exploitation & impact workshop

The question is whether the EC could or should encourage projects to consider establishing a structured and visible relationship with an industry product group from the very outset, or whether this would become a hurdle: a piece of bureaucracy that could stifle innovation, with time spent in meetings rather than on the research itself.

There is still the ongoing question in the security market paradigm: “why should I pay extra for security?” (Maybe the question should be “do I really want an insecure product or system?”) We have spoken of awareness-raising for many years; the awareness is now largely out there, but the economics of security are still by no means clear. What IT security requires is a change in the paradigm: the investment in security may not give an immediate and visible profit, but it must be made in order to prevent and avoid economic losses and further consequences. Think insurance: there are areas of life where insurance is already the norm, and in some cases actually mandatory.

Further problems and needs

There is often only anecdotal information about the extent and severity of security lapses or attacks, due to a natural reluctance by the victim to reveal the damage and its extent. A Europe-wide (or even international) regulatory initiative to mandate the controlled disclosure of security(-related) incidents could be part of a trusted framework for the exchange of cyber-security data.

Many projects claim to create a community; it is not really clear how successful this is, or how measurable in the short term. As part of the project clustering mechanism, a group (or groups) could be set up to interface, or collaborate with existing interfaces, to larger industry product groups. A by-product would be a need for a common documentary approach within any product-oriented groups.

Discussion continued on how to go about doing user trials and on the best approach for projects. The absence of user trials in projects needs to be addressed. For user trials you need the finalised results, and you need a user interface or a partner that works directly on user interfaces (UI). If you involve the user right from the very start, then you have a chance to come up with some useful innovations.

The proposed solution of having such a follow-up after the project lifespan would be beneficial, working towards that next step. The proposal of involving the industry product groups at the very start of the project would also prove beneficial, and projects need to focus more on developing such a relationship at the start so that it can be of benefit right through.

PRESENTATION LINK: http://www.effectsplus.eu/files/2012/09/EFFECTSPLUS-WP2Padua.pdf

