Projects
Involved Projects
CyberSecPro (2022 -, Social Engineering Academy)

The digital transformation requires EU Higher Education Institutions (HEIs) to enhance their role in preparing the new generation of the workforce and in upskilling the existing one to meet demanding and ever-growing cybersecurity challenges. 15 HEIs and 13 companies from 16 countries are working on an agile, collaborative, and multi-modal training program that will complement, support and advance the existing academic programs by linking innovation, research, industry, academia, and SME support. CyberSecPro aims to bridge the gap between degrees, working life, and the marketable cybersecurity skill sets necessary in today’s digitalization efforts, and to provide examples of best practices for cybersecurity training programs. CyberSecPro’s ambition is to enhance the role of the Higher Education Institutes (HEIs) in offering hands-on and working-life skills for driving a trustworthy digital transformation in critical sectors of the economy. The enhanced HEIs will equip the workforce with the necessary capabilities to address the digital challenges and to develop secure, privacy-aware, innovative ICT and industrial products that serve people, businesses and working-life communities practicing their democratic values and rights. By establishing a unique Learning Factory, CyberSecPro will be an authentic environment to link innovation, research, industry, academia and SME support. The outcome of CyberSecPro is to empower NextGen Europe.
AUTOPSY (2022 -, Continental Automotive Technologies, BMBF)

AUtomotive data-Tainting fOr Privacy aSsurance sYstem – AUTOPSY: Rapidly evolving digital technologies such as the IoT, cloud and AI overrun classical industries, such as automotive, which have longer innovation and development cycles. The current trend of interconnecting cars with local infrastructure and cloud backends opens large potentials for data-driven applications, enhanced user experience, and new business models but also needs to consider privacy of the users inside the vehicle and others, just observed in the streets. This becomes especially critical with respect to GDPR.
The goal of AUTOPSY is to create a better understanding of the data flows in automotive environments in the light of GDPR and to create a privacy-aware system model for an automotive use case that addresses various aspects of GDPR in specific technical designs. The technology of tainting will be applied to separate communication streams between the sensor and multiple parties accessing and processing the data with different privileges. AUTOPSY aims to design a dynamic and scalable end-to-end infrastructure that protects the data with lightweight privacy-preserving techniques onboard the vehicle.
Across the expertise of the different partners, the practical feasibility is demonstrated by modifying a resource constrained TCU with an implementation of the privacy-preserving techniques and evaluating its communication on the one hand, and the interaction with a cloud backend on the other.
Bringing together one applied research partner and one automotive supplier from each country combines domain know-how and technological competencies to address the problem, develop new technologies and later enable new transnational services for customers. Transnational dissemination activities and the exchange of young researchers complement the research.
Having privacy-preserving techniques by design close to deployment in new cars in 2030 requires starting now and bringing project results into the specification of the new automotive architectures in 2023-2024, which coincides with the earliest end of the project.
Al-Momani, A.; Balenson, D.; Mann, Z. Á.; Pape, S.; Petit, J. and Bösch, C.: Navigating Privacy Patterns in the Era of Robotaxis.
In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) 2024, International Workshop on Privacy Engineering (IWPE) 2024, pages 32-39, 2024.
Pape, S.; Syed-Winkler, S.; Garcia, A. M.; Chah, B.; Bkakria, A.; Hiller, M.; Walcher, T.; Lombard, A.; Abbas-Turki, A. and Yaich, R.: A Systematic Approach for Automotive Privacy Management.
In CSCS '23: ACM Computer Science in Cars Symposium, Darmstadt, Germany, December 5th, 2023,
ACM, 2023.
Syed-Winkler, S.; Pape, S. and Sabouri, A.: A Data Protection-Oriented System Model Enforcing Purpose Limitation for Connected Mobility.
In CSCS '22: ACM Computer Science in Cars Symposium, Ingolstadt, Germany, December 8th, 2022,
ACM, 2022.
PHOENi2X (2022 -, Social Engineering Academy, EU H2020)

A Cyber Resilience Framework providing Artificial Intelligence (AI) – assisted orchestration, automation & response capabilities for business continuity and recovery, incident response, and information exchange, tailored to the needs of Operators of Essential Services (OES) and of the EU Member State (MS) National Authorities entrusted with cybersecurity.
PHOENi2X holistic approach integrates Prevention, Detection & Response via a fully-featured baseline toolset. Then, AI-assisted Situational Awareness, Prediction & Response features build upon said toolset, providing enhanced and up-to-date view of the threat landscape, early warning and attack prediction capabilities, and alert and response prioritization driven by a business impact risk assessment. These can recommend and trigger specific RPs that encode, orchestrate and execute specific IR and BC processes.
Fysarakis, K.; Lekidis, A.; Mavroeidis, V.; Lampropoulos, K.; Lyberopoulos, G.; Vidal, I. G-M.; Casals, J. C. T. i; Luna, E. R.; Sancho, A. A. M.; Mavrelos, A.; Tsantekidis, M.; Pape, S.; Chatzopoulou, A.; Nanou, C.; Drivas, G.; Photiou, V.; Spanoudakis, G. and Koufopavlou, O.: PHOENI2X -- A European Cyber Resilience Framework With Artificial-Intelligence-Assisted Orchestration, Automation and Response Capabilities for Business Continuity and Recovery, Incident Response, and Information Exchange. Technical Report, 2023.
Fysarakis, K.; Lekidis, A.; Mavroeidis, V.; Lampropoulos, K.; Lyberopoulos, G.; Vidal, I. G-M.; Casals, J. C. T. i; Luna, E. R.; Sancho, A. A. M.; Mavrelos, A.; Tsantekidis, M.; Pape, S.; Chatzopoulou, A.; Nanou, C.; Drivas, G.; Photiou, V.; Spanoudakis, G. and Koufopavlou, O.: PHOENI2X - A European Cyber Resilience Framework With Artificial Intelligence-Assisted Orchestration Automation For Business Continuity, Incident Response & Information Exchange.
In IEEE CSR, 2023.
CyberSec4Europe (2019 -, Goethe University Frankfurt, EU H2020)

