Projects
Involved Projects
CyberSecPro (2022 -, Social Engineering Academy)

The digital transformation imposes EU Higher Education Institutions (HEIs) to enhance their role in preparing the new generation workforce and to upskill the existing one in meeting the challenging and ever-growing cybersecurity challenges. 15 HEIs and 13 companies from 16 countries are working on an agile, collaborative, and multi-modal training program that will complement, support and advance the existing academic programs by linking innovation, research, industry, academia, and SME support. CyberSecPro aims to bridge the gap between degrees, working life, and marketable cybersecurity skill sets necessary in today’s digitalization efforts and provide examples of best practices for cybersecurity training programs. CyberSecPro’s ambition is to enhance the role of the Higher Education Institutes (HEIs) in offering hands-on and working-life skills for driving a trustworthy digital transformation in critical sectors of the economy. The enhanced HEIs will equip the workforce with the necessary capabilities to address the digital challenges and be capable to develop secure privacy aware innovative ICT and industrial products that serve people, businesses and working-life communities practicing their democratic values and rights. By establishing a unique Learning Factory, CyberSecPro will be an authentic environment to link innovation, research, industry, academia and SME support. The outcome of the CyberSecPro is to empower the NextGen Europe.
AUTOPSY (2022 - 2024, Continental Automotive Technologies, BMBF)

AUtomotive data-Tainting fOr Privacy aSsurance sYstem – AUTOPSY: Rapidly evolving digital technologies such as the IoT, cloud and AI overrun classical industries, such as automotive, which have longer innovation and development cycles. The current trend of interconnecting cars with local infrastructure and cloud backends opens large potentials for data-driven applications, enhanced user experience, and new business models but also needs to consider privacy of the users inside the vehicle and others, just observed in the streets. This becomes especially critical with respect to GDPR.
Goal of AUTOPSY is to create a better understanding of the data flows in automotive environments in the light of GDPR and create a privacy-aware system model for an automotive use-case to address various aspects of GDPR in specific technical designs. The technology of tainting will be applied to separate communication streams between the sensor and multiple parties accessing and processing the data with different privileges. AUTOPSY aims to design a dynamic and scalable end to end infrastructure that protects the data with lightweight privacy preserving techniques onboard the vehicle.
Across the expertise of the different partners, the practical feasibility is demonstrated by modifying a resource constrained TCU with an implementation of the privacy-preserving techniques and evaluating its communication on the one hand, and the interaction with a cloud backend on the other.
Bringing together one applied research partner and one automotive supplier from each country combines domain know-how and technological competencies to address the problem, develop new technologies and later enable new transnational services for customers. Transnational dissemination activities and the exchange of young researchers complement the research.
To have privacy preserving techniques by design close to deployment in new cars in 2030 requires to start now and bring project results in the specification of the new automotive architectures in 2023-2024, which coincides with the earliest end of the project.
PHOENi2X (2022 - 2025, Social Engineering Academy, EU H2020)

A Cyber Resilience Framework providing Artificial Intelligence (AI) – assisted orchestration, automation & response capabilities for business continuity and recovery, incident response, and information exchange, tailored to the needs of Operators of Essential Services (OES) and of the EU Member State (MS) National Authorities entrusted with cybersecurity.
PHOENi2X holistic approach integrates Prevention, Detection & Response via a fully-featured baseline toolset. Then, AI-assisted Situational Awareness, Prediction & Response features build upon said toolset, providing enhanced and up-to-date view of the threat landscape, early warning and attack prediction capabilities, and alert and response prioritization driven by a business impact risk assessment. These can recommend and trigger specific RPs that encode, orchestrate and execute specific IR and BC processes.
CyberSec4Europe (2019 - 2022, Goethe University Frankfurt, EU H2020)

CyberSec4Europe’s long-term goal and vision are a European Union that has all the capabilities required to secure and maintain a healthy democratic society, living according to European constitutional values (with regard to, for example privacy and sharing) and being a world-leading digital economy. Our strategy is to build on the strong basis provided by recent legislation that is evidenced in several directives and regulations, such as the GDPR, eIDAS, PSD2, the upcoming ePrivacy regulation and the existing legislation around ENISA including the impacts from the Cybersecurity Act.
CyberSec4Europe will thus follow the intentions of European legislation that reflects and protects European societal, democratic and economic norms and principles such as data protection and privacy.
THREAT-ARREST (2018 -, Social Engineering Academy, EU H2020)

The goal of the THREAT-ARREST project is to is to develop an advanced training and simulation framework for cyber defense. The framework will incorporate emulation, simulation, gaming, and visualization to help stakeholders with different types of responsibility and levels of expertise counter known and new cyber-attacks. The Cyber Security Threats and Threat Actors Training - Assurance Driven Multi-Layer, end-to-end Simulation and Training project (THREAT-ARREST) is funded from the H2020-DS-SC7-2017 call under the topic of “Cybersecurity PPP: Addressing Advanced Cyber Security Threats and Threat Actors”.
HATCH (2016 -, Social Engineering Academy)

