The main question this thesis attempts to answer is: To what extent is Cyber Hygiene enough to protect high-profile individuals against the hybrid risks they face? Based on our research, we have defined the following 8 categories of high-profile individuals: public safety personnel, port personnel, politicians and government officials, civil servants, legal professionals, media contributors, scientists and representatives of interest groups. These high-profile individuals: 1) represent or symbolize an organisation or institution; 2) have access to an organisation’s ‘crown jewels’ (critical assets/targets); 3) or have (access to) power; and are, therefore, specifically interesting to various threat actors. It is not about task-oriented threats, threats by acquaintances, nor about indiscriminate victims of threats of violence. There is an increase in individual threat levels: these threats are increasing in nature, severity and quantity. In this regard, there appears to be structural incidentalism. The threats high-profile individuals face nowadays are quite diverse. We have organised the most common threats encountered in our research into a model, distinguishing between expressive and instrumental threats and their manifestations, whether physical or digital. All the threats we describe are currently used against high-profile individuals, have (potential) physical or informational consequences, and are all intentional. In the context of threats to high-risk individuals, we see the following threat actors: 1) angry citizens (with or without underlying mental health issues), 2) hacktivists, 3) extremism and terrorism, 4) organised crime, 5) insider threats and 6) State (sponsored) actors.
If, in the future, threat actors were to expand their TTPs and, for example, make greater use of resources available to State (sponsored) actors, then digital and hybrid threats could increase significantly in both severity and scale, with potentially very dangerous consequences, not only for the high-profile individuals themselves but also for maintaining our legal order. Cyber hygiene encompasses the habits and precautions users or organisations can implement to ensure that sensitive data remains organised, secure, and protected against theft and external attacks. Cyber hygiene is frequently compared to personal hygiene: just as individuals adopt specific personal hygiene routines to uphold good health and well-being, cyber hygiene practices safeguard and maintain data security. Our research concludes that Cyber Hygiene, particularly Vishwanath's (2020) Cyber Hygiene Inventory, does not provide sufficient measures to protect high-profile individuals from contemporary physical, digital and hybrid threats. Keeping high-profile individuals resilient in the future requires not only additional measures but also a different approach and more research.
Background: Public Cloud usage is becoming mainstream, with organisations increasing their dependence on Cloud technologies to build their digital platforms and services. Organisations are expected to spend over half a trillion US dollars by 2023 on Cloud services, spanning workloads and types of businesses from large enterprises to small and medium-sized businesses. As organisations transform to become more digital, there is an increasing need for speed to stay competitive in the market. This has led them to adopt Agile methodologies to develop their digital platforms and solutions. These platforms and solutions make up a critical part of cyberspace and need to be secured. Adopting Cloud technologies and Agile methodology requires cultural and behavioural changes within organisations, including but not limited to how decisions are made, how risks are assessed, and, most importantly, the skilling and readiness of employees. Objectives: The aim of the study is to observe security by design (SbD) practices from experts and practitioners who build Cloud-based solutions using Agile delivery methodologies. Furthermore, we seek to explore the challenges they face implementing SbD practices when building Cloud-based solutions. Method: We use a qualitative approach, with semi-structured interviews of 16 practitioners as our primary data collection method. We analyse the results of the interviews using a codebook created to identify themes, practices and challenges. Discussions: The fast-paced and changing Cloud environment presents some contradictions, with opportunities and challenges that influence SbD practices. From our discussions with interview participants, we observed nine practices, and four other factors that influence these practices.
Furthermore, we observed various challenges they faced across (i) Cloud operating model, (ii) people and organisation, (iii) process and methods, (iv) threat landscape and (v) tools and technologies. Organisations look to proactively move security-related activities early in their engineering cycles. This is often referred to as “shifting left”. The ability to effectively “shift left” depends on driving the right accountabilities, investing in automation, addressing the security skills gap, and creating a security mindset within the organisation.
