Objectives and Purpose

The secUnity slogan, “Supporting the Security Community,” describes our objective, i.e. to intensify IT security research in Germany and Europe. We strive for sustainable and interdisciplinary connectivity of all researchers, experts, software engineers and users, incorporating, in particular, economic and legal perspectives of IT security.

Existing research consortia are to be supported, new ones are to be established, and communities of young researchers are to be set up. To make transparent the multiplicity and the different competences in IT security research, an IT security map will be created. It will contain a differentiated list of key research items and will be open for permanent additions.

Moreover, we are developing a process in secUnity to identify joint research topics. In a close dialog with all researchers, experts, software engineers, users, we will assess gaps in IT security in order to develop a vision of a long-term policy of IT security research. One useful tool in this dialog is the push-pull platform. In addition, a roadmap of highly relevant research topics is being developed in secUnity which can serve as a basis for future consortial projects.

We organize and support various types of events ranging from scientific workshops to open topical evenings, sometimes political, which in many ways promote dialog among the players involved. In addition, we are going to run interdisciplinary summer schools or winter schools for active promotion of young researchers in IT security.

Law and IT Security

Within the constitutional “government duty of technology management,” the law acts as the agency transforming political conditions imposed. Technology is to be promoted, on the one hand, and to be controlled in an adequate way, where necessary also to be limited, on the other hand. In a society completely dependent on functioning IT and continuing to digitize, the law must continuously respond to real phenomena and, ideally, act in a prospective way. IT security law is the anchor in this approach, but has not yet been developed properly (from a legal point of view) because of the accelerated technological change.

New legal areas in information and telecommunications technologies are developing only with some delay although the comprehensive application of IT permanently gives rise to new legal problems in all areas of law. Also, legal informatics as a young discipline has an impact on all classical fields of law (public law, criminal law and civil law). Besides these different areas of law, a variety of sources of law contribute to the lack of transparency in jurisprudence, especially as seen from the perspective of appliers of law. A uniform legal area, let alone a central codification of IT security law, is not yet to be discerned. However, even more problematic is the fact that, unlike the technological side, there is no legal community in the important area of IT security law which would be able to provide new legal impulses in this interdisciplinary dialog.

As a consequence, the focus of legal activities in secUnity is on identifying players in jurisprudence concentrating on IT security law. New technical phenomena are to be illuminated from a legal perspective. Besides furthering a legal community and putting new legal problems to selected agencies, an overview should be produced of (legal) players well versed in the subject. This serves the purpose of establishing an interdisciplinary, open platform for exchange, which can help greatly to differentiate the dichotomy between legal framework conditions and freedom of technical innovation and, at the same time, effectively meet the challenges arising.

Business and IT Security

Increasing digitization and the general availability and utilization of internet-based services are changing the economic environment, the daily life of individuals, and society as a whole. What is also growing is vulnerability. Many businesses and users worry about their security and privacy. To diminish the probability, and also the level, of damage arising from security incidents, improved technical solutions are being developed continuously. However, for their further dissemination it is important that these solutions are designed to be user-friendly and, at the same time, cost-efficient. Against this background, the “IT Security Economics” research area studies the economic rules of supply and demand of / for IT security solutions.

Users of IT security solutions can be persons, companies or other institutions, such as public authorities. One major purpose of work in this research area, on the one hand, is the development of economic models offering support in decisionmaking about the question whether or not specific investments in IT security are worthwhile. Another building block is the assessment of the willingness of users to pay for IT security solutions. On the one hand, this implies empirical methods of business economics and, on the other hand, psychological aspects which must be taken into account. One example is the so-called privacy paradox which means that people indicate in opinion polls that their private sphere is very important to them while they do not behave accordingly (intention-behavior gap). Similar patterns of behavior can be found also for IT security solutions. For this reason as well, more awareness of IT security is to be solicited within the framework of activities in the “IT security” profile area.

From the provider’s perspective, i.e. the perspective of IT security vendors in the narrower and broader senses, the development of business models constitutes the focus of work. On the one hand, this means applying to IT security the findings derived from research and practical experience. Again, the economic rules in the IT security industry constitute an important foundation, as do the findings about the willingness of (potential) users to pay for IT security solutions. In this way, it is possible to derive recommendations for action for IT security vendors of any size, including startups, which can help improve sustainably the competitive position of these firms.

For this reason, IT security vendors are shown on the map in order to promote cooperative ventures and further advance connectivity. In this case as well, a distinction has to be made between IT security vendors in the narrower sense (e.g. vendors of specialized IT security solutions) and in the broader sense (e.g. vendors of IT products with specific IT security features).

Increasing digitization in particular affects young (university) graduates. As a consequence, a summer school about “Economics of IT Security and Privacy” is being planned for 2017 at the Darmstadt TU and is to provide international students with valuable knowledge about the economic aspects of IT security.