Cybersecurity, Trustworthy ICT Research & Innovation

Unrestricted

Horizon2020Program(2014-2020)

Cybersecurity,TrustworthyICTResearch&InnovationActionsSecurity-by-designforend-to-endsecurity

H2020-SU-ICT-03-2018

CybersecuritycOmpeteNCefOrResearchanDInnovAtion1†

DeliverableD3.1:1styearreportoncommunitybuildingandsustainability

Abstract:D3.1providesanoverviewofthekeyWP3achievementsinY1ofCONCORDIA.Wepresentahigh-leveloverviewoftheresultsweattainedineachof

thefivetasks,ourlessonslearned,andourwayforwardforY2.

ContractualDateofDelivery Dec31,2019ActualDateofDelivery Dec23,2019DeliverableDisseminationLevel PublicEditors MarcoCaselli(T3.1)

CristianHesselman(T3.2,D3.1)ReinhardGloger(T3.3)FeliciaCutas(T3.4)AljosaPasic(T3.5)

Contributors SiemensSIDNCODE/MUNI/BADW-LRZEITDigitalATOS

QualityAssurance JakubCegan(MUNI)DanielTovarnak(MUNI)DetlefHoudeau(IFAG)ThibaultCholez(UL)

1†ThisprojecthasreceivedfundingfromtheEuropeanUnion'sHorizon2020researchandinnovationprogrammeundergrantagreementNo830927.

Ref. Ares(2019)7925128 - 29/12/2019

CONCORDIA CYBERSECURITYCOMPETENCEFORRESEARCHANDINNOVATION

Unrestricted2www.concordia-h2020.eu 23December2019

The CONCORDIA Consortium CODE ResearchInstituteCODE(Coordinator) GermanyFORTH FoundationforResearchandTechnology-Hellas GreeceUT UniversityofTwente NetherlandsSnT UniversityofLuxembourg LuxembourgUL UniversityofLorraine FranceUM UniversityofMaribor SloveniaUZH UniversityofZurich SwitzerlandJUB JacobsUniversityBremen GermanyUI UniversityofInsubria ItalyCUT CyprusUniversityofTechnology CyprusUP UniversityofPatras GreeceTUBS TechnicalUniversityofBraunschweig GermanyTUD TechnicalUniversityofDarmstadt GermanyMUNI MasarykUniversity CzechRepublicBGU Ben-GurionUniversity IsraelOsloMET OsloMetropolitanUniversity NorwayICL ImperialCollegeLondon UKUMIL UniversityofMilan ItalyBADW-LRZ LeibnizSupercomputingCentre GermanyEITDIGITAL EITDIGITAL BelgiumTELENOR Telenor NorwayACS AirbusCybersecurity GermanySECT secunetSecurityNetworks GermanyIFAG Infineon GermanySIDN SIDN NetherlandsSNET SurfNet NetherlandsCYD CyberDetect FranceTID TelefonicaI+D SpainRD RUAGDefence SwitzerlandBD Bitdefender RomaniaATOS AtosSpainS.A. SpainSAG Siemens GermanyFlowmon FlowmonNetworks CzechRepublicTÜVTRUSTIT TUVTRUSTITGmbH GermanyTI TelecomItalia ItalyEFA EFACEC PortugalALBV Arthur’sLegalB.V. NetherlandsEI eesyinnovation GermanyDFN-CERT DFN-CERT GermanyCAIXA CaixaBank Spain



BMW BMW GermanyGSDP MinistryofDigitalPolicy,Telecommunicationsand

MediaGreece

RISE RISEResearchInstitutesofSwedenAB SwedenEricsson EricssonAB SwedenSBA SBAResearchgemeinnutzigeGmbH AustriaIJS InstitutJozefStefan SloveniaDocument Revisions & Quality Assurance Internal Reviewers

1. JakubCegan(MUNI)2. DanielTovarnak(MUNI)3. DetlefHoudeau(IFAG)4. ThibaultCholez(UL)5. ChristianKeil(DFN-CERT)

Revisions:wecontinuallyupdateddraftsofD3.1onConfluence



Executive summary ThegoalofWP3istoreinforceEurope’scybersecurityleadershipbydevelopingandevaluatingbuildingblocksforaEuropeancross-sectorcybersecurityinfrastructure,specifically for collaborative threat handling, technology and serviceexperimentation, training and education, and starting up new businesses. WP3utilizesWP1’stechnologydevelopmentsandWP2’sindustrypilotsandthisinter-WPcooperationhasbeensuccessfullyinitiatedinY1.TheoverallYear1WP3achievementsincludethefollowing:

• Task 3.1 has successfully met Y1 targets to establish the groundwork forinformationsharingofcyberthreats.TheThreatIntelligencePlatformisunderdevelopmentandutilizestheMISPopensourcethreat intelligenceplatformthatwassuccessfullyvalidatedatDFN-CERT.TestingwithWP2'sTelecomandFinancepilotshascommenced.

• Task3.2 isontrack fordeveloping thehigh-levelarchitecture for theDDoSClearingHouse,runningafirstversionofthepilot,anditsassociatedusability“cookbook”.AsignificantachievementwastheestablishmentofthelegaldatasharingagreementforthepilotintheNetherlands.ThiswillformtheblueprintforthebroaderagreementneededforeffectivedeploymentattheEUlevel.

• Task 3.3 is on track to create a cyber security ecosystem to validate anddemonstrateCONCORDIA’s results and to foster cyber security trainings.Asteadily growing inventory of tools, cyber range platforms, and trainingofferingshavebeencreated.Task3.3alsoresearchedthepossibilityofsharingtestingandtrainingcontentacrosscyberrangeplatformsinCONCORDIA.

• Targeting the development of an EU-wide cybersecurity educationalecosystem,Task 3.4 has successfully conducted the assessment of theEU'seducational portfolio to develop the initial methodology for creatingcybersecuritycoursesandanassociatedcertificationschema.

• Task3.5addressingofcommunitybuildingactivitiestosupportstartupsisontrack. The background tasks of identifying startup stakeholder motives,challenges,influencefactorsandtheestablishmentofperformanceindicatorshasbeencompleted.



Contents1 Introduction......................................................................................................................6

2 BuildingathreatintelligenceplatformforEurope(T3.1)................................72.1 Taskobjective......................................................................................................................72.2 Status......................................................................................................................................72.3 KeyachievementsY1.........................................................................................................72.4 FurtherContributionsandOutlookforY2.................................................................9

3 PilotingaDDoSclearinghouseforEurope(T3.2)...............................................93.1 Taskobjective......................................................................................................................93.2 Status....................................................................................................................................103.3 KeyachievementsY1.......................................................................................................103.4 OutlookY2...........................................................................................................................14

4 DevelopingCONCORDIA’secosystem(T3.3).......................................................154.1 Taskobjective....................................................................................................................154.2 Status....................................................................................................................................154.3 KeyachievementsY1.......................................................................................................154.4 OutlookY2...........................................................................................................................18

5 EstablishingaEuropeaneducationecosystemforcybersecurity(T3.4)..195.1 Taskobjective....................................................................................................................195.2 Status....................................................................................................................................195.3 KeyachievementsY1.......................................................................................................195.4 OutlookY2...........................................................................................................................24

6 Communitybuilding,supportandincentivemodels(T3.5).........................246.1 Taskobjective....................................................................................................................246.2 Status....................................................................................................................................246.3 KeyachievementsY1.......................................................................................................256.4 OutlookY2...........................................................................................................................28

7 Conclusionsandoutlook............................................................................................288 References......................................................................................................................28

Annex A: Assessing the courses for Cybersecurity professionals alreadydevelopedbyCONCORDIApartners(T3.4)..................................................................29A.1 Executivesummary..........................................................................................................29A.2 TheLandscape...................................................................................................................31A.3 CONCORDIAecosystem...................................................................................................42A.4 Conclusions.........................................................................................................................51A.5 Annexes...............................................................................................................................54

AnnexB:Startupscene(T3.5)..........................................................................................62



1 Introduction ThegoalofCONCORDIA’sWP3 is todevelopbuildingblocks foraEuropeancross-sector(“horizontal”)cybersecurityinfrastructure,specificallyfor:

• Collaborativethreathandling(T3.1,T3.2),• Developingandevaluatingnewtechnologiesandservices(T3.3),• Trainingandeducation(T3.3,T3.4),and• Startingupnewbusinesses(T3.5)

Table1providesanoverviewofthekeybuildingblocksthatWP3providesandthetangibleformsthattheytake:

• Technical designs (TD), such as for cybersecurity platforms (e.g., for threatintelligence),labs,testbeds,andtools(e.g.,simulatingadversarybehaviour)

• Methodologies (M), for instance for setting up pan-European cybersecuritycourses,trainings,andstart-ups.

• Use cases (UC) of the technical designs and methodologies, for instancethroughactualcybersecuritycoursesandtechnicalpilots.

Forexample,theDDoSclearinghouse(T3.2)consistsofatechnicaldesignthatwewillusetwicethroughapilotintheNetherlandsandinItalyandthatwillalsoresultina“cookbook”(methodology)thatdiscusseshowtodevelop,setup,andgovernaDDoS clearing house. Similarly, CONCORDIA’s educational actions (T3.4) focus ondevelopingmethodologiesandframeworkstodesign,certify,andteachcoursesforcybersecurity professionals, mid-managers, executives, and teachers as well asdescribeprocessesforusingthem.

Table1.KeybuildingblocksofCONCORDIA’scross-sectorcybersecurityinfrastructure.

WP3keybuildingblock Output TaskAn intelligent decision support system for incident responseteamsusingasharedthreatintelligenceplatform

TD,M,UC T3.1

A DDoS clearing house for proactively and collaborativelyhandlingDDoSattacksusingDDoSfingerprints

TD,M,UC T3.2

A virtual lab for other CONCORDIA WPs, trainings, and(smaller) European cybersecurity companies in a post-CONCORDIAera

TD,M,UC T3.3

Hands-ontrainingsforoperationalteams,forinstancebasedontheconceptof“cyberranges”

TD,M,UC T3.3

Cybersecurity educational instruments such as courses andcurriculumsforprofessionalsandteachers(aspartoftheEEEC)

M,UC T3.4

A“factory”forstartingnewcybersecuritybusinesses(start-ups),forinstanceintermsofIPRmanagementanddatasharing

M,UC T3.5

TherestofthisreportprovidesanoverviewofthemainresultsandlessonslearnedofWP3in2019,withaseparatesectionforeachofWP3’stasks(Sections2through6).WeconcludewiththeoverallstatusofWP3andanoutlookfor2020inSection7.



2 Building a threat intelligence platform for Europe (T3.1)

2.1 Task objective The aim of Task 3.1 is to build and operate the CONCORDIA Threat IntelligencePlatform,alogicallycentralizedsystemthatenablesplayersfromdifferentsectorstoshareawidevarietyofthreatindicatorsinatrustedway.Theplatformwillbeabletoautomatically analyze threat information and seamlessly distribute appropriateeventnotifications.Itsimplementationwillbebasedonexistingcomponents,suchastheMalware Informationand threat SharingPlatform (MISP) [1] and the IncidentClearingHousedeveloped intheproject“AdvancedCyberDefenceCentre”(ACDC)[2].

2.2 Status Task3.1isontrackandfulfilledtheenvisionedtargetsforY1.TheworkcarriedoutinY1preparedthegroundforthecomprehensivedevelopmentofallactivitiesrelatedtothreatintelligenceinformationsharinginthenextyearsoftheproject.

2.3 Key achievements Y1 TechnologyscoutingTask3.1startedinJanuary2019withaseminaldiscussionamongallprojectpartnerswith the goal of defining requirements and objectives for Threat Intelligence (TI)sharing.Lateron,thecollectedfeedbackguidedthesearchforTIplatformsavailableonthemarketthatcouldfulfillCONCORDIA’sneeds.TheTIplatformofchoice,MISP,was selectednot just becauseof its comprehensive set of featuresbut also for itsmaturityanditsalready-establishedwide-spreadusagearoundEurope.Created in 2011, MISP is an open source threat intelligence sharing platformsupportedbytheComputerIncidentResponseCenterLuxembourg(CIRCL).CIRCLisa partner of the SPARTA project, which increases the probability that MISP willbecomeastandardinEurope.OriginallydevelopedcooperativelybyCIRCLandNATO,MISPemergedasaneffectiveandefficientsolutiontoshareIndicatorsofCompromises(IoCs)which,atthattime,wereexchangedonlybyemailasunstructured textualdata (e.g.,PDFdocuments).With the increase of cyberattack sophistication and the consequent need forcollaborative analysis operated by distributed teams of security experts, theadvantages of using MISP became clear and the project expanded to support agrowingnumberofusers: fromindividuals toworld-wideprivateorganizationsaswellasnationalandsupranationalCERTs(e.g.,CERT-EU).CONCORDIAplatformforthreatintelligenceWithinCONCORDIA,thecentralMISPinstance,representsthecoreoftheenvisionedCONCORDIA Platform for threat intelligence sharing.MISPwas deployed at DFN-CERTinJune2019andiscurrentlymanagedcooperativelybySiemensAG(principaland formal responsible) and DFN-CERT itself. A selected number of CONCORDIAparticipants (mostly related to the CONCORDIA “Telecom” and “Finance” pilots)



started testing and interactingwith the centralMISP instance in November 2019pavingthewaytotheofficialroll-outfacein2020.InthesecondhalfofY1,Task3.1focusedonaligningactivitiesandcontributionsofthe involved partners. Those include topics such as: the role and actions of theIncidentClearingHouse(ICH)ofDFN-CERT,thedefinitionofareferencearchitecturefortheCONCORDIAplatform,theidentificationofthekindofinformationthatwillbesharedamongallstakeholders,thetechniquesforgainingknowledgeontopoftheavailabledata(e.g.,machinelearning).While the ICH reactively informs resource owners of actual problems in theirnetworks(e.g.,botsdetectedconnectingtotheircommandandcontrolserver)andthusforwardsincidentstotheaffectedparties,theDDoSClearingHouse(presentedin Section 3) proactively shares fingerprints of detected DDoS attackswith otherpartiestofacilitateeasymitigationoncetheattackcomestheirway.SincethealreadyoperationalICHrequiresestablishedthirdpartiesastrustanchorstomanageaccessto the ICH for the different classes of organizations (e.g., Trusted Introducer forCERTs),termsofaccesstotheICHaspartoftheCONCORDIAprojectweredevelopedand shared with the consortium. The overall integration of the ICH within theCONCORDIA platform was preliminary examined but will be more thoroughlydiscussedintheupcomingmonths.Atthetimeofwriting,abasicsetofinteractionsrelatedtotheCONCORDIAPlatformhasbeenidentified.ThisisshowninbothFigure1andFigure2.Figure1emphasizesactivitiesinvolvingCONCORDIAstakeholderswitheitherthecentralMISPinstanceor the ICH. Such situation describes the status of threat intelligence sharing inCONCORDIAforthewholeofY1.

Figure1.CONCORDIAPlatforminY1.

Figure2,ontheotherhand,showstheintentionofprovidingtotheprojectavirtualsinglepointofcontactforallthreatintelligencerelatedactivities.Componentswithin



theCONCORDIAplatformwillinteractwithoneanothertoorganizeavailablethreatintelligenceinformationandthustransparentlyimprovetheirservicestoallusers.

Figure2.CONCORDIAPlatformVision.

2.4 Further Contributions and Outlook for Y2 Intheupcomingyears,inordertopopulatetheCONCORDIAPlatform,allinterestedpartners will work on generating threat intelligence indicators (e.g., FORTH isworkingoncustomizinganddeployingstate-of-the-arthoneypotsolutions for thispurpose).TheseindicatorswillbeeventuallypushedtothecentralMISPinstanceand,thus,sharedwithintheconsortium.

Finally,animportantcontributionofT3.1reliesonthehandlingof“CourseofAction”(CoA)data,namely,informationonresponseactionstobeperformedtocounteractcyberattacksandsecuritybreaches.Within the CONCORDIA Platform, a specific component named “CoA HandlingPlatform”willbedesignedtofulfillthistask.TheCoAHandlingPlatformwillnotjustcollect CoAs but also evaluate them, make correlation and contextualize theinformationtomakeit“readytouse”.TheseactivitieswillpavethewayforautomateddeploymentofCoAswith the ambitionof boosting computer emergency responseteams’ efficiency and, thus, their capabilities to quickly respond to the upraisingnumberofcyberthreats.