Cyber crisis management is a relatively new and under-researched topic in the scientific literature. Most research on cyber crises is focused on defining them and developing exercises, but how to make sense of a cyber crisis has not been thoroughly examined. The current study aims to explore how incident response (IR) and crisis response (CR) teams in governmental (GOV) and critical infrastructure (CI) organizations make sense of a cyber crisis, in the context of a Dutch national cyber exercise, “ISIDOOR IV”. Through a questionnaire, observers of participating teams were asked to indicate how these teams show behavior related to the Data/Frame theory (Klein, 2010) and the questions they ask in relation to situational, identity-oriented, and action-oriented sensemaking (Kalkman, 2019). In interviews, experts were asked to indicate challenges in sensemaking and to suggest how sensemaking in teams, in organizations and between organizations can be improved. This study revealed that IR and CR teams within GOV and CI organizations utilize framing strategies derived from the Data/Frame theory, with a particular focus on Identifying a frame. Behavior on other steps in the framework appears less pronounced; Questioning a frame in particular seems to pose challenges. The study demonstrated that IR and CR teams in GOV and CI organizations ask sensemaking questions. Particularly noteworthy are the high scores observed for Information sharing. Finally, the questionnaire and interviews provided insight into what the challenges to sensemaking in cyber crises are, and what can be improved at the team, organizational and inter-organizational level when it comes to sensemaking.
This thesis is written as part of a master's degree in cybersecurity at the Faculty of Governance and Global Affairs (FGGA) at Leiden University in cooperation with the Cybersecurity Department of the Faculty of Electrical Engineering, Mathematics and Computer Science of Delft University of Technology. It describes the results of a study into the extent and effectiveness of IPv6 scanning on the internet. IPv6 scanning is becoming more active as the adoption of IPv6 on the Internet grows. The discovery of active IPv6 addresses is a complicating factor in effectively scanning the Internet for active services. Actors therefore use different methods of finding active systems. In this thesis, a comprehensive view is given of the methodology used by these scanners and of the extent to which IPv6 scanning is happening. Other studies have researched this problem using their own infrastructure; this study focuses on IPv6 scanning behavior within public cloud infrastructure. A custom-designed and developed data collection platform is used, comprised of 39 collection probes that collect data on scanning activity on the internet. Data is sent to a data processing environment that enriches the data to gather information about the actors that are scanning the probes. The probes are spread across two different cloud platforms that each have a unique method of assigning an IPv6 subnet to a probe. The results show that the method of assigning addresses that cloud providers use can make a significant difference in the discovery of new addresses by scanners. At one cloud provider, addresses are discovered within an average of 2 hours, compared to the other provider, at which some probes were never discovered.
While previous studies have reported behavior similar to what is observed at the second provider, the ease of discovery shown at the first cloud provider has never been observed in previous research. Three experiments were run during the study in which probes that were still undiscovered simulated the behavior of regular systems on the internet. The results show that some scanners run legitimate services on the Internet which are used by various kinds of devices. Scanners can use this to collect active IPv6 addresses and use this information to scan these networks. This behavior was observed during this study, and three scanners that use this method of discovering active IPv6 addresses were identified. Additional results of this thesis show that IPv6 scanning is becoming more active and that it is mostly performed by commercial parties. The results for both extent and effectiveness matched or even exceeded the results of previous research, showing a 55% increase in scanning activity compared to a study in 2022. Future research is proposed based on the results of this study. This includes: (1) creating a methodology for discovering legitimate services that are used to collect active IPv6 addresses; and (2) a comparison of the effectiveness of scanners in different environments, such as home networks, business networks, and cloud infrastructure.
Today’s world sees information being created with a lower barrier to entry and disseminated faster than ever before, which we can largely attribute to advancements in telecommunications and the Internet in particular. These advancements are not entirely without drawbacks, as one of the urgent threats to online society is that of disinformation and misinformation. While the concept is hardly new and has been employed throughout human history in various forms, it benefits from the same Internet as the rest of the information flow. Various actors, including state-level ones, seek to utilise these weapons of the mind for profit or propaganda reasons. In this multidisciplinary study, we set out to explore the problem at hand: what information warfare and information operations entail, how people process this information, and whether this can be linked to personality traits related to the OCEAN model’s conscientiousness. The central research question of this study is: “To what degree do people process online disinformation differently, and to what extent can their approach to online disinformation be manipulated?”
Two hypotheses were constructed to help answer this, namely: “People who encounter online information and score high on conscientiousness are able to more accurately label its veracity compared to those who score lower.” and “It is possible to trick the viewer of online news by altering environmental factors that would negatively impact facets such as control and caution, subsequently reducing the viewer’s ability to adequately judge the information’s veracity.” Contrary to the initial prediction, the statistical analysis revealed that the accuracy of responses to questions 6-10 was not substantially different between the two experimental groups. Despite the nuanced differences in response times, the lack of a decisive impact on accuracy indicates that participants maintained a consistent level of judgment even when time was limited. This calls for a more in-depth investigation of the complex interaction between temporal pressure and cognitive decision-making in the context of online information processing. When conscientiousness scores from the survey were compared with performance in the game for a possible relation to information judgment, the results revealed that there was no significant link between these variables. This suggests that persons with higher levels of conscientiousness did not have a significantly stronger ability to appropriately categorise the validity of online material than their less conscientious counterparts. As such, both hypotheses were rejected, leaving the research question without a satisfying answer.