CyberSec4Europe’s long-term goal and vision are a European Union that has all the capabilities required to secure and maintain a healthy democratic society, living according to European constitutional values (with regard to, for example, privacy and sharing) and being a world-leading digital economy. Our strategy is to build on the strong basis provided by recent legislation that is evidenced in several directives and regulations, such as the GDPR, eIDAS, PSD2, the upcoming ePrivacy regulation and the existing legislation around ENISA, including the impacts from the Cybersecurity Act.
CyberSec4Europe will thus follow the intentions of European legislation that reflects and protects European societal, democratic and economic norms and principles such as data protection and privacy.
Löbner, S.; Pape, S. and Bracamonte, V.: User Acceptance Criteria for Privacy Preserving Machine Learning Techniques.
In Proceedings of the 18th International Conference on Availability, Reliability and Security, ARES 2023, Benevento, Italy, 29 August 2023- 1 September 2023, pages 149:1-149:8,
ACM, 2023, 20th International Workshop on Trust, Privacy and Security in the Digital Society.
Chaudhary, S.; Kompara, M.; Pape, S. and Gkioulos, V.: Properties for Cybersecurity Awareness Posters' Design and Quality Assessment.
In ARES 2022: The 17th International Conference on Availability, Reliability and Security, Vienna, Austria, August 23 - 26, 2022, pages 79:1-79:8, 2022, ETACS 2022.
Harborth, D. and Pape, S.: A Privacy Calculus Model for Contact Tracing Apps: Analyzing the German Corona-Warn-App.
In ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, pages 3-19, IFIP Advances in Information and Communication Technology 648, 2022.
Bracamonte, V.; Pape, S. and Löbner, S.: "All apps do this": Comparing Privacy Concerns Towards Privacy Tools and Non-Privacy Tools for Social Media Content.
In Proceedings on Privacy Enhancing Technologies (PoPETs), 2022 (3): 57-78, 2022.
Chaudhary, S.; Pape, S.; Kompara, M.; Kavallieratos, G. and Gkioulos, V.: Guidelines for Enhancement of Societal Security Awareness. Technical Report Deliverable 3.19,
CyberSec4Europe, 2022.
Outi-Marja, L.; Cheminod, M.; Pape, S.; Tesfay, W. B.; Beckerle, M.; Fischer-Hübner, S.; Preuveneers, D.; Hassan, A.; Pasquale, L.; Kezmah, B.; Kompara, M.; Rodriguez, J. G.; Moreno, R. T. and Martinie, C.: Security Requirements and Risks Conceptualization. Technical Report Deliverable 3.16,
CyberSec4Europe, 2021.
Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym (Poster).
In 17th Symposium on Usable Privacy and Security (SOUPS 2021), 2021.
Pape, S. and Kipker, D-K.: Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy.
In Datenschutz und Datensicherheit, 45 (5): 310-314, 2021.
Löbner, S.; Tesfay, W. B.; Nakamura, T. and Pape, S.: Explainable Machine Learning for Default Privacy Setting Prediction.
In IEEE Access, 9: 63700-63717, 2021.
Pape, S.; Harborth, D. and Kröger, J. L.: Privacy Concerns Go Hand in Hand with Lack of Knowledge: The Case of the German Corona-Warn-App.
In ICT Systems Security and Privacy Protection - 36th IFIP TC 11 International Conference, SEC 2021, pages 256-269,
Springer, IFIP Advances in Information and Communication Technology 625, 2021.
Pape, S.: Challenges for Designing Serious Games on Security and Privacy Awareness.
In Privacy and Identity Management. Between Data Protection and Security - 16th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Privacy and Identity 2021, Virtual Event, August 16-20, 2021, Revised Selected Papers, pages 3-16,
Springer, IFIP Advances in Information and Communication Technology 644, 2021.
Schmitz, C.; Sekulla, A. and Pape, S.: Asset-centric analysis and visualisation of attack trees.
In Graphical Models for Security - 7th International Workshop, GraMSec@CSF 2020, Boston, MA, USA, Virtual Conference, June 22, 2020, Revised Selected Papers, pages 45-64,
Springer, LNCS 12419, 2020.
Canavese, D.; Lioy, A.; Pedone, I.; Regano, L.; Hatamian, M.; Löbner, S.; Pape, S.; Arastouei, N.; Skarmeta, A.; Hita, A. and Bernal, J.: Cybersecurity outlook 1. Technical Report Deliverable 3.10,
CyberSec4Europe, 2020.
Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games.
In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers,
Springer International Publishing, Cham, LNCS 12580, 2020.
Pape, S.; Goeke, L.; Quintanar, A. and Beckers, K.: Conceptualization of a CyberSecurity Awareness Quiz.
In Computer Security - ESORICS 2020 International Workshops MSTEC, pages 61-76,
Springer International Publishing, Cham, LNCS 12512, 2020.
Lafuente, A. L.; Schlichtkrull, A.; Rannenberg, K.; Cuellar, J.; Lopez, J.; Gago, C. F.; Krenn, S.; Matyas, V.; Vykopal, J.; Pape, S. and Goodman, D.: CyberSec4Europe summer schools 1. Technical Report Deliverable 9.7,
CyberSec4Europe, 2020.
Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym.
In Proceedings on Privacy Enhancing Technologies (PoPETs), 2020 (2): 111-128, 2020.
Pape, S.; Paci, F.; Juerjens, J. and Massacci, F.: Selecting a Secure Cloud Provider: An Empirical Study and Multi Criteria Approach.
In Information, 11 (5), 2020.
Crispo, B.; Gupta, S.; Halunen, K.; Kompara, M.; Preuveneers, D.; Palanque, P.; Beckerle, M.; Martinie, C.; Hita, A. and Pape, S.: Usability Requirements Validation. Technical Report Deliverable 3.7,
CyberSec4Europe, 2020.
Pape, S.; Schmitz, C.; Kipker, D-K. and Sekula, A.: On the use of Information Security Management Systems by German Energy Providers.
In Presented at the Fourteenth IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, 2020.
Miller, V. M.; Miller, M.; Rannenberg, K.; Niknia, A.; Arastouei, N.; Pape, S.; Skarmeta, A.; Ferreira, A.; Markatos, E.; Matyas, V.; Crabu, M.; Lopez, J.; Fernandez, C.; Pasic, A.; Omerovic, A.; Lafuente, A. L.; Angelini, M.; Hemetsberger, L.; Halunen, K.; Krenn, S.; Annicchino, P.; Kamm, L.; Goodman, D.; Goodman, R.; Surinx, D.; Preuveneers, D.; Sterlini, P.; Kadenko, N.; Douligeris, C. and Benzekri, A.: Clustering results and SU-ICT-03 project CONCERTATION conference year 1. Technical Report Deliverable 10.1,
CyberSec4Europe, 2020.
Halunen, K.; Cheminod, M.; Beckerle, M.; Durante, L.; Preuveneers, D.; Kompara, M.; Martinie, C.; Bernabe, J. B.; Garofalo, G.; Tesfay, W. B.; Pape, S.; Palanque, P.; Crispo, B. and Gupta, S.: Usable security & privacy methods and recommendations. Technical Report Deliverable 3.5,
CyberSec4Europe, 2020.
Hamm, P.; Harborth, D. and Pape, S.: A Systematic Analysis of User Evaluations in Security Research.
In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES 2019, Canterbury, UK, August 26-29, 2019,
ACM, 2019.
THREAT-ARREST (2018 -, Social Engineering Academy, EU H2020)

