Erasmus+ project “MISSILE”
Partner Organizations
- CSI CENTER FOR SOCIAL INNOVATION LTD, Cyprus
- S.C. PREDICT CSD CONSULTING S.R.L., Romania
- YASAR UNIVERSITESI, Turkey
- FH JOANNEUM GESELLSCHAFT MBH, Austria
Project Summary
The project MISSILE addresses a highly topical subject: developing key competencies related to awareness of information security vulnerabilities, threats and countermeasures. The main goal of the project is to develop a methodology for raising awareness of information security vulnerabilities, threats and security solutions through learning and training, and thereby to increase the overall security level of users and organizations. This is to be achieved through the following objectives:
– to define user needs and requirements in the field of information security training;
– to develop a concept for information security training, covering the major contemporary information security issues;
– to develop a platform that represents an actual implementation of the created methodology and realizes it in a feasible and reliable way;
– to create learning materials related to information security issues, social engineering, users' beliefs and understandings about sensitive data and information security, as well as the selection and application of properly defined security policies, mechanisms and countermeasures;
– to conduct effective valorisation of the created concept and its realization by piloting it with a selected target group of users.
By basing our solution on an iterative working platform and user trials, we will take our system into piloting to test and evaluate the created methodology. Apart from the innovative methodology for information security training and learning, we also foresee the formulation and exploitation of synergies between security and awareness training methods as a major outcome of the MISSILE project.
This view is supported by our approach, which allows dynamic definition of training and learning and enables a novel methodology ahead of the state of the art.
The MISSILE information security and awareness training / learning strategy is designed to have a multi-purpose impact by (directly or indirectly) contributing to:
– creating new ideas and practical results in science;
– developing a methodology for training / learning in the field of information security;
– reaching a wide public of specialists and non-specialists and new audiences at both European and local levels;
– ensuring visibility across Europe, covering different countries and languages;
– ensuring further dissemination and strong follow-up.
Intellectual Outputs
O2 Training Module on Technological Aspects of Information Security
The training module will be developed according to the previously created curricula (O1) and structured in learning modules, according to the various learning scenarios. The created modules will be available through the developed learning platform. The module will include the technological content in the field of information security that is delivered to the learner. Its purpose is to raise trainees' awareness of security issues and to provide knowledge and skills for the analysis and assessment of information security in computer networks and systems. The learning outcomes are the following:
- understanding basic problems regarding contemporary systems security;
- analysis and assessment of security threats and risks;
- development and application of security policy and mechanisms.
The materials will cover the defined topics, aiming at introducing the following major issues and related security solutions:
– theoretical basics, like confidentiality, integrity, availability, security policy and mechanisms, risk assessment and management, etc.
– malware, vulnerabilities and threats, like viruses, worms, trojans, spam, spyware, adware, sniffing, spoofing, etc.
– network and application attacks – DoS, man-in-the-middle, buffer overflow, code injection, etc.
– security countermeasures, like antivirus software, firewalls, applied cryptography, intrusion detection and prevention systems, audit software, etc.
– security standards and frameworks (ISO/IEC 2700x, NIST, IEC 62443, etc.)
– social engineering attacks, like phishing, tailgating, infected USB devices
The learning materials will contain text, multimedia elements like images, video, audio and interactive materials, practically oriented cases and projects, etc.
The module will also include some theoretical fundamentals, like the concepts of confidentiality, availability and integrity and the relations between them, covering physical, software, device, policy and people aspects; and the basics of authentication, non-repudiation, access control and privacy. The resources will also cover how appropriate policies can be adequately defined and how security techniques and mechanisms can be selected in order to tackle and solve problems and to achieve the maximum security with the available resources.
The module will be:
– comprehensive: it will contain an exhaustive and up-to-date set of activities on the module's topic
– self-contained: people in charge of delivering the module won't need to rely on any external resource to deploy it
– participative: it will allow users to act as a group in order to tackle some of the challenges; it will also involve interaction between facilitators and users
– adjustable: facilitators will be able to adjust it based on the needs of their target public, their background knowledge, competences and skills
– immersive: non-linear, game-based, interactive, engaging
At the end of each training, surveys will be conducted to determine the degree of satisfaction with the training, with the assessment of the following criteria:
- Actuality – conformity of the curriculum content with the current regulatory framework and contemporary knowledge;
- Relevance – correspondence between the learning objectives and the curriculum; correspondence between the curriculum and the needs / activity of the administration;
- Practical relevance – linking the content with the practical needs of the participants in the training.
O3 Training Module on Legal Aspects of Information Security
Information technologies have entered all aspects of public life and have prompted global integration of the information space. This has led to the development of legislation regulating the field of information security and the protection of information – classified, public and private (personal data).
Taking into account the global trends, legislators in the EU and its member countries have adopted numerous new laws regulating information security. At the same time, there are few opportunities for follow-up training for employees working in this field. This creates an obvious need for a well-designed and structured curriculum to build up new knowledge and skills.
The aim of the training is to create the necessary prerequisites for improving the qualification of the learners and for the fulfilment of their duties at every level in ministries, agencies and all non-profit public organizations. The training will be useful to all professionals working in the field of information security, as well as to managers and specialists from state and municipal administrations.
