Streamlining Security and
PrIvacy by Design
SME Instrument Proposal Supporting Site with Extended Material
What is SSPID and why it is important
Streamlining Security and PrIvacy by Design (SSPID, pronounced like “speed”), is a comprehensive engineering approach to address the security and privacy aspects of IT-based systems in an integrated and coherent way throughout the whole system lifecycle. Its importance stems from the fact that it represents the first security-aware modeling and engineering approach designed to avoid interfering with the realization of other user requirements and introducing complexity for system engineers. Instead, SSPID facilitates and speeds up (hence the name) the development of systems with security and privacy. In addition it unleashes many other important capabilities like the ability to produce certification and labelling-friendly systems because it automatically generates important information to facilitate the task of external system evaluators.
“We observed that privacy and data protection features are, on the whole, ignored by traditional engineering approaches when implementing the desired functionality. This ignorance is caused and supported by limitations of awareness and understanding of developers and data controllers as well as lacking tools to realise privacy by design.”
ENISA Report. Privacy and Data Protection by Design – from policy to engineering. – see page iv, Key findings.
The engineering of secure IT systems has always been a weak link in the systems engineering catalogue. The lack of adequate engineering processes and tools supporting the treatment of security aspects throughout the whole system lifecycle has been evidenced by recent incidents. Current practices for developing secure systems are still closer to art than to an engineering discipline. Both researchers and practitioners agree that it is necessary to make security an integral part of the engineering activities and to provide extensive computer-support for engineers throughout the whole system lifecycle. At the same time, several studies conclude that the cybersecurity labour market is suffering a severe workforce shortage that will only worsen in the future. For instance, Symantec estimates the demand to be about 6 million jobs by 2019, with a projected shortfall of at least 1.5 million skilled workers.
The combination of the dependency on the availability of skilled experts, and the predicted shortfall of these, points to a problematic situation, but also to an excellent business opportunity for cybersecurity engineering solutions like SSPID that can mitigate the dependency on in-house experts.
The SSPID solution is composed of specialized security knowledge artifacts, engineering processes, tools to support these, and managed engineering services. The optimal offer will be determined in the light of the feasibility study, but we expect to have an important advantage over the competition thanks to the offer of flexible engineering-as-a-service approach, ranging from just becoming providers of customer- tailored security knowledge artifacts, to a complete approach in which we provide managed security engineering services. For our customers, and this has been confirmed by the companies that tested our approach, the SSPID solution represents a leap forward in the speed of development, security of resulting systems and security-specific documentation. This latter aspect must be highlighted, as it is the key to more evolution-friendly and certification-friendly systems.
Business opportunity and benefits for Europe
According to cPPP, “The cybersecurity market, one of the fastest growing markets in the ICT sector, yields huge economic opportunities”. In the same line, it highlights the problem of geographical segmentation and lack of European-wide collaboration mechanisms.
Surveys by Cisco Security Advisory Services and Raytheon and the NCSA also predict an important shortage of cybersecurity professionals in the near future and reveals that Europe is slightly behind USA, and clearly behind other regions such as Middle-East in most indicators, which means that European industry will be in a weak position with regards to other regions. In this scenario, the availability of a solution like SSPID, represents a way to overcome such weakness in two main ways: on the one hand by facilitating the task of the developers of secure systems based on expert knowledge, and on the other hand, by creating the foundations for a new security- engineering-as-a-service model to be offered by S2Labs and other providers of Managed Security Services.
The road behind
The origin of our innovation dates back to 2010, when we were involved in the SECFUTUR project, funded by the EC through the 7th Framework Programme, and focused on the security of embedded systems. Together with Fraunhofer Institute, NIST and MITRE, we performed an in-depth study that concluded that the origin of this situation is in the lack of a comprehensive and practical approach featuring a tight integration of three essential components: (i) a practical engineering process that covers the full development lifecycle of systems in any domain; (ii) means to capture and reuse security expertise; and (iii) computer automation and assistance mechanisms to support the engineering and development stages, and in maintaining adequate security levels when systems are in operation. Based on this, we worked on developing a solution that would revert the situation and devised mechanisms to capture the knowledge of security experts in a computer-readable format to be later used as input to a cybersecurity engineering tool, for which we developed an advanced prototype. At the end of the project we had a robust tool (System Security Engineering Assistant – S2EA) that has later been improved and extended to support the engineering of general IT systems.
