The third pillar of the EU Directive concerns the market operators. The EU requires Member States to impose cybersecurity requirements on operators of critical infrastructures and providers of digital services. Here, the EU chooses a mixed regulatory approach, however, with slight differences between the two kinds of companies: Operators of essential services have to take technical and organisational measures to manage the risks posed to the security of their network and information systems. Here, the operator’s measures must be appropriate to the specific risks. The directive does not specify which concrete measures are to be taken. However, Member States have to carefully identify the operators of essential services and ensure compliance with the obligations, for example by conducting security audits or inspecting results of independent audits. Therefore, it is up to the Member States to more specifically define what technical and organizational measures meet compliance requirements. Penalties for the infringements of the security provisions have to be laid down under national law (art. 21).
The regulation of digital services is less rule based. The inclusion of digital services was one of the focal points of the political debate. In particular, US based over‐the‐top providers massively rejected specific security regulations for their services. Following lengthy discussions in the legislative process EU institutions agreed to include a part of the digital services in the regulation, but those which are especially relevant for the digital economy. These are online marketplaces (including app stores), online search engines, and cloud computing services. Beyond that, the concept of cloud services is interpreted very broadly (“a digital service that enables access to a scalable and elastic pool of shareable computing resources,” Art. 4, No. 19).
For the provider of such digital services the Directive presents much more specific requirements on the technical and organizational means to protect their services (see Art. 16 NIS directive). However, for digital services, Member States are not required to identify companies governed by these regulations or to check their compliance with the obligations. Both groups, operators of essential services and digital service providers must report security incidents to the appropriate authorities. If there were a public interest in knowing about the incident, the competent authority should inform the public.
With the mixed approach regulation and the extension of minimum security standards to digital service providers, the EU is taking a major step in regulating the security of cyberspace. The italic fields in Table 29.2 show the negative and positive incentives that the EU directive takes to enhance cybersecurity. The table is based on a scheme developed by Kristina Irion out of the variety of policy instruments for cybersecurity found in literature. It shows that European regulators take up a majority of respective policy instruments. By May 2018, the Directive must be implemented by the Member States to their national law. It goes into effect for market operators after that implementation. Table 29.2Policy instruments used in the EU directive. (Source: Own adaption, based on Irion [4])
Policy
Instruments
Positive Incentives
Negative Incentives
Legal and regulatory measures
Public ICT security trustmark
National legislation/regulation of information security
Setting‐up national CERT functionality
Mandating best practices to enhance information security
Liabilities in case of failure to meet required standards
Security breach information duties
Compulsory memberships in professional organizations/PPP
Economic measures
Tax credits and privileges for certain initiatives
Financial penalties for violation of legal/regulatory provisions (compensatory, punitive)
Public subsidies for certain investments in information security
Payments for access to valuable information
Insurance markets
Technical measures
Technical guidance
Information security standards
Offering technical assistance
Mandating security testing, audits or peer‐evaluation
Education and training relevant to ICT security
Mandating participation in security exercises
Informational measures
National and international information sharing in information security
Publication of individual operator’s ICT security breach notifications
29.3 EU Directive and Technology Development – A Critical View
A major objective of the EU’s cybersecurity strategy is to enhance cybersecurity in technology development and digital business innovation. Companies are requested to use advanced cybersecurity technology and to take cyber risks into account when digital business models are further developed. In this respect, the Directive could be characterised as a first attempt to incentivize more secure technology and services. The regulation of cyber risks is still in its infancy. Worldwide it is based on a weak empirical basis. Also, the EU proposal was based on an extremely limited number of well‐evaluated cyber incidents [13]. Risk assessment and risk regulation of cyber risks are not yet appropriately developed, i. e. compared to the banking and finance sector, where regulation followed much more substantial risk models [13].
With the mixed regulation approach, the EU has chosen the regulation method with the best prospects of success [7]. It combines a “check box approach,” i. e. the need for market operators to meet compliance requirements, with an obligation to set‐up or improve a particular risk management system. The central requirement for private companies to “take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems” (art. 14, similar in art. 16) is open for a sector or company specific choice of measures. Therefore, “the EU approach has the potential to set an example to the rest of the world regarding the interests and values to be preserved through legislation in this field” [7].