The goal of the THREAT-ARREST project is to develop an advanced training and simulation framework for cyber defense. The framework will incorporate emulation, simulation, gaming, and visualization to help stakeholders with different types of responsibility and levels of expertise counter known and new cyber-attacks. The Cyber Security Threats and Threat Actors Training - Assurance Driven Multi-Layer, end-to-end Simulation and Training project (THREAT-ARREST) is funded from the H2020-DS-SC7-2017 call under the topic of “Cybersecurity PPP: Addressing Advanced Cyber Security Threats and Threat Actors”.
Hatzivasilis, G.; Ioannidis, S.; Smyrlis, M.; Spanoudakis, G.; Frati, F.; Braghin, C.; Damiani, E.; Koshutanski, H.; Tsakirakis, G.; Hildebrandt, T.; Goeke, L.; Pape, S.; Blinder, O.; Vinov, M.; Leftheriotis, G.; Kunc, M.; Oikonomou, F.; Magilo, G.; Petrarolo, V.; Chieti, A. and Bordianu, R.: The THREAT-ARREST cyber ranges platform.
In IEEE International Conference on Cyber Security and Resilience (CSR),
IEEE, 2021.
Sofia, S.; Michalis, S.; Bouras, V. and Prevelakis, V., ed.: The THREAT-ARREST dissemination and exploitation report v.2. Technical Report Deliverable 8.8,
Threat-Arrest, 2021.
Pape, S. and Kipker, D-K.: Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy.
In Datenschutz und Datensicherheit, 45 (5): 310-314, 2021.
Goeke, L.; Pape, S. and Tsakirakis, G.: THREAT-ARREST serious games v2. Technical Report Deliverable 4.9,
Threat-Arrest, 2021.
Frati, F. and Braghin, C., ed.: The Stakeholders' Engagement & Online Channels Report v2. Technical Report Deliverable 8.7,
Threat-Arrest, 2021.
Pape, S.: Challenges for Designing Serious Games on Security and Privacy Awareness.
In Privacy and Identity Management. Between Data Protection and Security - 16th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Privacy and Identity 2021, Virtual Event, August 16-20, 2021, Revised Selected Papers, pages 3-16,
Springer, IFIP Advances in Information and Communication Technology 644, 2021.
Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games.
In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers,
Springer International Publishing, Cham, LNCS 12580, 2020.
Pape, S.; Goeke, L.; Quintanar, A. and Beckers, K.: Conceptualization of a CyberSecurity Awareness Quiz.
In Computer Security - ESORICS 2020 International Workshops MSTEC, pages 61-76,
Springer International Publishing, Cham, LNCS 12512, 2020.
Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Pape, S.; Leftheriotis, G.; Tsakirakis, G.; Bravos, G. and Kunc, M.: Initial Prototype of Integrated THREAT-ARREST Platform. Technical Report Deliverable 6.1,
Threat-Arrest, 2020.
Koshutanski, H.; Frati, F.; Hildebrandt, T.; Hatzivasilis, G.; Fysarakis, K.; Smyrlis, M.; Spanoudaki, S.; Spanoudakis, G.; Blinder, O.; Goeke, L.; Quintanar, A.; Pape, S.; Tsakirakis, G. and Bravos, G.: Initial installation and usage guidelines for the THREAT-ARREST platform. Technical Report Deliverable 6.2,
Threat-Arrest, 2020.
Frati, F. and Braghin, C., ed.: The Stakeholders' Engagement & Online Channels Report. Technical Report Deliverable 8.4,
Threat-Arrest, 2020.
Sofia, S.; Konstantina, K.; Tsantekidis, M.; Pape, S.; Leftheriotis, G.; Chieti, A.; Oikonomou, F. and Bravos, G.: The THREAT-ARREST dissemination and exploitation report v.1 1. Technical Report Deliverable 8.5,
Threat-Arrest, 2020.
Goeke, L.; Quintanar, A.; Beckers, K. and Pape, S.: PROTECT - An Easy Configurable Serious Game to Train Employees Against Social Engineering Attacks.
In Computer Security - ESORICS 2019 International Workshops, IOSec, MSTEC, and FINSEC, Luxembourg City, Luxembourg, September 26-27, 2019, Revised Selected Papers, pages 156-171,
Springer International Publishing, Cham, LNCS 11981, 2019.
Beckers, K.; Goeke, L.; Pape, S. and Bravos, G.: THREAT-ARREST THREAT serious games v1. Technical Report Deliverable 4.2,
Threat-Arrest, 2019.
Koshutanski, H.; Tsantekidis, M.; Damiani, E.; Frati, F.; Cimato, S.; Riccobene, E.; Hatzivasilis, G.; Fysarakis, K.; Spanoudakis, G.; Blinder, O.; Vinov, M.; Hildebrandt, T.; Wortmann, D.; Rompoti, V.; Bravos, G.; Chatzigiannakis, V.; Beckers, K.; Pape, S.; Kunc, M. and Bašta, P.: THREAT-ARREST platform's initial reference architecture. Technical Report Deliverable 1.3,
Threat-Arrest, 2019.
HATCH (2016 -, Social Engineering Academy)