3 Piloting a DDoS clearing house for Europe (T3.2) 3.1 Task objective TheobjectiveofTask3.2istopilotaDDoSClearingHousewithEuropeanindustryforEuropetoproactivelyandcollaborativelyprotectEuropeancriticalinfrastructureagainstDDoSattacks.



The tasks keydeliverables are a pilot in theNetherlands and in Italy and aDDoSclearinghouse“cookbook”thatenablesothersetsofserviceproviderstosetupandoperatetheirownclearinghouse.

3.2 Status Task3.2isontracktowardsitsgoal,butwemademoreprogressonthecookbook(e.g.,intermsfurtherdevelopingtheclearinghouseconcept)thanonthepilotintheNetherlands itself, which we had not anticipated. The main cause is that thedevelopmentofthedraftdatasharingagreementhadalongleadtime,partlybecauseofstaffingissuesandpartlybecauseittookawhileforthelegalandtechexpertstounderstandeachother’sproblemspaceandagreeonacommonapproach.Totacklethe latter, we will set up a permanent Legal working group for the pilot in theNetherlands(seelessonslearnedinSection3.3).

3.3 Key achievements Y1 ExperimentalsetupWesetupthefirstiterationoftheDDoSclearinghousepilotintheNetherlands,whichfocuses on creating and sharing DDoS fingerprints through ddosdb.nl, a centralinstanceofDDoS-DB [3] that runson thenetworkof SIDNLabs.TheNLpilot is acollaborationof10differentorganizations(e.g.,ISPs,Internetexchangepoints,andgovernmentagencies),threeofwhichareCONCORDIApartners(SIDN,SURFnet,andtheUniversityofTwente).DatasharingagreementWe developed a simple data sharing agreement for the first phase of the pilot,coveringbasic legal aspects like objectives, liability, security, personal identifiableinformation(PII),andgovernance.Thedatasharingagreementisvalidforafixedbutextensibledurationof6monthsandiscurrentlybeingreviewedbythepilotpartnersin the Netherlands. For simplicity, the DDoS fingerprintswe share currently onlyincludemetadataandnopacketcaptures(PCAPs).Thedevelopmentofthedatasharingagreementhadalongleadtime,partlybecauseofstaffingissuesandpartlybecauseittookawhileforthelegalandtechexpertstounderstandeachother’sproblemspaceandagreeonacommonapproach.DraftoverallarchitectureWe developed the high-level architecture of the clearing house (Figure 3), whichrevolvesaroundthreekeycomponents: thedissector (generates fingerprints fromDDoS traffic), DDoS-DB (distributes fingerprints and provides a searchablefingerprint history), and a converter (maps fingerprints to traffic filtering rules).Figure3showsanexampleinwhichserviceproviderSP2handlesDDoSattackAandshares the attack’s fingerprint FP(A) with service providers SP1 and SP3. Theoperations teams of SP1 and SP3 use the fingerprint to reconfigure theirinfrastructure (e.g., by loading appropriate filtering rules into their routers), thusproactivelypreparingforattackAshoulditcometheirwayaswell.Wereferto[5]foradiscussiononhowtheDissectorworks.



Figure3.ServiceprovidersSP1,SP2,andSP3usingaclearinghouse.

Figure 3 also illustrates how the DDoS clearing house differs from the IncidentClearing House (see Section 2): the DDoS clearing house proactively sharesfingerprintsofdetectedDDoSattacks,whereastheincidentClearingHousereactivelyinforms resourceownersof actualproblems in theirnetworks (e.g., botsdetectedconnectingtotheircommandandcontrolserver).SystemrequirementsThe partners in the Dutch pilot have also developed a report that provides anoverviewofthetechnicalrequirementsandusecasestoimprovetheclearinghouse’skey components (dissector, DDoS-DB, and converter). Examples of requirementsincludethatthedissectormustnotincludeanysensitiveinformationaboutthevictimofaDDoSattackinafingerprint(e.g.,destinationIPorMACaddresses)andthattheDDoS-DB must allow an authenticated user to perform searches on the index offingerprintsanddownloadthem.The requirements specification also contains a breakdown in different 4 dev-opsphases,with the firstphase focusingon improvements tosetupastable “clearinghousecycle”:fromgeneratingfingerprintsusingthedissector,todistributingthemthroughDDoS-DB,andusingthefingerprintsinnon-productionrouters.Thedevelopmentoftherequirementswasacollaborativeeffortofthe10partnersinNL, using a system architect jointly funded by the Netherlands’ National CyberSecurityCenter(NCSC-NL),NBIPandSURFnet.

DDoS attacks A MS2 F2PCAP(A) FP(A) FP(A)

SP2 (sender)

FP(B)

L2

MS1FP(A) FP(A)

L1

MS3FP(A) FP(A)

SP3 (receiver)

L3

FP(A)

Information layerDDoS handling

D2

C2

C3

DDoS-DB

DP2

reconfig

reconfig

reconfig

DDoS Clearing House

SP1 (receiver)

C1

Governance body

Rules and procedures

MS Mitigation SystemD DissectorC ConverterL Local DDoS-DB instanceF FilterFP Fingerprint



DisseminationWepresentedtheDDoSclearinghouseat9differentconferencesandworkshops(seeTable 2), including the key security conference in the Netherlands (the OneConference)andtheCONCORDIAOpenDoorEvent.Allpresentationsareavailableatwww.concordia-h2020.eu/publicity/.

Table2.Task3.2presentationsinY1.

Date Event26-Nov-2019 C.HesselmanandJ.Santanna,“FightingDDoSattackstogetherona

nationalscale”,SNiC2019ResilITconference(nationalconferenceforstudentassociationsincomputerscience),Amersfoort,NL

05-Nov-2019 C. Hesselman and J. Latour, “The DNS and the IoT: security andstability opportunities, risks, and challenges (for ccTLDs)”,ICANN66,Montréal,Canada

17-Oct-2019 C. Hesselman, “Piloting a DDoS Clearing House for Europe”,CONCORDIAOpenDoorEvent,LuxembourgCity,Luxembourg

02-Oct-2019 C.HesselmanandJ.Santanna,“FightingDDoSattackstogetheronanationalscale”,OneConference,TheHague,NL

02-Sep-2019 C.Hesselman,C.Hesselman,“MitigationofIoT-basedDDoSattacks”,APTLD76,Malasyia(remotepresentation)

16-Jun-2019 C.Hesselman,“IncreasingtrustinthedigitalinfrastructurethroughanationalDDoSclearinghouse”,AfricaInternetSummit(AIS2019),Kampala,Uganda(remotepresentation)

28-May-2019 C.Hesselman,“IncreasingtheresilienceoftheNetherlands’digitalinfrastructure together”, ISC2NL Cyber Resilience Event,Amersfoort,TheNetherlands

17-May-2019 C. Hesselman, “Mitigating DDoS attacks from botnets through anationalDDoSclearinghouse”,BotLegWorkshop,co-locatedwithTILTingPerspectives2019,Tilburg,theNetherlands

23-Feb-2019 C.Hesselman, “Collaboratively increasing the resilienceof criticalservices in the Netherlands through a national DDoS clearinghouse”, Internet Infrastructure Security Day at APRICOT2019,Daejeon,SouthKorea(remotepresentation)

LessonslearnedOurkeylessonslearnedare:The need for a DDoS clearing house is widely recognized. Based on the positivefeedbackwereceivedonour talks,weconclude that theneed foraDDoSclearinghouse is widely acknowledged. This is also illustrated by the Dutch partners’investments in the clearinghousepilot, both in-kindand in-cash. For example, allpartnersareputtinginpersonmonths(bothtechnicalandlegalexperts)andNCSC-NL,NBIP, and SURFnet jointly funded a systems architect to further flesh out theoverallarchitectureofFigure3.TheDDoSclearinghouseneedstobepartofawider“anti-DDoScoalition”.TheDDoSclearing house is an operational facility that needs to be supported by an active



community,whichwecall an “anti-DDoScoalition” (in theNetherlands: theDutchanti-DDoS coalition”). Member organizations organize themselves into variousworking groups to provide continuity, for instance to develop andmaintainworkproducts such as iterations of the clearing house’s data sharing agreement,proceduresandwaiveragreementsforDDoSexercises,andtherulesofengagementforcoalitionmembers(e.g.,membershiprules).TheDutchpartnersinthepilotalsoexpressedtheneedtocarryoutlarge-scaleDDoSexercisestogetherandactuallyranoneinthefourthquarterof2019.Asaresult,wethinkofananti-DDoScollationasintermsoftwocoreoperationaltasks:runningtheDDoSclearinghouseandcarryingoutDDoSexercises.Wealsolearnedthatananti-DDoScoalitionshouldconsistsoftwotypesofmembers:acoreoforganizationsthathaveajointoperationalrelationship(sharingfingerprintsandcarryingourDDoSexercises)andagroupofaffiliatedmembers that focusonsharingexpertiseandexperiences(ratherthanoperationalactivities).Theobjectiveoftheentirecoalitionshouldbetofurtherimprovetheprotectionofmembers’criticalservicesbysharingexpertise,experiences,andoperationaldataonDDoSattacks.Anti-DDoScoalitionsneedalegalworkinggroup.Thedevelopmentandoperationofthe clearing house requires a working group of legal experts that collaborativelydevelopandmaintainlegaldocumentsforvariousiterationsofthepilot,suchasthedatasharingagreement,thewaiveragreementsforDDoSexercises,andtheclearinghouse’s evolving governance structure. A legal working group speeds up thedevelopment and deployment of the clearing house because the people on theworkinggrouparecloselyinvolvedinthetopicandprovidecontinuitywhenpeoplearetemporarilyunavailableorchangejobs(weexperiencedthelatterfirst-handintheDutchpilot).Inaddition,alegalworkinggroupusesthecombinedexpertiseofitsmembers,whichwillhelpaligningthelegaldocumentswiththedifferentiterationsofthepilot.WearecurrentlysettingupalegalworkinggroupfortheDutchcoalition.Personaltrustiscrucialatearlystages.Personaltrustbetweenthe10partnersintheNetherlandswascrucialtomakeprogressinthisearlystageoftheclearinghouse.Forexample,peoplewereconfidentthattheycouldreachconsensusintheworkinggroupthat develops the DDoS clearing house, which is why we opted for unanimousdecisionmakinginourcurrent“governancemodel”(formalizedaspartofthedatasharingagreement).Keepdatasharingagreementsimpleandscalable.Thedatasharingagreementneedsto clearly articulate the purpose of the first iteration of the pilot, which is toexperiment with exchanging DDoS fingerprints across different organizations toassesstheusefulnessandeffectivenessoftheclearinghouse.Italsoneedstocoverother legal aspects (e.g., liability, security, PII, and governance), but only the bareminimum.Thisisimportanttokeepthedatasharingagreementsimpleandscalableandfitforexperimentation.Afuturechallengeistoevolvethedatasharingagreementsothatitslevelofsimplicityandscalabilitycontinuestoalignwithnextpilotiterations.



Combiningtechandlegalexpertiseearlyonisamust.Thedatasharingagreementrequiresclosecollaborationbetweenlegalandtechnicalexpertsfromthestart.Forexample,thetechfolkneedtoprovideguidanceforlegalexpertsontheconceptofaDDoS fingerprint and highlight the purpose and nature of the data exchange(collaborationandexperimentation).This is importanttoreducelegaluncertainty,whichhelpsavoidingconservativelegalconstructs(cf.[4])Combiningresearchandoperationalexpertiseearlyonisamust.Earlydiscussionswiththeoperationalteamswhowillworkwiththeclearinghouseisimportanttogettheirrequirements.Forexample,theyneedtobeincontrolofinstallingfilteringruleson their network infrastructure, whichmeans that the clearing house should notinstalltheserulesautomatically.AnotherexampleisthatsystemsmightfailunderaDDoS attack, which means that ops teams also need the possibility to createfingerprints by hand through a UI or a command line tool and share whateverinformationtheylearnedabouttheattack(e.g.,suspectedorigin,protocoltype).CONCORDIApartnersplayabridgingrole.SIDN,UT,andSURFnetplayabridgingrolebetween twodifferentworkstreams: thedevelopment of theDDoS clearinghousepilotintheNetherlandswith7non-CONCORDIApartnersandthemoreresearchtypeofworkinCONCORDIA(T3.2andT1.2).Toenablethetwoworkstreamstoadvancemore in parallel, we will create a separate experimental setup for CONCORDIApartners(ddosdb.eu)andsharetheresultsacrossthetwoworkstreams.

3.4 Outlook Y2 OurnextstepsfortheNLpilotaretosignthedatasharingagreement,startsharingDDoSfingerprints,andusethefingerprintstoconfigurenon-productionrouters.Inaddition,wehavestartedfleshingouttherequirementsforthenextiterationsofthepilotandimprovethedissector,DDoS-DB,andconvertersoftware.Ourotherplansfor2020includewritingablogonourlessonslearnedintheNLpilot(startingpointfortheDDoSclearinghousecookbook),settingupaninstanceoftheclearinghouseatSIDNLabsspecificallyforT3.2(ddosdb.eu),andrunexperimentssuchasfingerprintingbasedoncross-VMDDoStraffic,clusteringoffingerprints,andautomatic generation of mitigation rules. We’ll also translate the data sharingagreementfromDutchtoEnglishtoaccommodatethisactivityandmakeitavailablewithinCONCORDIA(e.g.,forT3.5).Finally, we aim to increase cooperation within T3.2 and with other WP3 tasks,specifically:• T3.1:todevelopatechnicaldesignonhowtoshareDDoSfingerprintsthroughthe

CONCORDIAthreatintelplatform(inadditiontothroughDDoS-DB)• T3.3:torunddosdb.euintheCONCORDIAvirtuallab(orfirstrunitatSIDNLabs,

thenmigrateit)• T3.5: to provide input for the “start-up factory” and guidance on data sharing

basedonthefirstversionoftheDDoSclearinghousecookbook.



4 Developing CONCORDIA’s ecosystem (T3.3) 4.1 Task objective TheobjectiveofT3.3istoestablishtheCONCORDIAcybersecurityecosystemwithvirtual labs,servicesandtrainingactivities.VirtualLabactivityaimstodevelopanecosystem that would support validations and demonstrations of CONCORDIA’sresultsonlargeITinfrastructuresandinsmallercybersecuritylabs.Servicesactivityaims to create a curated portfolio of public and proprietary tools and availablecybersecurity labs tocreateacutting-edgeadvantage for thepartners tospeedupresearchanddevelopmentofcybersecuritysystems.Trainingactivityaimstodevelopand continuously evolve cyber range trainings to achieve better automated andcustom-tailoredtrainingthatcorrespondtotheevolvingcyberthreatlandscape.

4.2 Status Task3.3isontracktowardsitsgoal.ThemainfocuswasonCyberTrainingandtheinventory of Cyber Ranges and Trainings is already available online (website:https://www.concordia-h2020.eu/map-courses-cyber-professionals and onconfluence forproject-internaluse).The first steps forexchanging scenariosweredoneaswellasthecooperationwithotherH2020projectsandpilotshasstarted.Thevisibility inServiceswasbetterthanexpected.TheconceptofaVirtualLab,whichreliesonServicesandTrainings,willneedtobediscussedfurtherwithintheWP3inthefuture(lessonlearned).

4.3 Key achievements Y1 Lessonslearned:focusoncyberrangesThe idea along the lines of a common “live” testing lab must undergo a furtherdiscussion due to security, trust and privacy issues. Because of these reasons,emulationandsimulationapproachesareusuallyusedinthiscontext.Afterseveralroundsofinformation-gatheringwithintheconsortiumwehavelearnedthatatthepresenttimethemostcommonlyreportedmanifestationofacybersecuritylabiseitheracyberrangeoracyberrangeplatformandrelatedtrainings.OurfurthereffortsinY1wasthereforefocusedonthisverycomplexarea.Cyberrange(CR)isamultipurposeenvironmenttoexecutecomplexcybersecurityscenariosinanisolatedandsafemanner–essentiallyacyberspacecounterparttomilitarytestingandtrainingranges.Cyberrangeplatforms,ontheotherhand,allowtocreatemultipleinstancesofcyberrangeenvironmentsondemand.VirtualLabOneofthegoalsoftheVirtualLabistograntaccesstocybersecuritylabstopartnersandpossiblyalso to certificationbodies.Thisgoal is very tightly connected to theServices and Training activities where several potential labs and solutions weremapped.Threat Intelligence (TI) platform and Central Clearing House (CCH) are currentlyhostedintherelatedtasksT3.1andT3.2,respectively.