What is astounding is the almost total abandonment of self‐regulation elements in the Directive. In particular, a cooperative element could help to improve the technical measures to be taken [4]. An example of such an instrument can be found in the German IT security law of 2015, adopted before the passing of the Directive. There, critical infrastructure operators are entitled to define industry standards as minimum security standards. After approval by the competent authority, these standards are obligatory for the relevant industry [14]. The EU Directive leaves it open to Member States’ implementation for incorporating such participatory elements – at least for the essential services. However, in the design of technical standards in the context of such self‐regulation, European or internationally accepted market standards must be taken into account (art. 19). Regarding the sector of digital services, the consideration of participatory elements is not possible as the Member States have very little implementation flexibility. The European Commission is entitled to adopt implementing acts to specify the standards digital service providers have to comply with. An involvement of the private sector in the development of these standards is not provided. The cooperation group, composed of European Commission, ENISA, and Member States, will only discuss standards with representatives from the relevant European standardisation organisations (art. 11).
Internationally ground‐breaking is the specification of security requirements of digital services [7]. By regulating not only the critical infrastructure, but also the most important digital services (especially the cloud services), the Directive will immediately influence the technology development of digitization. Here, Europe goes far beyond the approach of the United States, which is solely targeting critical infrastructure. In Europe, the “internet giants [are] involved in the goal of achieving critical infrastructure p
rotection” [7].
More could have been done by the EU to stimulate the development of security technology. After all, the “mismatch between functional ICT developments and an appropriate level of cybersecurity to those developments” [15] is one of the biggest challenges for cybersecurity, so far barely seen by regulators. Only Germany and Japan have addressed this issue in their cybersecurity strategies. Japan particularly addresses the cybersecurity challenge from a more technological viewpoint, taking into account the need for technical agility to address the dynamic cyber threats [15].
In this regard, the issue of stronger liability of ICT producers for vulnerabilities in their products had been discussed in the legislation process. One of the most important reasons for security incidents is the exploitation of vulnerabilities in immature software products. Unfortunately, the Directive could not bring about a system which increases the liability. To tackle the root of many cybersecurity problems, an increased liability of ICT producers cannot be avoided. The existing liability regimes have not led software manufacturers to bring mature products to the market, even if those products are intended for use in essential services.
For now, the EU Directive at least offers an initial starting point to come to greater responsibility of manufacturers. By requiring “state‐of‐the‐art” security technology for appropriate cybersecurity, the EU Directive stimulates the development of industry‐specific and cross‐industry market standards. First manufacturer organisations have developed state‐of‐the‐art handbooks to assist market operators in choosing the best technology (for example [16] in Germany). For the operators of essential services, Member States may take up the European regulation further; for the digital service providers, it is up to the European Commission to enhance technological cybersecurity by adopting demanding implementing acts.
References
1.
European Commission, “A Digital Single Market Strategy for Europe {COM(2015) 192 final},” 2015.
2.
OECD, “OECD Communications Outlook 2013,” 2013. [Online]. Available: http://www.oecd.org/sti/broadband/oecd-communications-outlook-19991460.htm. [Accessed 26 08 2016].
3.
S. Muylle und E. Vijverman, “Online Jobs Boosting Europe’s Competitiveness,” 2013. [Online]. Available: http://www.vlerick.com/en/research-and-faculty/knowledge-items/knowledge/online-jobs-boost-europes-competitiveness. [Accessed 25 08 2016].
4.
K. Irion, “The Governance of Network and Information Security in the European Union: The European Public-Private Partnership for Resilience (EP3R),” in 27th European Communications Policy Research Conference (EUROCPR), 2012.
5.
Council of Europe, “Convention of Cybercrime,” European Treaty Series, Nr. 185, 23 11 2001.
6.
Council of Europe, “Chart of signatures and ratifications of Treaty 185 (Convention of Cybercrime),” 2016. [Online]. Available: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures?p_auth=JhfeP2x7. [Accessed 25 8 2016].
7.
A. Segura Serrano, “Cybersecurity: towards a global standard in the protection of critical information infrastructures,” European Journal of Law and Technology, Nr. 3, pp. 1–24, 2015.
8.
S. J. Shackelford und A. Kastelic, “Toward a State-Centric Cyber Peace: Analyzing the Role of National Cybersecurity Strategies in Enhancing Global Cybersecurity,” New York University Journal of Legislation and Public Policy, Nr. 4, pp. 895–984, 2015.
9.
F. Massacci, R. Ruprai, M. Collinson und J. Williams, “Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers,” IEEE Security & Privacy, Bd. 14, Nr. 3, pp. 52–60, 2016.Crossref
10.
European Commission, “Impact Assessment – accompanying the document ”Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union“ {COM (2013) 48 final},” 2013.
11.