Social engineering is the acquisition of information about computer systems by methods that deeply include non-technical means. While technical security of most critical systems is high, the systems remain vulnerable to attacks from social engineers. Social engineering is a technique that: (i) does not require any (advanced) technical tools, (ii) can be used by anyone, (iii) is cheap.
Traditional security requirements elicitation approaches often focus on vulnerabilities in network or software systems. Few approaches even consider the exploitation of humans via social engineering and none of them elicits personal behaviours of individual employees. While the amount of social engineering attacks and the damage they cause rise every year, the security awareness of these attacks and their consideration during requirements elicitation remains negligible.
We propose to use a card game to elicit these requirements, which all employees of a company can play to understand the threat and document security requirements. The game considers the individual context of a company and presents underlying principles of human behaviour that social engineers exploit, as well as concrete attack patterns. We evaluated our approach with several groups of researchers, IT administrators, and professionals from industry.
Pape, S. and Kipker, D-K.: Case Study: Checking a Serious Security-Awareness Game for its Legal Adequacy.
In Datenschutz und Datensicherheit, 45 (5): 310-314, 2021.
Hazilov, V. and Pape, S.: Systematic Scenario Creation for Serious Security-Awareness Games.
In Computer Security - ESORICS 2020 International Workshops, DETIPS, DeSECSys, MPS, and SPOSE, Guildford, UK, September 17-18, 2020, Revised Selected Papers,
Springer International Publishing, Cham, LNCS 12580, 2020.
Kipker, D-K.; Pape, S.; Wojak, S. and Beckers, K.: Juristische Bewertung eines Social-Engineering-Abwehr Trainings.
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 112-115,
Universität der Bundeswehr, Neubiberg, 2018.
Beckers, K.; Fries, V.; Groen, E. C. and Pape, S.: Creativity Techniques for Social Engineering Threat Elicitation: A Controlled Experiment.
In Joint Proceedings of REFSQ-2017 Workshops, Doctoral Symposium, Research Method Track, and Poster Track co-located with the 22nd International Conference on Requirements Engineering: Foundation for Software Quality (REFSQ 2017), Essen, Germany, February 27, 2017., 2017.
Beckers, K. and Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements.
In Proceedings of the 24th IEEE International Conference on Requirements Engineering,
IEEE Computer Society, RE '16, 2016, Acceptance Rate: 22/79 = 27.8%.
Beckers, K.; Pape, S. and Fries, V.: HATCH: Hack And Trick Capricious Humans -- A Serious Game on Social Engineering.
In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.
Privacy & Us (2015 - 2019, Goethe University Frankfurt, EU H2020)

