Navigation auf uzh.ch

Suche

Digital Society Initiative

Cybersecurity governance framework

For over three years, researchers from the Digital Society Initiative (DSI) of the University of Zurich and the University of Lausanne have been examining the ethical and legal aspects of cybersecurity, developing findings and recommendations.

Cybersecurity is characterized by rapid technological progress. New security vulnerabilities are constantly emerging, making technical protection measures necessary. The speed of this development overwhelms many people and prevents them from making informed decisions about their usage behavior. The rule of law is also being challenged by this technological change, as democratically supported legislative procedures cannot always keep pace with the speed of technological development. This leads to governance and legal loopholes that make effective and democratically supported cyber security more difficult.

In the project «Creating an ethical and legal governance framework for trustworthy cybersecurity in Switzerland», researchers from the DSI and the University of Lausanne have developed findings and recommendations on non-technical aspects of cybersecurity as part of National Research Program 77 «Digital Transformation».

The project pursued three goals:

  1. To identify the need for regulation in the area of cybersecurity resulting from the mismatch between technological and legislative speed.
  2. Obtain data through surveys of critical infrastructure operators and cybersecurity professionals to support the national cybersecurity strategy.
  3. Based on the results of the first two objectives, to create a governance framework consisting of recommendations for legislators and ethical guidelines for professionals.

The project developed an overview of the legal situation in the area of cybersecurity in Switzerland in the form of two dissertations and several publications. Significant legal gaps were identified. The resulting recommendations concern proposals for adapting the legal framework, in particular the Information Security Act and its ordinance.

In interviews and surveys among cyber security experts, specific information exchange practices, expectations of the legislator and of the new Federal Office for Cyber Security were identified and published in several publications (including those in the general media). In particular, it emerged that more regulation is expected for prevention, while there should be greater legal leeway for operational measures to deal with cybersecurity incidents, especially for critical infrastructures. In an ongoing survey (as of June 2024), specific determinants of decision-making during the management of incidents are being determined. The results of the legal and empirical analyses have been incorporated into consultations on Switzerland's cybersecurity strategy, on the new reporting obligation for cybersecurity incidents and on measures for better protection against ransomware attacks.

The need for legislation was specified at several events for the attention of national and cantonal parliaments, the research community and the business community. In particular, the project aims to address the following points:

  1. A sharpening of the legal definition of the concept of «critical infrastructure» and an expansion of the scope of application of the minimum cyber security requirements in the Information Security Act.
  2. A tightening of the existing legal minimum requirements for cyber security.
  3. The introduction of additional legal requirements for IT services, in particular for digital security services.

Furthermore, guidelines for the creation of a value-oriented cybersecurity culture were developed, which are aimed in particular at CERTs (Computer Emergency Response Teams). This is intended to ensure that ethical and legal uncertainties are addressed early enough so that they do not hinder the decision-making process in the event of cyber security incidents that require rapid decision-making.

Research in the field of cyber security will continue at the DSI. The DSI is currently home to the DIZH structure CYREN ZH, which aims to promote research and education in the field of cybersecurity at the UZH and ZHAW and contribute to the development of a volunteer network in the field of cybersecurity.


Researchers involved

  • Dr. Markus Christen (DSI; PI)
  • David-Olivier Jaquet-Chiffelle (University of Lausanne, co-PI)
  • Sylvain Métille (University of Lausanne, co-PI)
  • Reto Inversini (Swiss GovCERT)
  • Manuel, Suter (National Center for Cyber Security)
  • Christophe Hauert (University of Lausanne)
  • Melanie Knieps (UZH)
  • Pauline Meyer (University of Lausanne)
  • Sara Pangrazzi (UZH)
  • Delphine Sarrasin (University of Lausanne)


Project Advisory Board

  • Endre Bangerter (Bern University of Applied Sciences / Threatray)
  • Josep Domingo-Ferrer (University Rovira i Virgili, Catalonia)
  • Gloria González Fuster (Vrije Universiteit Brussel, Belgium)
  • Dominik Herrmann (Otto-Friedrich-Universität Bamberg, Germany)
  • Alexey Kirichenko (F-Secure, Finland)


Funding

Swiss National Science Foundation, National Research Programme 77 «Digital Transformation».