Social engineering is the acquisition of information about computer systems by methods that deeply include non- technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap.
Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible.
We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Privacy & Us (2015 - 2019, Goethe University Frankfurt, EU H2020)

With the rapid accumulation and processing of personal data by numerous organizations, it is of paramount importance to protect people from adverse uses of their data, while allowing them to enjoy the benefits the use of these data can possibly provide. This is the question of protecting citizens’ privacy, while enabling them to make informed decisions regarding their actions with privacy implications.
The Privacy & Us Innovative Training Network (ITN) will train thirteen creative, entrepreneurial and innovative early stage researchers (ESRs) to be able to reason, design and develop novel solutions to questions related to the protection of citizens’ privacy, considering the multidisciplinary and inter-sectoral aspects of the issue. ESRs will be trained to face both current and future challenges in the area of privacy and usability. Privacy & Us offers a combination of research-related and transferable competence skills that will enhance the career perspectives of the ESRs in both the academic and non-academic sectors.
SIOC (2016 - 2019, Goethe University Frankfurt, BMBF)

The aim of the project Self Privacy in Online Commerce (SIOC) is the design of an anonymous approach to online shopping in accordance to stakeholders’ requirements and business models while implementing data protection by design and data protection by default as essential principles of EU data protection rules. For this purpose, a vendor-independent architecture for anonymous shopping will be developed, allowing the buyers to manage and understand autonomously their user profiles by the means of virtual identities. To achieve a broad distribution, not only acceptance by the users is needed, but also by the other involved stakeholders, e.g. online-shop providers. Therefore, care will be taken to preserve existing business models (e.g. direct marketing) as far as possible.
AN.ON-next (2016 - 2019, Goethe University Frankfurt, BMBF)

The AN.ON-next project aims at integrating privacy-enhancing technologies into the internet infrastructure. The technologies in focus include a basic protection at the ISP, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobile network. Crucial success factors are the adjustment and development of standards, business models and pricing strategies for those new technologies.
SIDATE (2015 - 2018, Goethe University Frankfurt, BMBF)

Due to the recent German and European regulations for critical infrastructures, the concerned companies and especially energy providers are required to get certifications for their security. As a consequence in particular small and medium-sized energy providers struggle to fulfil the requirements. Compared to larger providers, there is a lack of financial and human resources which they could utilise for IT security.
The aim of the SIDATE project is to develop tools and concepts in order to support small and medium-sized energy providers to continuously improve their security. Since many of them face same challenges, a natural solution to support them is to stimulate inter-organisational collaboration. This should be done by building an inter-organisational collaboration platform for energy providers. The platform should enable the energy providers to share their knowledge about IT security in a structured way. One of the platform’s modules should be a security self-assessment and benchmarking module, so the energy providers can easily assess and compare their security level.
ClouDAT (2013 - 2015, Dortmund University of Technology, EU EFRE / Ziel2.NRW)

ClouDAT develops an open source tool for documentation and assessment of security requirements and controls in cloud computing services and for generation of documentation conforming to given standards.
The project aims at supporting small and medium-sized enterprises in certification of their cloud solutions.
Goal of the project is the development of a provider independent approach for planning, documenting and checking of security requirements and controls in cloud computing systems. The approach will be implemented as an open source tool which in turn is based on existing tools such as UML editors.
With ClouDAT we can document cloud computing systems on the different service levels including SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) as well as the relevant business processes. These documentation will allow third parties to assess the given systems. Risks and threats, e.g. that secret data can be accessed by the cloud provider's staff, can be located and countermeasures documented. Our approach is applicable to public and private cloud systems.
The documentation process will consider the different legal regulations such as the German data protection law. A potential cloud customer will be enabled to assess whether a provided service fulfills his individual requirements. Therefore, ClouDAT develops a catalog of requirements, which enables a certification for IaaS, PaaS and SaaS, e.g. following the ISO 27001 standard. Besides legal requirements it will be possible to define individual requirements of small and medium-sized enterprises. For the documentation, ClouDAT provides a set of patterns, which allow users to specify concrete requirements by inserting concrete elements. The whole approach is based on standard notations such as UML and allows intergration into development processes. The use of an automated analysis tool will finally support a reasonably priced certification of cloud computing systems, which makes it attractive also for smaller enterprises.
Seconomics (2012 - 2015, Dortmund University of Technology, EU)

