Projects

Involved Projects

CyberSec4Europe (2019 -, Goethe University Frankfurt, EU H2020)

CyberSec4Europe’s long-term goal and vision are a European Union that has all the capabilities required to secure and maintain a healthy democratic society, living according to European constitutional values (with regard to, for example privacy and sharing) and being a world-leading digital economy. Our strategy is to build on the strong basis provided by recent legislation that is evidenced in several directives and regulations, such as the GDPR, eIDAS, PSD2, the upcoming ePrivacy regulation and the existing legislation around ENISA including the impacts from the Cybersecurity Act. CyberSec4Europe will thus follow the intentions of European legislation that reflects and protects European societal, democratic and economic norms and principles such as data protection and privacy.

1. Miller, V. M.; Miller, M.; Rannenberg, K.; Niknia, A.; Arastouei, N.; Pape, S.; Skarmeta, A.; Ferreira, A.; Markatos, E.; Matyas, V.; Crabu, M.; Lopez, J.; Fernandez, C.; Pasic, A.; Omerovic, A.; Lafuente, A. L.; Angelini, M.; Hemetsberger, L.; Halunen, K.; Krenn, S.; Annicchino, P.; Kamm, L.; Goodman, D.; Goodman, R.; Surinx, D.; Preuveneers, D.; Sterlini, P.; Kadenko, N.; Douligeris, C. and Benzekri, A.: Clustering results and SU-ICT-03 project CONCERTATION conference year 1.
   Technical Report, CyberSec4Europe, 2020.
   
   
   
2. Canavese, D.; Lioy, A.; Pedone, I.; Regano, L.; Hatamian, M.; Löbner, S.; Pape, S.; Arastouei, N.; Skarmeta, A.; Hita, A. and Bernal, J.: Cybersecurity outlook 1.
   Technical Report, CyberSec4Europe, 2020.
   
   
   
3. Halunen, K.; Cheminod, M.; Beckerle, M.; Durante, L.; Preuveneers, D.; Kompara, M.; Martinie, C.; Bernabe, J. B.; Garofalo, G.; Tesfay, W. B.; Pape, S.; Palanque, P.; Crispo, B. and Gupta, S.: Usable security & privacy methods and recommendations.
   Technical Report, CyberSec4Europe, 2020.
   
   
   
4. Crispo, B.; Gupta, S.; Halunen, K.; Kompara, M.; Preuveneers, D.; Palanque, P.; Beckerle, M.; Martinie, C.; Hita, A. and Pape, S.: Usability Requirements Validation.
   Technical Report, CyberSec4Europe, 2020.
   
   
   
5. Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games.
   In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers, Springer International Publishing, Cham, LNCS 12580, 2020.
   
   
   
6. Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym.
   In Proceedings on Privacy Enhancing Technologies (PoPETs), 2020 (2): 111-128, 2020.
   
   
   
7. Pape, S.; Goeke, L.; Quintanar, A. and Beckers, K.: Conceptualization of a CyberSecurity Awareness Quiz.
   In Computer Security - ESORICS 2020 International Workshops MSTEC, pages 61-76, Springer International Publishing, Cham, LNCS 12512, 2020.
   
   
   
8. Pape, S.; Paci, F.; Juerjens, J. and Massacci, F.: Selecting a Secure Cloud Provider: An Empirical Study and Multi Criteria Approach.
   In Information, 11 (5), 2020.
   
   
   
9. Pape, S.; Schmitz, C.; Kipker, D-K. and Sekula, A.: On the use of Information Security Management Systems by German Energy Providers.
   .
   
   
   
10. Schmitz, C.; Sekulla, A. and Pape, S.: Asset-centric analysis and visualisation of attack trees.
    In Graphical Models for Security - 7th International Workshop, GraMSec@CSF 2020, Boston, MA, USA, Virtual Conference, June 22, 2020, Revised Selected Papers, pages 45-64, Springer, LNCS 12419, 2020.
    
    
    
11. Hamm, P.; Harborth, D. and Pape, S.: A Systematic Analysis of User Evaluations in Security Research.
    In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019, Canterbury, UK, August 26-29, 2019, ACM, 2019.
    