The main task will be to develop the knowledge, skills and abilities of professionals and to increase their professional qualifications in the field of information security and information protection in computer systems and networks. At the end of the course, learners will:
– know the basic concepts and policies for the protection of classified, public and personal information and the legal framework in force in this field;
– be able to search for, find and use new developments in the field of information security and information protection;
– be able to respond successfully to new situations in the area of information security and to make decisions in the sphere of information protection.
Therefore, the education will logically address key issues related to the legal protection of certain types of information. The subject of the training will include the protection of classified information, public information and personal data, the legal aspects of information security, and the general concept, strategy and policies for ensuring information security at European and national level.
The learning materials will contain text and multimedia elements like images, audio, interactivematerials, practically oriented cases and projects.
The module will be divided in two parts:
– The first part will cover the regulation within the European Union. Attention will be paid to each of the three levels of regulatory protection – policy documents, directives and standards – but the focus will be on the most significant of them, the General Data Protection Regulation (Regulation (EU) 2016/679). The EU's requirements for the storage of personal data and the associated protection measures, including the requirement for certain types of organizations to appoint a Data Protection Officer (DPO), will be examined.
– The next stage will be to inspect the regulation at national level in each of the member states. The legal framework in the partner countries is formed by:
* The Classified Information Protection Framework, which introduced effective mechanisms to ensure information security for all entities that create, process, store and transmit classified information. In this regard, the concept of state secret and its delimitation from similar concepts such as official, trade and military secrets is considered. Learners will be introduced to the levels of information classification, unauthorized access to classified information and its criminal law protection.
* The Law on Access to Public Information – learners will be introduced to the scope and content of public information, the obligation to provide such information to the entitled subjects, the ways to access it, and the restrictions on access to public information.
* The Personal Data Act – learners will be introduced to the concept and categories of personal data and the general principles for the protection of personal data. An overview of the national legislation and the data protection legislation will be given, paying special attention to the new elements introduced by the GDPR.
– Special attention will be paid to the criminal law protection of information in national legislation and to the most frequently committed crimes – offences against personal data, commercial and public information, and computer crimes such as illegal access to computer systems, theft of information and computer fraud.
In conclusion, the development and implementation of such a curriculum will establish traditions and advanced experience for the needs of future ventures and initiatives in this field.
O4 Training Module on Economic Aspects of Information Security
The economics of information security is one of the most complementary and yet most neglected fields of information security studies and training. Integrating a module on the economic aspects of information security will not only increase the target groups' awareness of economic outcomes but will also affect their perceptions and their application of market mechanisms, since the economics of information security has become a growing field of economics. More generally, many of the most basic information security issues are part of the current economic debate. The economics of information security is mainly concerned with market failure. According to the NTT Group Global Threat Intelligence Report (2017), the economic impact of information security breaches in the EU varies between 1 and 26.19 million euro (£14 million) in annual cost per company.
Many researchers have started to work on the economics of information security as a market failure and on its various aspects. This training module aims to teach how to manage the economics of information security in the face of market failures. The learning outcomes are the following:
– understanding the security and privacy economics, including utility, incentives, public goods,externalities and internalities, and trade-offs;
– comprehension of economic resources and risk assessment with respect to security policy;
– using and comparing models to understand security policy, technology, and decision-making.
One of the major aspects of the economics of information security is economic vulnerability. Economic vulnerability refers to risks caused by exogenous shocks to the system of production, distribution and consumption that arise out of economic openness. Markets for vulnerabilities, however, can be managed to reduce the cost of securing software and mobile applications. Vulnerabilities are mostly considered in the context of banking systems and financial economics; a broader perspective will be the focus of this module after a comprehensive needs analysis.
Externalities are another aspect of the economics of information security. Information economics is characterized by many positive and negative externalities, where the actions of economic decision-making units have effects on third parties. The module will cover the following major topics:
– Information security vulnerabilities
– Privacy problems as an externality and free rider problem
– Security as an externality
– Price discrimination
– Asymmetric information: adverse selection and moral hazard
– Policy options for dealing with market failures
Although only a limited number of trainings on the economics of information security will be delivered to the project's stakeholders during the project lifetime, the module's teaching materials will remain available after the project, with high potential to contribute to the growing body of literature with evidence from the EU.
Building on the existing literature, an in-depth review and conceptualisation will be carried out from interdisciplinary perspectives, such as IS, MIS, Economics, Law and Business studies.
The module will be:
– comprehensive: it will contain an exhaustive and up-to-date set of activities on the module's topic
– self-contained: people in charge of delivering the module won't need to rely on any external resource to deploy it
– participative: it will allow users to act as a group in order to tackle some of the challenges; it will also involve interaction between facilitators and users
– adjustable: facilitators will be able to adjust it based on the needs of their target public, their background knowledge, competences and skills
– immersive: non-linear, game-based, interactive, engaging
At the end of each training, surveys will be conducted to determine the degree of satisfaction with the training, with the assessment of the following criteria:
- Actuality – conformity of the curriculum content with the current regulatory framework and contemporary knowledge;
- Relevance – correspondence between the learning objectives and the curriculum; correspondence between the curriculum and the needs / activity of the administration;
- Practical relevance – linking the content with the practical needs of the participants in the training.