Modern civilisation exists within a digital framework, whereby human activity is inherently supported by digital technology. Many activities that were traditionally carried out offline are increasingly being automated and digitised. Banking, shopping, communicating and entertainment all have digital elements in the lives of citizens of most western nations. This trend holds even within the world of manufacturing. The air-gapped factory no longer exists in modern industrial environments, as manufacturing is evolving with the digital evolution. Interconnectedness prevails in the modern supply chain, and data drives the execution of most processes in the industrial sectors. With this increase in digitalisation, manufacturing systems become more exposed to security risks, and with increasing frequency we hear about cybersecurity issues affecting industrial control systems in the media. However, factories have unique environmental factors that impact the selection of security measures, with many factors impeding the implementation of standard IT solutions. This thesis investigates the current authentication solutions used in manufacturing today, and determines the requirements and best practices needed to solve the authentication needs of the increasingly exposed smart factory of the future.
On 27 June 2017, AP Maersk became collateral damage in a ransomware attack that originated from the Russian Federation and was intended to disrupt Ukrainian society. The NotPetya ransomware attack was just one example of the Russian Federation using cyberoperations to support its efforts in the Russo-Ukraine conflict that had been raging since the #Euromaidan uprising in Ukraine in 2013. From the start of the Russo-Ukraine conflict, multiple cyberoperations that clearly target Ukraine have been attributed to the Russian Federation. After the invasion on 24 February 2022, these attacks have only increased. This thesis asks how the methods, frequency, targets and actors of cyberoperations have evolved during the Russo-Ukraine conflict (2014 to the present day). To answer this question, it uses secondary analysis of publicly available data to study the evolution of cyberoperations conducted in the context of the Russo-Ukraine conflict from 2013 until the summer of 2023. This thesis finds that cyberoperations are conducted both in support of Ukraine and in support of the Russian Federation, but their impact appears to be limited apart from a few isolated events. This thesis also finds that non-state, hacktivist and criminal actors play a significant role, which is not limited to the Russian Federation and Ukraine. This might influence the way in which conflicts between states are studied in the political sciences. The thesis also reveals the limitations of using western-oriented publicly available data to study a conflict between two non-western states.
The Ukraine-Russian conflict in 2022 is illustrative of the dominant role played by social media in distributing narratives for both Ukraine and Russia. As a multitude of narratives enter the fray, a complex landscape arises in which audiences are persuaded in favour of either of them. This exploratory research aims to deepen understanding of cyber narratives in conflict by examining the presence or absence of the Narrative Analysis Framework characteristics in the Ukrainian cyber narrative. Based on a thorough examination, it is concluded that one of the four NAF characteristics emerges in the Ukrainian cyber narrative. Therefore, this research provides a substantiated incentive to conduct future research regarding cyber narratives in conflict. Besides offering a substantiated incentive, this study also positions the NAF characteristics in a cyber context, sets a benchmark for methodologically applying the quantification of this framework to a contemporary use case, and provides a holistic approach to comprehensively examine the prevailing topic of cyber narratives in conflict. Since the outcome of this research is based on a single case study and some characteristics do emerge in the use case, it is recommended that scholars conduct future research that complements the current results. One could, for example, examine the Russian cyber narrative distributed through TikTok in 2023 and/or derive cyber narratives from the Israel-Hamas conflict that was triggered in 2023.
At the heart of this comprehensive study lies the central research question: "What are the key security-related obstacles that organizations encounter when integrating DevSecOps/Secure DevOps, and how can these security challenges be effectively resolved or mitigated?" The primary achievement of this work is the identification and categorization of these challenges into four interconnected domains: People, Tools, Values, and Governance & Processes. This identification has been done via literature reviews and through interviews with members of the development, security and operations teams within a specific Dutch governmental IT organization. The categorization of the identified challenges has been performed via a cyclical coding process known as Grounded Theory, from Strauss and Glaser. By shedding light on these four critical areas, this study provides a roadmap for organizations to navigate the complexities of a DevSecOps implementation. In the realm of People, cultural transformation emerges as a critical need, demanding a profound shift in mindset and behavior. This transformation encompasses the cultivation of trust, the nurturing of transparency, and an unwavering commitment to continuous learning. However, it extends beyond abstract ideals to encompass tangible actions. Team skill development becomes paramount, equipping personnel with the expertise needed to bolster the security posture. Concurrently, the cultivation of security awareness takes center stage, ensuring that every team member understands their role in safeguarding the organization. Ownership and accountabilities are clearly defined, reinforcing the importance of fostering a culture deeply rooted in security.