The project SECONOMICS developped approaches and software tools to analyze socio-economical aspects of information security, especially in the context of cyber-physical Systems.
The developed models were validated onto three use cases: the international air transport (airport Anadolu), urban transportation (TMB in Barcelona) and the critical national infrastructure (energy and gas networks of National Grid UK and US). The developed approaches incorporate risk analysis with economical aspect to develop software tools, which aid the decision makers.
The contribution of Fraunhofer ISST and TU Dortmund was focussed on the model-based analysis of IT security risks.
SECONOMICS goal was synthesizing sociological, economic and security science into a usable, concrete, actionable knowledge for policy makers and social planners responsible for citizen's security.
The project was driven by industry case studies and specifically identified security threats in transport (air and urban and super urban metro) and critical infrastructure.
The research focus placed social science and political science at the heart of the modeling framework.
In particular the project seeked to explore the challenges of pan European coordination in security outcomes for transport and critical infrastructure.
The contribution of the project was in developing and furthering the state of the art in modelling security problems in a technological and socio economic context and then applying state of the art risk assessments and analysis of the social context to develop optimal policies.
The outputs were twofold: first assessment of the future and emerging threats in the identified areas with rigorous modeling of the optimal mechanisms for mitigation within the policy domain.
Second, and more crucially, a generalized policy "toolkit" that will assist decision makers in identifying and reacting coherently (within the appropriate social context) to future and emerging threats that may arrive long after the project has been completed.
The lasting impact of SECONOMICS was a methodological revolution driven by a common, but diverse set, of modelling tools and utilizing recent advances in modelling technology that seamlessly transverses the social, economic and technological domains.
Secure Clouds (2011 - 2013, Dortmund University of Technology, BMBF KMU-innovativ)

Cloud computing is yet one of the leading developments and depicts the biggest progress in web technologies.
Computing power, memory space or even complex services are outsourced using standardized interfaces and made available via internet. Users and companies are then charged for their service usage according to usage time and user count. Through this, cloud computing offers a convenient way for using shared and easy accesible resources, in both a web-based and demand-oriented sense. Resources can be accessed directly and automatically.
However, cloud computing brings concept-based risks, which are to be approached within this project: e.g. the risk of private data becoming publicly available or attacks on customer data by the cloud computing provider's staff.
Outsourcing of services into a cloud computing environment arises numerous compliance and security problems for the potential customer. Legal requirements as well as business requirements must be met after migration to a cloud environment. Compliance to laws, industry-specific regulations and other rules has to be kept. Thus, a potential user of cloud computing services has a need for technologies and tools, that allow him to get a deep insight in fulfillment of security and compliance requirements regarding the market. These tools need to offer support for decision making, if services should be outsourced into the cloud. Furthermore, if services are to be outsourced, there is a need for tool-supported approaches for ensuring that security and compliance requirements are still met after migration.
The goal of this project is to develop an analytic tool environment regarding the security requirement analysis of processes that are to be outsourced into the cloud. The tool-based examination of business processes is based on the different artefacts available within the companies, such as documents, forms and log-files. Thereby it can be checked whether outsourcing of a process is possible while keeping all security and compliance requirements.
MoDelSec (2011 - 2012, Dortmund University of Technology, DFG)

MoDelSec was part of the Reliably Secure Software Systems (RS3) - DFG Priority Programme 1496. The objective of this project was to develop an approach for
considering advanced techniques in access control (in particular
delegation of user permissions) in the context of a formally-based
software development methodology. The approach was based on
formalizations from the Secure Information Flow approach to
security verification, which offers the possibility for a
particularly fine-grained security analysis. Since secure
information flow formalizations have traditionally been used in the
context of mandatory access control (MAC) which does not usually
include user-level permission delegation, investigation of
delegation in this context has so far been limited. Since the
Secure Information Flow approach has found increasing use over the
last few years, one of the goals of this project was therefore to
fill this gap by investigating how to support the analysis of
sophisticated access control techniques such as delegation of user
permissions. A further objective was to exploit results on modular
analysis of Secure Information Flow properties in the context of
the analysis of access control mechanisms and in particular the
delegation of user permissions. The scientific progress was transferred into the context of a secure software
development approach based on formal verification tool support.
TEICHI (2010 - 2012, University of Kassel)

The TEICHI Framework is a modular tool for displaying documents encoded according to the guidelines of the Text Encoding Initiative (TEI Lite P5) as pages in a Drupal-based website. The framework's name brings together the Text Encoding Initiative (TEI) and Computer-Human Interaction (CHI).
Possible use cases for the TEICHI Framework are text edition projects in literary studies, history, or other text-based disciplines, provided they have a relatively straightforward editorial situation: only one given edition of a text is documented, a single-column presentation makes sense, and authorial and editorial annotation are important. The modules could also be of use in educational contexts, e.g. workshops on electronic textual editing.