opportunities and threats of the Catalan economy taking into account the different sectors and technological capabilities.
strengths, weaknesses, opportunities and threats. -Analysis of the leading sectors and capacities in crosscutting enabling technologies.
and risk prevention and management 6. To protect the environment and promote resource efficiency 8. To promote employment
opportunities and threats to the Catalan economy based on SWOT analyses carried out previously in Catalonia and on
opportunities and threats (see the document Analysis of the Catalan economy: strengths, weaknesses, opportunities and threats), the Catalan economy is highly diversified
and open with a large industrial base. Within a context of globalisation and recession, the Catalan production system is undergoing a process of structural change:
because they share risks and can undertake larger projects than a company would be willing to embark on alone,
Public administrations provide economic support, under the principle of shared risk, to actions aimed at increasing the market value of technologies identified as marketable.
It is vital to provide the greatest possible incentives for investment in new companies through financial instruments that reduce the risk to
However, due to the inherent risks (technological, operational and market) that they face, it is difficult for them to gain access to traditional sources of finance and capital funds.
and risk assessment adapted to the region of the Carpathian Basin. The participation in LIFEWATCH enables us to gain a respectable international position in the first phase of the development.
and offer more incentives for risk taking. Entrepreneurial knowledge involves much more than science and technology.
a regional development strategy may risk increasing vulnerability to changing economic conditions. Therefore it is crucial that the second principle of 'relatedness' is also taken into consideration.
run the risk of autarky, and take a narrow view on the role of policy in the exercise.
stimulation of entrepreneurship/management of risk and uncertainty; market formation; mobilisation of resources; and legitimation.
the design of the RIS3 architecture needs to anticipate the risk of capture and make it more difficult for traditional groups to frustrate the process.
and risks associated with entrepreneurial search are shared and therefore do not become too prohibitive for the firm that is leading the search process.
Prioritisation always entails risks for those who have to select those few domains that, as a result, will get privileged access to public funding.
Such an open, participatory process, together with reliance on robust evidence based on regional assets, are the best guarantees to avoid both the risk of capture by interest groups
and the risk of lock in into traditional activities. Once the priorities are adopted it is important that the strategy is validated
Strategies that stop before this step run the risk of remaining unimplemented and/or not credible.
OECD 2011 58 Developing a RIS3 involves a degree of risk-taking, since there is always some uncertainty in the choice of priorities,
Test new or unconventional policy support approaches on a small scale before possible extension, limiting risk.
uncovering specific risk factors, such as the existence of a number of industries in need of modernisation or the dependence of the regional economy on a limited number of industries.
This implies, for instance, verifying that the vulnerability and capacity of adaptation of the regional innovation system have been
EU level debt instruments (guarantees/risk sharing: CIP-SMEG, RSFF, LGTT Risk Sharing Finance Facility (RSFF.
The Risk-Sharing Finance Facility (RSFF) aims to improve access to debt financing for promoters of research
and innovation investments by sharing the underlying risks between the EU and the EIB. Together, the European Commission and the EIB are providing up to EUR 2 billion (up to EUR 1 billion each) to support loans
or guarantees supporting the priorities of the Seventh Framework Programme for RTD (FP7). These contributions will translate into up to EUR 10 billion worth of additional financing available to innovative companies and the research community.
the Risk-Sharing Instrument (RSI), was launched at the end of 2011. It was operated by the EIF on behalf of the EIB
The Loan Guarantee Instrument for TEN-T projects partially covers this revenue risk and consequently improves the financial viability of such TEN-T projects. 117 Policy DG in charge:
in order to reduce their risk and increase their lending activities in favour of the sector. It amounts to EUR 8 million over the period 2010-2013.
1) a guarantee instrument to providers of micro-credit (i.e. loans of up to EUR 25,000, in particular to vulnerable groups in risk of social exclusion, for the purpose of setting up small commercial operations;
The European Investment Fund provides financial intermediaries an integrated risk finance product range of SME finance initiatives,
Procurers tend to favour low cost, low risk, and off-the-shelf solutions once the (political) decision on what to buy and at
There are hardly any mechanisms to allow the pooling of risk and resources across countries and different administrations;
and by decreasing the potential innovation costs and financial risks through ERDF co-funding; The recognition of the procurement phase as strategic in public policy cycles, by associating procurement departments at an early stage in the definition of a project and of regional innovation strategies for smart growth;
There is a risk of it being hampered by insufficient knowledge, limited support of grass roots, social enterprise and social entrepreneurship activities
In this regard, it has a pivotal role in answering (together with private stakeholders and the civil society) today's major societal challenges such as demographic ageing, increased demand for healthcare services, risk
risk management and strategic planning with a view to obtaining a better access to the private capital markets,
and protection of the knowledge become predominant and decisive for long term profit gaining and sustainability assurance (Nicolescu, 2011).