    
    

THREAT-ARREST (2018 -, Social Engineering Academy, EU H2020)

The goal of the THREAT-ARREST project is to is to develop an advanced training and simulation framework for cyber defense. The framework will incorporate emulation, simulation, gaming, and visualization to help stakeholders with different types of responsibility and levels of expertise counter known and new cyber-attacks. The Cyber Security Threats and Threat Actors Training - Assurance Driven Multi-Layer, end-to-end Simulation and Training project (THREAT-ARREST) is funded from the H2020-DS-SC7-2017 call under the topic of “Cybersecurity PPP: Addressing Advanced Cyber Security Threats and Threat Actors”.

1. Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games.
   In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers, Springer International Publishing, Cham, LNCS 12580, 2020.
   
   
   
2. Pape, S.; Goeke, L.; Quintanar, A. and Beckers, K.: Conceptualization of a CyberSecurity Awareness Quiz.
   In Computer Security - ESORICS 2020 International Workshops MSTEC, pages 61-76, Springer International Publishing, Cham, LNCS 12512, 2020.
   
   
   
3. Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Pape, S.; Leftheriotis, G.; Tsakirakis, G.; Bravos, G. and Kunc, M.: Initial Prototype of Integrated THREAT-ARREST Platform.
   Technical Report, Threat-Arrest, 2020.
   
   
   
4. Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudaki, S.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Quintanar, A.; Pape, S.; Tsakirakis, G. and Bravos, G.: Initial installation and usage guidelines for the THREAT-ARREST platform.
   Technical Report, Threat-Arrest, 2020.
   
   
   
5. Frati, F. and Braghin, C., ed.: The Stakeholders' Engagement & Online Channels Report.
   Technical Report, Threat-Arrest, 2020.
   
   
   
6. Sofia, S.; Konstantina, K.; Tsantekidis, M.; Pape, S.; Leftheriotis, G.; Chieti, A.; Oikonomou, F. and Bravos, G.: The THREAT-ARREST dissemination and exploitation report v.1 1.
   Technical Report Deliverable 8.5, Threat-Arrest, 2020.
   
   
   
7. Goeke, L.; Quintanar, A.; Beckers, K. and Pape, S.: PROTECT - An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks.
   In Computer Security - ESORICS 2019 International Workshops, IOSec, MSTEC, and FINSEC, Luxembourg City, Luxembourg, September 26-27, 2019, Revised Selected Papers, pages 156-171, Springer International Publishing, Cham, LNCS 11981, 2019.
   
   
   
8. Koshutanski, H.; Tsantekidis, M.; Damiani, E.; Frati, F.; Cimato, S.; Riccobene, E.; Hatzivasilis, G.; Fysarakis, K.; Spanoudakis, G.; Blinder, O.; Vinov, M.; Hildebrandt, T.; Wortmann, D.; Rompoti, V.; Bravos, G.; Chatzigiannakis, V.; Beckers, K.; Pape, S.; Kunc, M. and Bašta, P.: THREAT-ARREST platform's initial reference architecture.
   Technical Report Deliverable 1.3, Threat-Arrest, 2019.
   
   
   
9. Beckers, K.; Goeke, L.; Pape, S. and Bravos, G.: THREAT-ARREST THREAT serious games v1.
   Technical Report Deliverable 4.2, Threat-Arrest, 2019.
   
   
   

HATCH (2016 -, Social Engineering Academy)

Social engineering is the acquisition of information about computer systems by methods that deeply include non- technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap. Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible. We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.

1. Kipker, D-K.; Pape, S.; Wojak, S. and Beckers, K.: Juristische Bewertung eines Social-Engineering-Abwehr Trainings.
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 112-115, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
2. Beckers, K.; Fries, V.; Groen, E. C. and Pape, S.: Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment.
   In Joint Proceedings of REFSQ-2017 Workshops, Doctoral Symposium, Research Method Track, and Poster Track co-located with the 22nd International Conference on Requirements Engineering: Foundation for Software Quality (REFSQ 2017), Essen, Germany, February 27, 2017., 2017.
   