As we delve into the Tools domain, we find that the choices made here have far-reaching consequences for the DevSecOps journey. Thoughtful tool selection is not merely a matter of preference; it is a strategic imperative. Overreliance on tools can lead to vanity and missed vulnerabilities, making it essential to strike a balance between automation and human judgment. Simultaneously, proper access controls must be carefully enforced to prevent unauthorized access to sensitive resources. Addressing legacy systems and grappling with technical debt necessitates incremental improvements, gradually modernizing the technological landscape while preserving security integrity. Continuing with the next domain, Values serve as the compass guiding organizations through the complex DevSecOps terrain. Continuous monitoring is an unwavering commitment, offering real-time insights into the security posture and identifying potential threats promptly. Striking the delicate equilibrium between speed and security highlights the importance of avoiding undue haste within the team that might compromise safety. Embracing a culture of continuous improvement propels organizations forward, encouraging iterative enhancements and the evolution of security practices. Within this framework, DevSecOps control takes root, fostering a disciplined and principled approach to security integration. In the Governance & Processes domain, the foundation for a secure and collaborative culture is laid by securing management buy-in. Leadership commitment paves the way for organizational alignment and support, making security a top priority. The intricacies of compliance and regulations are diligently addressed through the integration of compliance experts and automated compliance checks. This ensures that DevSecOps practices are not only effective but also adhere to legal and industry standards. In essence, the challenges within these domains are not isolated silos but are inextricably intertwined.
Success in the DevSecOps journey hinges on fostering a culture of security (People), making strategic choices about tools (Tools), upholding core values (Values), and establishing governance and processes (Governance & Processes) that collectively form a resilient and robust framework for secure software development and delivery.
This study examines non-compliance with policy, or not following the rules, within the cybersecurity domain, which is commonly perceived as the cause of cybersecurity incidents. Specifically, it researches the contributing factors of motivation. For this, literature from other domains is examined for approaches to using motivation to increase compliance, and whether these could be applied to cybersecurity. To this end, the underlying theoretical frameworks of governance, policy, compliance, non-compliance, and motivation are first examined. The motivational approaches to stimulate compliance with policy rules were identified as either extrinsic or intrinsic motivation. The former relies on incentives or deterrents, as stipulated by General Deterrence Theory (GDT), and is commonly employed in cybersecurity. The latter uses autonomy, competence, and relatedness from Cognitive Evaluation Theory (CET), which could be used as an alternative approach within cybersecurity. The different approaches from other domains which successfully increased compliance were examined and found to utilize alternative styles of governance, policy, communication, and education. These approaches could be either directly or indirectly related to CET, indicating viability for application in the cybersecurity domain. Based on this, alternative approaches for application to cybersecurity were hypothesized. Although further research on their application is required, the findings of this study provide a foundation for an alternative approach within cybersecurity which could improve compliance with cybersecurity policy.
Transactions with government, either in the physical world or the digital world, can have uncertainty about the outcome and the level of risk, both for the citizen and for the public service. Dealing with this uncertainty can be explained with the construct of trust, which is defined as a positive effect on the expected outcome and the acceptance of the risk of a transaction in a certain context. Within the context of a transaction with government over the Internet (eGovernment), identity verification of the citizen proves to be a cumbersome problem, as no face-to-face verification is readily available. The use of biometric technology might solve this problem, and it is found that for people to trust this technology, and be willing to use it, the trust factors of usability, security, privacy and reputation are the main constructs to implement. Within the European Union (EU), biometric identity verification is possible with the European ID-card, and the design of an electronic identification (eID) solution with mobile biometrics enables EU citizens to use the biometric data of the ID-card for identity verification over the Internet. The proposed solution is subject to a policy analysis, to investigate whether it is compliant with EU policies and whether the identified trust factors can be implemented to deliver a trustworthy eID solution. The analysis shows that the proposed solution is highly compliant and also ensures various trust aspects of biometric technology, mainly usability, security and privacy. The trust aspect of reputation is found to be more likely an aspect of the organisation implementing the whole solution, and for eID solutions in particular, the eIDAS Regulation is built upon the construct of reputation.
