NISlecture 2016/1

Our digital society and pervasive vulnerabilities

Published material: Video

Speaker : Sofie Nystrøm, Director CCIS & Member of the Norwegian Governments Digital Vulnerability Committee - Regjeringes Digitale Sårbarhetsutvalg

Abstract : After evaluating our digital vulnerabilities in our society, the governments committee - Regjeringens Digitale Sårbarhetsutvalg - published the Official Norwegian Report (NOU 2015: 13) to the Ministry of Justice and Public Security 30. November. The important observations include how our critical societal functions have become dependent on long and complex value chains, which generally span over several sectors and countries. The findings have implications for how we should respond to intentional and unintentional incidents. Privacy and our strategies of digitalisation raise important discussions on striking a balance. Do we have an operational capability and police to support our citizens, trade and private industry, government, and critical infrastructure? Should cryptography be regulated? One thing is certain, we experience new threats, e.g., that machines and infrastructure in Norway are attacked by anonymous players who are often located in other countries. The NISlecture will address some of the findings and policy recommendations summarised in the official report.

About the Lecturer:

Sofie Nystrøm is director of CCIS, Center for Cyber and Information Security at NTNU. CCIS is a partner-funded research and education centre. Defence, security authorities, industry, and academia have joined forces to form a strong partnership model. Nystrøm was a member of the Norwegian government’s Digital Vulnerability Committee. Previously she served as Vice President and Head of Group Security, Telenor Group and Vice President, and Chief Information Security Officer at DNB Bank with corporate responsibility in providing security, compliance and risk management. Nystrøm led the establishment of NorCERT within the Norwegian National Security Authority (NSM), and has experience of SIS (now NorSIS) at SINTEF, the largest independent research organisation in Scandinavia. Nystrøm has a master's degree from Purdue University, USA in Computer Sciences and Information Security; there she has also worked and researched at the Centre for Education and Research in Information Assurance and Security (CERIAS).


NISlecture 2016/2

Unpatchable: Living with a vulnerable implanted device

Published material: Video (the lecture starts about 10 minutes into the recording)

If you need the slides of this lecture, please contact jingjing.yang2@ntnu.no.

Speaker: Dr. Marie Moe, Research Scientist at SINTEF and Associate Professor at NTNU


Gradually we are all becoming more and more dependent on machines, we will be able to live longer with an increased quality of life due to machines integrated into our body. However, our dependence on technology grows faster than our ability to secure it, and a security failure of a medical device can have fatal consequences. This talk is about Marie's personal experience with being the host of a vulnerable medical implant, and how this has forced her to become a human part of the "Internet-of-Things”.
Marie’s life depends on the working of a medical device, a pacemaker that generates every single beat of her heart. As a security-professional Marie is worried about her heart's attack surface. How can she trust the machine inside her body, when it is running on proprietary code and there is no transparency? This is why she acquired medical devices that can communicate with her pacemaker, and started a project on investigating the security of her medical implant, together with a team of volunteer hackers.

About the Speaker:

Dr. Marie Moe is a Research Scientist at SINTEF ICT, and has an MSc in Mathematics and a PhD in Information Security. She has experience as a team leader at NorCERT, the Norwegian National CERT (Computer Emergency Response Team). Marie also holds a position as Associate Professor II at NTNU in Gjøvik, where she supervises students and teaches a class on incident management and contingency planning. Marie is passionate about incident handling and information sharing, she cares about public safety and securing systems that may impact human lives, this is why she has joined the grassroots organization “I Am The Cavalry”.


NISlecture 2016/3

Quantification of Cyber Risk Accumulation - one of the biggest challenges for insurers

Published material: Video

Speaker : Dr. Maya Bundt, Head Cyber and Digital Strategy, Swiss Re Reinsurance

Abstract : Cyber risk might accumulate in an insurance book in different ways: many insureds might be hit by the same cyber event. This event could be a common attack to a given business segment (e.g. e-commerce or financial institutions) or a major service provider, for example a large cloud provider, could be compromised and ceases operations. In both cases many different companies might be affected, and several of them might be insured by the same insurance company, thus creating an accumulation risk.