European Commission; High Representative of the European Union for Foreign Affairs and Security Policy, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace {JOIN(2013) 1 final}, 2013, pp. 1–20.
12.
European Parliament and Council of the European Union, “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union,” Official Journal of the European Union, Nr. L194, 19 7 2016.
13.
E. Fahey, “The EU’s Cybercrime and Cyber-Security Rulemaking: Mapping the Internal and External Dimensions of EU Security,” European Journal of Risk Regulation, Bd. 5, Nr. 1, pp. 46–60, 2014.Crossref
14.
A. Könen, “IT-Sicherheit gesetzlich geregelt,” Datenschutz und Datensicherung, Nr. 1, pp. 12–16, 2016.Crossref
15.
E. Luiijf, K. Besseling und P. de Graaf, “Nineteen national cyber security strategies,” Int. J. Critical Infrastructures, Bd. 9, Nr. 1/2, pp. 3–31, 2013.Crossref
16.
TeleTrusT e. V., “Handreichung zum ”Stand der Technik“ im Sinne des IT-Sicherheitsgesetzes (German),” 2016. [Online]. Available: https://www.teletrust.de/fileadmin/docs/fachgruppen/ag-stand-der-technik/TeleTrusT-Handreichung_Stand_der_Technik.pdf. [Accessed 26 08 2016].
Further Reading
17.
E. G. Baud, P. Bru, L. de Muyter, E. Fortunet, J. Little und S. Macchi di Cellere, “Europe proposes new laws and regulations on cybersecurity,” 2 1 2014. [Online]. Available: http://www.lexology.com/library/detail.aspx?g=1f872876-3d23-44e7-a8f1-92a9be8d080b. [Accessed 25 8 2016].
© Springer-Verlag GmbH Germany 2018
Claudia Linnhoff-Popien, Ralf Schneider and Michael Zaddach (eds.)Digital Marketplaces Unleashedhttps://doi.org/10.1007/978-3-662-49275-8_30
30. The Future of Machine Learning and Predictive Analytics
Ali Reza Samanpour1 , André Ruegenberg1 and Robin Ahlers1
(1)University of Applied Sciences South Westphalia, Iserlohn, Germany
Ali Reza Samanpour (Corresponding author)
Email: [email protected]
André Ruegenberg
Email: [email protected]
Robin Ahlers
Email: [email protected]
30.1 Introduction
The World Wide Web offers a multitude of opportunities for anyone who wants to share their views with a wide audience or comment on products, movies etc., in particular through social media platforms like Twitter and Facebook.
Assuming that all profit‐seeking companies aspire to maximize their share of the market – if not to become market leader – they depend on a high degree of customer satisfaction and will therefore strive to fulfill as many customer wishes as possible.
Companies are extremely keen to make good use of any information they can garner from social media in order to achieve this goal. Reviews and opinions that consumers share voluntarily on the Internet can be collated and analyzed to draw conclusions about customer preferences and identify potential product improvements. Thanks to information systems like sentiment analysis the wealth of information available can be translated effectively into useable knowledge. The challenge lies in obtaining sufficiently accurate data and applying efficient analysis methods [1].
This article aims to provide an insight into the enigma of artificial intelligence – no longer limited to science fiction – and to illustrate some useful applications for companies with a strong consumer focus, as well as a brief look ahead to the future of machine learning.
30.2 Categorization – Machine Learning and Data Mining
&nb
sp; As Fig. 30.1 shows, in addition to machine learning and data mining there are several other terms which should be defined here. Data mining refers to a process of pattern recognition in existing, structured data. This process may be carried out automatically with the help of machine learning or semi‐automatically by applying statistical methods [2].
Fig. 30.1Venn diagram – Categorization. (WinfWiki [3])
Whereas data mining draws from structured data stored in databases, the huge quantities of data we want to analyze from the web are largely unstructured. According [31] to more than 80% of this data is in text form, which is where text mining comes in, i. e. the extraction of useable information from input text. Text mining tasks include linguistic analysis and statistical pre‐processing [4]. Text mining starts with document or information retrieval, followed by document preparation. First of all, text is tokenized, in other words broken up into segments, usually individual words, and the punctuation removed. Stop words (non‐content words), such as articles and conjunctions are usually discarded. The next step is part‐of‐speech tagging, which involves marking each token with a word category. Many tokens can be further reduced to their root form by lemmatizing and stemming. Tokenization thus converts a text into a format that lends itself to more effective analysis. These final steps of document preparation are followed by document transformation.
Digital Marketplaces Unleashed Page 42