The current state of development of S2EA is that of a fully-functional tool that has already been used in real world scenarios by several industrial partners, and has been sufficiently beta tested, which corresponds to a technology readiness level of TRL6. Figure 1 shows a summarised timeline with the major milestones achieved in the development of S2EA. Reports of those experiences have been presented in relevant international conferences (e.g. here and here) and in relevant fora such as the NATO Symposium on Architecture Definition & Evaluation. Video demonstrations are also available on the video page. S2Labs is a registered provider of security solutions with S2EA listed in INCIBE catalogue of security solutions.
Figure 1. S2EA evolution and milestones
The road ahead
Once SSPID was in a mature enough state to be used in real projects, we considered the next steps and we prepared an initial business plan in which we identified possible business models. In particular, apart from the traditional model of selling the tool as a (software) product, we identified models of (i) obtaining revenues from the production of artifacts to represent expert security knowledge in specific areas and maintaining such artifacts continuously updated (implying a subscription model), and (ii) selling our tool “as-a-service”. This latter model that has been called “engineering-as-a-service” is especially promising as it was explicitly requested by the companies that participated in the field trials.
The analyses done (mainly based on SWOT, vision crafting and business canvas) lead to the conclusion that our strategy could be based on a soft-start business model combined with a focused-market bootstrapping strategy (meaning we try to become strong in one market and then expend to new ones), which looks reasonable, but opens up at least three additional questions and reveals that finding the correct answers to those questions may become bottlenecks for our success. In the first place, we found that the choice of the specific IT area for launching SSPID (cloud computing, IoT, embedded systems, cyber-physical systems, etc.) could have a huge influence on our results and even determine the success or failure of our tool. Almost as important is the selection of the correct business model (or models) to offer our tool, which can also have a crucial role in determining our growth rate, in achieving a high level of loyalty from customers and in empowering our ability to stand ahead of competitors. Furthermore, in discussions with the companies that used our tool we noted that the pricing was also a very delicate and important aspect for success.
Additionally, we reckon the importance of doing a thorough risk analysis and to use the results as input to our final business plan and launching strategy. Consequently, given that the cost of those feasibility and risk studies to address those questions was beyond our financial capabilities, we decided to apply for the SME instrument phase 1 with the objectives of developing a rigorous feasibility study and business plan, including market studies but also expert advice and customer surveys and interviews.
We have already received the confirmation of some experts and organisations that are interested in supporting S2Labs to develop the feasibility study in their fields of expertise:
- Fabio Martinelli, Institute of Informatics and Telematics at National Research Council, Italy.
- Antoine Monsifrot, Home Experience Lab, Technicolor S.A, France.
- Renato Menicocci, Fondazione Ugo Bordoni, Italy.
Feasibility Study Objectives
The SSPID Feasibility Study proposal (of SME Instrument Phase 1) is to ensure the commercial success of the SSPID innovation by gathering the necessary intelligence to successfully introduce the innovation into specific market segments, sustain and expand market presence to other market segments, and define a rigorous business plan. Particularly, the planned feasibility study will pursue the following objectives:
- [FO1] Identify the best market niches to target in the launching of SSPID, prioritise other market segments for potential expansion, select appropriate strategies to enter those markets and select key players and top influencers to bootstrap the adoption of SSPID. This will be achieved by means of a focus group study with relevant companies and organisations to identify incentives and concerns for the adoption of SSPID. Participants will range from SMEs to big companies in different market segments.
- [FO2] Study market size and growth rate of companies’ investments in both proactive (preventive) and reactive (corrective) security measures to inform the SSPID business plan, models and marketing strategy. This choice of addressing both types of measures study is also motivated by the fact that major consultants and analysts recommend companies to strategically invest in both types of measures to achieve a strong security posture of their IT systems.
- [FO3] Elaborate a business plan including the selection of the appropriate business models, streams of revenue and market strategies to ensure the right positioning of SSPID innovation in the market, market penetration and return on investment for S2Labs. This objective will be based on economic and market studies to determine the most appropriate business models and ensure the commercial viability of SSPID. A leapfrogging strategy will be developed to secure the competitive advantage, including strategies for future offering of new business models.
- [FO4] Develop a pricing strategy and plan. Elaborate an appropriate pricing strategy for maximising revenue of the SSPID solution components, such as SSPID tools and knowledge base. Determine means to ensure continuous evolution of such plan, to stay aligned with market conditions.
- [FO5] Perform rigorous legal and intellectual property analysis to identity appropriate mechanisms for the protection of SSPID innovation and a rigorous FTO (freedom to operate) analysis.