The question arises whether in this way the eIDAS Regulation enhances trust in eID solutions in an effective way. In the analysis of the GDPR, the question is raised whether the storage and usage of the biometric data is compliant, and in which way explicit user consent could overcome the objections to processing these data. Another complicating factor that is found is that all implementation is done at the Member State level, which means that the research should be iterated for each Member State. Despite these problems, the findings of this research can be used to enhance the discussion about the implementation of biometric identity verification in the digital world. The constructs of usability, security, privacy and reputation can be used as guidance to deliver a trustworthy eID solution with mobile biometrics and thereby ensure trust in transactions with eGovernment.
On 29 October 2021, the European Commission (EC) adopted a Delegated Regulation (Regulation (EU) 2022/30) under the Radio Equipment Directive (Directive 2014/53/EU). This delegated regulation extends the existing requirements for radio equipment with “cybersecurity by design” requirements. Wireless internet-connected devices must comply with these cyber security requirements from August 2024 as a precondition for placing IoT devices on the EU market. The objectives of the Radio Equipment Directive (RED) essential cyber security requirements are to protect the network, ensure safeguards for the protection of personal data and privacy, and contribute towards protection from fraud. The RED cyber security product legislation is part of the New Legislative Framework (NLF). The NLF establishes common procedures for placing products on the EU market. Its goals are establishing a properly functioning internal market and a high level of public interest protection. It contains common methodologies for product requirements via essential requirements, demonstration of compliance by manufacturers, and monitoring of compliance by supervisory authorities. In line with the NLF approach, the RED essential cyber security requirements set “objectives to be achieved” but do not impose technical solutions. A formal standardisation process exists in which essential requirements are converted into technical solutions in harmonised standards. The realisation of this process is the responsibility of a specific joint committee of the multistakeholder standardisation organisations CEN (the European Committee for Standardization) and CENELEC (the European Committee for Electrotechnical Standardization).
The EC requires, in its EC standardisation request, that technical solutions (to be included in the harmonised standards for IoT devices) are proportional to the cyber security risk they aim to address. However, the RED legislation and the EC standardisation request do not provide information on how to accomplish this. Moreover, there is currently no harmonised standard available for the cyber security of products that can serve as an example for the harmonised standards to be developed in support of the RED cyber security essential requirements. This thesis develops a model that can be used in standardisation activities for the RED to determine whether technical solutions in harmonised standards for IoT devices are proportionate to the risk they aim to address. The developed model is referred to as the “RED cyber security management system”. The model maps the RED processes in three layers. The Risk Governance layer maps the legislators' processes regulating the cyber risks of IoT devices. The Risk Management layer maps the processes that members of standardisation organisations perform in the development of RED harmonised standards. The Risk Assessment layer maps the processes for selecting technical solutions for RED harmonised standards. This thesis proposes to incorporate the ISO 27005 Risk Management framework and the Open FAIR Risk Assessment framework in the “RED cyber security management system”. The developed “RED cyber security management system” has been shown to be beneficial for linking technical requirements to IoT devices. It was shown in a simple IoT scenario that the model could be used to determine the applicability of authentication and access control mechanism requirements for IoT devices.
In the recent years, the maritime industry is applying Industrial Internet of Things devices, data trending and high-speed satellite connections. While these advances in technology make business...Show moreIn the recent years, the maritime industry is applying Industrial Internet of Things devices, data trending and high-speed satellite connections. While these advances in technology make business easier for the industry, there are also drawbacks with these advances. In the past the maritime industry had an air-gap between the different systems. The probability of a cyber incident would be limited, let alone the probability of an incident propagating to a different system. Now, systems are interconnected and the risk of a cyber incident occurring is high, similar for the risk of an incident on one system propagating to another system. There are different academic studies, which have looked at maritime cyber threats as well as measures. However, there are not many qualitative studies in how the maritime industry is actually dealing with cyber threats. For this thesis, first a literature survey was conducted on cyber security onboard ships. The survey showed that most of the literature is focussed on navigation and communication systems, where there are more systems which can be attacked, such as propulsion control systems and engine control systems. The literature study also shows that the focus on measurements against attacks are solved mainly in the governance domain. The main driver that is mentioned in the literature is IMO resolution MSC.428(98). The role of the shipyards and suppliers are equipment and systems are not mentioned in the literature, as these actors are not in the scope of the resolution. Following the literature survey, semi-interviews were held with eight people working at different organisations in the maritime industry. The interviewees were selected using expert sampling and snowballing. 