   
   
3. Beckers, K. and Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements.
   In Proceedings of the 24th IEEE International Conference on Requirements Engineering, IEEE Computer Society, RE '16 , 2016, Acceptance Rate: 22/79 = 27.8%.
   
   
   
4. Beckers, K.; Pape, S. and Fries, V.: HATCH: Hack And Trick Capricious Humans -- A Serious Game on Social Engineering.
   In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.
   
   
   

Privacy & Us (2015 - 2019, Goethe University Frankfurt, EU H2020)

With the rapid accumulation and processing of personal data by numerous organizations, it is of paramount importance to protect people from adverse uses of their data, while allowing them to enjoy the benefits the use of these data can possibly provide. This is the question of protecting citizens’ privacy, while enabling them to make informed decisions regarding their actions with privacy implications. The Privacy & Us Innovative Training Network (ITN) will train thirteen creative, entrepreneurial and innovative early stage researchers (ESRs) to be able to reason, design and develop novel solutions to questions related to the protection of citizens’ privacy, considering the multidisciplinary and inter-sectoral aspects of the issue. ESRs will be trained to face both current and future challenges in the area of privacy and usability. Privacy & Us offers a combination of research-related and transferable competence skills that will enhance the career perspectives of the ESRs in both the academic and non-academic sectors.

1. Hatamian, M.; Pape, S. and Rannenberg, K.: ESARA: A Framework for Enterprise Smartphone Apps Risk Assessment.
   In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 165-179, 2019, Acceptance rate: 26 / 142 = 18.3%.
   
   
   

SIOC (2016 - 2019, Goethe University Frankfurt, BMBF)

The aim of the project Self Privacy in Online Commerce (SIOC) is the design of an anonymous approach to online shopping in accordance to stakeholders’ requirements and business models while implementing data protection by design and data protection by default as essential principles of EU data protection rules. For this purpose, a vendor-independent architecture for anonymous shopping will be developed, allowing the buyers to manage and understand autonomously their user profiles by the means of virtual identities. To achieve a broad distribution, not only acceptance by the users is needed, but also by the other involved stakeholders, e.g. online-shop providers. Therefore, care will be taken to preserve existing business models (e.g. direct marketing) as far as possible.

1. Harborth, D.; Braun, M.; Grosz, A.; Pape, S. and Rannenberg, K.: Anreize und Hemmnisse für die Implementierung von Privacy-Enhancing Technologies im Unternehmenskontext.
   In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 29-41, 2018.
   
   
   
2. Pape, S.; Tasche, D.; Bastys, I.; Grosz, A.; Laessig, J. and Rannenberg, K.: Towards an Architecture for Pseudonymous E-Commerce -- Applying Privacy by Design to Online Shopping.
   In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 17-28, 2018.
   
   
   

AN.ON-next (2016 - 2019, Goethe University Frankfurt, BMBF)

The AN.ON-next project aims at integrating privacy-enhancing technologies into the internet infrastructure. The technologies in focus include a basic protection at the ISP, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobile network. Crucial success factors are the adjustment and development of standards, business models and pricing strategies for those new technologies.

1. Harborth, D. and Pape, S.: Dataset on Actual Users of the Privacy-Enhancing Technology Jondonym.
   IEEE Dataport, 2020.
   
   
   
2. Harborth, D. and Pape, S.: Dataset on Actual Users of the Privacy-Enhancing Technology Tor.
   IEEE Dataport, 2020.
   
   
   
3. Harborth, D. and Pape, S.: Empirically Investigating Extraneous Influences on the "APCO" Model - Childhood Brand Nostalgia and the Positivity Bias.
   In Future Internet, 12(12) (220), 2020.
   
   
   
4. Harborth, D. and Pape, S.: How Privacy Concerns, Trust and Risk Beliefs and Privacy Literacy Influence Users' Intentions to Use Privacy-Enhancing Technologies - The Case of Tor.
   In ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 51 (1): 51-69, 2020.
   