With the rapid accumulation and processing of personal data by numerous organizations, it is of paramount importance to protect people from adverse uses of their data, while allowing them to enjoy the benefits the use of these data can possibly provide. This is the question of protecting citizens’ privacy, while enabling them to make informed decisions regarding their actions with privacy implications.
The Privacy & Us Innovative Training Network (ITN) will train thirteen creative, entrepreneurial and innovative early stage researchers (ESRs) to be able to reason, design and develop novel solutions to questions related to the protection of citizens’ privacy, considering the multidisciplinary and inter-sectoral aspects of the issue. ESRs will be trained to face both current and future challenges in the area of privacy and usability. Privacy & Us offers a combination of research-related and transferable competence skills that will enhance the career perspectives of the ESRs in both the academic and non-academic sectors.
Hatamian, M.; Pape, S. and Rannenberg, K.: ESARA: A Framework for Enterprise Smartphone Apps Risk Assessment.
In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 165-179, 2019, Acceptance rate: 26 / 142 = 18.3%.
SIOC (2016 - 2019, Goethe University Frankfurt, BMBF)

The aim of the project Self Privacy in Online Commerce (SIOC) is the design of an anonymous approach to online shopping in accordance with stakeholders’ requirements and business models while implementing data protection by design and data protection by default as essential principles of EU data protection rules. For this purpose, a vendor-independent architecture for anonymous shopping will be developed, allowing the buyers to manage and understand their user profiles autonomously by means of virtual identities. To achieve a broad distribution, acceptance is needed not only from the users but also from the other involved stakeholders, e.g. online-shop providers. Therefore, care will be taken to preserve existing business models (e.g. direct marketing) as far as possible.
Hamm, P.; Pape, S. and Rannenberg, K.: The Influence of Privacy Concerns on Cryptocurrency Acceptance.
In ICT Systems Security and Privacy Protection - 38th IFIP TC 11 International Conference, SEC 2023, Poznan, Poland, June 14-16, 2023, Proceedings, 2023.
Harborth, D.; Braun, M.; Grosz, A.; Pape, S. and Rannenberg, K.: Anreize und Hemmnisse für die Implementierung von Privacy-Enhancing Technologies im Unternehmenskontext.
In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 29-41, 2018.
Pape, S.; Tasche, D.; Bastys, I.; Grosz, A.; Laessig, J. and Rannenberg, K.: Towards an Architecture for Pseudonymous E-Commerce -- Applying Privacy by Design to Online Shopping.
In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 17-28, 2018.
AN.ON-next (2016 - 2019, Goethe University Frankfurt, BMBF)