and take calculated risks. 2. THEORETICAL FRAMEWORK The theoretical literature that deals with the issue of R&D
of population at risk of poverty or social excl. no. of persons) EU target 75 3 20 20 20 10 40 20,000,000 RO target 70 2 19 24 19 11,3 26,7
Innovative public procurement means the public sector can take on the role and risks of a lead customer,
Foreign ownership in the region's key sectors brings with it both opportunities and risks.
The main risk is that foreign firms are likely to be 'footloose', that is they are more likely to close plants
A second risk is that foreign-owned firms 'crowd out' the local industry. This may happen by outcompeting local firms in their traditional domestic market,
there is always the risk of creating an additional level of bureaucracy, if these measures are linked not to a simplification of structures,
Measures under this investment priority should also promote food chain organization and risk management in agriculture by:(
and (ii) assisting farmers with risk management and financing investments in preventive and restoration actions. 170.
Threats Lack of applications and local content, but also an insufficient level of digital literacy and understanding of benefits;
the risk to deepen the digital gap becomes even bigger thus amplifying differences between Romania
Generalized access to e-tools is a necessary condition of the success of e-democracy and the elimination of a risk of a technology gap.
There is a strong risk that the definition of standards in technical committees may have far-reaching consequences for the overall future architecture of the electricity system without an adequate public debate.
growing energy demand, globalisation, increasing fossil fuel costs and a new awareness for the risks of nuclear power, the use of renewable energies has been supported by a growing range of stakeholders
highly flexible CHP plants) risk to be too low for coming needs. At the same time, smart technologies are used increasingly for ensuring the appropriate communication between the different actors
The objective of this paper is to analyse these risks and assess the starting point of the implementation stage of the Regional Innovation Smart Specialisation Strategies (RIS3) for the case of Spanish regions.
there is also a significant number of risks to consider. Table 2: Opportunities and risks regarding main elements of smart specialization ELEMENTS OPPORTUNITIES RISKS Prioritization Election of priorities through specialisation patterns To prioritize can help creating critical mass to achieve excellence.
Prioritizing the demands of the businesses facilitates the alignment of the regional capabilities with the market opportunities.
As mentioned in the research questions section, these opportunities and risks, as well as the real difficulties and problems encountered by policymakers
There is no clear economic justification of a wider selection of sectors beyond the risk aversion of authorities on the choosing process of priorities8.
The paper has analysed the state of the art in current Spanish RIS3 just to assess the scope of these potential threats within the real strategic definition exercises.
as well as the risk aversive preferences of regional authorities, guides a wider selection of specialisation choices.
and Threats) for the R&D and Information Society situation in Castilla y León that has been the basis for establishing RIS3 programmes and objectives,
and Threats (SWOT) compiles and integrates quantitative and qualitative analytical conclusions in the Strategy's creation framework.
THREATS Prolonged effects of the financial crisis and difficulty in entering financial markets. Limitations of companies to funding
Loss of support structure for R&D because of the financial crisis and risk of system failure due to budget reasons.
THREATS Territory Low profitability in the area for operators for telecommunication infrastructure in the rural environment.
(I) SWOT Analysis R&D&I 13 Threats Extension of effects of the crisis. Difficulty of access to financial markets.
Building the evidence base for RIS3 (II) SWOT Analysis Knowledge Digital Society 17 Threats Low profitability for operators in rural areas;
linking innovation to strategy, visible leadership, incentives for innovation, appropriate risk management, training for staff, the creation of 'circuits for information' (information flows within and beyond the organisation),
bureaucratic cultures, risk aversion, heritage and legacy, inability to keep up with pace and scale of change,
citizen engagement can be a high-risk activity. There are complex issues related to ensuring that participation is inclusive,
and 'member' voice Decision making power is not based on capital ownership Accept significant levels of economic risk Participatory in nature,
In line with other societal challenges, the issue of demographic change and ageing is portrayed increasingly both as a threat and an opportunity.
Similarly the Catalan Region and Barcelona City33 have applied social clauses in procurement for all its large contracts to integrate groups at risk of exclusion in the labour market.
