Research Group Quantifying Security
Quantifying security is one of the fundamental open problems in IT security research. In contrast to safety, it is not possible to take an overall statistical approach, as the adversary in IT security is intelligent, adaptive, and learns from the past. In the context of IT security, qualitative security analyses already allow us to deal with such intelligent adversaries. In the Research Group “Quantifying Security” (Q), we extend the state-of-the-art from qualitative to quantitative analyses. To this end, we first investigate possible quantitative indicators for security coming from the disciplines participating in this Research Group, i.e., cryptography, IT security, formal methods, and economics. Examples of quantitative indicators include the coverage of formal verification or a partial order for security notions, e.g., in the setting of anonymous communication.
Quantitative indicators are of particular interest if analyses cannot be fully performed or completed, e.g., due to a system’s complexity or because of the existence of vulnerabilities. In such settings, the analysis could indicate the severity of the vulnerability or help to prove the correctness of a fix, i.e., that no new vulnerabilities are introduced. In order to obtain a holistic quantification of a system’s security, the individual quantitative analyses have to be combined in an appropriate way. A particular challenge is to map the disciplinary quantitative indicators to a common indicator such as the risk or the cost of an adversary to attack the system. In the Research Group Q, we develop such common indicators and a methodology for the combination of the individual analyses. We work together with the other Research Groups and Security Labs for applications of our methods, e.g., to perform a quantitative security analysis of a demonstrator.
Research Area 1 – Cryptographic Aspects of Quantification
Involved PIs: Jörn Müller-Quade, Thorsten Strufe
Active Researchers: Laurin Benz, Robin Berger, Christoph Coijanovic, Christian Martin, Markus Raiber, Daniel Schadt
Networked communication is ubiquitous in today’s world. As tasks such as instant messaging or computations on secret data are often very sensitive, protocols with strong guarantees are desirable. Such guarantees may be cryptographic, guaranteeing, e.g., the integrity or the confidentiality of inputs, or with respect to privacy, e.g., protecting the parties’ identities. Often, either guarantee is worthless without the other. In this Research Area, we systematically collect privacy-related and cryptographic properties for different primitives and protocols. We also provide novel definitions with a specific focus on privacy and investigate what building blocks are necessary to achieve them. Based on the collected properties and definitions, we develop quantitative indicators for important properties. To make our results accessible, we present a visualization of our quantification results for one cryptographic building block.
Research Area 2 – Quantifying Architecture and Code (QuAC)
Involved PIs: Bernhard Beckert (Head), Ralf Reussner
Active Researchers: Florian Lanzinger, Frederik Reiche, Samuel Teuber
Most formal methods see the correctness of a software system as a binary decision. However, proving the correctness of complex systems completely is difficult because they are composed of multiple components, usage scenarios, and environments.
In the QuAC project, we formalized and implemented a modular approach for quantifying the safety of service-oriented software systems by combining software architecture modeling with deductive source-code verification. We first formally analyze the source code to find weaknesses, i.e., inputs for which the software may behave incorrectly. We then combine these weaknesses with the model of the service-oriented architecture as well as the probabilistic usage scenarios of the system. This combined model can then be analyzed, leveraging our previous research on quantification, to compute the probability that the software will behave correctly.
To quantify the security of software, we extended QuAC with attack models. We model the capabilities and possible actions of an attacker based on the weaknesses found by our deductive verification. This security analysis has been applied in the Security Lab Energy, where we analyzed various security requirements using a model of EVerest electronic-vehicle charging stations. It has also been applied in Research Group Quantification, where we analyzed manipulation attacks on the software powering the CoRReCt demonstrator.
Research Area 3 – Economic Cyber Risk Analysis
Involved PIs: Jürgen Beyerer, Marcus Wiens (Head)
Active Researchers: Ingmar Bergmann, Jürgen Beyerer, Pascal Birnstill, Jeremias Mechler, Ankush Meshram, Jörn Müller-Quade, Jonas Vogl, Paul Georg Wagner, Marcus Wiens
Economic Cost Assessment & Optimal Allocation of Defense Resources
Investing in cyber security should be both effective and efficient. This presents companies with non-trivial problems for several reasons.