   
   
5. Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym.
   In Proceedings on Privacy Enhancing Technologies (PoPETs), 2020 (2): 111-128, 2020.
   
   
   
6. Harborth, D.; Cai, X. and Pape, S.: Why Do People Pay for Privacy?.
   In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 253-267, 2019, Acceptance rate: 26 / 142 = 18.3%.
   
   
   
7. Harborth, D. and Pape, S.: How Nostalgic Feelings Impact Pokémon Go Players - Integrating Childhood Brand Nostalgia into the Technology Acceptance Theory.
   In Behaviour & Information Technology, 39 (12): 1276-1296, 2019.
   
   
   
8. Harborth, D. and Pape, S.: How Privacy Concerns and Trust and Risk Beliefs Influence Users' Intentions to Use Privacy-Enhancing Technologies -- The Case of Tor.
   In 52nd Hawaii International Conference on System Sciences (HICSS) 2019, pages 4851-4860, 2019, Acceptance rate: 48%.
   
   
   
9. Harborth, D.; Braun, M.; Grosz, A.; Pape, S. and Rannenberg, K.: Anreize und Hemmnisse für die Implementierung von Privacy-Enhancing Technologies im Unternehmenskontext.
   In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 29-41, 2018.
   
   
   
10. Harborth, D. and Pape, S.: Examining Technology Use Factors of Privacy-Enhancing Technologies: The Role of Perceived Anonymity and Trust.
    In 24th Americas Conference on Information Systems, AMCIS 2018, New Orleans, LA, USA, August 16-18, 2018, Association for Information Systems, 2018.
    
    
    
11. Harborth, D. and Pape, S.: JonDonym Users' Information Privacy Concerns.
    In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 170-184, 2018, Acceptance rate: 27 / 89 = 30.3%.
    
    
    
12. Harborth, D. and Pape, S.: German Translation of the Concerns for Information Privacy (CFIP) Construct.
    Technical Report, SSRN, 2018.
    
    
    
13. Harborth, D. and Pape, S.: German Translation of the Unified Theory of Acceptance and Use of Technology 2 (UTAUT2) Questionnaire.
    Technical Report, SSRN, 2018.
    
    
    
14. Paul, N.; Tesfay, W. B.; Kipker, D-K.; Stelter, M. and Pape, S.: Assessing Privacy Policies of Internet of Things Services.
    In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 156-169, 2018, Acceptance rate: 27 / 89 = 30.3%.
    
    
    
15. Harborth, D.; Herrmann, D.; Köpsell, S.; Pape, S.; Roth, C.; Federrath, H.; Kesdogan, D. and Rannenberg, K.: Integrating Privacy-Enhancing Technologies into the Internet Infrastructure.
    Technical Report, Cornell University, arXiv, 2017.
    
    
    
16. Harborth, D. and Pape, S.: Privacy Concerns and Behavior of Pokémon Go Players in Germany.
    In Privacy and Identity Management. The Smart Revolution - 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Papers, pages 314-329, Springer International Publishing, IFIP Advances in Information and Communication Technology 526, 2017.
    
    
    

SIDATE (2015 - 2018, Goethe University Frankfurt, BMBF)

Due to the recent German and European regulations for critical infrastructures, the concerned companies and especially energy providers are required to get certifications for their security. As a consequence in particular small and medium-sized energy providers struggle to fulfil the requirements. Compared to larger providers, there is a lack of financial and human resources which they could utilise for IT security. The aim of the SIDATE project is to develop tools and concepts in order to support small and medium-sized energy providers to continuously improve their security. Since many of them face same challenges, a natural solution to support them is to stimulate inter-organisational collaboration. This should be done by building an inter-organisational collaboration platform for energy providers. The platform should enable the energy providers to share their knowledge about IT security in a structured way. One of the platform’s modules should be a security self-assessment and benchmarking module, so the energy providers can easily assess and compare their security level.

1. Pape, S.; Schmitz, C.; Kipker, D-K. and Sekula, A.: On the use of Information Security Management Systems by German Energy Providers.
   .
   