Bruno et al, 2008: 6). Social learning can be stymied by risk averse organisational cultures, weak feedback mechanisms and conventions that extol process over outcomes,
because it was encouraged to be risk aware rather than risk averse when it designed its tenders
With respect to both domains of public services the developmental state and the welfare state we argued that the state needs to become more supportive of experimentation and less risk averse.
and threats (like becoming commissioned agents of the state and diluting their social mandate). Our second point concerned the shortcomings of the sector.
Hence including firms with at least one patented invention allows a reliable identification of the firms at risk of engaging in invention trading activities. Company names identified from the patent database have been matched with company names from the Amadeus database (Bureau van Dijk); hence both listed and non-listed companies were included in our sample.
and placing incumbents under competitive threat. New spin-off ventures enable the commercialisation of knowledge that would
Yet many emerging and potential business creators are lacking entrepreneurship skills such as in risk assessment,
Whilst this favours the SME, large corporations are adapting to become important players within this type of business model rather than treating it solely as a threat.
Entrepreneurs take risks by offering new solutions in the market in the face of uncertainty about
processes and business models to fit at the risk of failure. The entrepreneur innovates by experimenting.
discovering opportunities, taking risks, shifting resources and creating breakthrough innovations and these roles moreover are not mutually exclusive.
since the mere competitive threat of new and small firms, or contestability of their markets, may force incumbents to upgrade.
Knight, F. (1921), Risk, Uncertainty and Profit, Chicago University Press, Chicago. Jensen, M., B. Johnson, E. Lorenz and B. Lundvall (2007), Forms of Knowledge and Modes of Innovation, Research Policy, Vol. 36, No. 5, pp. 680-693.
when information asymmetries and risk are very high, often preventing traditional bank financing and even access to private venture capital funds.
and share the risk of R&D and innovation investments with other local partners. 2. FRANCE SMES, ENTREPRENEURSHIP AND INNOVATION OECD 2010 63 France A. Structural indicators on enterprise population
whilst cushioning the financial risk for people willing to invest in technology-based start-ups. The Creation Support to New Innovative Enterprises programme for 2007-13 builds on this past experience
and the venture capital market by facilitating loans to risk-capital societies interested in sharing the risk with the firms.
perceived economic risk Cost of financial 2. UNITED STATES SMES, ENTREPRENEURSHIP AND INNOVATION OECD 2010 106 United States Small Business Innovation Research (SBIR
in order to cope with risk management. Each funding operation is covered by the following guarantees against default: 20% personal liability of the partners of the company getting the loan;
To minimise and spread risk the new funds syndicated many of their investments to a far larger extent than funds would consider today.
In addition, Yozma offered the foreign investors in these small funds insurance of 80% of their risk as well as the option of buying out the government's share within five years.
identify criteria for risk sharing; support investments in R&D. New financial services for R&D; investments in technology-based start-ups;
and risks involved in the internationalisation process (OECD, 2008b). As a result, public policy has a key role to play,
and to ensure that the risks and costs of international networking are minimised for participating SMEs through, for instance,
which often run the risk of being trapped in a one-way relationship with the parent company.
and risks and costs associated with international networking by setting up legal services or guarantee schemes,
computing, collaborating, dealing with risk and uncertainty or developing a new product or service (Tether et al.
such as risk assessment and warranting, strategic thinking, self-confidence, the ability to make the best of personal networks,
take imaginative and informed approaches to problem solving involving calculated risks. 3) Responsible citizens have knowledge and understanding of the nature of work and social and economic enterprise;
Careful analysis of the growing literature reveals a perceived risk that the term social entrepreneurship could become very inclusive and,
and manufacture and distribute medicines to populations at risk. One World Health also creates interesting opportunities for industry
the ability to recognise social value-creating opportunities and key decision-making characteristics of innovativeness, proactiveness and risk-taking.
4) is/are willing to accept an above-average degree of risk in creating and disseminating social value;
and this requires the display of innovativeness, proactiveness and risk management behaviour. This behaviour is constrained by the desire to achieve the social mission
some advanced skills on business management and human resources and some specific skills related to risk assessment and warranting,
and whose social vulnerability map includes situations of high deprivation for youth and adults. The Cafu Foundation has a Library, Playroom, Visual Arts Room and Workshop, Computer Rooms, Dental care Office, Cafeteria, Kitchen and Pantry,
act with potentially innovative proposals, even considering the risks of alienation and manipulation. When questioning how social innovation is produced,
people are insured for social risks mainly by the state and they have a certain security and knowledge of
dependency on the public purse also carries risks for the sustainability of the socially innovative sectors.
