Project description

Project background

The Competence Center for Applied Security Technology (KASTEL) is one of three competence centers for cyber security in Germany, which were initiated by the Federal Ministry of Education and Research (BMBF) in March 2011. Following the motto “Comprehensible security in the networked world”, KASTEL addresses the challenges posed by the increasing interconnection of previously isolated systems. KASTEL bundles the competencies in the field of IT security at the research location Karlsruhe. The goal is to develop a holistic approach instead of isolated partial solutions. The focus will be on comprehensive security in specific application areas, such as power grids or intelligent factories. To ensure this security, new threats need to be modeled, security objectives need to be described and new methods have to be developed. This can only be achieved through the cooperation of cryptographers, IT security specialists, software engineers, network experts, jurists, economists and social scientists.

Project objectives of IIP in KASTEL

Within the framework of KASTEL, the IIP deals with economic risk management. Risk management generally includes the systematic analysis of internal organisational risks and the development of measures to reduce risks for the purpose of long-term protection of the organisation. The handling and control of IT risks requires not only that organisations have the necessary technologies and processes, but also that these are economically sensible and feasible. Economically oriented risk management is therefore becoming increasingly important, because industrial value chains are ever more strongly linked in terms of information technology and the effort required to protect these structures from attacks and technical errors is growing accordingly. Economic risk management refers not only to the economic efficiency of IT risk management, but also to the economic consequences of a failure of IT systems (e.g. business interruption). With a view to the development of scalable and quantifiable safety concepts, it is possible to consider material and immaterial consequences in the risk assessment. In addition, an economic risk analysis also takes into account the behaviour of the actors as well as the opportunity costs of risk-reducing measures and thus the conflicting objectives of security investments. The following project objectives of IIP in KASTEL can be derived from this:

  • Categorization of attacker profiles and identification of attack strategies to enable targeted defense against external attackers (external offenders)
  • Identification of internal system attackers (internal offenders) as well as analysis and design of internal organisational incentives for risk reduction
  • Description of requirements for an internal safety culture to reduce "negligence and human error" as sources of danger
  • Assessment of direct/indirect material and immaterial damage