Another possibility is that different insurance covers are triggered by the same event. A typical example here would be the stealing and deleting of customers data by a hacker triggering insurance covers for privacy data breach (liability) and business interruption (because the data have been deleted at the same time) and the subsequent triggering of the D&O (Directors and Officers) insurance due to the fact the directors of the affected company might not have conformed to their fiduciary duties.

An insurance company needs to quantify this accumulation in order to answer the question: How much am I willing to loose with this business if an event happens?

Cyber risk makes the quantification of the accumulation potential extremely difficult. The main reason for this is the hard-to-understand interconnectivity and interdependency of the IT systems and services used by the different companies and the lack of geographical limitations of an event propagation.

Swiss Re has recently introduced a scenario based accumulation control mechanism, which is used to calculate the cyber accumulation in its reinsurance book of business due to cyber induced business interruption and continues to invest a lot of research into understanding cyber accumulation triggered by different cyber events.

About the Lecturer:

Maya Bundt is the Head Cyber and Digital Strategy at Swiss Re Reinsurance and in this role is responsible to further develop and implement the Reinsurance cyber risk strategy and to drive important digital initiatives. Before, Maya was the Chief of Staff of Group Strategy reporting directly Group's Chief Strategy Officer and driving the cyber risk topic from a Group Strategy perspective. Before she joined the Group Strategy team, Maya held a position in the Information Technology Division of Swiss Re. Maya joined Swiss Re from The Boston Consulting Group where she spent 3 years as a strategy consultant serving a variety of industries. Maya holds a PhD in Environmental Science from the ETH Zurich.


NISlecture 2016/4 (29.4.2016, 12.15-13.00 in K 102, non-public, please register)

Statkraft Challenges on Critical Infrastructure Protection

Speaker : Johnny Næss Langsrud, Moderated by Sokratis Katsikas

Abstract : In this lecture Johnny Næss Langsrud will talk about Statkraft, a leading power company with interactional ambitions. He will describe Statkraft's
security challenges as a power company highly dependent on infrastructure and solution, it's local versus central regulations, as well as examples
of attacks. The talk will present Statkraft's approach to IT and information security resulting from the differences between IT and information security and their organizational accountabilities. It will give a view of Statkraft's basic security architecture and attack vector commonalities and protection.

About the Lecturer:

Johnny Næss Langsrud is a Senior Vice President and CIO in Statkraft. He is also a board member of the KraftCERT and works on more secure and robust ICS systems by assisting the energy sector by preparing for relevant vulnerabilities and threats and be capable to detect and mitigate digital attacks. He has more than 20 years of experience in IT processes, infrastructure architecture and strategy process in the business area. Has a solid experience in outsourcing, vendor and supply management as well as strategy work.


NISlecture 2016/5 (27.5.2016, 12.15-13.00 in K 102)

Some ethical dilemmas of hacking

Speaker : May Thorseth, Professor of Philosophy, Department of Philosophy and Religious Studies, NTNU 
Published material: Video

Abstract : In this talk I shall reflect upon risk aspects of hacking from an ethical point of view. Do we have to choose between protecting of privacy on the one hand, and maintenance of trust relations on the other? Is the action of hacking always the same kind of action? Compare e.g., civilian hacking in the name of civil obedience to the authorities’ hacking for safety reasons. Conflicting interest between security and privacy are part of this picture as maintenance of security and trust relations may be conditioned by infringement of privacy.

About the Speaker : May Thorseth holds a professorship position at the Department of Philosophy and Religious Studies at NTNU, Trondheim. She is director of NTNU’s Programme for Applied Ethics, member of the management group of NTNU Sustainability (area Ethical Perspectives), and vice-chairman of NTNU’s Research ethical committee. Her current areas of interest are: ethics and political philosophy; applied ethics/research ethics; environmental ethics; information- and communication ethics; multicultural conflicts; democracy/fundamentalism. She is an author of many scientific publications.