Banks, in turn, are unwilling to take on the risks and costs of making small, uncollateralized loans (Karani 2007).
Talk of finance takes us inevitably to the issue of risk and hence regulation and regulatory frameworks.
Potts 2009) and thus risk (e.g. Gibbons and Littler 1979; Bhatta 2003). Dodgson et al. (2005), for example, have pointed out that there is a broad understanding in innovation research that the innovation process requires experimentation.
Innovators, public and private investors need to manage innovation risks. Risk management can be facilitated through innovation-friendly legal frameworks, shared ownership and alternative ways to finance start-ups.
Regulatory frameworks, the availability of different organizational forms and attitudes to risk and reward will all shape the opportunities for social innovation to take place.
The European Journal of Social Science Research 445 dominated by approaches to risk management that privilege the tried
individuals'financial and personal capacity, their ability to access social capital and their willingness to take risks will influence opportunities for innovation.
reduce the risk of people falling into poverty and cut carbon emissions to 80% of 1990 levels.
reduce the risk of people falling into poverty and cut carbon emissions to 80% of 1990 levels (http://ec.europa.eu/europe2020/targets/eu-targets).
Revisiting the Issue of Risks in Innovation in the Public Sector. The Innovation Journal: The Public Sector Innovation Journal 8 (2). http://www.innovation.cc/scholarly-style/bhatta-risks.pdf. Borzaga, C,
. and R. Bodini. 2012. What to make of Social Innovation? Towards a Framework for Policy Development.
Varying national rules on taxation and data protection ran the risk of stifling the growth these tech businesses can create,
This leads to the risk of digital issues falling through the cracks, while politicians such as Kroes argue it should be hardwired into all policymaking.
Of course there are risks, and there will be challenging questions for us to answer as we enter this new reality,
or when new opportunities and threats indicate a need for reinvention (Johnson et al. HBR 2008.
Not since the opening of the atomic age, with its promises of power too cheap to meter and threats of nuclear incineration, has a technology so deeply captured the imagination of the public.
% the risk of corporate security holes (31%) and the high price of Cloud Computing services (27.8%).
and possessing the ability to exchange helps eliminate the inhibitor of change. the risks involved in change.
When a person certain risks associated with the expected change in personal group or organization,
The ability to take risks, tolerance for ambiguity inherent in innovation, resistance to stress are reduced.
5, 6, 7-positive reactions to change Very few people are prepared to give up ideas for your loved obvious risks.
and threats in a convincing manner and particularly the EU would achieve it aware of the need for change
the remaining 39,82% saw the change as a threat Manifestations of resistance to change Unfortunately 74,72% of employees show an active resistance to change Frequency of using tactics to reduce resistance to change-actions of senior managers on change Reducing resistance
as the acquisition of investment usually brings high capital costs and risks. Enhanced cooperation between different actors will help to improve income sources and also the opportunities for more investment in the field
yet, there are risks and limitations associated with citizen engagement, and further research is needed to understand the impact of participation on society and individuals.
First, the term risks becoming a buzzword, leading to a loss of credibility and support,
rather there are associated risks and challenges. For instance, the value of engagement tends to be contingent on the form and practice of that activity
and the risks associated with a low quality version of it spreading. Receptive contexts Lastly, we emphasise the significance of receptive contexts.
or the financial risks that acquiring external growth capital brings, social innovators tend to favour it.
'and others involved in resourcing social innovation may share risks, allocate costs, and distribute benefits more effectively.
a significant level of economic risk; a minimum amount of paid work. The social dimension consists of three as well:
First, the term risks becoming a buzzword or a passing fad, as many organisations adopt the concept without really embracing the practice.
marked by a high degree of risk and uncertainty due inter alia to the specific context wherein they appear social innovations are, in a significant way,
Whether or not they can be seen as better (more effective/social/democratic) is a question of its own that can only be answered in retrospective. 85 High degree of risk
and other procedures in 2007 following cases such as the withdrawal of Merck's painkiller Vioxx in 2004 after it was shown that the drug increased the risk of a heart attack.