The AN.ON-next project aims at integrating privacy-enhancing technologies into the internet infrastructure. The technologies in focus include a basic protection at the ISP, an improved overlay network-based protection and a concept for privacy protection in the emerging 5G mobile network. Crucial success factors are the adjustment and development of standards, business models and pricing strategies for those new technologies.
Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym (Poster).
In 17th Symposium on Usable Privacy and Security (SOUPS 2021), 2021.
Harborth, D.; Pape, S. and Rannenberg, K.: Explaining the Technology Use Behavior of Privacy-Enhancing Technologies: The Case of Tor and JonDonym.
In Proceedings on Privacy Enhancing Technologies (PoPETs), 2020 (2): 111-128, 2020.
Harborth, D.; Cai, X. and Pape, S.: Why Do People Pay for Privacy-Enhancing Technologies? The Case of Tor and JonDonym?.
In ICT Systems Security and Privacy Protection - 34th IFIP TC 11 International Conference, SEC 2019, Lisbon, Portugal, June 25-27, 2019, Proceedings, pages 253-267, 2019, Acceptance rate: 26 / 142 = 18.3%.
Harborth, D. and Pape, S.: How Privacy Concerns and Trust and Risk Beliefs Influence Users' Intentions to Use Privacy-Enhancing Technologies -- The Case of Tor.
In 52nd Hawaii International Conference on System Sciences (HICSS) 2019, pages 4851-4860, 2019, Acceptance rate: 48%.
Harborth, D. and Pape, S.: JonDonym Users' Information Privacy Concerns.
In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 170-184, 2018, Acceptance rate: 27 / 89 = 30.3%.
Paul, N.; Tesfay, W. B.; Kipker, D-K.; Stelter, M. and Pape, S.: Assessing Privacy Policies of Internet of Things Services.
In ICT Systems Security and Privacy Protection - 33rd IFIP TC 11 International Conference, SEC 2018, Held at the 24th IFIP World Computer Congress, WCC 2018, Poznan, Poland, September 18-20, 2018, Proceedings, pages 156-169, 2018, Acceptance rate: 27 / 89 = 30.3%.
Harborth, D.; Braun, M.; Grosz, A.; Pape, S. and Rannenberg, K.: Anreize und Hemmnisse für die Implementierung von Privacy-Enhancing Technologies im Unternehmenskontext.
In Sicherheit 2018: Sicherheit, Schutz und Zuverlässigkeit, Beiträge der 9. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI), 25.-27. April 2018, Konstanz, pages 29-41, 2018.
Harborth, D. and Pape, S.: Examining Technology Use Factors of Privacy-Enhancing Technologies: The Role of Perceived Anonymity and Trust.
In 24th Americas Conference on Information Systems, AMCIS 2018, New Orleans, LA, USA, August 16-18, 2018,
Association for Information Systems, 2018.
Harborth, D.; Herrmann, D.; Köpsell, S.; Pape, S.; Roth, C.; Federrath, H.; Kesdogan, D. and Rannenberg, K.: Integrating Privacy-Enhancing Technologies into the Internet Infrastructure. Technical Report,
Cornell University, arXiv, 2017.
Harborth, D. and Pape, S.: Privacy Concerns and Behavior of Pokémon Go Players in Germany.
In Privacy and Identity Management. The Smart Revolution - 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Papers, pages 314-329,
Springer International Publishing, IFIP Advances in Information and Communication Technology 526, 2017.
SIDATE (2015 - 2018, Goethe University Frankfurt, BMBF)

Due to the recent German and European regulations for critical infrastructures, the concerned companies, and especially energy providers, are required to get certifications for their security. As a consequence, small and medium-sized energy providers in particular struggle to fulfil the requirements. Compared to larger providers, they lack financial and human resources which they could utilise for IT security.
The aim of the SIDATE project is to develop tools and concepts in order to support small and medium-sized energy providers in continuously improving their security. Since many of them face the same challenges, a natural solution to support them is to stimulate inter-organisational collaboration. This should be done by building an inter-organisational collaboration platform for energy providers. The platform should enable the energy providers to share their knowledge about IT security in a structured way. One of the platform’s modules should be a security self-assessment and benchmarking module, so the energy providers can easily assess and compare their security level.
Pape, S.; Schmitz, C.; Kipker, D-K. and Sekula, A.: On the use of Information Security Management Systems by German Energy Providers.
In Presented at the Fourteenth IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, 2020.
Sekulla, A.; Schmitz, C.; Pape, S. and Pipek, V.: Demonstrator zur Beschreibung und Visualisierung einer kritischen Infrastruktur.
In Human Practice. Digital Ecologies. Our Future. 14. Internationale Tagung Wirtschaftsinformatik (WI 2019), February 24-27, 2019, Siegen, Germany, pages 1978, 2019.
Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht. Technical Report,
Universität Siegen, 2018.
Aladawy, D.; Beckers, K. and Pape, S.: PERSUADED: Fighting Social Engineering Attacks with a Serious Game.
In Trust, Privacy and Security in Digital Business - 15th International Conference, TrustBus 2018, Regensburg, Germany, September 5-6, 2018, Proceedings,
Springer, Lecture Notes in Computer Science 11033, 2018, ISBN 978-3-319-98384-4, Acceptance rate: 15 / 29 = 51.7%.
Dax, J.; Hamburg, D.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Sichere Informationsnetze bei kleinen und mittleren Energieversorgern (SIDATE).
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 29,
Universität der Bundeswehr, Neubiberg, 2018.
Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand der IT-Sicherheit bei deutschen Stromnetzbetreibern.
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 69-74,
Universität der Bundeswehr, Neubiberg, 2018.
Dax, J.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C.; Sekulla, A. and Terhaag, F.: Das SIDATE-Portal im Einsatz.
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 145-150,
Universität der Bundeswehr, Neubiberg, 2018.
Hamburg, D.; Niephaus, T.; Noll, W.; Pape, S.; Rannenberg, K. and Schmitz, C.: SIDATE: Gefährdungen und Sicherheitsmassnahmen.
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 51,
Universität der Bundeswehr, Neubiberg, 2018.
Kipker, D-K.; Pape, S.; Wojak, S. and Beckers, K.: Juristische Bewertung eines Social-Engineering-Abwehr Trainings.
In State of the Art: IT-Sicherheit für Kritische Infrastrukturen, pages 112-115,
Universität der Bundeswehr, Neubiberg, 2018.
Schmitz, C.; Sekula, A.; Pape, S.; Pipek, V. and Rannenberg, K.: Easing the Burden of Security Self-Assessments.
In 12th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2018, Dundee, Scotland, August 29-31, 2018, Proceedings., 2018.
Dax, J.; Ivan, A.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: IT Security Status of German Energy Providers. Technical Report,
Cornell University, arXiv, 2017.
Dax, J.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Sekulla, A.: Stand zur IT-Sicherheit deutscher Stromnetzbetreiber : technischer Bericht. Technical Report,
Universität Siegen, 2017.
Beckers, K.; Schosser, D.; Pape, S. and Schaab, P.: A Structured Comparison of Social Engineering Intelligence Gathering Tools.
In Trust, Privacy and Security in Digital Business - 14th International Conference, TrustBus 2017, Lyon, France, August 30-31, 2017, Proceedings, pages 232-246, 2017, Revision 1, Table 7 was corrected, see https://link.springer.com/10.1007/978-3-319-64483-7_16.
Beckers, K. and Pape, S.: A Serious Game for Eliciting Social Engineering Security Requirements.
In Proceedings of the 24th IEEE International Conference on Requirements Engineering,
IEEE Computer Society, RE '16, 2016, Acceptance Rate: 22/79 = 27.8%.
Beckers, K.; Pape, S. and Fries, V.: HATCH: Hack And Trick Capricious Humans -- A Serious Game on Social Engineering.
In Proceedings of the 2016 British HCI Conference, Bournemouth, United Kingdom, July 11-15, 2016, 2016.
Dax, J.; Hamburg, D.; Kreusch, M.; Ley, B.; Pape, S.; Pipek, V.; Rannenberg, K.; Schmitz, C. and Terhaag, F.: Sichere Informationsinfrastrukturen für kleine und mittlere Energieversorger.
In Multikonferenz Wirtschaftsinformatik (MKWI) -- Teilkonferenz IT-Sicherheit für Kritische Infrastrukturen (Poster), 2016.
Dax, J.; Ley, B.; Pape, S.; Schmitz, C.; Pipek, V. and Rannenberg, K.: Elicitation of Requirements for an inter-organizational Platform to Support Security Management Decisions.
In 10th International Symposium on Human Aspects of Information Security & Assurance, HAISA 2016, Frankfurt, Germany, July 19-21, 2016, Proceedings, 2016.
ClouDAT (2013 - 2015, Dortmund University of Technology, EU EFRE / Ziel2.NRW)