   
   
2. Schmitz, C. and Pape, S.: LiSRA: Lightweight Security Risk Assessment for Decision Support in Information Security.
   In Computers & Security, 90, 2020.
   
   
   
3. Sekulla, A.; Schmitz, C.; Pape, S. and Pipek, V.: Demonstrator zur Beschreibung und Visualisierung einer kritischen Infrastruktur.
   In Human Practice. Digital Ecologies. Our Future. 14. Internationale Tagung Wirtschaftsinformatik (WI 2019), February 24-27, 2019, Siegen, Germany, pages 1978, 2019.
   
   
   
4. Aladawy, D.; Beckers, K. and Pape, S.: PERSUADED: Fighting Social Engineering Attacks with a Serious Game.
   In Trust, Privacy and Security in Digital Business - 15th International Conference, TrustBus 2018, Regensburg, Germany, September 5-6, 2018, Proceedings, Springer, Lecture Notes in Computer Science 11033, 2018, ISBN 978-3-319-98384-4, Acceptance rate: 15 / 29 = 51.7%.
   
   
   
5. Dax, J.; Hamburg, D.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Sichere Informationsnetze bei kleinen und mittleren Energieversorgern (SIDATE).
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 29, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
6. Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand der IT-Sicherheit bei deutschen Stromnetzbetreibern.
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 69-74, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
7. Dax, J.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Das SIDATE-Portal im Einsatz.
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 145-150, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
8. Hamburg, D.; Niephaus, T.; Noll, W.; Pape, S.; Rannenberg, K. and Schmitz, C.: SIDATE: Gefährdungen und Sicherheitsmassnahmen.
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 51, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
9. Kipker, D-K.; Pape, S.; Wojak, S. and Beckers, K.: Juristische Bewertung eines Social-Engineering-Abwehr Trainings.
   In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 112-115, Universität der Bundeswehr, Neubiberg, 2018.
   
   
   
10. Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht.
    Technical Report, Universität Siegen, 2018.
    
    
    
11. Schmitz, C.; Sekula, A.; Pape, S.; Pipek, V. and Rannenberg, K.: Easing the Burden of Security Self-Assessments.
    In 12th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2018 ,Dundee, Scotland, August 29-31, 2018, Proceedings., 2018.
    
    
    
12. Beckers, K.; Schosser, D.; Pape, S. and Schaab, P.: A Structured Comparison of Social Engineering Intelligence Gathering Tools.
    In Trust, Privacy and Security in Digital Business - 14th International Conference, TrustBus 2017, Lyon, France, August 30-31, 2017, Proceedings, pages 232-246, 2017, Revision 1, Table 7 was corrected, see https://link.springer.com/10.1007/978-3-319-64483-7_16.
    
    
    
13. Dax, J.; Ivan, A.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: IT Security Status of German Energy Providers.
    Technical Report, Cornell University, arXiv, 2017.
    
    
    
14. Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht.
    Technical Report, Universität Siegen, 2017.
    
    
    
15. Beckers, K. and Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements.
    In Proceedings of the 24th IEEE International Conference on Requirements Engineering, IEEE Computer Society, RE '16 , 2016, Acceptance Rate: 22/79 = 27.8%.
    
    
    
16. Beckers, K.; Pape, S. and Fries, V.: HATCH: Hack And Trick Capricious Humans -- A Serious Game on Social Engineering.
    In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.
    
    
    
17. Dax, J.; Hamburg, D.; Kreusch, M.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Terhaag, F.: Sichere Informationsinfrastrukturen für kleine und mittlere Energieversorger.
    In Multikonferenz Wirtschaftsinformatik (MKWI) -- Teilkonferenz IT-Sicherheit für Kritische Infrastrukturen (Poster), 2016.
    
    
    
18. Dax, J.; Ley, B.; Pape, S.; Schmitz, C.; Pipek, V. and Rannenberg, K.: Elicitation of Requirements for an inter-organizational Platform to Support Security Management Decisions.
    In 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016 ,Frankfurt, Germany, July 19-21, 2016, Proceedings., 2016.
    
