. Our project will integrate an inter-disciplinary cyber risk perspective. It will allow organisations to take early cost-effective decisions about secure software design, while taking into account not only cyber threats stemming from known software weaknesses or threat actors, but also organisational goals and values.
Criminologists have been worried about designing out crime for years. Traditionally, interventions have been focused on designing inherently secure urban environments and products. However, its application to technology design is more limited. In Project C-SIDE, we aim to bring criminological knowledge to designing more secure software systems. Specifically, criminology will contribute to the conceptual definition of the type of roles software systems play in causing cybercrime. This analysis will describe how software systems can feature as objects, subjects, tools, or settings for particular kinds of cyber-criminal behaviour. Based on this conceptualisation, specific measures to secure software systems will be developed, including its design against cybercrime, adding on security products, securing the situation in which the software system is at risk, such as organisations, and making remote interventions.
Many parts of building a cyber secure software are offered – and sometimes imposed and enforced – by a variety of laws and regulatory frameworks. Laws and other legal instruments on data protection, privacy and technology will show us the rules that need to be complied with or the guidelines that should be followed. Privacy and data protection are not always recognized as such but they form a significant feature of cyber security. On the one hand, we protect (sensitive) personal data and privacy by providing in strong cyber security. On the other hand, creating software that is cyber secure also means only collecting and processing those data that are necessary for the purpose that the software is trying to achieve. Laws will also offer consequences when they are not complied with. The C-SIDE project will study how the legal requirements can be built into the design of a software in order to make it compliant.
Ethics of Care
Ethics of care is an ethical theory: it guides us in making morally “good” decisions. While there are different ethics of care theories, their common ground is the focus on context and interpersonal relationships. It has its roots in feminist theories and can be applied in a multitude of domains. From the sciences of healthcare, soil, law and politics to organizational studies and governance; care ethics has been applied. The C-SIDE project will take this to the next level and apply it on security by design. The unique feature of C-SIDE is the combination of the social and technical aspects of cyber security. Including the social in the technical can be seen as an act of care for both the end-user and the organization itself.
One of the aims of this project is to investigate and map out what the existing cybersecurity collaborations between public and private actors and institutions are. This information subsequently allows us to build a comprehensive picture of the present cyber security governance landscape in the Netherlands. By carefully studying the institutions and the existing relations with others, we can get an idea of which institutional designs are currently in place, and how these designs aim to guarantee cybersecurity. The further investigation and analysis of these alliances could then grant us more insight in how the collaborations between actors could be optimised. Finally, we hope to identify opportunities to improve the public policy aiming to support companies working on secure-by-design products.
Computer Science & Software Engineering
The main focus of our project is to improve software security by introducing an integrated, inter-disciplinary methodology for software development. We will use the state-of-art and the state-of-practice knowledge from the Computer Science and Software Engineering domains, upon which we will build our methodology.
The C-SIDE project entails a new way of thinking about (cyber)security. Philosophical insights will be used to guide our thinking and be critical of our own biases. The different disciplines in the project all have their own theories and ways of doing research. Philosophy will help us understand the assumptions that are present in the different disciplines and assess them. The C-SIDE methodology has a lot of different practical aims, philosophy will be used to make sure it is an ethically just/good design. Finally, philosophy of science will be used to make sure we conduct good ethical research.
The C-SIDE project aims to create a methodology that will be used by different companies. Organizations are therefore studied in order to find or create an organizational architecture that will be supportive of the C-SIDE methodology. Organizational studies entail a diverse selection of topics like leadership style, risk management, business ethics, governance, the role of the board, processes, structures and social relationships. Following C-SIDE’s own promise, organizational studies are not only used in the testing phase, but already included in the design of the methodology.
Integrating cyber security into design also means studying the interaction of humans with technology, studying how human behaviour could be changed and how it should be steered into the most secure direction. For these reasons aspects of human behaviour will be running through all parts of the project.