The “Mapping-Problem”: Many types of risks (e.g., data breach) cannot be directly assigned to specific business processes, which is a prerequisite for impact valuation. Our approach is to apply Process-Value-Analysis (PVA) as an established method to determine the value of disrupted processes, either on an industry-level or a supply-chain-level (Kaiser et al. 2021a).
The “Prioritization-Problem”: It is intricate to prioritize system elements and potentially affected business processes, which is mainly due to the systems’ interconnectedness.
The “Scalability-Problem”: Even if you know which defensive measures to focus on primarily, these should often be scalable in practice. Scalability gives companies additional flexibility. On the market for security solutions, “off-the-shelf” products are not necessarily suitable for all companies and must be tailored to specific needs. For SMEs, this option makes some security solutions affordable. We approach the Prioritization-Problem and the Scalability-Problem by combining game-theoretic analysis, Cyber Threat Intelligence (CTI, Kaiser et al. 2023), and an approach for Countermeasure Selection & Allocation (CSA). The CSA-approach was developed for Industrial Control Systems (ICS), with the KASTEL-Production Lab PoC-demonstrator of Fraunhofer IOSB as a use case.
The “Assessment-Problem”: In order to arrive at a coherent risk assessment, it is difficult to assess the expected damage. Attack probabilities result jointly from a highly dynamic attack landscape and the system’s vulnerabilities; the consequences of cyberattacks include tangible and intangible, direct and indirect, monetary and non-monetary costs. We use Cyber Threat Intelligence (CTI) to monitor and simulate attack frequencies and attack targets. To improve cost assessment, we transfer our research from the areas of supply chain risk management and humanitarian logistics to the area of cyber risk management (Diehlmann et al. 2021; Kaiser et al. 2021b).
Game-Theoretic Analysis of Privacy & Security
Interactive assistance plays an increasingly important role in many modern production processes. Since these systems acquire and process information about human workers to assist them in their tasks, designing assistance systems in a privacy-respecting and secure fashion is a major concern. With the Production Lab 4Crypt-demonstrator of Fraunhofer IOSB, we develop and analyze interactive assistance systems that are both transparent—in the sense of being comprehensible for their users, but also in the sense of data protection duties of operators—as well as trustworthy—in the sense of being privacy-respecting and comprehensibly secure.
The game-theoretical analysis shows that an employer has a systematic incentive to make illegitimate requests to inspect the video recordings, which leads to discrimination, increased stress, and reduced trust among workers. This illustrates the particular relevance of the cryptographic solution. Looking at assistance systems through the lens of signaling games, it should not be possible to draw conclusions about the individual worker in the event of a failed approval (counterproductive signal). From a game theory perspective, the system is only information-proof if an independently acting works council is responsible for granting consensus. In companies without a works council (< 5 employees), this role could be assumed by an elected shop steward. However, this could not avoid the signaling effect.
The trust level of the workers is of great importance for the working atmosphere and labor productivity. The game-theoretical analysis confirms that the two most important sources of trust are (I) the “integrity of encryption components” and (II) the independence and consensus principle of information release. These requirements are generally not met by established video assistance systems, highlighting that 4Crypt makes a key contribution to increasing security and privacy at the workplace.
Research Area 4 – Security Analyses
Involved PIs: Bernhard Beckert, Jürgen Beyerer (Head), Jörn Müller-Quade
Active Researchers: Pascal Birnstill, Felix Dörre, Florian Lanzinger, Christian Martin, Jeremias Mechler, Paul-Georg Wagner
The theoretical results in the above research areas are applied in the research area Security Analyses. The goal of our research is to not only show the practical validity and value of our results, but also to establish a (general) quantification methodology.
To this end, we are currently performing the following quantitative analyses:
- We performed a cryptographic security proof of the 4Crypt demonstrator in the Universal Composability framework. In order to extend this security proof to a quantitative analysis covering the actual real-world system, we are currently in the process of researching a methodology that extends cryptographic security proofs to attack trees in a systematic way, mapping security mechanisms of the model to security mechanisms of the real world. Using this attack tree, the costs of an adversary to break the security of 4Crypt relative to the considered adversarial model will be determined by quantifying the assumptions security relies on.
Additionally, we are in the process of performing a game-theoretic analysis which quantifies the impact of the system, as well as of its technical security measures, on workers interacting with the system.