Investors and financial analysts can use the Scoreboard to assess investment opportunities and risks. 18 Investing in research:
Gradual recovery, external risks, IP/13/1025 of 05/11/2013, http://europa.eu/rapid/press-release_ip-13-1025_en.htm. 16 The samples
Der Spiegel, 19 April 2013, http://www.spiegel.de/international/business/lack-of-skilled-labor-could-pose-future-threat-to-german-economy-a-894116.html country (number of statements
1996) and Carrier (1994) mention explicit strategies to increase and stimulate internal creativity and risk taking behavior. Yet another internal variable is investments in R&D (Birchall et al. 1996; Oerlemans et al. 1998). Among other internal factors that were found to be important determinants of success of innovative efforts are the nature of the commercialization and marketing effort, the degree of marketing involvement in product planning and firm competence in the area of technology strategy and technology management (Hoffman et al.
and A Culture of Innovation mean that the global population is increasingly in need of the necessary education to harness and maximise the potential benefits while minimising risks of globalisation and innovation.
the organisation has been one of the first and most active promoters of the development of sustainable knowledge societies, identifying potential threats to,
and vulnerabilities to malicious attacks. iv. Lack of efficient caching & mirroring: There is no inherited method for on-path caching along the communication path
because current QoS assurance mechanisms in the IP world require improvements to replace the Layer 2 QoS schemes of the tradi 48 L. Bokor, Z. Faigl,
delegation of management authority to network management systems and decentralised assurance of service delivery in a home area are important too. 7 Summary
OVM (Ontology for Vulnerability Management) to support security needs 35; NetQoSOnt (Network QoS Ontology) to meet the needs of service quality 27;
estimating, and understanding the risks, challenges, and usability aspects of this network of networks. As collected by the FISE (Future Internet Socioeconomics) working group within the FIA on its wiki, the following general aspects of socioeconomics,
The framework also ignores factors such as risks (deployment is harder if the associated risk is higher),
regulatory requirements and the role of hype and group think. When there are competing proposals (which should be selected for deployment?)
These factors reduce the deployment risk, especially as it should also be easier to roll back
and CRAMM (CCTA Risk Analysis and Management Method) 7 have similar objectives to our methodology.
and quantifying security risks in organizations. The situations analyzed by the aforementioned methodologies are associated often with certain kinds of tussles.
technology literacy and expectations, openness to risk and innovation. Furthermore, it should be studied whether and how these attributes,
For instance, impact assessment (3a) could be performed by mathematical models for assessing risk or utility, as well as providing benchmarks like the price of anarchy ratio.
On the other hand, risk assessment techniques seem more relevant for the second tussle since high congestion can have an impact on ISP's plans to offer other real-time services.
Risk assessment techniques could be used in this case, as well as models for estimating social welfare loss. A side-effect of this tussle is innovation discouragement
then setting-for example-a low price would increase his risk of being selected by the least profitable customers.
and care are suggested as a countermeasure for moral hazard issues. Similarly the proposed way for mitigating the effects of adverse selection is for the less informed party to gather more information (called signaling)
few people were interested in debating the societal risks and values surrounding a platform that could potentially distribute previously secret documents.
when an ISP (the provider) requests a share of an ASP's revenues (the consumer) due to its higher investment risks and operational costs.
and economic mechanisms that will allow network providers to offer inter-domain QoS assurance and obtain higher bargaining power during negotiations for service terms (e.g. pricing).
in addition, change the threat model and increase the attack surface. An attack can potentially be launched by a malicious or fake service provider, service consumer,
as well as providing assurance about security properties of exposed services and information. 164 Part III: Future Internet Foundations:
The second group of chapters investigates the provision of assurance of the security properties of services and infrastructures in the future Internet.
the provision of assurance through formal evidence and the consideration of risk and cost arguments in the Secure Development Life cycle (SDLC).
One of the major ingredients of this program, the provision of security assurance through formal validation of security properties of services, is investigated in detail in the chapter Towards Formal Validation of Trust and Security in the Internet of Services by R
and trust assurance in the future Internet addressing one of the major obstacles preventing businesses and users to fully exploit the Future Internet opportunities today.
but also faces new security risks, from the breach of separation between tenants to the compliance challenge in case of distribution over different regulatory domains.
The authors discuss these risks and provide an outlook to their mitigation, embedded in a systematic security risk management process.
In cloud computing, but also in most other Future Internet scenarios like the Internet of Services, the need for data exchange leads to sensitive data, e.g.,
and trust risks emerging from the increased level of sharing and collaboration in the future Internet can be mitigated,
Such a life cycle support must deliver assurance to the stakeholders and enable risk and cost management for the business stakeholders in particular.
