This is a second version of an ongoing work that builds on the rationale at the Cybersecurity Report issued by the High Level Advisory Group of the EC Scientific Advice Mechanism in March 2017, where it is stated that:
“Cybersecurity is not a clearly demarcated field of academic study that lends itself readily to scientific investigation. Rather, cybersecurity combines a multiplicity of disciplines from the technical to behavioural and cultural. Scientific study is further complicated by the rapidly evolving nature of threats, the difficulty to undertake controlled experiments and the pace of technical change and innovation. In short, cybersecurity is much more than a science”.
In this report, after further reflection and validation on the different dimensions of the cybersecurity domain, and using as sources some of the most widely accepted standards, international working group classification systems, regulations, best-practices, and recommendations in the cybersecurity domain, a high level set of definitions and categorisation domains are proposed so that they:
- Can be used by a broad range of EU cybersecurity initiatives.
- Become a point of reference for the cybersecurity activities (research, industrial, marketing, operational, training, education) in the DSM by all sectors/industries (health, telecom, finance, transport, space, defence, banking etc.).
- Can be used to index the cybersecurity research entities (e.g. research organisations/laboratories/ associations/academic institutions/groups, operational centres/academies) in Europe.
- Meet compliance with international cybersecurity standards.
- Can be sustainable, easily modifiable and extensible.
The report has been delivered in the context of the European Commission proposal to set up a European Cybersecurity Industrial, Technology and Research Competence Centre with a Network of National Coordination Centres (COM/2018/630). The overall mission of the Competence Centre and the Network (CCCN) is to help the Union retain and develop the cybersecurity technological and industrial capacities necessary to secure its Digital Single Market. This goes hand-in-hand with the key objective to increase the competitiveness of the Union's cybersecurity industry and turn cybersecurity into competitive advantage of other European industries.
In order to assess essential aspects of the CCCN regulation proposal, the Commission launched a pilot phase under Horizon 2020. In particular, the proposals CONCORDIA, ECHO, SPARTA and CyberSec4Europe were selected as the four pilot projects to assist the EU in the establishment of a European Cybersecurity Competence Network of cybersecurity centres of excellence. The pilots bring together more than 170 partners, including big companies, SMEs, universities and cybersecurity research institutes, from 26 EU Member States.
The four pilot projects were asked to review the proposed taxonomy and provided feedback, which was used to improve the first version of the taxonomy in order to publish this second enhanced version.
Based on a first analysis, a survey was also conducted where more than 600 institutions participated and registered their cybersecurity expertise
The taxonomy was then used for the categorisation and mapping of existing EU cybersecurity centres (e.g. research organisations, laboratories, associations, academic institutions, groups, operational centres, etc.) according to their cybersecurity expertise in specific domains.