    
    

ClouDAT (2013 - 2015, Dortmund University of Technology, EU EFRE / Ziel2.NRW)

ClouDAT develops an open source tool for documentation and assessment of security requirements and controls in cloud computing services and for generation of documentation conforming to given standards. The project aims at supporting small and medium-sized enterprises in certification of their cloud solutions. Goal of the project is the development of a provider independent approach for planning, documenting and checking of security requirements and controls in cloud computing systems. The approach will be implemented as an open source tool which in turn is based on existing tools such as UML editors. With ClouDAT we can document cloud computing systems on the different service levels including SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) as well as the relevant business processes. These documentation will allow third parties to assess the given systems. Risks and threats, e.g. that secret data can be accessed by the cloud provider's staff, can be located and countermeasures documented. Our approach is applicable to public and private cloud systems. The documentation process will consider the different legal regulations such as the German data protection law. A potential cloud customer will be enabled to assess whether a provided service fulfills his individual requirements. Therefore, ClouDAT develops a catalog of requirements, which enables a certification for IaaS, PaaS and SaaS, e.g. following the ISO 27001 standard. Besides legal requirements it will be possible to define individual requirements of small and medium-sized enterprises. For the documentation, ClouDAT provides a set of patterns, which allow users to specify concrete requirements by inserting concrete elements. The whole approach is based on standard notations such as UML and allows intergration into development processes. The use of an automated analysis tool will finally support a reasonably priced certification of cloud computing systems, which makes it attractive also for smaller enterprises.

Seconomics (2012 - 2015, Dortmund University of Technology, EU)

The project SECONOMICS developped approaches and software tools to analyze socio-economical aspects of information security, especially in the context of cyber-physical Systems. The developed models were validated onto three use cases: the international air transport (airport Anadolu), urban transportation (TMB in Barcelona) and the critical national infrastructure (energy and gas networks of National Grid UK and US). The developed approaches incorporate risk analysis with economical aspect to develop software tools, which aid the decision makers. The contribution of Fraunhofer ISST and TU Dortmund was focussed on the model-based analysis of IT security risks. SECONOMICS goal was synthesizing sociological, economic and security science into a usable, concrete, actionable knowledge for policy makers and social planners responsible for citizen's security. The project was driven by industry case studies and specifically identified security threats in transport (air and urban and super urban metro) and critical infrastructure. The research focus placed social science and political science at the heart of the modeling framework. In particular the project seeked to explore the challenges of pan European coordination in security outcomes for transport and critical infrastructure. The contribution of the project was in developing and furthering the state of the art in modelling security problems in a technological and socio economic context and then applying state of the art risk assessments and analysis of the social context to develop optimal policies. The outputs were twofold: first assessment of the future and emerging threats in the identified areas with rigorous modeling of the optimal mechanisms for mitigation within the policy domain. Second, and more crucially, a generalized policy "toolkit" that will assist decision makers in identifying and reacting coherently (within the appropriate social context) to future and emerging threats that may arrive long after the project has been completed. The lasting impact of SECONOMICS was a methodological revolution driven by a common, but diverse set, of modelling tools and utilizing recent advances in modelling technology that seamlessly transverses the social, economic and technological domains.

1. Pape, S.; Paci, F.; Juerjens, J. and Massacci, F.: Selecting a Secure Cloud Provider: An Empirical Study and Multi Criteria Approach.
   In Information, 11 (5), 2020.
   