ServicesInordertofulfiltheobjectiveofprovidingcuratedportfoliooftoolsandservicestoCONCORDIA and the wider community, we integrated cybersecurity ecosystemcontent into the CONCORDIA website: https://www.concordia-h2020.eu/map-courses-cyber-professionals/(seeFigure4).Thereby,allinformationisinoneplaceandcaneasilybefound.

Figure4.CyberRangesandCTFEventswithintheCONCORDIAmap2andcalendar3.

As a first step, we gathered several information about cyber ranges and trainingpossibilitiesfromCONCORDIApartners.Morethan10cyberrangesandcyberrangeplatforms are either running or being created/set-up within CONCORDIA, forexampleatCODE,UL,ACS,RISE,andMUNI.ThesecyberrangesaswellasCapturetheFlag(CTF)eventsarealreadyshownintheCONCORDIAmap2(seeFigure4),whichisajointcooperationwithT3.4.Themapincludes,forexample,informationabouttheplace,securityarea(relatedtotheresearchtasksinWP1),sectors(relatedtoWP2),andadditionalinformation.Inordertoseethedifferentcybersecurityeventsduringtheyear,wearecurrentlyworkingtogetherwithdifferenttaskstoincludethemintotheCONCORDIAcalendar3,asshowninFigure4aswell.Inasecondstep,recommendedtools,likeChizpurfle(hasafocusontestingvendor-specificsystemservicesofAndroidOS)andFrida(dynamicinstrumentationtoolkitfor developers), are currently being collected internally and they are going to bedisplayed in the service catalog1 in Y2. Further helpful information, like existing

1https://www.concordia-h2020.eu/concordia-service-cybersecurity-tools/



cybersecuritylabs,willbeavailableviatheservicecatalogattheCONCORDIAwebsiteaswell.

TrainingCyberrangeplatforms,CR-basedtrainings,andrelatedtoolsarethemainfocusoftheTraining activity. Initial discussions were started with technical topics such astechnicalfederation,exchangeofscenarios,automaticexecutionofattackscenarios,scoring mechanisms and network simulation/emulation. Actual status anddevelopmentatCODE,UL,ACS,RISE,MUNI,andothercyberrangepartnerswastakenintoaccount.AjointworkshopwasheldatCODEinordertobroadencollaborationbetweenCODEandMUNI.AbroaderconsensuswasreachedregardingtechnicalfederationofcyberrangesandCRplatforms.AtthepresenttimeCONCORDIAdoesnothaveambitionstopursuethisdirection,asopposedtootherpilots,forexample.Instead,wearecurrentlyfocusedonresearchingthepossibilityofinterchangingtestingandtrainingcontent(e.g.basevirtual images, network topologies, SW configurations, and scenario descriptions)betweencyberrangeplatforms(e.g.,MUNICyberRange,CODECyberRange,andULCyberRange).Thiswillenablethepartnerstocombineandshareeffortintheareaoftrainingcreationvia(partial)scenarioexchange.CODE,UL,andMUNIhavetheirCRplatformsinanoperationalstateandasacademicpartnerstheyareabletosharedetailsabouttheirinternalworkings.MUNIcreatedafirstdraftofaminimalnetworktopologydescriptionformatwiththegoalofsharingtopologydescriptionbetween taskpartners.MUNIalsostarted legaland technicalprocedurestoreleasetheirCyberRangePlatformasopensourceinY2,whichisbasedontheKYPOcyberrangeconceptdevelopedatMasarykUniversity.SixmajoreventswereheldwithCONCORDIA’sparticipation(seeTable3)thataredirectlyrelatedtotheproject1measurableKPI-DC-5“Morethanfour(4)Capture-the-Flag(CTF)competitions,trainingseminars,andtrainingcourses.”

Table3.TrainingeventsinY1.

CODE-CTFandCTFqualification 22.-23.11.2019 120participantsCODE’sJeopardy-styleCTFinvolvedmultiplecategoriesofchallengesforwhichtheteamshadalimitof18hourstosolve.TheteamshadtogothroughanonlinequalifyingCTF,where29outof56teams(6fromCONCORDIA)gotqualified.URL:https://ctf.code.unibw-muenchen.de/ctf-2019---the-5th-element-results.htmlUL-SecurityManagementCourse 18-22.11.2019 25participants

2https://www.concordia-h2020.eu/map-courses-cyber-professionals/3https://www.concordia-h2020.eu/cybersecurityevents/4https://www.concordia-h2020.eu/concordia-service-cybersecurity-tools/



TheULcourseprovidedanoverviewofmethodsandtoolsrelatedtosecuritymanagementinanintegratedmanner,thedifferentpracticalexercisesbeingperformedoverthecyberrangeplatform.URL:http://telecomnancy.univ-lorraine.fr/fr/security-managementUL-CyberRangeLaunchEvent 24.09.2019 150participantsTheULCyberRangeLaunchEventincludedanoverviewofCONCORDIAactivitiesrelatedtothecyberrange,demonstrationsofthecyberrange.URL:https://telecomnancy.univ-lorraine.fr/fr/inaugurationMU–KYPOSummerSchoolonCS 13-15.08.2019 20participantsHands-ontutorialsandcybersecurity(CS)gamesfortrainingoftheCzechnationalteamparticipatinginjointventurewithCyberSec4Europe.

URL:https://www.europeancybersecuritychallenge.eu.JCODE-WorkshopatCODE2019 10.06.2019 40participantsTheaimoftheworkshopwastodiscussthebestpracticesandtechnologiesrequiredtosimulaterealsystems.Furthermore,itwasdiscussedhowcyberrangescouldprovideabroaderportfolioofscenariosforefficienttraining.URL:https://www.unibw.de/code/jahrestagungenMU-CyberCzechExercise 21-22.05.2019 24participantsTheexercisewaschosentodemonstratecyberrangeplatformcapabilitiestoCONCORDIArepresentatives.Theexercisetrainedtechnicalskills,abilitytocollaborate,communicate,andsharerelevantinformationwithmanagement.URL:https://www.concordia-h2020.eu/blog-post/cyber-training-defence-exercise/T3.3initiatedcooperationwiththeotherpilots(ECHO,SPARTA,CyberSec4Europe)andH2020projects(THREAT-ARREST)intheareaofcyberrangeplatformsandCR-basedtrainings.WithECHO,SPARTA,andTHREAT-ARREST,pointsofcontactwereestablished.WithCyberSec4Europe, jointcollaboration isalreadyunderway in theformofsummerschools(executedandplanned).Also,paneldiscussionCyberRangesinH2020PilotsatIEEENOMS2020conferencewasproposedtofostertheideaofcooperation.

4.4 Outlook Y2 OurplansforT3.3inY2are:VirtualLab

• CollaboratewithtasksT3.1andT3.2intermsoftestingITinfrastructure.• Gathermoreinformationinthecontextofexistingcybersecuritylabs.

Services

• Include more specific tools and training offerings into the CONCORDIAportfolio.

• IncorporatemoreTrainingeventsinCONCORDIAcalendar.



• Provideamorefine-grainedmechanismoffilteringandsearchintheavailableCONCORDIAitems.

Training

• Continuetoworkonaminimalnetworktopologydescriptionformat.Furtherpursuetheideaofscenarioexchange.

• Iflegallyandtechnicallypossible,releaseKYPOCyberRangePlatformasopensource.

• Participationon“IFIPsummerschoolonPrivacyandIdentityManagement”incollaborationwithCyberSec4Europe.

5 Establishing a European education ecosystem for cybersecurity (T3.4)

5.1 Task objective ThistaskwillcontributetothedevelopmentofaEuropeanEducationEcosystemforCybersecurity through a number of targeted actions addressing mainly thecybersecurity industry and its professionals (technicians, mid-level management,executives)andteachers.

5.2 Status The task 3.4 is progressing as planned. The work performed in the first year onpooling,assessinganddisseminatingexistingcoursesinConcordiaconsortium,thecommunicationactivitiesaroundthemsetsolidgroundsfordevelopingaEuropeanEducation Ecosystem for Cybersecurity. The findings of the feasibility study for aCybersecurity Skills Certification Schemewill help further in closing thework ondevelopingtheframeworkforaCONCORDIAcertificateandonthemethodologyforthecreationofnewcoursesalreadystartedinyear2019.

5.3 Key achievements Y1 Inyear1,undertaskT3.4westartedworkingonfourofthesixtaskactionslistedinthe project plan, namely Actions 1. Pooling, assessing and disseminating existingcourses,Action2.DesignanddevelopaCybersecurityspecificMethodologyforthecreationofnewcoursesand/orteachingmaterials,Action4.Developaframeworkfor a CONCORDIA certificate to be attached to the courses produced by theconsortiumandAction6.ContributetobuildingaEuropeanEducationEcosystemforCybersecurity(Figure5.StructureoftheT3.4actionsandprogress).



Figure5.StructureoftheT3.4actionsandprogress.

OverviewofcybersecuritycoursesofferedbyCONCORDIApartnersAction1’sinitialeffortwasallocatedtocollectinginformationontheexistingcoursesoffered by the CONCORDIA consortium to different categories of industryprofessionals in Cybersecurity within Europe such as technologists, mid-levelmanagers,executives.ThepartnerswhereinvitedtoprovidedetailsviatheEUSurveyplatform on the content of the course, target audience, delivery format, language,certification,alumni,butalsoonthe linkageofthecoursetothefivepillarsofthedata-centric approach to Cybersecurity advocated by CONCORDIA, and on theirassociationtothefivecoreindustrialpilotsthatCONCORDIAisfocusingon,namelyTelecom,Finance,Transporte-mobility,e-HealthandDefensesectors.InviewofdisseminatingtheCONCORDIAcourses,wehaveplottedthemonadynamicmap1ontheprojectwebsite.Wealsomadeavailabledifferent filterswhichcanbeused to help professionals identify the trainings which best suit their needs forupskilling,reskillingorsimplylearningaboutcybersecurity.Wealsousedtheeventscalendar2asanadditionalchannelfordisseminationoftheCONCORDIAcoursesbyprovidingconcretedateswhereavailable(seeFigure6.CONCORDIAdynamicmapofcoursesandexcerptfromthecalendar).

1https://www.concordia-h2020.eu/map-courses-cyber-professionals/2https://www.concordia-h2020.eu/cybersecurityevents/



Figure6.CONCORDIAdynamicmapofcoursesandexcerptfromthecalendar.

ByNovember2019,non-lessthan33coursesorganisedbytheCONCORDIApartnerswereplottedonthemap.Tothese,anumberof27externalcourseswereaddedasweopenedthemapforexternalsubmissions.ThisendeavourispartofthetaskAction6 as it helps contribute to building the European Education Ecosystem forCybersecurity.Themapwillbeupdatedonacontinuousbasisandaimatbecomingthemainsourceofinformationonavailablecoursesforcybersecurityprofessionalsandofprofessionalsinterestedincybersecurity.ThecoursesweredisseminatedonlineviatheCONCORDIAwebsite(thecoursesmapand the calendar), social media posts, andofflineduring events (Brussels – ECSOmeetings;Rome–Womenincyber;Heraklion–ENISAsummerschool;Luxembourg-CONCORDIAOpenDoor2019)–thelinksare:• Launchthedynamicmaponcourses(duringtheGA5/06):

o https://www.concordia-h2020.eu/map-courses-cyber-professionals/o https://www.concordia-h2020.eu/news/towards-a-european-education-

ecosystem-for-cybersecurity/• Promotethedynamicmaponsocialmedia:

o https://twitter.com/FLCutas/status/1138378020094402560• Newsitem(calendarofcourses)createdonCONCORDIAwebsite:



o https://www.concordia-h2020.eu/news/concordia-calendar-courses/• Disseminationactivitiesonsocialmedia:

o https://twitter.com/FLCutas/status/1166285862381989890o https://twitter.com/FLCutas/status/1159012919230849024o https://twitter.com/concordiah2020/status/1158762987454377984o https://twitter.com/BCarminati/status/1154070421379190784o https://twitter.com/FI_CODE/status/1158998271651713024o https://twitter.com/FLCutas/status/1154000779906150400o https://twitter.com/FLCutas/status/1151404667332694016o https://twitter.com/concordiah2020/status/1151396260793987072o https://twitter.com/concordiah2020/status/1151396260793987072o https://twitter.com/EIT_Digital/status/1166247733780471808o https://www.linkedin.com/posts/felicia-cutas-18212332_concordia-

calendar-for-cybersecurity-courses-activity-6564787038250377216-04jB

o https://www.linkedin.com/posts/felicia-cutas-18212332_we-are-part-of-concordia-ecosystem-h2020-activity-6559706731482497024-LcQe

o https://www.linkedin.com/posts/concordia-h2020_concordia-calendar-for-cybersecurity-courses-activity-6564528922619334656-AcEG

o https://www.linkedin.com/posts/concordia-h2020_cybersecurity-skills-europe-activity-6557161779615539200-kUCt

o https://www.linkedin.com/posts/eit-digital_cybersecurity-incidents-cost-businesses-40b-activity-6572017256409112576-Lfng

• Newsitemtopromotetheupdateslinkedtothecourseso https://www.concordia-h2020.eu/news/concordia-map-60-

cybersecurity-courses-collected-in-6-months/• PromotionofthecalendarandcoursesonTwitter:

o https://twitter.com/FLCutas/status/1202154413940494336o https://twitter.com/FLCutas/status/1191642813647278080o https://twitter.com/FLCutas/status/1204348141052538880

AssessmentofCONDORDIAcoursesA significantwork part of Action 1. Pooling, assessing and disseminating existingcourses was devoted to assessing the existing CONCORDIA courses (Annex A:Assessing the courses for Cybersecurity professionals already developed byCONCORDIA partners (T3.4)). In view of doing so, we first outlined the keyCybersecurity needs and challenge areas, looked into the different Cybersecuritycompetenciesneededandsomeoftherelevantcoursesofferings,exploredthemarketneeds in termsofcybersecurityskillsandpresentedexistingmodels insupportofmatchingthecompaniesneedswiththeskillsoffers.WethenaskedtheCONCORDIAindustrypartnersabouttheirneedsintermsofskillsand technical people and check towhich extent they are addressed by the actualCONCORDIAprofessionaleducationoffer.TheconclusionswerecapturedinAnnexA:Assessing the courses for Cybersecurity professionals already developed byCONCORDIA partners (T3.4) and was/will be further used in developing themethodology for the creation of new courses and in feeding the CONCORDIAcybersecurityroadmapEducationchapter.Contentwise,thecoursesarevariousbut



notnecessarilyindustryspecific,especiallytheonesaddressedtomiddlemanagersandexecutives.Besides,theycovermainlyacademicandtechnicalknowledgeandtoa lesser extent business aspects and hands-on components for which part of theindustrypartnersarelookingfor.MethodologyforthecreationofnewcoursesBasedontheobservationsdrawninAnnexA:AssessingthecoursesforCybersecurityprofessionals already developed by CONCORDIA partners (T3.4) assessing theexistingCONCORDIAcoursesandtheeducationenvironment forprofessionals,wehavestateddevelopingaspartofthetaskAction2,amethodologyforthecreationofnewcoursesandteachingmaterials.Theproposedmethodologywillhaveabusinessapproachinthesensethatitwillstartfromtheindustryneedsintermofupskillingtheir personnel and/or hiring skilledworkers. The document is structured in tenchaptersasdepicted in theFigure7.Weplanatbuilding itasapracticalguidebyprovidingundereachchapterachecklistsandreferringtosomebestpracticecases.The structure was validated internally with the partners contributing to thedevelopmentofthisactionandisintheprocessofbeingdeveloped.Themethodologypaperwill bemade available to the consortiumpartners at the beginning of year2020.

Figure7.CONCORDIAstructureoftheMethodologyforcreationofcourses.