ClouDAT develops an open source tool for documentation and assessment of security requirements and controls in cloud computing services and for generation of documentation conforming to given standards.
The project aims at supporting small and medium-sized enterprises in certification of their cloud solutions.
The goal of the project is the development of a provider-independent approach for planning, documenting and checking security requirements and controls in cloud computing systems. The approach will be implemented as an open source tool which in turn is based on existing tools such as UML editors.
With ClouDAT we can document cloud computing systems on the different service levels including SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service) and IaaS (Infrastructure-as-a-Service) as well as the relevant business processes. This documentation will allow third parties to assess the given systems. Risks and threats, e.g. that secret data can be accessed by the cloud provider's staff, can be located and countermeasures documented. Our approach is applicable to public and private cloud systems.
The documentation process will consider the different legal regulations such as the German data protection law. A potential cloud customer will be enabled to assess whether a provided service fulfills his individual requirements. Therefore, ClouDAT develops a catalog of requirements, which enables a certification for IaaS, PaaS and SaaS, e.g. following the ISO 27001 standard. Besides legal requirements it will be possible to define individual requirements of small and medium-sized enterprises. For the documentation, ClouDAT provides a set of patterns, which allow users to specify concrete requirements by inserting concrete elements. The whole approach is based on standard notations such as UML and allows integration into development processes. The use of an automated analysis tool will finally support a reasonably priced certification of cloud computing systems, which makes it attractive also for smaller enterprises.
Seconomics (2012 - 2015, Dortmund University of Technology, EU)

The project SECONOMICS developed approaches and software tools to analyze socio-economic aspects of information security, especially in the context of cyber-physical systems.
The developed models were validated on three use cases: international air transport (airport Anadolu), urban transportation (TMB in Barcelona) and critical national infrastructure (energy and gas networks of National Grid UK and US). The developed approaches combine risk analysis with economic aspects to develop software tools that aid decision makers.
The contribution of Fraunhofer ISST and TU Dortmund was focussed on the model-based analysis of IT security risks.
SECONOMICS' goal was to synthesize sociological, economic and security science into usable, concrete, actionable knowledge for policy makers and social planners responsible for citizens' security.
The project was driven by industry case studies and specifically identified security threats in transport (air and urban and super urban metro) and critical infrastructure.
The research focus placed social science and political science at the heart of the modeling framework.
In particular, the project sought to explore the challenges of pan-European coordination in security outcomes for transport and critical infrastructure.
The contribution of the project was in developing and furthering the state of the art in modelling security problems in a technological and socio-economic context and then applying state-of-the-art risk assessments and analysis of the social context to develop optimal policies.
The outputs were twofold: first, an assessment of the future and emerging threats in the identified areas with rigorous modeling of the optimal mechanisms for mitigation within the policy domain.
Second, and more crucially, a generalized policy "toolkit" that will assist decision makers in identifying and reacting coherently (within the appropriate social context) to future and emerging threats that may arrive long after the project has been completed.
The lasting impact of SECONOMICS was a methodological revolution driven by a common but diverse set of modelling tools and utilizing recent advances in modelling technology that seamlessly traverses the social, economic and technological domains.
Pape, S.; Paci, F.; Juerjens, J. and Massacci, F.: Selecting a Secure Cloud Provider: An Empirical Study and Multi Criteria Approach.
In Information, 11 (5), 2020.
Secure Clouds (2011 - 2013, Dortmund University of Technology, BMBF KMU-innovativ)