NISlecture 2016/6 (03.06.2016, 10.00-11.00 in K113)

Transforming big data to actionable small data: Opportunities and Challenges of putting patient-generated health data in action

Speaker : Dr. Pei-Yun Sabrina Hsueh, IBM T.J. Watson Research Center


The rise of consumer health awareness and the recent advent of personal health management tools (including mobile and health wearable devices) have contributed to the recent shift transforming the healthcare landscape. Despite the rising trend of health consumers, the impact of user-generated health data remains to be validated. Past research has shown that 60% of health determinants are related to exogenous factors including social, environmental and behavior factors. However, how to measure and incorporate these factors into standard care practice is still an emerging field. In fact, many applications are hinged on the lack of a good platform that can provide better integration and sense-making of a multitude of “exogenous" patient-generated health data (PGHD) sources. In this talk we shall discuss both the success stories and the areas that fall short with the use of PGHD, walk through our experience with generating insights from PGHD, and discuss the associated challenges. In particular, we shall review the proposed behavioral learning and adaptation platform to make PGHD effective for the next-generation behavioral healthcare systems “on the cloud” as well as for the on-device intelligent systems “on the edges.” First, we evaluate the need of integrating multiple sources and the methodologies for understanding individual risk factors. Secondly, we optimize and adaptive deployment of behavioral interventions based on a more granular level of behavioral input and ecological momentary responses. Finally, we bridge the gap between system and user initiatives by creating systems that can think "outside the box" to find an alternative solution that would be more amenable to this individual by self-experimentation. The integrated platform enables the recommendation of care plans based on population data and adapts them plans with emerging evidence at the individual level. Finally, key dimensions such as including security and trust management issues will be discussed in the context of creating the behavioral learning and adaptation platform to make sense of PGHD.

About the lecturer:

Dr. Pei-Yun Sabrina Hsueh is currently working as Research Staff Member in the Group of Computational Behavioral and Decision Science at IBM T.J. Watson Research Center, leading the technical and thought leadership building initiatives of Cognitive Behavioral Learning and Adaptation for consumer and pervasive health informatics. She is instrumental to the development of behavioral analytics and instrumented health framework to put patient-generated data in action. She is also serving as the co-chair of IBM Health Informatics Professional Interest Community (PIC) and the Secretary of Consumer and Pervasive Health Informatics Working Group at American Medical Informatics Association (AMIA CPHI-WG). In 2014, she was the co-lead of IBM healthcare global technology topic. Dr. Hsueh specializes in translating real-world problems into pilot designs that can be illuminated with cognitive services on the edge with the adaptive personalization need learned from mobiles/wearables/bio-sensors. Her background and experience enables her to consult, publish and patent avidly in the areas of healthcare cognitive service design, computational linguistics, big-data and personalization analytics. She holds 20+ patent disclosures, 40+ peer-reviewed publications, and organizes a series of workshops and panels on the use of patient-controlled devices and patient-generated data in healthcare. She is a serial recipient of IBM Innovation and Manager Choice Awards and active in ACM, IEEE, EFMI and IMIA. Prior to IBM, she has served as European Google Anita Borg Scholar, worked in EU FP projects with 22 partner sites across 7 countries, and consulted in advanced technology lab and pharmaceutical sector. She received Masters in Information Management & Systems and the Ph.D. in Informatics from University of California, Berkeley and the University of Edinburgh respectively.