TowardsaCybersecuritySkillsCertificationSchemeProgress has been made also in the task Action 4. Develop a framework for aCONCORDIA certificate tobe attached to the coursesproducedby the consortiumlinked to the development of a framework for a CONCORDIA Certificate. We arecurrently finalizing the Feasibility study for a Cybersecurity Skills CertificationScheme assessing the need for the creation of such a certification scheme, andidentifyingspecificprofilesnotcurrentlycoveredbyanycertificationscheme.Thestudylooksmainlyintotheexistinginitiativesforcybersecuritycareersandstudies,cybersecuritybodyofknowledge,existingCybersecurityskillscertificationschemes,andmappingexistingcertificationschemestocompetenciesandlevels.Basedontheconclusions of the Feasibility study wewill develop a Certification framework toprovide thenecessary information regarding theprocess of the skills certification



specifictocertainprofiles-fromthesubmissionoftheapplicationtotheachievementandthepreservationoftheircertification,todescribetheexaminationmechanismsproposed by CONCORDIA for the certification of knowledge, skills and othercompetences of the related professionals, and to look into the type of supportingtechnologytobeusedintheimplementationoftheframework.

5.4 Outlook Y2 InYear2wewillcontinueupdatingtheinformationonthecybersecuritycoursesforprofessionalswithrespecttothedatesandnewcontentandwillpromotethemonlineandoffline.ThemethodologyforthedevelopmentofnewcybersecuritycoursesforprofessionalswillbefinalizedandmadeavailabletotheconsortiuminQ1-2020.ThemethodologywillbeafterwardsappliedtotheAction3ofT3.4bydevelopingnewcourses targeting industrymid-levelmanagement andexecutives.Wealsoplan tofinalize thework on the Feasibility study for the Cybersecurity skills certificationschemeandontheFrameworkfortheCertificate.TheintentionwouldbetotesttheFramework for theCertificatebyapplying it to a specificprofile identifiedvia theFeasibilitystudy.

6 Community building, support and incentive models (T3.5) 6.1 Task objective Task3.5hastwoobjectives.Thefirstisrelatedtoearlystagestartupsandservicesthat CONCORDIA could deliver to these stakeholders, including creation of futurestartups(e.g.today’sCONCORDIAresearchers)anddefinitionofsupportservicesthattheymightneed.Thesecondobjectiveofthetaskistodevelopandevaluateincentivemodelsfordatasharing,whichwillstart inYear2.Inbothobjectives,collectionofbestpracticesanddraftingofguidelinesareexamplesofactivitiestobeexecuted.Task3.5contributestoCONCORDIAoverallprojectobjectiveO2,whichstatesthat“CONCORDIAaddressesthiswithagovernancemodelthatcombinestheagilityofastartupwiththesustainabilityofalargecenter”.TaskT3.5iscloselyrelatedtotaskT5.1,whichfocuseson“startupincubators”.Wethereforejointlycarryoutinformationgatheringactivities.

6.2 Status We are on track for the first objective of task T3.5. In Y1, we developed a firstdescriptionoftheconceptofa“startupfactory”andsharedourpreliminaryresultswithinCONCORDIAandwiththelargercybersecuritycommunityinEurope.Theseresultsarebasedonasetofresearchquestionswearticulated,aliteraturestudy,andinterviews of several startup cybersecurity companies and researcher-entrepreneurs.WecapturedtheresultsofY1inaninternaldeliverable(seeAppendixB),whichwasdistributedtothepartnersinvolvedandtothemanagementboard,aswellasexternaladvisors.The feedbackwascollectedanddiscussedat theCONCORDIAOpenDoorEventinLuxembourg,withseveralalternativeoptionsforthefurtherdevelopmentofservicesforCONCORDIAstartupcommunity.



WeobservethatstartingcybersecuritybusinessoffthegroundisslightlydifferentthanstartingotherITbusiness,giventhemarketspecificities(formoredetailsseedeliverableD6.3).Theservicesandbusinessmodelmayvaryduetothelocationorphysicalpresence,butinsomecasesnotentirely.AcybersecuritystartupthattargetsSMEcustomers,forexample,mightchoosealocalgo-to-marketstrategy,whilenichesolutioncouldonlyuseonline sales channels.Thereare someguidelinesandbestpracticesavailableontheInternet1andentrepreneurshiphasbeenaddedtocertaincurricula,suchasEITDigitalMasterSchool2,butthedifficultyliesinapproachingthedemand side customers, which are often reluctant to work with the freshlyestablishedcompanies.Thesecondpartof taskT3.5ondatasharing incentiveswill start inY2because itdependsonotherCONCORDIAactivities,suchasT3.1,T3.2,andtheWP2pilots.

6.3 Key achievements Y1 ResearchquestionsarticulatedOurfirstworkproductconsistedofasetofresearchquestions,whichwearticulatedbased on a literature study that covered topics such as cybersecurity-specificcontexts,differentkindsoffinancingoptionsforstartups,stakeholdermotivations,andsuccessfactors.Theresearchquestionswefocusonare:

• Whatarethemotivesfordifferentstakeholdersin“startupfactory”schemesandservices?

• Howistheperformancemeasuredandhowdoesitrelatetocybersecuritykeyperformanceindicatorsingeneral?

• What are the external factors that shape or influence “startup factory”landscapeforcybersecurityentrepreneursinEurope?

We also interviewed selected spin-offs and startups to gain insight into thesequestions from their experiences, as well as with some investors and otherstakeholders.Inparallel,wehavecarriedoutaliteraturestudyonservicesforearlystage startups inother IT sectors. Finally, collection andanalysis of data includedcomparisonof findings fromliteratureandpublicsources, inorderto findspecificchallengesandgapsinthecybersecuritystartupsituationinEurope,.StartupfactorypropositionWedevelopedafirstdescriptionoftheconceptofa“startupfactory”,forinstanceintermsof its servicedefinition,valueproposition,andpositioning.This is themainresultofphase1(seeFigure8)thatisestablishingvisionand,afterall feedbackisgatheredfromthemanagementboard,itwillbealsoreflectedinthestrategy.

1 So You Want to Run a Cybersecurity Startup, available athttps://static1.squarespace.com/static/551468e4e4b0bd427144c108/t/560af216e4b053ff51a6e0d6/1443557910287/FullSiteSol-article-V4.pdf/2https://masterschool.eitdigital.eu/programmes/sap/



Theconcept isbasedonreconciliationof innovationpushandpullparadigms inacybersecurity ecosystem such as CONCORDIA.Demand side customers, aswell aslargesystem integratorsorconsultantsalreadypresenton themarket,areable tobetteridentifyrealbusinessneedsandderiveorconnecttoinnovativeideascomingfromsupplysideacademiaorstartups.InsideCONCORDIAtheseideascouldbetestedbefore or in parallel to the business modelling or start of startup revenues. Themechanism that could be used could be Open Call (already described in thedescriptionofwork)orasapartoftheWP2.

Figure1.Implementationofearlystagestartupservicesin3phases

Ourdefinitionisbasedoninterviewswithresearchers-entrepreneursandearlystagestartups, which are the startup factory’s main target groups. We for instancediscussed other similar services with them (e.g., in terms of their gaps), thespecificities of cybersecurity markets, and the relationships between the targetaudienceofthestartupfactoryandotherstakeholders.Wedrewupafirstsetofconclusions,whichwepresentedatseveralevents,suchasConcordiaOpenDooreventinLuxembourgorCybersec4europeconcentrationeventinToulouse.Someexamplesare:

• Communitybuildingthroughnetworkingandbrokerageisfine,butstartupswouldnotpayforit.

• Supportforskillsandeducationincludingmentoringishighlywelcomedandsomestartupsarewillingtopayforit,iforganisedattheregionallevel

• Theconceptof cybersecurity-specific incubators receivedpositive feedbackandthesecouldbepan-European

• Startupvouchers(e.g.foruseoftestingfacilities,orcertification)arealsoseenasagoodidea.



• Atthemomentthereisnoproblemwithaccesstofinance,butstartupshavedifficulty to reach customers without partnerships with trusted andestablishedlargecompanies.Partnermatchmakingcouldbeagoodidea.

• BusinessdevelopmentsupportinCONCORDIAiswelcomedandKPIsshouldberelatedto“accesstofinalcustomer”insteadofpurefinancing

Participationinotherevents(e.g.,ECSOCyberInvestordaysandSouthSummit)hadtheobjectiveofgatheringopinionsfromearlystagestartups,inordertounderstandtheirneedsaswellasfurtherpromotetheCONCORDIAstartupcommunity.StartupchallengesBasedonourliteraturestudyandtheinterviewsweconducted,weidentifiedfourkeychallengesforcybersecuritystartups:Accesstoearlyadoptercustomers,whichiscriticalforanynewcompany,butinthecase of cybersecurity it ismuchmoreproblematic, since thebusiness is basedontrust.Customersdonotwanttobethefirstclientandtheyoftenpreferwell-knownproviders or brands, even if these established players lack agility or innovativeproducts.This is evenmore the case foroperatorsprovidingessential servicesoroperating specific market segments such as defence, which are experienced inworkingwithstartups,forinstanceintheformofsubcontractorsoflargecompanies.Accesstofundsandfinancing,whichseemstoberathersatisfactorybecausestartupshaveseveralalternativefundingmechanismsattheirdisposal(e.g.incubators,openchallengesorhackatons,cyberinvestoreventsetc),whichisunlikeafewyearsagowhenthesetofoptionswasmorelimitedandbankcreditsor“friendsandfamily”financingmodelswerepredominant.However,solvingfinanceissuesdoesnotsolveall theproblemsforthestartup. Investments fromseedfunds, forexample,donotbringreferencesandisnotaguaranteeforthesolutiondeployment.Customersdonottrustsomeexistingreferencesthatcomefromresearchorinnovationprojects,andoftenaskforreferencesfromtheoperationalenvironmentwithcustomersthataresimilartothemintermsofsizeandmarketsegment.Hereagain,financingthatmixespartnershipwithlargercompanies,orsomesortofvouchersorincentiveforfirsttimedeployment,wasmentionedasoneofthepossiblesolutions.Keeping up with the quickly changing cybersecurity landscape, which forces allstakeholders to continuously monitor technology and markets, as well as toimplement internal innovationprocessestomaintainappropriate levelofsecurity.Whilethisisanimportantactivityforanycompany,itismorecomplicatedforearlystagestartupsbecausetheyoftendonothaveresourcesforthiskindoftasks.Similarconcernswereexpressedforfuturecertifications,labellingandcompliancetasks.Developing business support services for startups, which is important becausecybersecuritycompanieswillbecollaboratingwithmanypartiesinmanydifferentways in the future, including jointly entering themarket and subcontracting. Thistranslates to specific business model challenges, including cybersecurity startupvalue networks. Knowledge sharing and best practice exchange is expected withsimilarcompaniesoperatinginotherregions,universities,corporates,startupsand



otherMemberStates.Supportservices,suchasmentoringorbusinesspartnershipbuilding,willthusplayavitalrole.

6.4 Outlook Y2 InY2,wewillbecomparingregionaldifferences,suchastheinvestmentsindifferentMemberStates,theratioventurecapitalavailable,culturalandinstitutionalfactors,riskappetite.WewillalsolooktojoinpartsofthistaskwiththosefromT5.1,whichdealswithmoremature startups. Based on best practices we plan to publish a “Guide for youngcybersecurityentrepreneurs”.Theworkondatasharingincentiveswillalsostartinyear2,withstrongercollaborationbetweenpilotactivitiesandtasksT3.1andT3.2.

7 Conclusions and outlook Asacommunitybuildingandsustainabilityactivity,WP3hasfullymetitsobjectivesfor Year 1 and proactively explored enhancements beyond the baseline activitiesscopedintheDoA.AllWP3activitiesarecurrentlyontrackandalltaskshaveoutlinedtheirY2work.

8 References [1] MISP-OpenSourceThreatIntelligencePlatform&OpenStandardsForThreat

InformationSharing.(https://www.misp-project.org/)[2] The “Advanced Cyber Defence Centre” project - Information Sharing

Platform/Central Clearing House. (https://acdc-project.eu/software/information-sharing-platformcentral-clearing-house/)

[3] DDoS-DBhomepage,https://github.com/ddos-clearing-house[4] K.eSilva,“Mitigatingbotnets:Regulatorysolutionsforindustryinterventionin

large-scalecybercrime”,Ph.D.thesis,TilburgUniversity,Dec2019[5] J. Conrads, “DDoS Attack Fingerprint Extraction Tool: Making a Flow-based

ApproachasPreciseasaPacket-based”,M.Sc.Thesis,UniversityofTwente,Aug2019



Annex A: Assessing the courses for Cybersecurity professionals already developed by CONCORDIA partners

(T3.4) Abstract:ThisdocumentispartofthedeliverableD3.1andisprovidinginsightsonthe courses for Cybersecurity professionals already developed by CONCORDIApartnerswhileplacing them in the larger landscapeof cybersecurity.The findingsreflecttheperiodofassessmentbetweenJanuary–October,2019,andwillbefurtherusedasabasisforestablishingaEuropeanEducationEcosystemforCybersecurity.

Editors Felicia Cutas Contributors EIT Digital – Felicia Cutas

UMIL – Claudio Ardagna UOP – Kostas Lampropoulos UT – Mattijs Jonker TUDA – Neeraj Suri

A.1 Executive summary Cybersecurityasaconceptinindustrialandbusinessenvironmentwasconsideredinthepastasanafter-thoughofthedesignandoperationofInformationalTechnologysystems process. This had to do with the lack of proper training and securityawarenessof thebusiness/industrialprofessionals involved insuchenvironments.Underthe lightofmanycybersecurityattacksthathavecausedhavocatEuropeanandInternationallevelandproducedconsiderablerisksanddamages,thisattitudehasconsiderablychanged.Thus,nowadays,thereisagrowingneedbytheindustrialprofessionalcommunityforlearningbasicbutalsoadvancedcybersecurityconcepts.This is reflected in the considerable amount of offered cybersecurity courses byvariousEuropeanandinternationalorganizations.However,despitetheplethoraofoptionsto learnthere isaprofound lackofcoherencyandholisticplanning inthistraining and awareness effort since each offered course (or series of courses) isdesigned with different criteria from other courses (by another organization).Hence,inseveralcasesthisapproachisconfusingthetraineeonwhatandhowheshould perceive cybersecurity concepts, as well as how to use them to cover hisprofessionalneeds.InConcordia,weacknowledgetheproblemandtrytoaddressitbydevelopingaEuropeanEducationEcosystemforCybersecuritythatwillincludeabroadrangeofcoursespresentedinaconsistentandcoherentmanner,thatwilltakeintoaccounttheactualneedsofboththeindustryandtheindustryprofessionals,andthatwillindicatetheroadmaponhowtodesignnewcourseservingtheprofessionalsinthebestpossiblemanner.This document presents the portfolio of courses offered by the CONCORDIAconsortium to different categories of industry Cybersecurity professionals withinEuropesuchastechnologists,mid-levelmanagers,executives.Thisendeavor,alongwith other actions to be developed under WP3, aims at contributing to thedevelopmentofaEuropeanEducationEcosystemforCybersecurity.



The findings presented in this paper will be further used in developing aCybersecurity specificmethodology for the creation of new courses and teachingmaterialsforCybersecurityprofessionals,andforpotentiallyidentifyunmetneedsintermsofcourses.ItwillalsocontributetodevelopingaCybersecurityRoadmapforEuropeaspartoftheWP4.Thedocumentisorganizedasaprogressionof3chaptersthatcoverthefollowing:ChapterA2:outlinesthemajoreducational/competencebuildingchallengesrelatedto the Cybersecurity sector while also introducing a non-exhaustive collection ofavailableCybersecuritycoursesforprofessionals,bothonlineandoffline.Thechapteroverviews trends in needs of European companies in terms of cybersecuritytypes/profilesofjobsopeningsonLinkedInovertheperiodApril–October2019andcloses by pointing to different models aiming at helping (future) Cybersecurityprofessionalsindevelopingtheneededskillstobuildtheircareerwithinthesector.Theintentistocontribute,asviable,tomatchthe“demandandsupply”fortalentintermofskillsdevelopment.ChapterA3:presentsthecurrentlyavailablepoolofCybersecurityrelevantcoursesalready developed by the CONCORDIA partners. The data on these courses wascollectedastoreflecttheirlinkagetothefivepillarsofthedata-centricapproachtoCybersecurityadvocatedbyCONCORDIA,andalsotheirassociationtothefivecoreindustrialpilotsthatCONCORDIAisfocusingon,namelyTelecom,Finance,Transporte-mobility, e-Health and Defense sectors. Furthermore, the CONCORDIA industrypartnerswerequeriedontheirneedsintermsofcybersecurityskillsandpeople,inanattempttogetabetterunderstandingofthegeneralskillsgapchallenge.ChapterA4: closeswith some recommendationson the characteristicsof coursesneededtobeofferedontheCybersecurityskillsmarketplaceastofacethecurrentchallengesandtosupporttheincreasingdemandforCybersecurityprofessionals.



