Digital help provides good cyber hygiene

Jun 9, 2021

Text: Anne-Lise Aakervik
Photo: Geir Morgen/NTNU

Data loss, hacking, storing data in the wrong places: these are some examples of what bad cybersecurity can lead to. In the hunt for a good risk assessment system, Gaute Wangen and Vebjørn Slyngstadli developed their own.

A happy three-leaf clover. “For the first time, there is a commercialization project from the staff at NTNU.” Hege Tokerud, project manager at NTNU Technology Transfer, thinks so. “This is a product we see has great potential,” she says. Developers Gaute Wangen (center) and Vebjørn Slyngstadli look forward to putting pilot customers in place.

– All organizations experience security breaches from time to time. Often there are minor things, but major attacks also occur. It costs money. Nevertheless, risk assessment of computer systems is often neglected, says Gaute Wangen. He wrote his Ph.D. thesis on cybersecurity in 2017 and was employed by NTNU to work with precisely this issue. Together with colleague Vebjørn Slyngstadli at NTNU Gjøvik, he works in the Section for Digital Security at NTNU.

“With us, we probably work with between 6-800 different systems,” says Slyngstadli. “We can say that we contribute to solving the Excel nightmare that all security people sometimes get,” says senior adviser Gaute Wangen. “Pulling the risk assessment through a system that summarizes the challenges you face is something we have been looking for.”

Reveals security holes

A lack of good-enough tools that make it easier for the user of a system to conduct a risk assessment led them to develop new software: DIRI (Digitized Intelligent Risk Identification). The program guides users through a process that lets them identify the risks and then suggests what it takes to secure the computer system or program. This is how you can avoid hacking or data getting lost. Other incidents are identity theft or sharing information that should not have been shared at all.

“There are often standard issues that recur in most risk assessments,” says Vebjørn Slyngstadli, security architect at the Section for Digital Security, NTNU. “It inspired us to develop DIRI AS.”

Applies to all

Challenges around cybersecurity apply to all types of organizations, from universities to the health, municipal and financial sectors. “Yes, basically all types of sectors that have computer systems and customer care,” says Wangen. “Even the Norwegian Parliament has challenges,” says Slyngstadli, referring to last year’s hacking of e-mail accounts for several representatives. “It may seem that poor cyber hygiene was the cause. It can, e.g., be a two-factor login.”

Today, mostly IT experts make such risk assessments, but Wangen does not think it is necessary. He says there are not enough experts in the world to make all the assessments. It’s about putting things in order, finding common denominators and things to report on.

Standards and norms

Everyone should be able to achieve this with a little help, according to the founders of DIRI AS. They have experienced that many issues recur in risk assessments. That can be how to handle their users, who should be allowed to log in, who should handle the data, where it should be stored, etc. It can be compared to building or rehabilitating a house, where several norms and standards come into play, such as the wet room norm. TEK 10 and 17 are two other standards that state how the house must be built for it to be approved. “In the same way, we have norms and security standards for the construction of digital infrastructure,” says Gaute Wangen. “But unfortunately, they are not used much.”

The software from DIRI will help a company find the small things that can cause errors. “The system comes from unique research and development at NTNU,” says Hege Tokerud, project manager at NTNU Technology Transfer in Gjøvik. Based on the answers you give, a risk matrix and a report are prepared: an understandable summary of what the problem is, and what one should possibly do to prevent it from happening. There are many frustrated technologists with poor tools to convey risk to management. DIRI will help them visualize and communicate.

First innovation from staff

“The funds we received from NTNU Discovery in the start-up were crucial for us. Without them we would not have gotten anywhere; we would still have just walked around and talked about this,” says Gaute Wangen. Once again, the support from NTNU Discovery in the early phase unlocks funds from other actors. DIRI received 300,000 NOK from Gjøvik municipality when starting up, and 500,000 NOK from the Research Council. “This shows that early funding from NTNU Discovery is important for more support. TTO prioritizes this because we see it can reach an internationally scalable market in all industries around the world,” says Tokerud. Here we are talking about knowledge for a better world in all industries. In the long run, DIRI will be a company that both sells licenses and provides security consulting. “And we are very sure that cybersecurity must be given much higher priority if you want to be competitive in the future,” conclude Wangen and Slyngstadli.

The developers are pleased to have created a system and user interface that clarifies what needs to be addressed. – Carrying out a risk assessment to find the security holes is one thing but reporting comprehensibly on it is often a challenge. This is where DIRI comes into its own, says Vebjørn Slyngstadli.