Yet this also creates more vulnerabilities and risks as the number of trust domains in an application gets multiplied,
the size of attack surfaces grows and so does the number of threats. Furthermore, the Future Internet will be an intrinsically dynamic
and evolving paradigm where, for instance, end users are empowered more and more and therefore decide (often on the spot) on how content
as both risks and assumptions are hard to anticipate. Moreover, both risks and assumptions may evolve;
thus they must be monitored and reassessed continuously. 1. 2 The Need for Engineering Secure Software Services The need to organize,
We need to enable assurance: approving that the developed software is secure. Assurance must be based on justifiable evidence,
and the whole process designed for assurance. This would allow the uptake of new ICT-services according to the latest Future Internet paradigms,
where services are composed by simpler services (provided by separate administrative domains) integrated using third parties infrastructures and platforms.
Thus, embedding risk/cost analysis in the SDLC is currently one of the key research directions
bearing in mind that the discovery and remediation of vulnerabilities during the early development stages saves resources.
and compose-able services,(4) enabling security assurance, integrating the former results in (5) a risk-aware and cost-aware software development life-cycle (SDLC),
and (6) the delivery of case studies of future internet application scenarios. The first three activities represent major and traditional stages of (secure) software development:
Both the security assurance programme and the programme on Risk and Cost aware SDLC will interact with each of the initial three activities,
The need for assurance in the future Internet demands a set of novel engineering methodologies to guarantee secure system behavior and provide credible evidence that the identified security requirements have been met from the point of view of all stakeholders.
Such deployments inherit security risks from the classical Internet and, at the same time create new and more complex security challenges.
The integration of security aspects into this paradigm is the so-called model-driven security 6, leading to a design for assurance methodology in
so threats in the environment may change over time and some reconfiguration may be required to adapt to those changes.
reducing costs and risks usually arisen by uncertainty, leveraging a risk and cost-aware. There are large catalogues and surveys on security patterns available 26,13,
but the FI applications yet to come and the new scenarios enabled by FI need to extend
Secure Service Programming Many security vulnerabilities arise from programming errors that allow an exploit. Future Internet will further reinforce the prominence of highly distributed and concurrent applications,
and similar vulnerabilities associated with web-based distributed applications. Obviously, the logical rationales underlying such best-practises must be articulated,
Supporting Security Assurance for FI Services. Assurance will play a central role in the development of software based services to provide confidence about the desired security level.
Assurance must be treated in a holistic manner as an integral constituent of the development process
seamlessly informing and giving feedback at each stage of the software life cycle by checking that the related models
Obviously the security support in programming environments that must be delivered will be essential to incept a transverse methodology that enables to manage assurance throughout the software and service development life cycle (SDLC).
The next section clarifies these issues. 5 Embedding Security Assurance and Risk management during SDLC Engineering secure Future Internet services demands for at least two traversal issues,
security assurance and risk and cost management during SDLC. 5. 1 Security Assurance The main objective is to enable assurance in the development of software based services to ensure confidence about their trustworthiness.
Our core goal is to incept a transverse methodology that enables to manage assurance throughout the software development life cycle (SDLC.
A first sub-domain covers early assurance at the level of requirements, architecture and design.
A second sub-domain includes the more conventional and complementary assurance techniques based on implementation. Assurance during the Early Stages of SDLC.
Early detection of security failures in Future Internet applications reduces development costs and improves assurance in the final system.
This first strand aims at developing and applying assurance methods and techniques for early security verification.
These methods are applied to abstract models that are developed from requirements to detailed designs. One main area of research is stepwise refinement of security
In addition, for assurance, there is the need to extend model checking methods to enable automatic generation of protocol correctness proofs that can be verified independently by automated theorem proving.
Security Assurance in Implementation. Several assurance techniques are available to ensure the security at the level of an implementation.
Security policies can be implemented correctly by construction through a rigorous secure programming discipline. Internet applications can be validated through testing.
and testing in order to provide the final assurance that the latter cannot deliver, be it for scientific and technological reasons,
We need comprehensive assurance techniques in order to guarantee that security concerns are taken correctly into account through the whole SDLC.
Metrics can be used directly for computing risks (e.g., probability of threat occurrence) or indirectly (e.g.,
time between antivirus updates). Security metrics in the future Internet applications become increasingly important. Service-oriented architectures demand assurance indicators that can explicitly indicate the quality of protection of a service,
and hence indicate the effective level of trustworthiness. These metrics should be assessed and communicable to third parties.
and determined by the various techniques in the Engineering process. 5.2 Risk and Cost Aware SDLC There is a need for a methodology that delivers a risk and cost aware SDLC for secure FI services.