A.2 The Landscape WhatarethekeyCybersecurityneedsandchallengeareas?The digitization of industries, the constant increase in number of interlinked IoTdevices, the dramatic rise in the data volumes and the pervasive use of ICTtechnologiesinallwalksoflifeareexpandingthelistofCybersecurityrisks.AsurveyconductedbyTUVRheinland1lists8maintrendsinCybersecurityfor2019.Relevant to our assessment exercise it’s worth mentioning the following trends.Trend1:Cybersecurityhasbecomeaboard-levelissue,Trend5:TheCybersecurityskillsshortagewilldistortthelabormarket,andTrend8:Cybersecuritywilldefinedigitaleconomywinnersandlosers.Indeed, it is important to acknowledge that Cybersecurity it is not strictly an “ITmatter” any longer, but it impacts all levels of the businesses and turned into abusinessrisk.Cybersecuritystrategiesshouldaddresshorizontallyalldepartmentsof an organization and would need to be allocated reasonable funding, both forinvesting in technologies and in people at different levels. Thus, it becomesparamounttoincreasethetrainedworkforcepoolandtoupskilltheexistingone,bothingeneralknowledgebutalsoinverytechnicalones.AccordingtotheVaronis’infographicsThefutureofCybersecuritybudgeting2,mostC-levelexecutives(60%)interviewedconsiderthatthecurrentsolutionstheyhaveimplementedintheirorganizationskeepthemsafefromcyberthreats,thusdonotprioritize investment in information security products and services. ThedisagreementoverprioritiesbetweentheseniormanagementandtheCybersecurityexpertscontributedtoexposingthecompaniestodatabreaches.Nevertheless, theimportance of cyber protection ismore andmore acknowledged and 75% of theorganizationsstudiedhaveincreasedtheirCybersecurityinvestmentsinthepast12months.Itisnotclearthoughtowhichextent,partofthisbudgetisallocatedtoskillsdevelopmentwithintheorganization.Morethan40%ofcyberattacks3aretargetingsmallbusinesses.Besides,todate,60%ofsmallcompaniesgooutofbusinesswithinsixmonthsofacyber-attack.Theskillsshortageestimatedtoreach1.5milliongloballyby2020willleadtoanincreaseinsalaries,making itchallenging for thesmallorganizationstoattract talentsoas toprotect their organization. Consequently, if little investment in developingCybersecurityskillswithintheorganizationismade,thecyberriskwillturnintothemainbusinessrisk.

1https://img06.en25.com/Web/TUVRheinlandAG/%7B72babaf7-4989-4086-a89b-2536d75429b5%7D_TÜV_Rheinland_Cybersecurity_Trends_2019_EN.pdf2https://techaeris.com/2019/05/11/infographic-the-future-of-cybersecurity-budgeting3https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html



TheCybersecuritysectorhasastrongannualgrowthrate,astheworldwidemarketforinformationsecurityisexpectedtoreach€145billionby2020.Partofthisgrowthisgeneratedbystartupsandyoungcompanies fromtheNetworkand InformationSecuritysector,thoseinnovativeandagilewayofactingbringanaddedvaluetothesector. An ENISA analysis on Challenges and opportunities for EU Cybersecuritystartups1confirmed that the start-ups are aswell impacted by the skills shortagebecauseof the scarcityof theappropriateprofilesand the costof sourcing,whichreduce their chances to scale-up. The same analysis identifies that on top of thecategoryofinvestmentandfundingchannelsfortheNISstart-upsarethefollowing:investorsspecializedinCybersecurity(eg.accelerators);investorsnon-specializedinCybersecurity;privatestakeholdersthatprovidesupportotherthanfundingtoNISstart-ups, such as private incubators, private accelerators and corporate openinnovationin largecompanies.Someofthesecategoriescouldbealso lookingintodevelopingknowledgeandbekeptupdatedintheCybersecurityareaforthebenefitofthestartupstheyareinvestingin,andoftheEuropeanCybersecurityindustryasawhole.Buttheinvestorsarenottheonly“un-conventional”categoryofprofessionalsthoseactivitieswouldbenefit fromacquiringknowledgeoncybersecurity.Following thetrend of digitization, the cyberattacks are threatening an increased range ofindustries, thus forcing a shift in skills needed to perform traditional tasks. Forinstance, in the health sector, physicianswould not only need to take care of thepatients but also to protect their data. The cybersecurity threats and some of theassociatedvulnerabilitiesthatcurrentlyaffectthehealthsectorarewelldescribedinthe publication Health Industry Cybersecurity Practices: Managing Threats andProtecting Patients 2 which also recommend cybersecurity practices for smallorganizations3andformediumandlargeorganizations4.Samegoesinthelegalareawhere the practitionerswould not only need to understand cybersecurity field ifinterestedtobecomeacybersecuritylawyerbutalsotoprotecttheinformationtheyareworkingwith as a significant amount of data is collected during the process.Universitiesareexpanding theiroffersas toprepare thenewgenerations,but thepractitionersshouldalsogetanunderstandingofthecyberdomainanddevelopbasicsecurityskills.WhenitcomestotheITprofessionals,theTripwireSkillsgapsurvey20195revealednotonlythattheskillsgapisgrowinganditisgettingharderforthecompaniestohireskilledsecurityprofessionals,butalso the fact that theskills required tobeagreatITsecurityprofessionalarechangingatafasterpace.

1https://www.enisa.europa.eu/publications/challenges-and-opportunities-for-eu-cybersecurity-start-ups2https://healthsectorcouncil.org/wp-content/uploads/2018/12/HICP-Main-508.pdf3https://healthsectorcouncil.org/wp-content/uploads/2018/12/tech-vol1-508.pdf4https://healthsectorcouncil.org/wp-content/uploads/2018/12/tech-vol2-508.pdf5https://www.tripwire.com/misc/skills-gap-survey-2019/



Bothhighereducationindustryandtheprofessionaltrainingprovidersareworkingto address the increase skills need. But, as reflected in the ECSO paper Gaps inEuropean Cyber Education and Professional training 1 there is a need for atransformation in the area. Cybersecurity is to be viewed as an emerging meta-discipline and not just an academic discipline. The academic education systemapproaches Cybersecurity from a holistic perspective whereas the professionaltraining is usually focused on specific skills. As are addressing different learningneeds,theyshouldbothbepartofacareerdevelopmentpath.Besides,theyshouldnotworkinisolationbutcooperateandexchangeknowledge.One of the challenges the organizations are facing today when looking forCybersecurityspecialists, isthedifficulty inmatchingtherecruitmentcriteriawiththestudiesandthequalificationslistedintheCVsoftheapplicantsbecauseoftheuseofnon-standardterminology.Theadoptionofastandardlexicon,includingcyberroleresponsibilities2willhelpontheonehandcompaniesidentifyingtherighttalentforthejob,andontheotherhandtheeducationprovidersbettershapetheircurriculumtomatchthecyberworkforceneeds.Finally,asthecyberthreatsanorganizationisfacingarediverseandwouldrequiredifferenttypeofskillsandperspectives,adiverseteam3shouldbebuilt.Thediversitywithin the team would require different backgrounds and personalities (techies,creative people, problem solvers, communicators, …) but also different age andgender.Itwillbringtheadvantageofreachingbetteroutcomesaswillhelpassessingsituationsfromdifferentperspectivesandprovidingdifferentapproachestoproblemsolving.WhatarethedifferentCybersecuritycompetenciesneeded?InthecontextoftheCONCORDIAprojectandforthepurposeofthisanalysisweusetheterm“Cybersecurityprofessionals”asincludingacademiathoughtmostlythebroad group of industry representatives such as IT technical teammembers andexperts,middlemanagersleadingITornon-ITtechnicaldepartments,andexecutivesofthecompanies.SinceCybersecurityisahorizontalissueimpactingalldigitizedindustries,theneedsintermsofcompetenciesmightdifferbutthefollowingelementscouldbeconsideredgenerallyvalid:

• IT Technical team members – are looking for acquiring new knowledge,developingnew skills, and to upskill the existing ones. This category could

1https://www.ecs-org.eu/documents/publications/5bf7e01bf3ed0.pdf2https://niccs.us-cert.gov/sites/default/files/documents/pdf/cybersecuritytalentidentificationandassessment.pdf?trackDocs=cybersecurity%20talent%20identification%20and%20assessment.pdf3https://www.forbes.com/sites/extrahop/2019/07/19/how-to-combat-the-security-skills-shortage/#27db2e464eae



incorporate also the recent graduates and the students comingback to theuniversitiestofollowonlyspecificCybersecurityrelatedmodules.

• IT Technical experts and freelancers – are looking for expanding theirCybersecurityknowledge,ortotesttheirskillsindifferentscenarios.

• Middle-managers leading IT departments – are looking into learning about

new techniques and/or solutions to identify, protect, detect, react fast andrecoverfromacyberattack.

• Middle-managers leading non-IT departments – are looking into

understandingthegeneralcyberrelatedrisks,andintopracticaltechniquestobeimplementedastoavoidacyberattack,andtorecognizeandknowhowtoreact in case such an event occurs. This category could include also non-traditionalcategoriessuchasphysicians,lawyers.

• Executives – are looking into having a general understanding of the

Cybersecurityareaanditsimpactonthebusiness,investmentandinsurancewise included, as Cybersecurity is becoming a business risk. CybersecurityAuditors within companies are also part of this group. This categoryincorporates also the startups and scaleups which do not afford having aspecializedITdepartmenttoprotecttheirbusinessthusneedtocoveralltheaspectsofthebusiness.

• Investors looking into indevelopingknowledgeandbekeptupdated in theCybersecurityarea,inviewofplacingfundingindifferentcyberornon-cyberrelatedbusinesses.

• Academia – are looking for enriching their theoretical knowledge with

informationonnewprotocols,techniques,products,servicesdevelopedbytheindustry

• Non-IT employees – not necessarily actively looking into developingCybersecurity skills but being asked by the company procedures to have abasicknowledgeinthefieldinordertopreventand/orreactproperlyincaseof a possible cyber-attack. This category could include also the users ingeneral.

Besides,inordertobuildacareerinCybersecurityoneshouldbeawarethatapartoftechnical skills, soft skills suchasanalytical-, communication-,writing-, leadershipskillsshouldideallybedeveloped.These needs are backed by the findings of the International Information SystemSecurityCertificationConsortium(ISC)2intheir2018(ISC)2Cybersecurityworkforce



study1inwhichCybersecurityexperts identifiedcommonchallenges that couldbeaddressedatthecompanylevelsuchas:thelackofsecurityawarenessamongend-users; a lack of funding; not enough skilled staff available; a general lack ofsupport/awareness from management about the urgency of Cyber- securityinitiativesoverall.Furthermore, the (ISC)2 study also depicts different skills areas identified byCybersecurityprofessionalsasimportanttobeimprovedorenhancedinthefuture.

FigureA1.Credits:(ISC)2

It is important to note that, in today data-driven environment and data-driveneconomy,acyber-securityprofessionalmusthavecompetencesintheareaofdataanalysis.Thelatterinfactisofparamountimportanceforguaranteeingandverifyingcybersecurity inmodernarchitectures.Evenmore, the roleof thedata scientist isfundamentaltogetridofnovelthreatsandattacks.Infact,securityismovingfromapplication security to data security,meaning that cybersecurity depends on datasecurityandthecapabilitiesofcorrectlyinterpretingthedataatourdisposal.Today,manyArtificialIntelligenceapproachesareappliedforguaranteeingcybersecurity,while,inturn,cybersecuritytechniquesareappliedtoartificialintelligencetoprovesomesecuritypropertiesonthem.TheneedofdataanalysisforcybersecurityisclearinallaboveboxesinFigureA1.andespeciallyinthedarkbluebox–“topareasforimprovement”,whereahugeamountofdataiscollectedeveryday(e.g.,Cloud)andtheabilityofcorrectlyanalyzingthembecomefundamental(e.g.,forensics).Thisisalsotrueintheorangebox–“areastoenhanceandgrowth”pointingtotheneweffort

1https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-Workforce-Study.ashx?la=en&hash=4E09681D0FB51698D9BA6BF13EEABFA48BD17DB0



supported by the European Commission in the definition of the EUCybersecurityCertificationFramework1. AlookintotheavailablecourseofferingsInthecontextofCONCORDIA,weconsiderthecourses/trainingsforCybersecurityprofessionalsasthecoursestowhichaCybersecurityprofessionalcanhavedirectaccesswithoutbeingconstrainedtobeenrolledinafullprogramme.Thesecouldbeorganizedonline,face-to-face,orcouldbeblended.A search on the Internet reveals that there is a plethora of courses addressingCybersecurityprofessionals.Theonlinecoursesareconvenient toprofessionalsastheyofferfullcontrolonorganizingpeoples’timeforstudyingthushelpingthemtocopebothwiththeprofessionalbusinesslifeandtheneedsforupskillingorreskilling.Thesecouldbedoubledbyface-to-facecoursesformiddleandseniormanagersorexecutives,orbyspecificcompetitionssuchascyber-rangesfortechnicalexperts.When it comes to the online courses, we identified the main platforms from theviewpointoftheusersandoftheCybersecurityrelatedcontentasbeingthefollowing:

- Coursera2–has33millionusersandithasinitsportfolioabout50coursesonCybersecurity,mostofthemaddressingintroductorytopics.

- edX 3 platform – has 14 million users to which it offers only around 30Cybersecurityrelatedcourses

- LinkedInLearning4-alearningplatformwith9.5millionusers,hostsaround120coursesonCybersecurity,halfofthemaddressingintermediateskilllevel,closelyfollowedbycoursesaimedatdevelopingbasicskillslevels

- Cybraryplatform5offerstoits2millionusersabout500cyberspecificvideocoursesforprofessionalsastodeveloptheircareers,butalsoforbusinessesinviewofworkforcedevelopment.

- IASACA 6 (Information Systems Audit and Control Association) providesonline,offlineandmixedcoursesofdifferentlevels(foundation,practitioner)both for information security and Cybersecurity, including courses forCybersecurityauditors.Thecoursesaresanctionedbycertifications.IASACAis a nonprofit global association that serves 140,000 professionals in 180countries

- Udacityplatform7–has8millionusersbuthasonlya small (9)numberofsecurity/Cybersecuritycourses

Although they are addressing the same market, each platform is structuring theinformationbasedonitsownmodel,andwithoutmakingareferencetoanycommon

1https://www.enisa.europa.eu/news/enisa-news/the-european-union-agency-for-cybersecurity-a-new-chapter-for-enisa2https://www.coursera.org/3http://www.edx.org/4https://www.lynda.com/5https://www.cybrary.it/6https://www.isaca.org/pages/default.aspx7https://www.udacity.com/



competenceframework.Thus,itmakesdifficulttocomparethedifferentoffersandtheirattractiveness.Inanattempttomeasurethereactionofthemarkettotherisksthecyberattacksarebringing within the different industries, we used the public statistics offered byLinkedInLearningplatformoveraperiodof6monthsandmonitoredthenumberof“views”ofdifferentCybersecurityrelatedcourses.ThefiguresconfirmedforinstanceareactiontotheincreasedCybersecurityriskforthebusinessbyregisteringaraiseinnumberof“views”fromonemonthtoanother(between7-15%)oncoursesformanagers suchas “ReasonableCybersecurity forbusiness leaders”, “Cybersecurityforexecutives”,“MicrosoftCybersecurity:shuttingdownshadowIT”,“Cybersecurityfor SMEs: essential training”, all launched in late 2018 or early 2019. The biggestincreaseinviews(19-20%)isregisteredforthecourse“TransitioningtoacareerinCybersecurity”, and the newly launched (June 2019) “Cybersecurity for ITprofessionals”and“TheCybersecuritythreatlandscape”.Withrespecttothecyber-ranges,informationisveryscarcethusdifficulttoassessatthisstage.cyberwiser.eu1–the“CivilCyberRangePlatformforanovelapproachtoCybersecuritythreatssimulationandprofessional training”newly launchedendof2018andbenefitingfromH2020funding,aimsatprovidingasetofinnovativetoolstogeneratehighlydetailedexercise scenarios simulating ICT infrastructures tobeused for Cybersecurity professional training, togetherwith tools and solutions tosimulate cyberattacks and defensive countermeasures. Cyberwiser.eu offers a“Behindthescenes:anin-depthlookatthetechnologybehindtheCYBERWISER.euPlatform”2TheEuropeanUnionAgencyforNetworkandInformationSecurity3(ENISA)putatthedisposalofinterestedprofessionalsacomprehensivesetoftrainingmaterialsinsupportofdevelopingskillsintheIncidentResponseandinthefieldofOperationalSecurity.InMay2019,theENISACSIRTtrainingmaterial4listwascomprisedof42titles,coveringfourmainareas:Technical,Operational,SettingupaCSIRTandLegalandCooperation.TheofferfortrainingcoursesforCybersecurityspecialistsis,onthecontrary,verylimited.Thetrainingsareavailableuponrequestby,forexample,theNational or Governmental CERT of the Member State, and must follow the EUregulation526/2013.ENISA and the Network and Information Security (NIS) education partners puttogetheraNISuniversitiesmap5underwhichtherearegroupedtogethercoursesand