   
   

Secure Clouds (2011 - 2013, Dortmund University of Technology, BMBF KMU-innovativ)

Cloud computing is yet one of the leading developments and depicts the biggest progress in web technologies. Computing power, memory space or even complex services are outsourced using standardized interfaces and made available via internet. Users and companies are then charged for their service usage according to usage time and user count. Through this, cloud computing offers a convenient way for using shared and easy accesible resources, in both a web-based and demand-oriented sense. Resources can be accessed directly and automatically. However, cloud computing brings concept-based risks, which are to be approached within this project: e.g. the risk of private data becoming publicly available or attacks on customer data by the cloud computing provider's staff. Outsourcing of services into a cloud computing environment arises numerous compliance and security problems for the potential customer. Legal requirements as well as business requirements must be met after migration to a cloud environment. Compliance to laws, industry-specific regulations and other rules has to be kept. Thus, a potential user of cloud computing services has a need for technologies and tools, that allow him to get a deep insight in fulfillment of security and compliance requirements regarding the market. These tools need to offer support for decision making, if services should be outsourced into the cloud. Furthermore, if services are to be outsourced, there is a need for tool-supported approaches for ensuring that security and compliance requirements are still met after migration. The goal of this project is to develop an analytic tool environment regarding the security requirement analysis of processes that are to be outsourced into the cloud. The tool-based examination of business processes is based on the different artefacts available within the companies, such as documents, forms and log-files. Thereby it can be checked whether outsourcing of a process is possible while keeping all security and compliance requirements.

1. Bleikertz, S.; Mastelic, T.; Pape, S.; Pieters, W. and Dimkov, T.: Defining the Cloud Battlefield -- Supporting Security Assessments by Cloud Customers.
   In Proceedings of IEEE International Conference on Cloud Engineering (IC2E), pages 78-87, 2013, Acceptance rate: 22 / 107 = 20.6%.
   
   
   

MoDelSec (2011 - 2012, Dortmund University of Technology, DFG)

MoDelSec was part of the Reliably Secure Software Systems (RS3) - DFG Priority Programme 1496. The objective of this project was to develop an approach for considering advanced techniques in access control (in particular delegation of user permissions) in the context of a formally-based software development methodology. The approach was based on formalizations from the Secure Information Flow approach to security verification, which offers the possibility for a particularly fine-grained security analysis. Since secure information flow formalizations have traditionally been used in the context of mandatory access control (MAC) which does not usually include user-level permission delegation, investigation of delegation in this context has so far been limited. Since the Secure Information Flow approach has found increasing use over the last few years, one of the goals of this project was therefore to fill this gap by investigating how to support the analysis of sophisticated access control techniques such as delegation of user permissions. A further objective was to exploit results on modular analysis of Secure Information Flow properties in the context of the analysis of access control mechanisms and in particular the delegation of user permissions. The scientific progress was transferred into the context of a secure software development approach based on formal verification tool support.

1. Ochoa, M.; Pape, S.; Ruhroth, T.; Sprick, B.; Stenzel, K. and Sudbrock, H.: Report on the RS3 Topic Workshop "Security Properties in Software Engineering".
   Technical Report, Universitätsbibliothek der Universität Augsburg, Universitätsstr. 22, 86159 Augsburg, 2012.
   
   
   

TEICHI (2010 - 2012, University of Kassel)

The TEICHI Framework is a modular tool for displaying documents encoded according to the guidelines of the Text Encoding Initiative (TEI Lite P5) as pages in a Drupal-based website. The framework's name brings together the Text Encoding Initiative (TEI) and Computer-Human Interaction (CHI). Possible use cases for the TEICHI Framework are text edition projects in literary studies, history, or other text-based disciplines, provided they have a relatively straightforward editorial situation: only one given edition of a text is documented, a single-column presentation makes sense, and authorial and editorial annotation are important. The modules could also be of use in educational contexts, e.g. workshops on electronic textual editing.

1. Pape, S.; Schöch, C. and Wegner, L.: TEICHI and the Tools Paradox. Developing a Publishing Framework for Digital Editions.
   In Journal of the Text Encoding Initiative, 2: 1-16, 2012.
   
   
   
2. Pape, S.; Schöch, C. and Wegner, L.: Bringing Bérardier de Bataut's Essai sur le récit to the Web: Editorial Requirements and Publishing Framework (Poster).
   In Poster at: TEI 2010, The 2010 Conference of the Text Encoding Initiative Consortium, 2010.
   
   
   
3. Pape, S.; Schöch, C. and Wegner, L.: A Framework for TEI-Based Scholarly Text Editions.
   Technical Report, Universität Kassel, 2010.