Various European institutions have highlighted the need for tools and technologies for security- and privacy-aware system engineering. This is the case of both the strategic objectives of ECSO (cPPP) initiative in relation to assurance and security / privacy by design, and the ENISA key findings (see box in Section 1).
In general, potential users of the SSPID solution are organisations and companies that need rigorous, traceable, and evolvable security engineering, especially those that need high levels of security but lack in-house security expertise, and those that aim to comply with the principles of security and privacy by design. Based on recent reports cloud-based services (SaaS) could be among our priorities for market introduction, but we need further confirmation from the planned feasibility study.
Key users’ needs addressed by SSPID innovation with respect to state of the art (click to see a report for details – PDF):
- Need of security-aware expertise-driven engineering process and methodology. A number of cybersecurity frameworks and strategies have been proposed, but they all remain at organisational and procedural levels (guidelines). No computer assistance is currently available as integrated part of system engineering and development of secure systems. SSPID provides companies with an engineering process characterised with high-level of modularity, flexibility and adaptability that best scales to and integrates with the most common industry engineering practices. SSPID will allow companies: (i) to achieve a security engineering process tailored to their systems’ needs and practices, and (ii) to apply world-class security expertise and solutions into their systems with high-level of rigour and precision.
- Need of machine-processable and engineering-oriented security knowledge representation. Several artefacts have been proposed for representing security solutions, focusing on different engineering phases and following different paradigms. Most of current artefacts are small extensions and improvements based on the concept of security threats lacking tools to enable their use in industrial environments. SSPID knowledge representation artefacts are designed to capture expert security knowledge with the goal of using it in the engineering of secure systems. The SSPID solution will offer companies of any size an affordable and easy access to up-to-date word- class security expertise and solutions in a computer-processable format allowing them to streamline security and privacy of their systems by design. SSPID users will have access to an extensive knowledge base for a wide range of domains such as cloud- and service-oriented computing, cyber-physical systems, Internet of things, e-government, etc.
- Need of security engineering toolset with high-degree of decision support and process automation. A very important activity when engineering a secure system is deciding how to fulfil security requirements with sound and compatible security solutions, and even more how to correctly integrate those in the system under development. This process is currently manual and currently requires a high level of security expertise from system engineers. In this respect, SSPID will provide crucial computer- assisted decision support in the selection of the most suitable security solutions to addresses their requirements, and the integration of selected solutions in the SUD model. SSPID toolset is designed to hide complexity and minimise error-prone activities, while at the same time documenting and tracing with appropriate evidences the sound use of security solutions.
Main economic benefits to users with respect to state of the art:
- Reduce cost and increase return of investment for companies developing secure and privacy-aware IT systems by providing an easy and affordable way to engineer, operate and evolve such systems, without the need to have in-house security experts but benefiting from world-class security expertise (SSPID knowledge base), and without having significant impact on their current engineering practices.
- Improve quality and time-to-market of IT-based systems (i) by facilitating the sound integration of proven security solutions with adequate by-design treatment of security and privacy; (ii) by providing mechanisms to validate the correctness of the integration of such solutions throughout the system cycle; and (iii) by providing evidences to speed-up and facilitate certification and labelling activities.
- Reduce cost of security incidents due to reduction in errors originating in the system engineering phase and problems derived from uncontrolled system evolution (accounting for more than 80% of severe errors) and reduction of the severity and reaction time for other incidents. When security incidents occur the SSPID innovation provides crucial information for reaction and recovery. Likewise, SSPID enables community-driven reaction to zero-day threats and preventive system evolution.
Market segments, growth rate, enablers and barriers.
The SSPID innovation targets the European IT industry in general, with a focus on the cybersecurity market. The specific market segments that will be targeted first will be determined in the feasibility study. Based on our preliminary analysis, the innovation has strong relevance to the emerging segment of the market dedicated to proactive security measures. However, we must highlight also that the innovation has inherent relevance to the market segment of reactive security measures (detection, response and recovery) currently dominating market trends as revealed by a 2016 Gartner report. The feasibility study objective aims at studying the specifics of these market segments and expected size and growth rate for the period 2017 – 2020, and determine and prioritise most viable market opportunities.