1file://cyberwiser.eu2 https://www.cyberwiser.eu/news/behind-scenes-depth-look-technology-behind-cyberwisereu-platform3https://www.enisa.europa.eu/4https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material5https://www.enisa.europa.eu/topics/cybersecurity-education/nis-in-education/universities



certificationprogrammeslinkedtoNetworkandInformationSecurity,mostofthemforundergraduates,postgraduatesoratmasterlevel.Outofthe551coursesspreadaroundtheEU28,538areofflinecourses(datavalidinMay2019).Mostofthecoursesarerequiringregistrationinafullcurriculumthustheyarenotspecificallyaddressingthe Cybersecurity professionals and their needs as defined in this paper.Nevertheless, the map provides valuable content mainly to technical peopleinterestedindevelopingacareerinCybersecurityindustry,notnecessarilyengagedinabusinessactivityandwithnotimerestrictions.DifferentinternationalconsultingcompaniesandorganizationsincludeintheirofferscoursescoveringCybersecuritytopics:DeloitteEMEACyberAcademy1–offersonlinetrainings,awarenessprograms,onsitetrainings and aHackazone Zone, an online learning platform containing over 125challengesforperforminghands-onexercisesrelatedtovariousCybersecuritytopics.Theyaretargetinghighly-qualifiedtechnicalpeoplebutalsoexecutivesanddirectiveboards, technical andnon-technicalmanagers and executives and other employeegrades. The Deloitte Academy area of expertise covers Ethical Hacking, SecureSoftware Development, Reverse Engineering, Monitoring and correlation, DDoS,Advancedpersistentthreats,ForensicAnalysis,CyberIntelligence,CybersecurityandMobileDeviceSecurity.PwC’s Academy 2 is offering specialized courses to professionals, companies,industriesandgovernmentbodies intrendingdomains,betweenthemtheface-to-face course “Cybersecurity for Non-Cybersecurity Professionals during which theparticipantswillbegettinginvolvedinaproprietaryvirtualgame–GameofThreats3.EYCertifypoint4–isofferingcoursesforcertifyingauditorsondifferentstandardssuchasISO/IEC27001:2013-InformationSecurityManagementSystem,orSS584:2015-Specificationformulti-tieredcloudcomputingsecurity,commonlyknownasMTCSKPMGCyberAcademy5offersablendedframeworkofe-learning,virtualclassroomsandworkshop-basedfacetofacetraining.Theirofferrangesfrompenetrationtestingand security architecture to identity access management and cyber maturityassessment.Whatarethecompanieslookingfor?Despitethelargeofferforfreecourses,companiesarefacingdifficultiesforfillinguptheir Cybersecurity related positions. According to the job openings published onLinkedIn and monitored for 6 months between April-September 2019, the totalnumberatthelevelofEU28remainsprettymuchstablefromonemonthtoanother

1https://www2.deloitte.com/bd/en/pages/risk/solutions/deloitte-emea-cyber-academy.html2https://www.pwc.com/sg/en/academy.html3https://www.pwc.co.uk/issues/cyber-security-data-privacy/services/game-of-threats.html4https://www.ey.com/gl/en/services/specialty-services/certifypoint/certifypoint---training-courses5https://home.kpmg/md/en/home/services/advisory/consulting/cyber-security/cyber-academy.html



anditisaround3500±5%.Ingeneral,theaverageperiodforapositionopenedonLinkedInisonemonth.Thefactthatthetotalnumberremainsalmostthesameit’saproofofthecontinuousneedforprofessionalsinthearea.UKcountsforonethirdofthe positions opened followed in top 10 by The Netherlands, Germany, Portugal,France,Poland,Spain,Italy,IrelandandBelgium.(SeeFigureA2)

FigureA2:Cybersecurityjobs:positionsopened–top10EUcountries

Whenitcomestotheexperiencerequiredbytheemployer,the“Associate”levelismostindemand,closelyfollowedbythe“entrylevel”positions.Themostindemandjobcategoryinthecyber-domainistheIT,followedbyfarbytheengineers.(FigureA3)

FigureA3:CybersecuritypositionsopenedperExperiencelevel

IfwecontrastthesedatawiththeofferofcoursesdisplayedontheENISAmapwithnopretentionofanexhaustiveanalysisandawareaboutthelimitationsgivenbythesubjectivityofthedata,itcanbeobservedthat,countrieswithabigofferofcourses,thus with presumably more entry level Cybersecurity skilled people, are notnecessarily the ones also looking for hiring them and the other way around. Forinstance,Polandhas145 jobsopenedintheCybersecurity industry,butnocoursewasreportedontheNISmap.Ontheotherhand,Sloveniaencodedinformationabout



12coursesontheNISmap,buttheSloveniancompanieshavenopositionsopenforentryandassociatelevels.(AnnexA.5.5.)Howtomatchthecompaniesneedswiththeskillsoffers?CompaniesareusuallylookingforhiringalreadyskilledITtechnicalpeople.Yet,intheirabsence,thecompaniestrytore-skilland/orup-skillexistingemployees.Thistrend is confirmed also by the CONCORDIA industry partners questioned on thematteranddescribedinthenextchapter.Buttheprocessofdeveloping,displaying,searchingforspecificskillsshouldbebasedonagenerallyagreedstructureastoensureacommonlanguageontheskillsmarket.InsupportofthisendeavoronecangetinspiredfromtheUSNationalInitiativeforCybersecurityEducation(NICE)CybersecurityWorkforceFrameworkwhichdepictsfordifferentCybersecurityworkforcecategoriesthenecessaryassociatedknowledge&skillsandthelistoftaskstobeperformed:NISTSpecialPublication800-1811.Thisframeworkdocumentisofusefordifferentworkforcedevelopment,education,ortrainingpurposes.AttheEuropeanlevel,asalreadymentioned,ECSOiscallingforaspecificframeworkforprofessionaldevelopmentinCybersecurity,tobejointlydevelopedwiththerelevantactorsinthefield.TheCybersecurityCareerPathway2proposesaninteractivestructurebylistingthecoreCybersecurityrolesatentry-mid-andadvanced-levelanddetailsthetopskillsand the top certifications requested for each position. As there is no clear andgenerallyagreedtaxonomyonthejobtitlesintheindustry,ausefulinformationisalsoprovidedonthecommonjobtitlesemployerslistinjobopeningsforeachrolewhilealsopositioningtheindividualrolesinthemostcommonNICECybersecurityworkforce frameworkcategories.Anexample foranentry levelrole isdepicted inAnnexA.5.1.The tool ismainlydesigned for theuseof those interested to start anddevelop acareer in Cybersecurity. Nevertheless, the structure could be used also by thecompanieswhen deciding to open a new position on the jobmarket, not only bybenchmarking the salary expectations with respect to the competition and thedemandbutalsousingsimilarkeywordswhendescribing the tasksas toease thematchbetweentheirneedsandtheskillsandqualificationslistedbytheapplicantsintheirCVs.ACybersecurityCompetencyModelClearinghouse3wasdevelopedfewyearsagointheUSinviewofpromotingskillsetsandcompetenciesessentialtoeducateandtrainthe workforce. The model is structures on 5 tiers: Personal EffectivenessCompetencies, Academic competencies, Workplace Competencies, Industry-WideTechnicalCompetencies,Industry-SectorFunctionalAreas.

1https://www.nist.gov/file/3725812https://www.cyberseek.org/pathway.html3https://www.slideshare.net/colleenlarose7/competency-model-clearinghouse



AnnexA.5.2.includesmoredetailslinkedtothedifferentareasfromTiers4and5depictedinFigureA4:CybersecurityCompetencyModel.

FigureA4:CybersecurityCompetencyModel

At the European level, a concerted work on defining what are the competencesneeded tobeowned/developedbydifferentEuropeanactorsplayinga role in theCybersecuritymarketorimpactedbyit,iscurrentlypursuedbyECSOincollaborationwiththeirmembers,andthe4Cybersecuritypilotprojects.ItwillbebasedonexistingcompetencesframeworkssuchasEuropeane-CompetenceFramework(e-CF)1,NICE.The work will build, between others, on the ECSO Information and Cybersecurity Professional Certification 2 paper which looked into the professional securitycertificationschemesandframeworksinEuropeaswellasinternationally.Themainfindingsarearoundthefactthatthe industry isstillverydependentonUS-centriccertificateswhicharenotbasedonformaltraining.And,evenif insomeEuropeancountriesfirststepshavebeentakentosetupacertificationscheme,theuptakeoftheseschemesisverylimited.Theauthorsofthepaperrecommendtheestablishmentof an EU-wide certification and accreditation scheme as well as a EuropeanframeworkforprofessionaldevelopmentinCybersecurity.Also,theECHOpilotprojectislookingfordevelopingaCyber-skillsframework(E-CSF)astoaddresstheneedsandskillsgapofcybersecurityprofessionalsbasedonamappingofthecybersecuritymulti-sectorassessmentframework.Itisintendedthatthe E-CSF will bemade up of learning outcomes, competencemodel and genericcurriculum in order to establish a mechanism to improve the human capacity ofcybersecurity across Europe. In view of achieving this goal, the ECHO pilot willleverage a common cyber-skills reference, derived and refined from ongoing and

1https://www.ecompetences.eu/2https://ecs-org.eu/documents/publications/5bf7e0d81b347.pdf



related work in the field (e.g, ECSO, e-Competence Framework, EuropeanQualificationFramework).

A.3 CONCORDIA ecosystem We askedour CONCORDIA industry about their needs in termsof skills andtechnicalpeopleInviewofcapturingthedata,weinvitedtheCONCORDIAindustrypartnerstofillinasurveyorganizedaroundtwotopics:TopicA-theirpracticeinhiringcybersecurityrelatedprofessionals,andTopicB-theirneedsintermsofdevelopingcybersecurityskillswithintheirorganization.TheCONCORDIA industrypartnersaremainly representativesof thenational andinternationalcorporatesegment,andtoalesserextenttheSMEsone.Lessthan30%of the respondents are covering through their activities one or two of theCybersecuritydomains(seelistanddescriptionsinAnnexA.5.3.),whilemostofthemdevelop activities touching 3-5 domains, with the Network-, Data/Application-CentricSecuritydomainsprofilingonthetop.Whenitcomestotheindustriestheyare active on, apart of the five CONCORDIA focus areas (telecom, finance,transportation,e-healthanddefence)someoftheindustrypartnersarealsocoveringareaslikesemiconductorindustry,energy,automation,IT,law,services.

Theoutcomeofthesurveycanbesummarizedasfollows:TopicA. What are the organization’s needs in terms of NEW employeecategories&theassociatedskills?- When looking for hiring new employees, the level of cybersecurity level

requestedwithrespecttotheopenpositionisdepictedinthefigurebelow.Asexpected,theITrelatedjobsrequiremediumandhighlevelofcybersecurityskills.Nevertheless,itcanbeobservedthatthereisnotyetapriorityinaskingnon-technicalpeopleandexecutivestohavebasicskillsinthearea.

FigureA5.Jobprofilesvs.Cybersecurityskillslevelrequiredwhenhired



- WhenaskedabouttherelevanceofthepossessionofaCERTIFICATErelatedto the cybersecurity skills in the process of recruitment, the answers arealmostequallyspreadbetweenVeryrelevantforITpositions-RelevantforITpositions – Relevant for all the positions – Not necessarily relevant – Notrelevant.ItworthmentioningthattheNotnecessarilyrelevant–NotrelevantoptionswereselectedmainlybytheSMEpartners.

- 80%ofthecompaniesagreethatanEUharmonizedtaxonomyrelatedtothecybersecurity skills linked to different job positionswould be useful in theprocessofrecruitment

- In view of addressing cybersecurity needs within their organization, morethanhalfoftheorganizationswouldratherprefertohireanalreadyskilledpersonthantore-skillorup-skillanexistingemployee.Nevertheless,incasetheydecidetoinvestinpersonaldevelopmentoftheemployees,thein-housecourses arepreferred to external courses; yet, sometimesboth options areapproached in parallel: train and grow internally as well as hire from theoutside.

- Additional practices in recruiting new employees were reported such as:hiring young people from academics as part time, and up-skill them viatraining-on-the-job; hiring from outside EU due to the lack of skilledpersonnel.

TopicB. What are your company needs in terms of cybersecurity skillsdevelopmentforEXISTINGemployees?- Whenaskedaboutwhattypeofcontentforthecoursestheorganizationsare

lookingforfortheiremployeesthevastmajorityofthempointedtowardsamixoftechnical,hands-onandcyber-business-orientedtopics.Theweightofthetypeofknowledgewithinacoursevarythoughdependingontheroletheemployeeisplayingintheorganization.

FigureA6.Typeofcoursecontent-overall



FigureA7.Typeofcoursecontentperjob

- Most of the companies surveyed are offering or would like to offercybersecurityrelatedcoursestothedifferentcategoriesoftheiremployees.Notsurprisingly,themosttargetedonesaretheITtechnicalteamseniorsandjuniors, but also the ITmiddlemanagers. The online format for courses ispreferredbyfarwhiletheblendedformathastheleasttraction.

- Whenitcomesto thecompanynormalpracticewithrespect to thecoursesoffered to their employees, apart of two companiesdeclaring that they areoffering the employees only courses developed inhouse, all the others areofferingamixofthefollowingoptions:Developandrunin-house;Contractacourseprovidertotailorthecontentforthespecificneeds;Allowemployeestofindanonlinecoursethatfitstheirneeds;Buyoff-the-shelfcourses.

- Theemployeesareofferedthepossibilitytoattendacourseforupdatingtheircyber related knowledge with different frequencies which vary from “asfrequentasneeded”listedbymostofthecompaniesto“onceevery2years”,withapreferredlengthof2-3daysincaseofaFace-to-Faceformat.

- How important is the Certification option when buying a course for youremployees?Thein-housecoursesorbaselinesecuritycoursesofferedtotheemployeesarenotnecessarilyselectedbecauseofthecertificationoptions.Yettheemployer is interested inmore thanacertificateofattendancebutofaCertificate issued by the training provider following a test/exam passedand/or Certificate offered by MOOC platforms as proof of the knowledgeacquired.Whenitcomestothecertificationsbasedonstandards,thefollowinghavebeenlisted:CSX,CSX(P),OSCP,CEH,CyberEssentials.

The CONCORDIA industry partnerswere also asked to list their top 3 immediateneeds intermsofskills,consideringthecybersecuritythreatstheirorganizationisfacing.TheanswerspointedmainlytotraditionalcoursesandvariedfromSecurityawareness and Security fundamentals to Solid understanding of mobile networksecurity or Use of AI/Machine Learning; from Threat Intelligence analysis,Penetration testing and intrusion detection andMalware analysis, to Secure chip-design, Secure software-design and secure hardware-software co-design. Specificmentionswereincludedontheimportanceofahands-on,exercise-basedapproach



includingfortheonlineformatofdeliverywhichshouldbeasinteractiveandreallifeaspossible.

Finally, thepartnerswere asked to addanyother comments linked todevelopingskillsforcybersecurityprofessionalsandwhichwerenotaddressedbythepreviousquestions. The most relevant of them are listed below and will be used in thedevelopment of the cybersecurity specific methodology for the creation of newcoursesandteachingmaterials.