Such a life cycle model aims to ensure the stakeholders' return on investment when implementing security measures during various stages of the SDLC.
While the software development proceeds through incremental phases, the risk and cost analysis will undergo new iterations for each phase.
In order to support the propagation of analysis results through the phases of the SDLC one needs to develop methods and techniques for the refinement of risk analysis documentation.
Such refinement can be obtained both by refining the risk models, e.g. by detailing the description of relevant threats and vulnerabilities,
and by accordingly refining the system and service models. Aggregation: In order to accommodate to a modular software development process,
one needs to focus on a modular approach to the analysis of risks and costs. In a compositional setting, also risks become compositional
and should be analysed and understood as such. This requires, however, methods for aggregating the global risk level through risk composition
which will be investigated. Evolution: The setting of dynamic and evolving systems furthermore implies that risk models
and sets of chosen mitigations are dynamic and evolving. Thus, in order to maintain risk and cost awareness,
there is a need to continuously reassess risks and identify cost-efficient means for risk mitigation as a response to service
or component substitution, evolving environments, evolving security requirements, etc., both during system development and operation.
Based on the modular approach to risk and cost analysis one needs methods to manage the dynamics of risks.
In particular, the process for risk and cost analysis is highly iterative by supporting updates of global analysis results through the analysis of only the relevant parts of the system as a response to local changes and evolvements.
secure programming as well as assurance and the relation to each of these ingredients must be investigated. During security requirements engineering, risk analysis facilitates the identification of relevant requirements.
Furthermore, methods for risk and cost analysis offer support for the prioritization and selection among requirements through, e.g., the evaluation of trade-off between alternatives or the impact of priority changes on the overall level of risks and cost.
In the identification of security mechanisms intended to fulfil the security requirements, risk and cost analysis can be utilized in selecting the most cost-efficient mechanisms.
The following architecture and design phase incorporates the security requirements into the system design. The risk and cost models resulting from the previous development phase can at this point be refined
and elaborated to support the management of risks and costs in the design decisions. Moreover, applying cost metrics to design models
and architecture descriptions allows early validation of cost estimates. Such cost metrics may also be used in combination with security metrics for the optimization of the balance between risk and cost.
The assurance techniques can therefore be utilized in providing input to risk and cost analysis, and in supporting the identification of means for risk mitigation based on security metrics. 190 W. Joosen et al. 6 Conclusion We have advocated in this paper the need
and the opportunity for firmly establishing a discipline for engineering secure Future Internet Services, typically based on research in the areas of software engineering, security engineering and of service engineering.
We have clarified why generic solutions that ignore the characteristics of Future Internet services will fail:
the peculiarities of FI services must be reflected upon and be addressed in the proposed and validated solution.
composing services leads to new, subtle and dangerous, vulnerabilities due to interference between component services and policies, the shared communication layer,
however, do not provide automated support for the discovery of important vulnerabilities and associated exploits that are already plaguing complex web-based security-sensitive applications,
otherwise a counterexample is sent back to the Orchestrator (where a failed validation means the existence of vulnerabilities that need to be fixed).
Towards Formal Validation of Trust and Security in the Internet of Services 201 Vulnerability: Policy:
The vulnerability was detected by the SATMC backend of the AVANTSSAR Platform and the attack was reproduced in an actual deployment of SAML-based SSO for Google Apps.
and the vulnerability was kept confidential until Google developed a new version of the authentication service
The severity of the vulnerability has been rated High in a note issued by the National Institute of Standards and Technology (NIST).
has automatically found vulnerabilities in PKCS#11-based products by Aladdin, Bull, Gemalto, RSA, and Siemens among others.
All discovered risks and flaws in the SAML protocol have been addressed in NW-NGSSO implementation and countermeasures have been taken.
The results have been collected in tables that can be used by SAP in setting-up the NW-NGSSO services on customer production systems.
there and helped SAP Research to better understand the vulnerability itself
These results show that the AVANTSSAR technology can provide a high level of assurance within industrial BPM systems,
For each of these challenges, we introduce existing concepts to mitigate these risks and survey related research in these areas. 1 Cloud computing and the Future Internet Cloud computing is expected to become a backbone technology of the Future Internet that provides Internet-scale
Furthermore, we survey existing components to overcome these security and privacy risks. We will explain the state-of-the-art in addressing these requirements
Examples for supplementary services are threat surveillance (e.g., Alertlogic), access and identity management (e.g., Novell, IBM), virtual private networking (e.g.,
2. 2 Today's Datacenters as the Benchmark for the Cloud Using technology always constitutes a certain risk.