NISlecture 2016/7 (26.08.2016, 12.15-13.00 in K102)

Title: Practical Risk Assessments: A Trial by Fire

Speaker : Gaute Wangen, NTNU i Gjøvik 
Published material: Video

Abstract :

Risk assessments make up the cornerstone of information security, as they assist in deciding what to protect and how. In the course "A-IMT1132 Risk Assessment: Methodologies and Standards", the first-year students learn the basics by getting tossed into the deep water:  they first learn a formal risk assessment method and then apply it to a real-world information system on behalf of NTNU IT. Which requires the project participants to gather and review extensive information about the target, conduct interviews, and obtain an excellent understanding of the system. On top of this, the students have to manage large groups of up to ten people to solve the task. This talk will discuss the practical experiences in training for and carry out the assessments. We will discuss the ups and downs of running a risk assessment project for the first time, pitfalls, what works, and what doesn't work.

About the lecturer:

Gaute Wangen has got a Bachelor and a Masters degree in information security, both from NTNU Gjøvik. He is currently in his fourth year in the Ph.D. program here at Gjøvik researching and teaching information security risk assessment. He has previously worked as a special adviser on information security in Health care, working with governance and risk management. Gaute is also a Certified Information Systems Auditor (CISA).


NISlecture 2016/8 (30.09.2016, 12.15-13.00 in K102)

Title: Computer security at CERN: risks, vulnerabilities, threats, incidents etc. - trends and lessons learnt

Speaker : Sebastian Lopienski, CERN 
Published material: Video

Abstract :

In this lecture, Sebastian will present the computer security risk landscape of an international research laboratory, overview various motivations behind attacks, and explain how these threats are addressed at CERN. He will then go into details of several types of vulnerabilities, and incidents affecting CERN in the past - and will discuss lessons learnt. The lecture will conclude with a summary of possible future trends, and ways of responding to them.

About the lecturer: 
Sebastian Lopienski is CERN's deputy Computer Security Officer.
He works on security strategy and policies; offers internal consultancy and audit services; develops and maintains security tools for vulnerability assessment and intrusion detection; provides training and awareness raising; and does incident investigation and response. He graduated from the University of Warsaw, Poland (MSc in Computer Science) in 2002, and earned an MBA degree at the Enterprise Administration Institute in Aix-en-Provence, France in 2010. His professional interests include software and network security, distributed systems, and Web and mobile technologies.


NISlecture 2016/10 (28.10.2016, 10.00-16.00 in Atrium, A-Building)

Title: Cybersecurity Strategy for US, Europe and Norway

Agenda:  SikkertNOK 2016


NISlecture 2016/10 (25.11.2016, 12.15-13.00 in K102)

Title: Kan vi håndtere cybertrusselen?

Speaker : Arne Helme, Partner KPMG and member of CCIS

Abstract : In this lecture Arne will review status for cyber security in 2016 and postulate about the future landscape ahead.

About the lecturer:

Arne Helme received a Cand. Scient degree for research on distributed operating systems at the University of Tromsø in 1992 and a Doctorate degree in security engineering from the technical University of Twente, The Netherlands, in 1997.  For the past 20 years he has helped public and private organization in Europe to improve their security capabilities – particularly in the area of electronic ID and national security infrastructures. He is currently Partner and Cyber Security Lead at KPMG Norway.


NISlecture 2016/12 (16.12.2016, 12.15-13.00 in K102)

Title: Ethics in Information Security

Speaker : Bishop Solveig Fiske, Bishop of Hamar, Church of Norway

Abstract : How to handle privacy and information aspects we learn about other people in our jobs – «the thin line» between more security and privacy.

About the lecturer: Ms. Solveig Fiske, Bishop in the Church of Norway, the Diocese of Hamar.

Born in 1952. Ordained pastor in January 1982. Consecrated bishop December 2006. Worked several years as chaplain and vicar in local parishes. Former leader of Norwegian association of female theologians. Member of the Norwegian delegation at the Pastoral Conference of Great Lakes in Africa in 2003 and 2004. Representing the Church of Norway’s Bishops conference in the Coordination council on abuse issues. Representative in the board of the Practical-Theological Seminar at the University of Oslo. Leader of the board of The Church’s Resource Centre against violence and sexual abuse. Part of the campaign-board for the national Stop violence against women campaign.