“Needtoeasytoaccessandregistercourses,thatareonline,thataremobiledevicefriendly, that cover concepts intuitively, and can provide links to more hands-oncourses,iffollow-upsareneeded”“Wehaveanumberofinternalonlinecourseswhichareobligatoryforeachemployeeandothersthatareobligatoryforcertainroles.”“Coachingisanimportantpartduringthelearningprocess.Couldbeon-line.“"Cybersecurityprofessionalswouldbenefitfromthedevelopmentofsoftskillsthatcouldfurthersupportthemworksinacollaborativemanner.""Academic degrees, although interesting, appear to lack basic skills for thecybersecurity practitioners. When hiring a person with a degree in the subject,usually that onlymeans that she/he have the potential to understand the subjectprovidedspecifictheoreticalandonthejobtrainingisprovided.Butevenso,insomecountriesitisdifficulttofindeventhat.(e.g.Germany,Austria,...)""the semiconductor industry take a special place in the cyber security market;semiconductorcompaniesstayat thebeginningof thevaluechain for thesecurityindustry, which are focus on prevention of cyber attacks; securemicrocontroller,meansdevelop,qualifyandcertifyproductsalongISO15408,EAL4+,5+or6+"CONCORDIAprofessionaleducationlandscapeCONCORDIAaimsatestablishingaEuropeanEducationEcosystemforCybersecurity.ThefirststepinthisendeavoristostartcollectinginformationonwhatCONCORDIAconsortiumofferintermsofskillsdevelopment(universityandindustrypartners).ThisdatawillbecontrastedwiththeneedsintermsofskillsofdifferentCONCORDIApartners(mainlytheindustrypartners)andofthemarketastoidentifythepotentialunmetneedsintermsofskillsdevelopment.TothisendweinvitedalltheCONCORDIApartnerstoprovidestructuredinformationonthecourses/trainingstheyareorganizingforCybersecurityprofessionals.Apartofageneraldescriptionofthecourse,itslocationandthelanguagetaught,thefollowing information aligned to the CONCORDIA scope and objectives were alsocollected:



- Cybersecuritypillarsaddressed–Device-centric//Network-centric//System/Software-centric//Application/Data-centric//User-centricsecurity–seedescriptionofthepillarsinAnnexA.5.3.

- Industryfieldaddressed-withafocusonCONCORDIAsector-specificpilots:Telecommunication//Finance//Transportation/e-Mobility//eHealth//Defence

- Maintargetaudience–differentcategoriesofindustryprofessionals- Typeofcourse(face-to-face,online,blended)- Entryrequirements- TypeofCertificationoffered

By endof year2019, theCONCORDIApartners both from industry and academia,providedinformationonatotalof33courses(AnnexA.5.4.).Thedataisdisplayedonadynamicmap1ontheCONCORDIAwebsitefortheuseofthecommunityatlarge.Themapprovidesdifferentfiltersastohelpmatcheasierthespecificneedforskillsdevelopmentwiththeoffer.OverthecourseoftheCONCORDIAproject,themapwillbeperiodicallyupdatedwiththe new courses/trainings developed by the different university and industrypartners.Besides,inoureffortforestablishingaEuropeanEducationEcosystemforCybersecurity,themapisopenforsubmissionofcourses/trainingsforCybersecurityprofessionalsorganizedbyotherEuropeanorganizations.Todatethemapdisplaysalready 27 courses organized in Europe by different organizations outside theConcordiaconsortium.ThemapwillthushavethepotentialtobecomeamarketplaceforCybersecurityskillsforprofessionals.Generalconsiderations

MostoftheCONCORDIAcourseswerelaunchedin2018or2019.TheyareusuallyrunningonceortwiceayearwithfewexceptionssuchastheCyberIncidentGameplannedfor4sessionsoverayear,andSINAbasicscheduledtwiceamonth,with15sessions in total over a year. The short courses are between one day and oneweeklongandareaddressinggroupsof10to20people.Thelongercoursesoftheequivalent of one university semester (12-14weeks) are bringing together largergroups of participants, namely between 80-120. Most of the courses are offeredagainstafee.Cybersecuritypillars

AcloselookintothedatacollectedwithrespectofthefiveCONCORDIACybersecuritypillars(AnnexA.5.3.)addressedrevealsthefactthatalmost40%ofthecoursesarespecificallytargetingonecybersecuritypillar,whileanother40%areofferingcontentvalidfortwoorthreepillars.Nevertheless,somecoursesaretailoredtodevelopmoregeneralskillsrelevantforallthefivepillars.The most addressed pillars are the Network-centric, followed closely by theData/Application-centric security and the Software/System-centric pillars.

1https://www.concordia-h2020.eu/map-courses-cyber-professionals/



Interestingly,theleastcoveredskillsareintheareaofDevice-centricsecuritywhichdealswithdataacquisitionand thedevicesproducingrawdatasuchasembeddedsystems,sensors,IoTdevices.TheUser-centricsecuritypillarisalsolessaddressedinthecoursescurriculaalthoughitdealswithissueslikeprivacy,socialnetworks,fakenewsandidentitymanagement.ThiscouldbeexplainedbythefactthatCONCORDIApartnersaremainlyactingintheareaslinkedtothetransportationandusageofdata,andlessinthosedealingwithdataacquisitionanddevicesproducingrawdata.

FigureA8:CONCORDIAcourses–contentvs.thecybersecuritypillarsaddressed

Industryfields

ThefiveCONCORDIAsectors(Telecom,Finance,eHealth,Defence,Transportation/e-Mobility)arealmostequallycoveredbytheto-dateCONCORDIAtrainingportfoliowith Telecom sector being themost addressed. Themajority of the courses helpdevelopskillsapplicabletoatleast4CONCORDIAindustrysectors.Nevertheless,anumberofothercoursesaretargetingdifferentotherindustriessuchascloud,IoT,criticalinformationinfrastructureoroperatingsystems,whilealmostaquarterofthecoursesarenotrelatedtoanyindustryinparticular.



FigureA9:CONCORDIAcourses–contentvs.industriesrelevance

Targetaudience

TheexistingCONCORDIAcoursesaremainlyaddressingthetechnicalpeople,andtoalesserextentthemiddlemanagersofnon-ITdepartmentsandtheexecutivesofbigandsmallcompanies.

FigureA10:CONCORDIAcourses–distributionofthetargetaudience

Deliverymethod-F2F,onlineorblended?

According to the(ISC)2CybersecurityWorkforceStudy2018, theemployers’mainchoiceinofferingskillingopportunitiestoemployersistheonlineversionasthisisthemostcosteffectiveonefromthemanagementperspective.Theface-to-faceoption



ranks5 in the listofoptions forprofessionaldevelopment in theworkplace, afterconferenceattendance,personalstudyreviewandonthejobwithpeers’alternatives.On the otherhand, the same study reveals that the employees aremoreprone toattend the face-to-face (F2F) courses as these give them more opportunities tointeract and network, to exchange experiences, and it is closely followed by theinternet-basedtraining.When it comes to the CONCORDIA courses, the vast majority of them is offeredexclusivelyinaface-to-faceformatwhileonlytwoarefullyonlineandthreeothersareblended.Thus,theyareverymuchalignedtotheemployees’appetitetoconsumethistypeofservice.Languagetaught

18outof the33CONCORDIAcoursesare taught inEnglishoroffer thisoptionasalternativetoGermanorFrench.ThisalreadyprovesanopennesstotheEuropeanCybersecurityskillsmarketaslanguageisnot, inthiscase,abarrier.Nevertheless,20%ofthecoursesareexclusivelytaughtonlesscommonlanguagessuchasCzech,Dutch,SloveneorItalian.Content

Contentwise,theCONCORDIAcoursesarefocusingondevelopingspecifictechnicalskills.Thisisreflectedinthetargetaudiencethosemaingroupisthetechnicalteam,followedbyacademiaandstudents’group.Nevertheless,someothercoursestakeabroaderapproachtothetopicandhavelowornoentryrequirementsthusaremoreaccessible to a larger audience such as senior managers, managers of non-ITdepartments,startups.Certification

Todate,noneofthecoursesorganizedbyCONCORDIApartnersareofferingindustryrecognizedcertifications.Nevertheless,someofthemarepreparingtheparticipantsinviewofapplyingforISACAand(ISC)2certifications.Thevastmajorityofcourseproviders are issuing certificates of participation, sometimes signed by aCybersecurity expert. Others offer certificates of completion issued by a well-establishedonlinetrainingplatformsuchasCoursera.Alumni

Although no consistent datawas collectedwith respect to the participants to thecourses organized by the CONCORDIA partners, the following information wasconsideredtobeagoodestimateonthegraduatessofar:

- Totalnumberofparticipantsoverthewholeperiodthecoursesrun:5900+- Genderdistribution:91%malesand9%females- Agedistribution:themajorityoftheattendeesareintheirearlystagesoftheir

careersorinthegrowingstageas62%ofthemarebetween25-34yearsold.35%oftheparticipantsarebetween35-54yearsoldandonly3%arebetween55-64yearsold

- Countryoforigin–mostoftheparticipantscomefromthecountriesinwhichthe course is hosted (in case of the face-to-face courses). In case of longer



durationcourses(theequivalentofoneuniversitysemester)theparticipantsgroupismultinational like incaseofacourseorganizedinGermanywhich,apartfromotherEUparticipants,attractspeoplefromChinaandIndia;orthecaseofthecoursesinSloveniaattractingalsoparticipantsfromCroatia,Spain,PortugalandTurkey.

FigureA11:CONCORDIAcourses–pastparticipantsdistributionpergenderand

age

TheexternalcoursesplottedontheCONCORDIAmapTheCONCORDIAmapwasopenforexternalsubmissionsstartingmid-July2019.Overaperiodof2monthsthereweresubmitted27coursesviatheRegisteryourCourse1form.ThispoolofexternalcoursesfollowingtoacertainextentthecharacteristicsoftheCONCORDIAcoursesandcouldbedescribedasfollows:

- Pillars:mostofthecoursesaddresstheSoftware/System-centric,Network-centricandApplication/Data-centricpillarswhilethelesstargetedoneistheUser-centricpillar

- Industry:thevastmajorityofthecoursesaredevelopingskillsfitfortheTelecomindustry,followedbytheTransportindustry;someofthecourseprovidersreportedalsootherareasofuseoftheskillsacquiredviatheircoursessuchasEnergy.

- Targetaudience:mostofthecoursesaretargetingthecorporateaudience,mainlythetechnicalteammembersbutalsothemanagersofthenon-ITdepartmentsandtheseniormanagementgroup.Someofthemaretargetingtheusers-individualsusing5Gtechnologyorthoseinterestedtolearntheapproachesusedbyhackers,whileoneisspecificallyaddressingthepublicadministration

- Deliverymethod:face-to-faceisthemodelusedby70%ofthecourseswhileonly4arerunonlineandonly1isofferedinablendedformat.

- Language:thelanguageusedis,generally,countryspecific.Nevertheless,someofthecourseprovidersofferthecourse(also)inEnglish,orprovidethedocumentationinEnglish

1 https://docs.google.com/forms/d/e/1FAIpQLScg5QrSQEOikUAJguXL3OrBhIPh3FzZzSvBk2RhGmh6ZRIMtQ/viewform



- Content:only20%ofthecoursesdonotrequireanyentryrequirementsasthecontentprovidedisconsideredintroductoryorclosetointroductorytothespecifictopic.Alltheothercoursesrequirebasictomediumskillsinthetechnicaldomainsaddressedbythecourse.

- Certification:2ofthecoursesareofferingofficialcertificatesrecognizesbythenationalauthoritieswhiletheothersareofferingcertificatesofattendance.

A.4 Conclusions Thefindingssofarproofedheterogeneitybothofthecybersecurityjobsmarketandofthecybersecuritycoursesoffer.Besides,thelackofanagreedterminologycrossdomains and industries related to competencies needed for a specific job makesdifficultforthecompaniestofillintheopenpositions,butalsoforcourseproviderstodesigntheircurriculaastoanswertothemarketneeds,andfortheindividualstoidentifytheskillstheyneedtopossessordevelopastomatchthejobopenedonthemarket.PillarsInanattempt tocreateahigh-levelstructureof thecoursesoffered inEurope,weusedthedatadrivenapproachanditsfivepillarsadvocatedbyCONCORDIA.Wethusinvited the course providers to register their courses on the CONCORDIAmap bymentioning,betweenotherelements, thecybersecuritypillars theskillsdevelopedunderthespecificcoursecouldbeused.Thefindingsgatheredfrom60courses(33fromCONCORDIApartnersand27fromexternalcourseproviders)showsthattheleastcoveredpillarsinCONCORDIAaretheDevice-centricsecuritypillardealingwithdata acquisition and the devices producing raw data such as embedded systems,sensors, IoT devices, and the User-centric security pillar dealing with issues likeprivacy, social networks, fake news and identity management. These findings,althoughnotnecessarilyrepresentativeforthewholeEuropeanmarket,matchthethreats identified in the first chapter, especially those linked to the user-centricsecuritypillar.TargetMoregeneralcybersecurityawarenessneedstobeofferedacrossdifferentindustries,not necessarily technical ones, thus targeting non-traditional cyber audience.Althoughtherearequiteafewonlinecoursesaddressingthisgeneralneed,thereislittle or none tailored to some specific non-technical audience yet targeted andimpactedby cyberattacks. In this respect the following topics couldbe envisaged:Economics of Cybersecurity within an organization, Cybersecurity for lawyers,Cybersecurity for physicians, Cybersecurity for investors. The Cybersecurity forInvestors course for instance, could answer to problems identified in the ENISAanalysisonChallengesandopportunitiesforEUCybersecuritystartups1)andcouldbeco-organizedincollaborationwithInvestEurope2.Theknowledgeacquiredbytheinvestors will help them not only when looking for investing in Cybersecurity

1 https://www.enisa.europa.eu/publications/challenges-and-opportunities-for-eu-cybersecurity-start-ups2https://www.investeurope.eu/



companies but also when assessing the viability of any of the companies ascybersecurityshouldbetreatedasabusinessrisk.The industry survey reveals an increased interest in Cybersecurity awarenesscoursesasuntrainedstaffisthegreatestcyberrisktothebusiness.Whenitcomestothetechnicalarea,inadata-drivenenvironmentanddata-driveneconomy,aCybersecurityprofessionalmusthavecompetences in theareaofdataanalysis.Thus,aspecificcurriculumfordatascientistpositionswouldbebeneficialtobedeveloped.SomeothertopicscouldbefurtheridentifiedbasedontheanalysistobedoneintheDeliverableslinkedtotheThreatlandscape,legalenvironmentandeconomicperspectives.ContentContentwise,thecourseswouldneedtobedevelopedinrelationwithanagreedEUcompetence framework.Theyshouldnot stayatageneral levelas toensure theirrelevance forabroadcross industryaudience,butshouldbe industryspecificandbuiltstartingfromclearlearningobjectivesdefinedindirectcollaborationwiththetargetedindustryrepresentatives.Nomatterthetargetaudience,abroadapproachtothetopicwouldbeadvisable,astocoverbothtechnicalknowledgeandsoftskills,but also somemanagerial skills1. Theweights of the different subjects should bebalanced though, according to the profile of the target audience. The hands-onapproachandrealcasescenariosadaptedtothespecificaudienceshouldbefavored.LanguageEU is a multi-cultural continent and local language skills are important tocommunicate.Yet,thefreemovementofpeoplecomeswithfreemovementofskillsandthelanguageshouldnotbeabarrier.Thus,inanattempttobuildaninternationalnetworkofCybersecurityexpertslookingintoexchanginginformationinsupportofbetterprotectingEuropeagainstcyberattacks,thetrainingsshould,atleastpartiallybetaughtinEnglish,thelanguageofthecomputer(mostprogramminglanguagesuseEnglish languagekeywords). ChoosingEnglish as amain languagewould increasealsotheparticipationinthedifferentMOOCswhichareintheirvastmajoritytaughtinEnglish,stillabarrierfornon-Englishspeakers2.Itwillalsosupportthemobilityofthe Cybersecurity professionals from countries with a big offer of courses, thuspresumablymoreCybersecurityskilledpeopletocountrieswithbigdemandonjobmarket.CertificationUndoubtedly,certificationsareimportantintheprocessofrecruitmentofthecyberprofessionals. And at the international level there are quite a few very specificcertifications for the IT professionals. In Europe though, as revealed in the ECSOstudy, the industry is still very dependent on US-centric certificates which are not based on formal training. And, even if in some European countries first steps have been taken

1https://insights.dice.com/cybersecurity-skills/2 https://www.academia.edu/23952938/Planning_to_Design_MOOC_Think_First_?email_work_card=title



to set up a certification scheme, the uptake of these schemes is very limited. There is thus room and a need for a European Cybersecurity certification scheme. During the duration of the project we will be looking into developing a framework of a certificate.The analysis helped identifying some topics and some good-to-have courses’characteristics. These findings will be further considered when developing thecybersecurity specific methodology for the creation of new content and teachingmaterials.Besides,thecoursecontentdevelopmentanddeploymentareintendedtobedesignedinsuchawayastobealignedtotheCONCORDIAcertificationframework.Thepaperwillbeperiodicallyupdatedastocapturethenewtrends,challengesandoffers in the cybersecurity education and will contribute to the definition of theeducationpillaroftheCybersecurityRoadmapforEurope.