Overall, the benefits need to outweigh the potential disadvantages and risks. While the cost and flexibility benefits of using clouds are easy to quantify,
potential disadvantages and risks are harder to qualitatively assess or even quantitatively measure. An important aspect for this equation is the perceived level of uncertainty:
Today, uncertainty about the actual availability does not allow enterprises to make such risk management decisions
cloud providers must enable enterprises to integrate cloud infrastructures into their overall risk management. We will use these requirements in our subsequent arguments. 3 New Security
and Privacy Risks and Emerging Security Controls Cloud computing being a novel technology introduces new security risks 7 that need to be mitigated.
cautious monitoring and management of security risks 13 is essential (see Figure 1 for a sketch following 12).
and privacy risks where importance has been increased by the cloud and identify potential security controls for mitigating those risks.
Fig. 1. Simplified Process for Managing Security Risks (12): 1. Survey of Risks; 2. Design of Controls; 3. Implement. of Controls; 4. Monitoring of Effectiveness.
Trustworthy Clouds Underpinning the Future Internet
3.1 Isolation Breach between Multiple Customers Cloud environments aim at efficiencies of scale by increased
sharing resources between multiple customers. As a consequence, data leakage and service disruptions gain importance and may propagate through such shared resources.
In order to mitigate this risk in a cloud computing environment, multi-tenant isolation ensures customer isolation. A principle to structure isolation management is One way to implement such isolation is labeling
This risk is hard to mitigate since security controls need to strike a balance between the power needed to administrate
A practical approach to minimize this risk is to adhere to a least-privilege approach for designing cloud management systems.
and Guarantees While the proposed mechanisms to mitigate the identified risks are important, security incidents are largely invisible to a customer:
However, a run-time attestation solution still remains an open and challenging problem. 3.5 What about Privacy Risks?
the user as well as the data subject might face risks of data loss, corruption or wiretapping due to the transfer to an external cloud provider.
and cost-efficient schemes to mitigate the risk of insider fraud. The goal is to minimize the set of trusted employees for each customer through implementing a rigorous least privilege approach as well as corresponding controls to validate employee behavior.
We surveyed security risks that gain importance in this setting and surveyed potential solutions. Today, demand for cloud security has increased
and to limit the risks imposed by misbehaving cloud providers and their employees. Acknowledgments. We thank Ninja Marnau and Eva Schlehahn from the Independent Centre for Privacy Protection Schleswig-Holstein for substantial and very helpful input to our chapter on privacy risks.
We thank the reviewer for helpful comments that enabled us to improve this chapter. This research has been supported partially by the TCLOUDS project http://www.tclouds-project.eu funded by the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement number ICT-257243.
Top threats to cloud computing, version 1.0 (March 2010), http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf 8. Computer and Communication
Toward risk assessment as a service in cloud environments. In: Proceedings of the 2nd USENIX conference on Hot topics in cloud computing. pp. 13-13.
Privacy and data security risks in cloud computing. Electronic Commerce & Law Report 15, 186 (2010) 23. Van Dijk, M., Juels, A.:
In addition, the risk, for personal data to travel across boundaries and business domains, is that the usage conditions agreed J. Domingue et al.
However, these new capabilities may entail privacy risks. From the user perspective, the risk is that of losing control of his personal information once it is released in the cloud.
In particular, when personal data are consumed by multiple services, possibly owned by different entities in different locations, the conditions of the data usage,
and minimize the risk of violating the agreed privacy policy. The concept of sticky policy may be used to address some of the privacy requirements of the cloud scenario.
In addition, security risks currently present in network environments call for immediate attention. This could be achieved by building trustworthy network environments to assure security levels
and manage threats in interoperable frameworks for autonomous monitoring. 1. 2 The Vision of a Modern Self-Managing Network The future vision is that of a self-managing network
vi) Mechanisms, tools and methodology construction for the verification and assurance of diverse self-capabilities that are guiding systems and their adaptations, correctly;
with QoS assurance is seen. A flexible way of usage based on virtualised overlays can offer a strong support for the transportation of multimedia flows.
including assessment of impact and risks. In this paper, we intend to further elaborate on these challenges.
and reduce the risk of poverty. Other hot societal issues are sustainable development, reducing greenhouse gases emissions and improving the energy efficiency of urban infrastructure.
estimation and risk prevention systems (e.g. sensitivity to pollution, extreme summer heating). Remote working and e-commerce services for businesses, entertainment and communications for individuals.