User Group; User Centric Approach; Guidance for providers and standardization makers

DTR/USER-0048

General Information

Status: Published
Publication Date: 04-Mar-2019
Technical Committee
Current Stage: 12 - Completion
Due Date: 05-Mar-2019
Completion Date: 05-Mar-2019
Ref Project
Standard: ETSI TR 103 603 V1.1.1 (2019-03) - User Group; User Centric Approach; Guidance for providers and standardization makers
Language: English
Length: 35 pages

TECHNICAL REPORT
User Group;
User Centric Approach;
Guidance for providers and standardization makers

2 ETSI TR 103 603 V1.1.1 (2019-03)

Reference
DTR/USER-0048
Keywords
IoT, user
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2019.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Introduction . 4
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definition of terms, symbols and abbreviations . 7
3.1 Terms . 7
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Provider Service Platform . 9
4.1 Open Service Platform . 9
4.2 Providers . 10
4.2.1 Provider services management . 10
4.2.1.1 From QoS to QoE . 10
4.2.1.2 The UX pyramid . 11
4.2.2 Security, data protection and privacy . 12
4.2.2.1 Security . 12
4.2.2.2 Data protection . 14
4.2.2.3 Privacy . 15
4.2.3 Provider offers (PaaS) . 16
4.3 Service composition . 19
5 Provider process for Smart Meter (functional model) . 19
6 Profiles (Information Model) . 21
6.1 User profile . 21
6.2 Resource profile . 22
6.2.0 Introduction . 22
6.2.1 Equipment profile . 23
6.2.2 Network profile . 24
6.2.3 Applicative service profile . 25
6.3 Data protection . 27
7 Recommendations . 28
7.1 End-to-end QoS . 28
7.2 Provider and digital Services . 28
7.3 Provider and data . 29
7.3.1 Knowledge base . 29
7.3.2 Security, Data protection and privacy . 29
7.3.2.1 Security . 29
7.3.2.2 Data protection . 30
7.3.2.3 Privacy . 30
Annex A: Additional Information for Security Recommendations . 31
A.1 Acronyms and definitions for table of Cybersecurity Implementation levels . 31
A.2 Offers and regulation for Data Protection . 32
Annex B: Bibliography . 33
Annex C: Authors & contributors . 34
History . 35
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Report (TR) has been produced by ETSI User Group (USER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The present document has been produced by the STF 543 experts.
The concept of the full Project is to define a 5 dimension model called ACIFO. The 5 dimension model is based on
5 sub-models defined as:
• Architectural Model Acifo: defines the global structure, including semantics and is optimized for the stated
objectives.
• Communication Model aCifo: defines the exchange protocols, including APIs and HMIs, over three planes:
- Management (Monitoring).
- Control.
- Usage.
• Information Model acIfo: defines the information of the whole ecosystem (equipment, network, applications,
services, HMIs, User, etc.) from the offer to the availability of resources for Users, Providers and any other
partners. It is a knowledge data base representing the whole ecosystem.
• Functional Model aciFo: defines the functionalities (the process) to compose any service based on "micro-services".
• Organization Model acifO: defines the role of each actor and which actor is responsible for each action ("Who
is doing what?").
These five dimensions should be shared by the user and the supplier/provider. For the user, it should be possible to
define (or to choose) the level of autonomy and control for the personalized composition of services.
The four deliverables produced by STF 543 define the different dimensions:
• ETSI TR 103 438 [i.1] focuses on the Architecture and the Organization:
- It includes the use cases and the results of the survey.
• ETSI EG 203 602 [i.2] focuses on the information and the functionalities:
- It is dedicated to the user. It provides analysis and recommendations from the information and
functionalities.
• ETSI TR 103 603 (the present document) addresses all the dimensions to the supplier, in order to produce the
APIs according to the user expectations and whatever the number and types of additional suppliers.
• ETSI TR 103 604 [i.3] focuses on the communication and in particular on the HMIs.
For example, for Energy (production, distribution, consumption), the supplier will create an API for the user. The
information will be exchanged between the supplier and the user, but will not be used only by the supplier: the user will
have access to all the information and will be able to use it to optimize their energy consumption. This
database is a source for new services and new applications (for the user and for the supplier). One major
challenge and constraint is to ensure that all the private data can be checked and monitored by the user (the contract
needs to define these points clearly). The data are not used only by the supplier: the user should have access to the data
and may refuse that the data be used or disclosed, meaning that an interaction "cursor" between the user and the supplier
defines the degree of freedom (GDPR [i.11]).

1 Scope
The present document defines guidance to the providers and standard makers to ensure that each service component is
provided with the information needed by the user to make an informed choice. It addresses all the dimensions of
ACIFO to the supplier, in order to produce the APIs according to the user expectations and whatever the number and
types of additional suppliers.
The present document is designed in conjunction with the user guide, ETSI EG 203 602 [i.2]. Each recommendation
which has been identified as important for the user finds its parallel for the supplier offer, as defined in the present
document.
For each need and expectation, by user category, the present document recommends relevant service information and
functions. This is to facilitate, on the one hand, easy access for the user and, on the other hand, the consistent creation of
manageable services that are easily incorporated into a service definition that can support a Service Level Agreement
(SLA).
The recommendations are intended to enable the user to compose their own services according to their needs, location
and activities. The concept of this new vision is detailed in ETSI TR 103 438 [i.1].
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 103 438: "User Group; User centric approach in Digital Ecosystem".
[i.2] ETSI EG 203 602: "User Group; User Centric Approach: Guidance for users; Best practices to
interact in the Digital Ecosystem".
[i.3] ETSI TR 103 604: "User Group; User centric approach Qualification of the interaction with the
digital ecosystem".
[i.4] ETSI EG 202 009-1: "User Group; Quality of telecom services; Part 1: Methodology for
identification of indicators relevant to the Users".
[i.5] ETSI TR 103 304: "CYBER; Personally Identifiable Information (PII) Protection in mobile and
cloud services".
[i.6] ETSI TR 103 309: "CYBER; Secure by Default - platform security technology".
[i.7] ETSI EN 301 549: "Accessibility requirements for ICT products and services".
[i.8] ISO/IEC 27001: "Information technology - Security techniques - Information security
management systems - Requirements".
[i.9] ISO/IEC 27002: "Information technology - Security techniques - Code of practice for information
security controls".
[i.10] ISO 15408: "Information technology -- Security techniques -- Evaluation criteria for IT security".
[i.11] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
NOTE: Available at https://eur-lex.europa.eu/eli/reg/2016/679/oj.
[i.12] Arc Advisory Group: "Cybersecurity Maturity Model".
NOTE: Available at https://www.arcweb.com/industry-concepts/cybersecurity-maturity-model.
[i.13] Dan Blum: "How to Assess Security Maturity and Make Improvements", Security Architects
Partners.
NOTE: Available at http://security-architect.com/how-to-assess-security-maturity-and-roadmap-improvements/.
[i.14] Gregory White: "The Community Cyber Security Maturity Model", Research Gate.
NOTE: Available at https://www.researchgate.net/figure/Community-Cyber-Security-Maturity-Model-CCSMM-5-Levels_fig1_235142909.
[i.15] NCSC: "Guidance B3 Data security".
NOTE: Available at https://www.ncsc.gov.uk/guidance/b3-data-security.
[i.16] Information Commissioner's Office: "Data protection by design and default".
NOTE: Available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/.
[i.17] NCSC: "General Data Protection Regulation (GDPR)".
NOTE: Available at https://www.ncsc.gov.uk/GDPR.
[i.18] Federal Trade Commission: "US-EU Safe Harbour Framework".
NOTE: Available at https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework.
[i.19] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
[i.20] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union (NIS Directive).
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
ACIFO: 5-dimension model, based on recommendations and common objectives for Users and Providers, giving the
capability for the User to compose the needed services
NOTE: The 5-dimension model creates one unique and integrated solution.
cloud: network of remote servers hosted on the Internet and used to store, manage, and process data in place of local
servers or personal computers
dew: programming model for enabling ubiquitous, pervasive, and convenient ready-to-go, plug-in facility empowered
personal network
NOTE: Dew computing is a new computing paradigm that appeared after the wide acceptance of cloud computing.
Dew computing has two key features: first, local computers (desktops, laptops, tablets, and smart phones)
provide rich micro-services independent of cloud services; second, these micro services inherently
collaborate with cloud services. Dew computing concerns the distribution of workloads between cloud
servers and local computers, and its focus is the software organization of local computers. The goal of
dew computing is to fully realize the potentials of local computers and cloud services.
edge: distributed computing paradigm in which computation is largely or completely performed on distributed device
nodes
equipment (terminal): user and provider equipment, including terminals, gateways, boxes, routers
fog: provides close computation, data storage and application services
NOTE: Fog computing, also known as fog networking or fogging, is a decentralized computing infrastructure in
which data, processing, storage and applications are distributed in the most logical, efficient place
between the data source and the cloud. Fog computing essentially extends cloud computing and services
to the edge of the network, bringing the advantages and power of the cloud closer to where data is created
and acted upon.
micro-service: basic and simple service (with SoA properties) that can be combined for the composition of services as
expected by the User
NOTE: The basic concept behind this term is that each service performs a unique feature (e.g. for security,
"authentication" is a micro-service, for discovery, "find" is a micro-service).
profile: information template (model) to provide or to access to personalized services
user-centric: approach in which the user is the heart of the ecosystem
NOTE: This means that the user constrains the whole environment, unlike other contexts where that is the
application (application-centric), or network (network-centric) or the system (system-centric) which
constrains the context.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ACIFO Architecture, Communication, Information, Functionality, Organization
ACL Access Control List
AES Advanced Encryption Standard
AKA Also Known As
ANSSI Agence Nationale de la Sécurité des Systèmes d'Information/National Agency for Information
Security Systems (France)
API Application Programming Interface
BYOD Bring Your Own Devices
CES Customer Effort Score
CIA Confidentiality, Integrity and Availability (Model)
COOP Continuity Of Operations Plan
CPU Central Processing Unit
CX Customer eXperience
DDOS Distributed Denial-Of-Service
DMZ DeMilitarized Zone
DPA Data Protection Agency
DPO Data Protection Officers
DRP Disaster Recovery Plan
EN European Standard
EU European Union
GDPR General Data Protection Regulation
HMI Human Machine Interface
ICE Interactive Connectivity Establishment
ICS Industrial Control Systems
ICT Information and Communications Technology
ID Identity Document
IoT Internet of Things
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicator
M2M Machine to Machine
MVP Minimum Value Product
NCSC National Cyber Security Centre (UK)
NGN New Generation Network
NIS Network and Information Security
NIST National Institute of Standards and Technology (USA)
NPS Net Promoter Score
OTTS Over The Top Services
PaaS Platform "as-a-Service"
PC Personal Computer
PDA Personal Digital Assistant
POC Proof Of Concept
QoE Quality of Experience
QoS Quality of Service
RAID Redundant Array of Independent Disks
RSA Rivest-Shamir-Adleman (public-key cryptosystems)
SaaS Software as a Service
SECaaS Security-as-a-Service
SIEM Security Incident and Event Management
SLA Service Level Agreement
SLO Service Level Objective
Vapp Virtual application
VM Virtual Machine
VoIP Voice over Internet Protocol
WiFi Wireless Fidelity
UMTS Universal Mobile Telecommunications System
UX User eXperience
4 Provider Service Platform
4.1 Open Service Platform
The generic model, as defined in ETSI TR 103 438 [i.1], is to design autonomic services, easing service composition to
build a digital ecosystem where everything is offered as a service.

Figure 1: "User-Centric" Generic model
Nowadays cloud computing offers services over open platforms and changes the whole ecosystem of ICTs and
telecommunications. There is a strong desire to change the way digital services are offered, managed and paid for. These
systems follow an approach where "everything is a service". They provide services accessible to a maximum of users, who
only pay for what they consume.
Enterprises and organizations strive to adapt themselves to this new digital ecosystem, the objective of which is to
provide services that are provided and managed in a transparent way with a relevant level of requested QoS.
The consumers' needs in QoS terms vary with their profiles (developer, service provider, final user), with the
application domain (business, IoT and M2M) and with their strategies (green, effective cost, etc.). These open platforms
need to have properties of elasticity, high availability, reliability, etc. to ensure SLAs (Service Level Agreements).
Furthermore, Quality of Service management all along service consumption needs a setting and dynamic adjustment of
resources when running. This dynamic process is possible only if the system is able to have and use pertinent
information to predict the relevant consumption of needed resources for the applications taken over. Monitoring
techniques are therefore needed to obtain measurements able to highlight a potential event of degradation or failure.
These measurements should also allow an autonomy of adaptation for each service.
The objective of the present document is to draw attention to expected properties for the management of user services
(clause 4.2.1), security (clause 4.2.2) and to characterize the PaaS which collects the applicative offers (clause 4.2.3).
Clause 4.2.3 is about analysis and modelling "as a service". It describes the structuring choices in terms of "cloud"
components to be built with functional and non-functional parts. It presents a generic model to design autonomic services,
easing service composition to build a digital ecosystem where everything is offered as a service.
4.2 Providers
4.2.1 Provider services management
4.2.1.1 From QoS to QoE
Quality in the service area can be evaluated from different perspectives and therefore using different measurement
methods:
a) the first is related to the reliability of the equipment and can be measured accurately via technical means,
although these measurements might be expensive because of both the dispersion of the test results and the size
of the sample to be tested;
b) the second is related to the service provision and is closely linked to the kind of use of the service. Therefore,
appropriate indicators have to be defined according to use;
c) the last is intended to measure the subjective satisfaction of the customer and there is often no other means
than a survey to get it.
In the first two categories, technical means can be used to perform the measurements and in such cases, standards are
often useful to achieve a common approach; such standards are given as references where appropriate. They include a
precise definition of what is meant as a failure: total failure, poor performance, back-up situation, etc. Assessing these
different aspects is of paramount importance to the provider who endeavours to improve the offered QoS.
From a user viewpoint, the end-to-end QoS is the most relevant. Hence objective and subjective measurements may
usefully be combined for a better assessment; this whole user approach is called Quality of Experience (QoE). The
subjective part is named User eXperience (UX) or Customer eXperience (CX).
The methodology for identification of indicators relevant to the users in order to measure the quality of telecom services
is given in an ETSI guide produced by the User Group: ETSI EG 202 009-1 [i.4].
This ETSI guide describes the methodology for evaluating the quality of service throughout a customer's journey:
Pre-sales, Sales, Provisioning, Service Operation, Service Breakdowns & Interruptions, Claims, Billing/Payment and
Termination. The concepts of service and supply are specified as well as that of "Service Level Objective". Finally,
ETSI EG 202 009-1 [i.4] specifies the methods for analysing user expectations in terms of quality of service based on
four criteria (availability, integrity, time and capacity) and three types of needs (flexibility, ergonomics and security).
4.2.1.2 The UX pyramid
From a subjective perspective, named User Experience (UX), the gap between the expected quality and the perceived
quality is evaluated.
Providers should consider 3 levels of user requirements:
• The basic one is about the utility of the service:
As seen in the survey results available in ETSI TR 103 438 [i.1], if people do not understand the benefit of a
service they are not willing to use it, and are dissatisfied if the service has been subscribed to. To ensure the
usefulness of a service, the provider can run pre-tests with users, as a Proof of Concept (POC). It is
useful in this context to work on a minimum set of high-value functionality, generally named Minimum Value
Product (MVP).
• The second level focuses on the affordance (intuitive ergonomics) of the service:
The survey shows that setting a smartphone or a box is not very easy and that there are high expectations in the
ergonomics of telecom services.
A key indicator of the customer experience seen from the point of view of ease of use is the Customer Effort
Score (CES) promoted at the Harvard Business Review in 2010 (https://hbr.org). It measures the level of pain
to use a service, and it can be applied on the whole customer journey.
• The last level regards the pleasure of use:
In the Kano model (https://www.kanomodel.com/) the user satisfaction is high when all customer requirements
are perfectly performed, and, from this point it is possible to provide some non-expected services for a
"positive surprise" effect.
The current and easy way to measure this level of satisfaction is to use the Net Promoter Score (NPS) indicator.

Figure 2: The UX pyramid
4.2.2 Security, data protection and privacy
4.2.2.1 Security
This clause aims to show what is expected of service providers to be compliant with regulation by ensuring they have
sufficient measures in place to provide cybersecurity, data protection and maintain the privacy of sensitive information,
whether their own or their customers' data (Regulation (EU) 2016/679 [i.11]).
The Confidentiality, Integrity and Availability (CIA) model is a guide for measures in information security. Information
security is a key component within cybersecurity and influences how information technology is used.
Information technologies are already widely used in organizations and homes, which means that organizations
and homes are subject to information security issues. Thus, it is necessary for such organizations and households to
apply information security measures. These measures should protect valuable information, such as proprietary
information of businesses and personal or financial information of individual users. Information security teams use the
CIA triad to develop security measures. The CIA model shows the fundamental and mandatory goals that should be
included in information security measures, and serves as a tool or guide for securing information systems,
networks and related technological assets. This means the service or business provider has a responsibility, through
the actions and choices they undertake, to protect data, information and assets, and they also need to be compliant with
regulations and the law. This has become vitally important if a business or service provider wants to avoid being
investigated and fined under GDPR for failing to take adequate measures to protect data in their care. Cyber
insurance is encouraging companies to become more compliant in order to secure lower premiums by implementing
information and cybersecurity measures. User choice and responsibility also play a role: education and awareness, and the
settings and permissions of applications and devices. The three goals of the CIA model are:
• Confidentiality - is the protection of information from unauthorized access. It is ensured when data or an
information system can be accessed only by authorized persons. User IDs and passwords, access control lists
(ACL) and policy-based security are some of the methods through which confidentiality is achieved.
• Integrity - is the condition where information is kept accurate and consistent unless authorized changes are
made. Information can change because of careless access and use, errors in the information
system, or unauthorized access and use. Integrity is ensured when information is edited only by authorized persons and
remains in its original state when at rest. Data encryption and hashing algorithms are key processes in
providing integrity. Version control may also be used to prevent erroneous changes or accidental deletion by
authorized users from becoming a problem, and backups or redundancies should be available to restore the affected
data to its correct state. Firewalls (which control network access) and anti-malware/anti-virus software, often
considered standard and basic security measures, can also help maintain integrity.
• Availability - is the situation where information is available when and where it is rightly needed. The main
concern in the CIA model is that the information should be available when authorized users need to access it.
Availability is maintained when all components of the information system are working properly. This involves
appropriate scheduling of hardware maintenance, software patching and/or upgrading and network
optimization to ensure maximum availability for end-users. Providing adequate communication
bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover, RAID
and even high-availability clusters can mitigate serious consequences when hardware issues do occur. Fast and
adaptive disaster recovery is essential for the worst-case scenarios; that capacity is reliant on the existence of a
comprehensive disaster recovery plan (DRP). Safeguards against data loss or interruptions in connections
should cover unpredictable events such as natural disasters and fire. To prevent data loss from such
occurrences, a backup copy may be stored in a geographically isolated location, perhaps even in a fireproof,
waterproof safe. Extra security equipment or software such as firewalls and proxy servers can guard against
downtime and unreachable data due to malicious actions such as distributed denial-of-service (DDoS) attacks
and network intrusions.
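The confidentiality and integrity bullets above name access control lists and hashing as the methods through which those goals are achieved. The following is an added example, not code from ETSI TR 103 603 or from the User Group, showing both controls on a toy record store: an ACL gate on every read and write, and a keyed hash (HMAC-SHA256) stored with each record so that a record modified at rest fails verification on read. It also keeps an unkeyed SHA-256 digest beside the HMAC to show the caveat a provider should know: a plain digest detects accidental corruption, but whoever can rewrite the record can recompute the digest too, so only the keyed tag detects that case. The ACL, key and meter reading are constructed for the example.

```python
"""Toy record store illustrating the CIA model's confidentiality and integrity goals.

Added example (not part of ETSI TR 103 603). All names, keys and records are constructed.
"""
import hashlib
import hmac
import json

# Constructed access control list: resource -> operation -> permitted user IDs.
ACL = {
    "meter/0001/readings": {"read": {"alice", "ops"}, "write": {"ops"}},
}

# Constructed secret for the keyed integrity tags; in practice loaded from a secrets store.
INTEGRITY_KEY = b"constructed-demo-key"


class AccessDenied(PermissionError):
    """Raised when the ACL does not permit the requested operation (confidentiality)."""


class IntegrityError(ValueError):
    """Raised when a stored record no longer matches its integrity tag (integrity)."""


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same record always hashes to the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def keyed_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the record; cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256; detects accidental corruption only, since anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def check_acl(user: str, resource: str, op: str) -> None:
    """Policy-based gate: deny unless the user is listed for this operation on this resource."""
    permitted = ACL.get(resource, {}).get(op, set())
    if user not in permitted:
        raise AccessDenied(f"{user!r} may not {op} {resource!r}")


class RecordStore:
    """Stores each record with a keyed tag and, for comparison, an unkeyed digest."""

    def __init__(self) -> None:
        self._data: dict[str, dict] = {}

    def write(self, user: str, resource: str, record: dict) -> None:
        check_acl(user, resource, "write")
        self._data[resource] = {
            "record": dict(record),
            "hmac": keyed_tag(record),
            "sha256": plain_digest(record),
        }

    def read(self, user: str, resource: str) -> dict:
        check_acl(user, resource, "read")
        entry = self._data[resource]
        # compare_digest compares in constant time, avoiding a timing side channel.
        if not hmac.compare_digest(entry["hmac"], keyed_tag(entry["record"])):
            raise IntegrityError(f"{resource!r} failed integrity verification")
        return dict(entry["record"])

    def raw(self, resource: str) -> dict:
        """Direct storage access, standing in for a change made outside the application layer."""
        return self._data[resource]

    def plain_digest_matches(self, resource: str) -> bool:
        entry = self._data[resource]
        return entry["sha256"] == plain_digest(entry["record"])


def demo() -> dict:
    """Walk through the outcomes a provider would want to verify; returns them for checking."""
    store = RecordStore()
    reading = {"meter": "0001", "kwh": 1234.5, "ts": "2019-03-04T10:00:00Z"}  # constructed
    store.write("ops", "meter/0001/readings", reading)
    results = {}

    results["authorized_read"] = store.read("alice", "meter/0001/readings") == reading

    try:
        store.read("guest", "meter/0001/readings")
        results["unauthorized_denied"] = False
    except AccessDenied:
        results["unauthorized_denied"] = True

    # Simulate a modification at rest that also refreshes the unkeyed digest.
    entry = store.raw("meter/0001/readings")
    entry["record"]["kwh"] = 0.0
    entry["sha256"] = plain_digest(entry["record"])
    results["plain_digest_still_matches"] = store.plain_digest_matches("meter/0001/readings")
    try:
        store.read("alice", "meter/0001/readings")
        results["tamper_detected"] = False
    except IntegrityError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dictionary in which the authorized read succeeds, the unlisted user is denied, the unkeyed digest still matches after the record was changed, and the keyed tag catches the change. The design point is the last pair: hashing provides integrity only when the verifier holds something the modifier does not, here the HMAC key, which is why the key should be kept apart from the data it protects.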
The different levels of protection in cybersecurity are presented below as a table with a text description. While
the table focuses on the role of service providers and their responsibilities, awareness and implementation of
cybersecurity are relevant to end-user consumers as well. The content of Table 1 is assembled from information
derived from three sources [i.12], [i.13] and [i.14]. The table aims to provide an overview of the different levels of
cybersecurity protection. Each level contains the elements of the one below it. The levels move from passive, to
reactive and finally to proactive cybersecurity. The cost in people and resources needed to implement each
level increases accordingly. For companies and individual end-users, not all aspects of these
cybersecurity levels are relevant to their requirements. There has to be a requirement for them to be implemented, otherwise
they can be an expense of money and time that is wasted.
Table 1: Cybersecurity Implementation Levels
Levels: Level 1 - Initial; Level 2 - Advanced; Level 3 - Self-Assessed; Level 4 - Integrated; Level 5 - Anticipate.
Each level contains the elements of the one below it.
People:
• Level 1 - Initial: Minimal cyber awareness. Minimal cyber info sharing.
• Level 2 - Advanced: Leadership aware of cyber threats - encourages training. Informal info sharing/communication
in the community.
• Level 3 - Self-Assessed: Leadership promotes security awareness; a formal training program established. Formal
info sharing/communication in the community; defined roles to manage cybersecurity policy.
• Level 4 - Integrated: End-users aware of cybersecurity issues; education of cybersecurity is promoted by
organisations. Analysis and sharing of collected info between different communities.
• Level 5 - Anticipate: Awareness a business and community imperative; culture supports continuous improvement of
security skills, process and technology. Fully integrated info analysis to combine all physical and cyber info to
create and share a near real-world picture of cyber events.
Process:
• Level 1 - Initial: Minimal cyber assessments and policy and procedure evaluations. Little inclusion of cyber into
COOP.
• Level 2 - Advanced: Initial evaluation of policies and procedures. Aware of the need to integrate cybersecurity into
COOP.
• Level 3 - Self-Assessed: Routine audit programs but minimal verification. Includes cyber in COOP.
• Level 4 - Integrated: Verification of cyber plans and improvement through risk assessment. Integrates cyber in
COOP and has an incident response and recovery plan.
• Level 5 - Anticipate: Continuous verification of plans and quantitative tests. Continuous improvements of cyber in
COOP and testing and verification of plans.
Technology:
• Level 1 - Initial: Physical security; asset inventory; device hardening; patch management.
• Level 2 - Advanced: Unidirectional gateways; DMZs; firewalls and anti-malware; access control.
• Level 3 - Self-Assessed: Zone firewalls; ICS device firewalls; application, device and network whitelisting.
• Level 4 - Integrated: SIEM software, device and service; automatic log and incident management.
• Level 5 - Anticipate: Anomaly and breach detection; threat intelligence.
The cybersecurity implementation levels would be carried out mainly by the Service Provider within the User digital
ecosystem to ensure their systems and data are protected from cyber-attack. Large service providers will be
able to carry out many of these actions 'in-house', working in partnership with selected cloud, network and
cybersecurity providers to protect their systems and data. Smaller service providers, while they should be able to
carry out basic cybersecurity processes on their own, will pick and choose the cybersecurity packages from cloud, network
and cybersecurity providers that they can afford and/or that meet their requirements.
Future Element - General Framework in Europe on Cybersecurity
The NIS (Network and Information Security) Directive, which requires some European companies to improve their
ability to withstand cyber-attacks, was adopted by the European Parliament in July 2016 and transposed by the
Member States into their national laws before 9 May 2018. Member States identified operators of essential
services before 9 November 2018.
The NIS Directive [i.20] establishes common cybersecurity standards and strengthens cooperation between the
countries of the Union, as well as a culture of security across sectors which are vital for our economy and society and
moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare
and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential
services will have to take appropriate security measures and notify serious incidents to the relevant national authority.
Also, key digital service providers (search engines, cloud computing services and online marketplaces) will have to
comply with the security and notification requirements under the new Directive.
The goal is to prevent cyber-attacks but also to boost consumer confidence in the use of digital services.
4.2.2.2 Data protection
The methods for data protection are essential to providing the end-user with a secure and reliable service. The section
'People' refers to the service provider employees and how they can inform the user about cyber threats. The section
'Process' is how Service Providers develop their cybersecurity strategy and its implementation, and also how they
certify against the different cybersecurity standards, which include ISO/IEC 27001 [i.8] and ISO/IEC 27002 [i.9], the NIST
Cybersecurity Framework and ISO 15408 [i.10], also called "Common Criteria". Cybersecurity standards are techniques
generally set forth in published materials that attempt to protect the cyber environment of a user or organization. This
environment includes users themselves, networks, devices, all software, processes, information in storage or transit,
applications, services, and systems that can be connected directly or indirectly to networks. The principal objective is to
reduce the risks, including the prevention or mitigation of cyber-attacks. These published materials consist of
collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions,
training, best practices, assurance and technologies. The section 'Technology' covers the tools that the service provider
would need to implement to protect their systems and data from attack. These tools also ensure they are compliant with
the implementation of cybersecurity standards. Some of the elements of 'Technology' are also relevant to the end-user
device and network connections; these include physical security, patch management (application/device updates),
firewalls, anti-malware software and access control (usernames and passwords).
There is a need to achieve human-centric cybersecurity, which means moving away from protecting devices and services
from vulnerabilities towards designing cybersecurity around the behaviours and requirements of the end-user. This
involves taking steps to improve user behaviour in cybersecurity through education, awareness and active
measures to ensure users take steps to improve their own cybersecurity on the devices, networks and services they use.
It also means implementing secure by design or by default as the standard method of incorporating cybersecurity into devices
and services, instead of adding cybersecurity on afterwards.
Data protection has become vital and will remain a cornerstone of a user-centric digital ecosystem. Data protection is
about the trust and confidence the end-user has in the companies and service providers they give their information to, in
order to access chosen applications and services [i.17]. Companies now have an obligation to manage and protect data
under the General Data Protection Regulation 2016/679 (GDPR) [i.11] and other related regulations, including the NIS
Directive [i.20] on cybersecurity and the upcoming European Union e-Privacy Regulation. GDPR supersedes the Data
Protection Directive 95/46/EC [i.19] and it was adopted on 14 April 2016 and became enforceable be
...