A.5 Annexes A.5.1.CybersecurityCareerPathway-exampleSource: https://www.cyberseek.org/pathway.html (data collected from September 2017 through August 2018)

FigureA12.CybersecurityCareerPathway–exampleforCybersecurity

Specialist/Technician



A.5.2.CybersecuritycompetenciesSource:https://www.slideshare.net/colleenlarose7/competency-model-clearinghouse

FigureA13:CybersecurityCompetencies–Tiers4and5



A.5.3.The5pillarsoftheresearchandtechnology

FigureA14:CONCORDIA-Thefivepillarsoftheresearchandtechnology

CONCORDIA has a data-driven approach to security and addresses it via the fivepillarsofresearchandtechnologyasillustratedinthefigureabove.Theindividualpillarsaredescribedasfollows:•Device-centricSecurity:DCSaddressesthedataacquisitionandthedevicesthatproducerawdata,suchasembeddedsystems,sensors,IoTdevices,drones,andtheassociatedsecurity-centricissues,suchasIoTsecurity.•Network-centricSecurity:NCSreferstothetransportationofdataaswellaswiththenetworkingandthesecurityissuesassociatedwiththis.TopicsrangefromDDoSprotection,Software-DefinedNetworking(SDN)toencryptedtrafficanalysis.• Software/System-centric Security: SSCS centers around topics such asmiddleware,secureOS,andsecuritybydesign.malwareanalysis,systemssecurityvalidation, detection of Zero-days, and recognizing service dependencies arespecificallyaddressed.

• Data/Application-centric Security: DACS addresses issues such as datavisualizationandthesecurityofapplicationslikecloudservices.•User-centric Security: UCS addresses issues like privacy, social networks, fakenewsandidentitymanagement.



A.5.4.TheCONCORDIAcourses

Title WHO WHAT

CyberRange: IT EthicalHacking

AirbusCybersecurity

Hands-on Labs on differenttopicsandcountermeasuresinasimulatednetwork.

ICS-EthicalHacking AirbusCybersecurity

Hands-on Labs on differenttopics of threats scenarios andcountermeasuresinasimulatedindustrialenvironment.

Cyber Incident HandlingWorkshop

AirbusCybersecurity

Table-topgametolearnhowtodeal with cyber incidents fromdifferentperspectives.

CyberRange: AdvancedPersistent Threats andTargetedAttacks

AirbusCybersecurity

Hands-on labs to learncurrenttechniques of APTs andTargetedAttacks.

CyberIncidentGame AirbusCybersecurity

Play the hacker role: plan acyber-attack on an classicalnetwork or an industrialnetworkinfrastructure.

Cybersecurityforbusiness EITDigital An innovative training toempower and train inimproving and championingCybersecurityforthefuture

SecurityandPrivacyforBigData

EITDigital Learn how to identify keysecurity and data protectionissuesandhowtoapplyprivacypreserving methodologies incompliance with the currentregulations

ENISA Summer School(assistingtheorganization)

FORTH Network and Informationsecurity:policy,economic,legalandresearchmatters

CSIRTCyberTraining MasarykUniversity

Hands-on tailor-madeCybersecurity training for ITadministrators andCSIRT/CERT members.Everything from servershardening to networkmonitoring&analysis

Capture the Flag by TeamLocalos

ResearchInstituteCODE

Learn and evolve yourCybersecurity capabilities. Andhave fun at our Cybersecuritycompetition!

IT Competence EducationandTraining

ResearchInstituteCODE

In our flexible Cyber Range,participants are provided withself-learning modules,



individual exercises as well asdefensive/offensive hands-onscenarios.

SINABasics Secunet Basics and functions of theSecure Inter-NetworkArchitecture(SINA)

TRANSITSI/II SURFnet Training for new andexperienced computer securityincidentresponseteam(CSIRT)personnel, and individualsinterested in establishing aCSIRT.

Reliable Software andOperatingSystems

TechnicalUniversityDarmstadt

Dependability and SecurityIssuesforSWsystems

SecurityandtheCloud:TheIssueofMetrics

TechnicalUniversityDarmstadt

SW and Distributed SystemsSecurity

ICTSecurity University ofMariboru

Basics; Physical security andbiometrics; Cryptographybasics; Secure e-commerce;Protection of communicationtechnologies; Standards,security policies and securityplanning; Software security;User aspects of security andprivacy

Dataprotection University ofMariboru

Introduction to the topic;Advanced cryptography;Usabilityandrelatedstandards;Practical aspects of dataprotection

ADVANCEDINFORMATIONSECURITY

University ofMariboru

Providein-depthknowledgeontechniques for securing andprotecting information,computer systems andcomputernetworks

Datasecurityandprivacy

University ofInsubria

Models,toolsandlanguagesformanaging access control andprivacypolicies/preferencesinadatamanagementsystem

DATA SECURITYFUNDAMENTALS

University ofInsubria

Basicknowledge for thedesignandverificationofmechanismsfor data protection ininformation systems andnetworks

InternetSecurityProtocols University ofTwente

MOOC to discuss the detailsofInternet security protocols,



such as HTTPS, SSH, DNSSEC,IPSecandWPA

Internet attacks anddefence

University ofTwente

MOOCtodiscusshowtodetectand mitigate Internet attacks.Topics include DDoS, IDS andFirewalls

Certified InformationSystems Auditor CISA -certification and exampreparation

SBAResearch The course helps in preparing for the exam in view of CISA certification.The Certified InformationSystems Auditor (CISA) is agloballyrecognizedcertificationforprofessionalsintheareasofauditing, control andinformationsecurity.

Certified InformationSecurity Manager CISM -certification and exampreparation

SBAResearch The course helps in preparing for the exam in view of CISM certification.The Certified InformationSecurity Manager (CISM) is agloballyrecognizedcertificationfor experts in the field ofinformation securitymanagementincompanies.

Certified InformationSystems SecurityProfessional CISSP -certification and exampreparation

SBAResearch The course helps in preparing for the exam in view of CISSP certification.TheCISSPexaminationcovers8areas of security which arenecessary for the essentialprotection of informationsystems, companies andnationalinfrastructures.

Certified Secure SoftwareLifecycle ProfessionalCSSLP - certification andexampreparation

SBAResearch The course helps in preparing for the exam in view of CSSLP certification.The CSSLP certificationguarantees that you havecomprehensiveknowledgeinallareasofthesecuredevelopmentlifecycle.

CyberSecurityEssentials SBAResearch The aim of the course is toprovide participants with anintroduction to the topics ofcybersecurityaswellasITandinformation security. Thecourse provides participantswith sound basic knowledgeandessentialthreatscenariosaswell as modern solutions andmethods for copingwith cyberrisks.



IncidentResponse SBAResearch The aim is to learn tools andtechniquesforclarifyinganAPTincident. The courseparticipants will also have thepractical opportunity toinvestigate a simulated APTattack using hard disks andmemoryimages.

WindowsHacking SBAResearch The aim is to convey themostfrequentanddangerousgapsinWindows networks and thusprovide the necessaryknowledge for securingsecurity-relevant networks andservers.

SecureCodinginC/C++ SBAResearch This training is especiallydesignedforC/C++developers.It covers secure softwaredevelopment practices andattacks.

WebApplicationSecurity SBAResearch The course teaches developersthe most common anddangerous bugs in webapplication development.Testers learn how to testsecurityaspects.

IoTSecurityEssentials SBAResearch The course teaches the typicaland dangerous securityvulnerabilities of Internet-enabledhardware,includingtheOWASP InternetOfThingsTop10.



A.5.5.CoursesofferonNISmapvs.JobsopenedonLinkedIn

EUCountryAcademic CoursesofferENISAmap

Jobsopened-Entry&Associate levels -Oct'19

Jobs opened -Total-Oct'19

Germany 148 511 762UnitedKingdom 97 1,068 1,459CzechRepublic 46 18 30France 33 150 229Belgium 31 54 98Netherlands 22 375 559Spain 22 63 124Finland 18 9 18Portugal 16 313 347Italy 15 134 192Cyprus 12 0 1Slovenia 12 0 0Sweden 10 24 68Ireland 7 58 120Austria 6 15 29Greece 5 4 7Romania 4 35 78Estonia 3 5 11Latvia 2 3 5Denmark 1 20 41Hungary 1 9 21Luxembourg 1 19 31Bulgaria 1 15 27Croatia 1 0 0Malta 1 0 0Poland 0 96 145Lithuania 0 5 8SlovakRepublic 0 5 11



Annex B: Startup scene (T3.5) Muchinnovation inthecybersecuritysectorhasbeendriven inthestart-upworldandtaskT3.5wasalsotryingtoassesstrendsandtomapstakeholdersinEU.Buyingorinvestingincybersecuritystart-upshasbeenmorefrequentthaninotherITareas,creatingthereforeastrongexitmarketforcyber-security-focusedstart-ups.In this overviewwepresent several initiatives that target cybersecurity start-ups,including corporate-led incubators (Google and Thales Station F), public sectorinitatives(Ciberemprende),andpan-Europeanservicesprovidedbypublic-privatepartnershipcompanies(ECSOCyberinvestormatchmakingandEITDigitalservicesforstart-ups).We spoke, for example, to some start-ups from Google Startups Accelerator1thatkickedoffinOctober2019inMalaga,Spain.Withafocusoncybersecuritystartups,itincludes companies like Koodous (collaborative antivirus, it is spin off fromHispasec),SecureKids(targetingprotectionofminors,ownersofIS4K),TechHeroX(focusedononlineeducationforcybersec),Keynetic(with SDNsecuritysolution),CyberSmart (digital compliance), Keystroke DNA (authentication), CyberBlue orironChip.GoogleforStartupsinitiativewasalreadypresentinSpainandin2018itmadeanimportantimpact(seefigurebelow),includingstartupecosystemdiversity(especiallytargetingwomenentrepreneurs).

FigureB1.ImpactofGoogleforStartupinitativeinSpainfor2018(source:Google)

InConcordiaconsortiawehaveonestart-upCyber-detectthatreceivedsupportfromStation F, cybersecurity startup incubator in Francemanaged by Thales. In 2019many other start-ups were selected by this incubator to access services such asvisibilityboostorsupportforfundraising.Thefigurebelowshowsstart-upsthathavebeenselectedwiththereareoffocusorsolutiondescription.

1 https://www.blog.google/outreach-initiatives/entrepreneurs/google-startups-accelerator-empowers-ai-startups-europe/





FigureB2:start-upsselectedbyStationFincubatorin2018and2019

Anotherimitative,thistimewithpublicfundingthattargetscybersecuritystart-upsisCiberemprendeinSpain,managedbyNationalInstituteforCybersecurity(INCIBE).In 2019 they awarded 34.000 to DirectDump (DFTools), forensic monitoringsoftware,whiletheotherwinnerswereClickDefense(24.000€)fortheirsolutionfordetectionofillegitimateclicksinonlineadvertising,AuthUSB(20.000€)forsolutionrelatedtosecureaccesstoUSBstorage.Otherstart-upmentionedintheirreport(andsomeoftheminterviewedforConcordia)wereAcerodocs,documentprotectionandusage control, CriptoCert,certification software;, CyberBlue, decision support andcybercrime detection through emotion analysis, TechHeroX, cybersecurityawareness; Eurocybcar, vehicle cybersecurity; InprOTech (Inprosec Auto),cybersecurity in converged IT (Information Technology) and OT (OperationTechnology); and finally RKL Integral, that targets risk assessment for convergedsafetyandsecurity.On pan-EU levelwe had severalmeetingswith cybersecurity startups during twoECSO Cyberinvestor events, discussing what can we offer from Concordia. Theseevents(14May14thinMadridandOct15thinLuxembourg)revealedthatECSOisdoingalreadygreatworkforcreatingavibrantcybersecurityecosystemandallstart-upsinterviewedweresatisfiedwiththesupport.ECSOisusuallycollaboratingwithlocalorganizers(e.g.INCIBE,EENandFundacionConocimientosMadrid,inthecaseofMadridevent),andisopenforthecollaborationwithConcordia.For the event in Luxembourg, Concordiawas included as a strategic partner (seefigurebelow)andweplantocontinuethiscollaborationwithECSOin2020.



FigureB3:strategicpartnersofECSOCyberinvestordays

Ifwelookatstart-upsthathavebeenselectedforCyberinvestordaysbyECSO,weobservedthatthereisapredominanceof localstart-ups(SpanishinMadridevent,andBeneluxinLuxembourgevent)andthatsomestart-upsrepeattheexperience.TheECSOCyberInvestorDaysinLuxembourgreceivedsupportbythegovernmentandwerekickedoffwithapressconferencebyÉtienneSchneider,Ministerof theEconomy of Luxembourg. Pascal Steichen, CEO of the SECURITYMADEIN.LU,presentedthelocalcybersecurityecosystem.Finalreportfortheseeventsisstillnotavailable, but the report for the previous events can be found athttps://www.thehaguesecuritydelta.com/media/com_hsd/report/224/document/Final-ECSO-Report.pdf



FigureB4:StartupsselectedbyECSOfortheCyberinvestordaysinMadrid

FigureB5:StartupsselectedbyECSOforCyberinvestordaysinLuxembourg

Finally, EIT Digital, which is Concordia partner, was also interviewed in severaloccasions.Morespecifically,opportunitiesforcollaborationwerementioned,suchasEIT Venture program in RIS countries, support for summer course (not linked tocreditsofmasterstudy),orCybersecurity360programforProfessionals.However,EITdigitalhasnoeffortintaskT3.5andthecollaborationintheareaofservicesforstartups in 2019 was not considered. EIT digital regional nodes (e.g. Madrid),however,areorganizingeventsthatcanalsobeofinterestforConcordia.OneoftheregionsthatwouldbeespeciallyinterestingforConcordia,asitwasexpressedbytheadvisory board feedback received during the Concordia Open Doors event, is theEasternEurope(inEITDigitalthisregioniscoveredbyregionalinnovationscheme–RIS1.

1https://eit.europa.eu/our-activities/eit-regional-innovation-scheme-ris



IncollaborationwithStartupWiseGuysaccelerator,cybersecurityfocusedprogramCyberNorth was started to receive investment and take part in a 3 month longacceleration in Tallinn, Estonia. In 2019 selected teams are autom8 (Turkey, NLPframeworkstoautomatethedetectionofsecurityandotherflawsinsourcecode),Odin Vision (Ukraine, biometric identification), Cyber Struggle (Turkey, cybersecurity certifications), Cyex.io (Hungary, AI-based cybersecurity exercisegenerator),Fakeskiller(Ukraine,detectionoffakeidentification),Hive.id(Ukraine,digital identity verification), Scoriff (Estonia, identifying high risk companies),Webtotem(Kazakhstan,SaaSforsecuringandmonitoringwebsite).OutsideofEITDigital, we have established contacts with Oxolabs cybersecurity incubator fromHungarythatstarteditsworkin20191.Again,thefollow-upandfurthercollaborationwilldependonresourcesavailableforstartupfactoryandincubator(tasksT3.5andT5.1)andrelatedservices.Asanadditionalideaforstartupfactoryconcept,technologytransferfundingwasalsoconsidered. Academic research is often considered high-risk by the traditionalinvestors,somorerecentlyTTfundsareenabledbyInnovFinEquity–managedbyEIF.Theyformpartof“InnovFin–EUFinanceforInnovators”,aninitiativelaunchedbytheEuropeanCommissionandtheEIBGroupintheframeworkofHorizon2020.Some examples of European investors in TT funds include K.U. Leuven/CD3(Belgium),IPGroup(UK),ChalmersInnovationSeedFund(Göteborg,Sweden),theUMIPPremierFund(Manchester,UK)andKarolinskaDevelopment(Sweden).

1https://cybersecurity.oxolabs.eu/

Documents

Cybersecurity, Trustworthy ICT Research & Innovation