The SSPID innovation relates to the market niche of system security engineering tools. Recent studies envisage a steep increase in demand and investment for this market niche in the next years, due to the expanding trend of the global cybersecurity market (see below) and to the recommendations of different European cybersecurity strategies, such as ECSO, cPPP initiative, NIS directive, ENISA position and GDPR, as they all highlight the importance of enabling technologies and tools to foster privacy and security by design. The effect of these recommendations on the European cybersecurity market is evidenced by the upcoming GDPR where privacy and data protection by design will be explicitly demanded (see §78 and Article 25), and compliance to such principles required as soon as GDPR comes into force (25.05.2018)
Regarding the global cybersecurity market, in a recent report, Cybersecurity Ventures predicts global spending on cybersecurity to exceed $1 trillion for the 5-year period from 2017 to 2021 with anticipated 12- 15% annual growth to 2021. The report estimates businesses of all sizes and types to double down on cyber protection for the referred 5-year period. Market researcher Gartner says worldwide information security spending will grow 7,9% to reach $81 Billion in 2016. In another report Gartner says the overall security market will grow at a 7,8% CAGR (compound annual growth rate) through 2019.
As for the European cybersecurity market, the MicroMarketMonitor estimates a market grow from $26 billion in 2015 to $37 billion by 2020 at an estimated CAGR of 6,8% through 2020. The report lists some of the most relevant cyber security products defined by their capability to proactive measures, reactive measures, security management, impact mitigation and data recovery, and risk and compliance management. Table 1 below summarises these market forecasts for the 5-year period 2016 – 2020.
|Market Sector Year (Billions $)||2016||2017||2018||2019||2020|
|Global Cybersecurity Market||81||87||94||101||109|
|European Cybersecurity Market||29||31||33||35||37|
Market enablers. The SSPID toolset will feature full integration with modelling tools (it is currently available integrated with MagicDraw) with the goal to boost SSPID and outreach important stakeholders in different domains and sectors. The integration with modelling tools is envisaged as initial enabler for market introduction. We have already established contacts with No Magic (owner of MagicDraw product), and they have expressed interest to support SSPID exploitation using their store and dissemination channels (e.g., NoMagic Conference, etc.). In the feasibility study we will select and prioritise other modelling environments (such as Eclipse Modelling Framework, IBM Rational, Enterprise Architect, Visual Paradigm, etc.) with industrial relevance that will serve as enablers to expand the SSPID market to a wider user base.
Market barriers. Within the context of feasibility objective, we will aim to identify all relevant potential market barriers to overcome for the innovation both in terms of technology feasibility and strategic impact. For instance, some of these barriers for which we already have overcoming strategies are:
- Companies’ reluctance to change tools/practices for system engineering. To overcome that we are based on well-established standards, and decided to integrate the SSPID tools with widely-used modelling environments to ensure the compatibility with common engineering practices, and facilitate the adoption by integrating with the tools they already use.
- Companies’ practices treating security and privacy as add-on. To overcome that problem, we adopted a win-win approach that ensures that the adoption of SSPID security engineering practices result also in a reduction in the effort devoted to engineering and reducing the effort devoted to studying security solutions by means of proven world-class security expertise and solutions. In that way, companies will improve the quality of systems and reduce security-related engineering effort and costs.
As a spin-off of the GISUM research group at the University of Malaga, S2Labs was founded with two main overarching strategic goals: (i) serve as a vehicle for research results of high potential to reach industry; and (ii) offer IT solutions to create positive impact on society by preserving citizens’ rights to privacy, safety and security when using IT technologies in daily life.
The main line of innovation set out in the company’s strategic policy is on software engineering driven by advanced modelling tools and engineering patterns to guarantee security and privacy aspects of IT systems. In line with that, the SSPID innovation will be an important milestone to the S2Labs’ innovation activities and potential, as it will realise company’s vision and strategic goals by bringing into market an effective and practical solution to produce trustworthy IT systems addressing security and privacy by design.
SSPID has a strong relevance and interest to S2Labs’ management. The expected impact on the company from successful SSPID launching in the market will strengthen the position of S2Labs within the domain of its main activities and reinforce its position within IT industry both in Spain and in Europe. It will also consolidate new jobs and positions in the company, directly related to the development and exploitation of the products, as well as positions related to dissemination and marketing of the SSPID solution.
SSPID innovation is expected to open the possibility for S2Labs to enter emerging market niches with high demand of security engineering solutions and with high potential of revenues. SSPID will S2Labs to expand its network of partners and clients and thus outreach new sectors in the market. In this line, the feasibility study objectivesand will ensure the financial viability of the commercialisation of the SSPID innovation and its potential expansion to other market segments.