- For the CoRReCt demonstrator, we are applying the approach developed in the Research Area 4 QuAC to quantify the security of a critical component.
Research Area 5 – Network Resilience in Healthcare against Cyber-Attack
Involved PI: Emilia Grass
Active Researchers: Abhilasha Bakre, Stephan Helfrich, Aiman Zainab
This research addresses the urgent and growing challenge posed by cyber threats to digitally connected healthcare systems. As healthcare providers increasingly rely on interoperable digital infrastructure, the risk of cyber incidents with severe consequences for patient care, operational continuity, and financial stability has become a pressing concern. This research is developed in close collaboration with Imperial College London, UK Trusts and several hospitals in Baden-Württemberg, combining academic and clinical perspectives to ensure the practical relevance and applicability of its outcomes. We aim to understand how healthcare networks can be made resilient – not only at the level of individual hospitals, but across interconnected systems by integrating analytical modeling, simulation, and stochastic programming.
The project is grounded in the understanding that healthcare is uniquely vulnerable to cyber threats due to its complexity, reliance on outdated technologies, and chronic underinvestment in cybersecurity. The overarching goal is to develop a comprehensive framework that captures the propagation of cyber threats across hospital networks and assesses the cascading effects on clinical services, with a focus on ensuring patient safety. A major innovation of the proposal is the recognition that cyber-attacks can cause indirect harm beyond the initially affected facility, as disruptions force patient redirections and overwhelm other hospitals within the network. Building resilience, therefore, requires a systemic perspective that accounts for network interdependencies and operational dynamics.
This research was advanced through two core methodological contributions. The first is a stochastic optimization model developed specifically for the UK National Health Service (Grass et al., 2024). This two-stage model supports decision-makers in selecting optimal cybersecurity countermeasures under uncertainty. It anticipates future attack scenarios and incorporates the Conditional Value-at-Risk (CVaR) as a risk metric to account for low-probability, high-impact incidents. Numerical results from a realistic NHS Trust case study show that incorporating stochastic modeling yields more robust decisions compared to traditional deterministic approaches. In high-risk scenarios, the optimized strategies reduced the number of rejected patients by 44%, highlighting the model’s relevance to patient-centered cybersecurity planning.
Complementing this, the second strand of the research applied discrete event simulation to assess operational disruptions in the event of cyber-attacks, focusing on medical devices and emergency department workflows (Angler et al., 2024). The study modeled a hospital’s emergency department and evaluated how technology partnerships could improve cybersecurity readiness and recovery. By simulating different damage scenarios, the study quantified the financial and non-financial impacts of cyber incidents, including lost patient revenue, increased length of stay, and staff overload. When technology partnerships were integrated into the model, recovery times improved by 25%, and estimated cost savings ranged from €245,579 to €315,768 over a 21-day period. These findings suggest that outsourcing certain cybersecurity functions to trusted partners with specialized expertise can offer a viable strategy for hospitals with limited in-house capacity.
The conceptual foundation for these models is supported by the development of the Essentials of Cybersecurity in Healthcare Organizations (ECHO) framework, presented in the Delphi consensus study (O’Brien et al., 2021). This study engaged 42 international experts to identify core components of a globally relevant cybersecurity readiness framework for healthcare providers. The resulting ECHO framework consists of 51 components organized across six categories, emphasizing governance, infrastructure, and organizational preparedness. It reflects the healthcare sector’s specific requirements and serves as a practical planning tool, particularly for institutions with limited resources or in lower-income settings.
In sum, this research contributes a novel, evidence-based approach to understanding and enhancing cyber resilience in healthcare. By combining risk-based optimization, process simulation, and expert-informed frameworks, it demonstrates that a network-aware strategy is essential to mitigating the impact of cyber threats. The findings emphasize that resilience must go beyond prevention to include robust recovery planning, capacity coordination, and cross-institutional collaboration. In doing so, the project provides actionable insights for healthcare providers, policymakers, and technology partners working to safeguard patient care in an increasingly digital and threat-prone environment.
Name | E-mail | Function
---|---|---
Jeremias Mechler | jeremias mechler ∂does-not-exist.kit edu | Research Group Leader |
Jörn Müller-Quade | joern mueller-quade ∂does-not-exist.kit edu | Spokesperson |