The interviews took approximately 30-45 minutes and were held online via Teams. After the interviews were held, they were transcribed and subjected to thematic analysis, in which the interviews were coded and themed. The combination of the literature survey and the semi-structured interviews provided the answer to what the maritime industry is doing to deal with cyber security on board ships. The conclusion is that while the maritime industry is lagging behind other industries, it is improving. The maritime industry is realising that cyber security is an important aspect of its daily business. Due to the many different actors involved in the maritime industry, there is a need for clear requirements and responsibilities. From the top down, this starts with international organisations and classification societies, in combination with owners, enforcing requirements during the lifetime of a ship on the shipyards and suppliers of equipment and systems. To ensure that all parties comply with the rules and regulations and that the systems on board the vessel work as intended, it is recommended to put one party in charge of cyber security on board ships.
Artificial intelligence (AI) and cyber security failure are two of the highest-impact risk areas of this decade, with developments surrounding these two topics going hand in hand. For instance, AI can act as a force multiplier for existing cyber threats and can be an enabler for new cyber threats. Moreover, AI can bolster cyber defences, and AI-powered systems can provide a new attack surface for cyber threats. Due to increased investment into and utilisation of AI, rising cyber threats, a growing cyber risk awareness in society and the resultant regulatory, governance and technical risk treatment efforts, the last area of concern is especially relevant. In this regard, the financial sector is of specific interest due to its high investments into AI and cyber risk management, as well as its high exposure to cyber risks. Financial institutions active in the EU must also consider upcoming legislation like the Digital Operational Resilience Act (DORA) and the AI Act, which require them to adequately manage cyber risks for their AI systems. In contrast to more established technologies, there is no universal cyber risk management or security control framework designed for AI-powered systems, and such systems pose unfamiliar risks and provide new challenges. This is problematic since appropriate guidance is important for the implementation of effective cyber risk management practices. Furthermore, without insight into current cyber risk management practices for AI-powered systems, it is difficult to determine whether legislation or guidelines are fit for purpose, which is of importance from a regulatory perspective.
As such, this thesis sets out to study which cyber risks AI-powered systems face, how cyber risks for AI-powered systems are managed in the financial sector, and which internal governance and control practices are used in the relevant cyber risk management processes. The research is primarily based on a literature review, with semi-structured interviews as the supporting method. For scoping purposes, the interviews were conducted with experts and practitioners active in the Dutch financial sector. Still, due to the cross-border nature of the sector, the results are likely to be applicable to the broader European financial sector. The five main findings are that: 1) while regulatory developments like DORA and the AI Act have resulted in increased financial sector attention for cyber risk management for AI-powered systems, the current state of play is that AI use is not widespread, with AI complexity being low and AI often being used in a low-risk environment, so that the relevant cyber risk management practices are not top of mind; 2) important focus areas in cyber risk management for AI systems are data and model risk; 3) next to AI data and model dependencies, AI system interconnectivity is another important source of risk, making AI supply chain risks an important focus area for cyber risk management; 4) concerning cyber risk identification and analysis practices, the interview findings show that any cyber risk management framework for AI systems should use an ecosystem perspective that considers the environment in which the system and organisation operate; and 5) while increased regulatory attention to cyber risk management for AI is generally seen as a good thing, the multifaceted characteristics of AI systems and the risks they face require due consideration of potentially contradictory regulatory requirements.
Data sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are leaked into the digital economy, causing damage to social practices and destabilising political and informational ecosystems. Data pollution is like industrial pollution, and environmental law suggestions can offer solutions to the problem. Will a Pigouvian tax on data extraction limit or constrain the negative externalities of data pollution? This explorative research aims to investigate whether a data pollution tax can operate as a regulatory instrument to curb data pollution and whether citizens support this measure. Do citizens support a data pollution tax designed so that harms to others, affecting their core human capabilities, will be taxed as a matter of principle? Suppose excessive (corporate) data sharing and extraction practices that cause harm to others will be taxed. Do individuals expect that persons and corporations will change their data transmission practices? Our survey findings show that (United States) citizens consider that harms caused by data pollution should be taxed. Respondents will also substantially decrease their data pollution behaviour once a tax is imposed. However, and to our surprise, our research findings also lay bare a possible ‘bad behaviour paradox’: the more significant the harm caused by some instances of data pollution, the less willing people are to change behaviour relative to the tax imposed.