We have conducted an initial exploration, which indicated that our revenues can come from both license selling and services selling. Regarding the service-based offer, we could focus on the EaaS (Engineering as a Service) model. This preliminary work suggests that a more in-depth study aimed at determining the optimal market offer is required. Despite of the firmness of our purpose to exploit the business opportunity and to release a solution that we are convinced would benefit the IT industry at large, the lack of financial resources to undertake this feasibility study has hindered progress so far. We expect that the SME instrument will help filling the current gap between the product and the market. We have also done an initial estimation of the workforce necessary, which indicates that number of jobs grows proportionally with turnover, showing the socially beneficial aspects of the innovation and its sustainability.
Measures to maximise impact
a) Dissemination and exploitation of results
Sections 1.3 and 1.4 of the proposal recall the solid technological basis of our SSPID innovation over the last years and across several European-level collaborative R&D projects. However, despite the solid technological foundation and potential, the S2Labs’ management team has recognised the need to perform a comprehensive feasibility study and to elaborate a rigorous business plan to ensure right positioning and launching of the innovation in the most viable market niches. The S2Labs’ management team has also recognised the need and importance of in-depth risk analysis and planning of marketing strategies to outreach key stakeholders in industry, and expand the innovation to other sectors and market segments.
The objectives (Section 1.1) and work plan (Section 3.1) of the feasibility study will address the above identified needs, and results of the study will be used to consolidate S2Labs’ final business plan and strategy of how to reach and sustain market presence of the SSPID innovation in the period 2017 – 2020.
b) Intellectual Property, knowledge protection and regulatory issues
The background IP items necessary for the realisation of SSPID innovation are all owned by S2Labs. The most relevant, background and foreground IP items are:
- SSPID engineering process methodology: S2Labs is the sole owner of the engineering process methodology, which the SSPID is built upon. Members of S2Labs are the authors of the engineering process methodology with a number of publications on that.
- SSPID toolset software: S2Labs is the owner of the current version of the S2EA tool implemented as a modelling tool plugin and will be also the owner of the targeted market-ready version of the SSPID tool.
- SSPID security models (knowledge): S2Labs will own security models defined and issued by S2Labs. Security experts (third parties) will own security models created by them. Companies and organisations (third parties) may define on their own security models, and be owners of those.
An in-depth analysis of legal and IPR will be performed (objective) to select the most appropriate mechanisms to protect the SSPID innovation. We have already performed initial explorations and the results have shown that no patent cover the domain of SSPID, but the feasibility study will include a complete and rigorous FTO analysis of SSPID innovation.
Work plan – Work package and deliverable
The Feasibility Study is a single work package with several tasks to achieve the defined objectives. These tasks are structured to investigate each of the major areas to develop a strategic business plan.
Table 3.1 a: Work package description
|Work Package Title||Feasibility Study|
|Description of work
The work package includes the following tasks to achieve the objectives.
Task 1: Cybersecurity market study: Undertake a global market study based on current and potential customers, published data and end users to identify key market opportunities, technological trends, size and growth forecasts, analyzing the competitive landscape and the market entry barriers.
Relates to feasibility study objectives: , .
Task 2: Innovation and IP assessment: A full Innovation and IP assessment will be undertaken to ensure that our innovation business and IP strategies are fully aligned to make strategic decisions with confidence maximising our knowledge in the market.
Relates to feasibility study objectives: .
Task 3: International business strategy development: Based on the output from Task 1, this task will analyse strategic partners in identified international markets (other SMEs having complementary technology and expertise, technology providers, business developers, etc.).
Relates to feasibility study objectives: , .
Task 4: Risk assessment: A full technical, financial and commercial risk assessment will be undertaken. Mitigation strategies will be developed to offset the risks and critical path analysis to evaluate implications. SWOT analysis of the proposed plan will be made.
Relates to feasibility study objectives: , , .
Task 5: Business planning: Information collected from tasks T1-T4 will be processed, analysed and integrated to a global business plan including Sales & Marketing, Innovation, Financial, IP, etc.
Relates to feasibility study objectives: , .
Task 6: Project Management: Coordination and control of the whole project (resources assigned, tasks, timelines, etc.).
Relates to feasibility study objectives: ALL.
D1. Feasibility report, including a business plan (Delivery at M6)
The deliverable will report on: (i) Description of work undertaken during the feasibility study, methodology used, processing of information, results of assessment of SSPID viability, risk assessment and definition of next stage; and (ii) Business plan for the project to commercialise the SSPID innovation.
The table blow shows the SSPID SME Instrument Phase I Proposal GANTT diagram.
|Cybersecurity Market study|
|Innovation and IP assessment|
|International business strategy|