Cloud computing is currently one of the leading developments and represents the biggest progress in web technologies.
Computing power, memory space or even complex services are outsourced using standardized interfaces and made available via the internet. Users and companies are then charged for their service usage according to usage time and user count. In this way, cloud computing offers a convenient way of using shared and easily accessible resources, in both a web-based and demand-oriented sense. Resources can be accessed directly and automatically.
However, cloud computing brings risks inherent to the concept, which are addressed within this project: e.g. the risk of private data becoming publicly available or attacks on customer data by the cloud computing provider's staff.
Outsourcing services into a cloud computing environment raises numerous compliance and security problems for the potential customer. Legal requirements as well as business requirements must be met after migration to a cloud environment. Compliance with laws, industry-specific regulations and other rules has to be maintained. Thus, a potential user of cloud computing services needs technologies and tools that allow him to gain deep insight into the fulfillment of security and compliance requirements regarding the market. These tools need to support the decision whether services should be outsourced into the cloud. Furthermore, if services are to be outsourced, there is a need for tool-supported approaches for ensuring that security and compliance requirements are still met after migration.
The goal of this project is to develop an analytic tool environment regarding the security requirement analysis of processes that are to be outsourced into the cloud. The tool-based examination of business processes is based on the different artefacts available within the companies, such as documents, forms and log-files. Thereby it can be checked whether outsourcing of a process is possible while keeping all security and compliance requirements.
Bleikertz, S.; Mastelic, T.; Pape, S.; Pieters, W. and Dimkov, T.: Defining the Cloud Battlefield -- Supporting Security Assessments by Cloud Customers.
In Proceedings of IEEE International Conference on Cloud Engineering (IC2E), pages 78-87, 2013, Acceptance rate: 22 / 107 = 20.6%.
MoDelSec (2011 - 2012, Dortmund University of Technology, DFG)

MoDelSec was part of the Reliably Secure Software Systems (RS3) - DFG Priority Programme 1496. The objective of this project was to develop an approach for considering advanced techniques in access control (in particular delegation of user permissions) in the context of a formally-based software development methodology. The approach was based on formalizations from the Secure Information Flow approach to security verification, which offers the possibility for a particularly fine-grained security analysis. Since secure information flow formalizations have traditionally been used in the context of mandatory access control (MAC) which does not usually include user-level permission delegation, investigation of delegation in this context has so far been limited. Since the Secure Information Flow approach has found increasing use over the last few years, one of the goals of this project was therefore to fill this gap by investigating how to support the analysis of sophisticated access control techniques such as delegation of user permissions. A further objective was to exploit results on modular analysis of Secure Information Flow properties in the context of the analysis of access control mechanisms and in particular the delegation of user permissions. The scientific progress was transferred into the context of a secure software development approach based on formal verification tool support.
Ochoa, M.; Pape, S.; Ruhroth, T.; Sprick, B.; Stenzel, K. and Sudbrock, H.: Report on the RS3 Topic Workshop "Security Properties in Software Engineering". Technical Report,
Universitätsbibliothek der Universität Augsburg, Universitätsstr. 22, 86159 Augsburg, 2012.
TEICHI (2010 - 2012, University of Kassel)

The TEICHI Framework is a modular tool for displaying documents encoded according to the guidelines of the Text Encoding Initiative (TEI Lite P5) as pages in a Drupal-based website. The framework's name brings together the Text Encoding Initiative (TEI) and Computer-Human Interaction (CHI).
Possible use cases for the TEICHI Framework are text edition projects in literary studies, history, or other text-based disciplines, provided they have a relatively straightforward editorial situation: only one given edition of a text is documented, a single-column presentation makes sense, and authorial and editorial annotation are important. The modules could also be of use in educational contexts, e.g. workshops on electronic textual editing.
Pape, S.; Schöch, C. and Wegner, L.: TEICHI and the Tools Paradox. Developing a Publishing Framework for Digital Editions.
In Journal of the Text Encoding Initiative, 2: 1-16, 2012.
Pape, S.; Schöch, C. and Wegner, L.: Bringing Bérardier de Bataut's Essai sur le récit to the Web: Editorial Requirements and Publishing Framework (Poster).
In Poster at: TEI 2010, The 2010 Conference of the Text Encoding Initiative Consortium, 2010.
Pape, S.; Schöch, C. and Wegner, L.: A Framework for TEI-Based Scholarly Text Editions. Technical Report,
Universität Kassel, 2010.