Data sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are leaked into the digital economy causing damage to social practices and destabilizing political and informational ecosystems. Data pollution is like industrial pollution, and environmental law suggestions can offer solutions to the problem. Will a Pigouvian tax on data extraction limit or constrain the negative externalities of data pollution? This explorative research aims to investigate whether a data pollution tax can operate as a regulatory instrument to curb data pollution and whether citizens support this measure. Do citizens support a data pollution tax designed so that harms to others, affecting their core human capabilities, will be taxed as a matter of principle? Suppose excessive (corporate) data sharing and extraction practices that cause harm to others will be taxed. Do individuals expect that persons and corporations will change their data transmission practices? Our survey findings show that (United States) citizens consider that harms caused by data pollution should be taxed. Respondents will also substantially decrease their data pollution behaviour once a tax is imposed. However, and to our surprise, our research findings also lay bare a possible ‘bad behaviour paradox’: the more significant the harm caused by some instances of data pollution, the less willing people are to change behaviour relative to the tax imposed.
"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity," a statement that can be found often in Cybersecurity reports either published by governmental organisations as well as private Cybersecurity companies, the latter suspiciously for commercial purposes. But what is the real impact that Cybersecurity Incidents have on the Dutch economy, especially on legal-entities in the Netherlands? Where is the data that objectively provides insight in the havoc that is wreaked by Cybersecurity Incidents and would justify an increase in investment? The conclusion drawn after analysing available data is puzzling: no reliable overview of actual Cybersecurity incidents and their impact on companies in the Netherlands exists. The landscape is a scattered scene of puzzle pieces, consisting of crime data, insurance claims, data breach reports and incidents reported to the National Cyber Security Center. So we are not sure whether companies over- or underinvest in Cyber Security, we simply cannot tell on the basis of facts. Threats are out there for sure, but when they do not materialize, it could well be that the defences are fit for purpose. The annual Cybersecurity Monitor produced by Statistics Netherlands (CBS) since 2017 is available, but not based on actual incidents occurred, but on surveys, which tend to show perception rather than reality. Though it is the best dataset available and the trends of four years (2017-2020) of data are valuable, despite lack of quantified financial impact. Is the Dutch situation unique? What have other nations done to get a better and more reliable view on the size and dimension of the impact of Cybersecurity Incidents?
And what solutions could be available to get an objective view of the impact of Cybersecurity incidents on Dutch legal-entities? In the domain of Road Safety, impact data is carefully measured as policy- and lawmakers use it for improving policies with the objective to decrease the impact. Similar to natural disasters of which impact is reported in scales, such as Beaufort for storms, Mercalli for earthquakes, a scale may help to report on Cybersecurity Incident impact, and serve for policy makers to obtain objective and comparable data justifying their policy proposals. With this Thesis I aim to make a contribution towards providing objective insight into the impact of Cybersecurity Incidents, by means of proposing the Cybersecurity Incident Impact (CSI2) scale. Only by proper measuring and reporting we know what is happening out there in Dutch Cyberspace, allowing for the right policies and laws to be proposed, as well as the right level of investments to be made.
Content moderation is about optimizing the equilibrium between two important values: freedom of speech and a safe and secure digital space. The main tasks are defining what is admissible content and assuring that inadmissible content is not allowed into the digital public space. Commercial digital platforms cannot be expected to carry this responsibility on their own without any incentives or obligations. They have their own commercial goals to serve. Tightened and more precise regulation is necessary. Overfitting the regulation will compromise freedom of speech. Underfitting the regulation will compromise the security of the digital space. An important aspect of assessing this balance is transparency. In this thesis we looked at the historical timeline of drafted regulation and the rise of social media. The three layer-model of cyberspace was used to analyse AI facilitated content moderation. Transparency requirements on each level have been identified and existing and upcoming regulation on content moderation and AI has been assessed to identify gaps. Current regulation on transparency in content moderation lacks clarity, enforcement, and consistency, partly because the E-commerce Directive was drafted before the explosive rise of social media and AI. It is remarkable, however, that the basic requirement for notice and takedown still serves a very relevant purpose. An increased focus of regulation of the technical layer is required with the introduction of artificial intelligence tools in content moderation. Although regulation on artificial intelligence is fragmented and still in an early stage of development, the Digital Services Act and the EU White Paper on Artificial Intelligence include promising measures, such as record keeping and auditing.
The overlap and mutual synergy between both regulations should be closely monitored. The last conclusion is on transparency of terminology. Terminology regarding transparency in the world of AI technology, often relates to insight into the technical functioning of algorithms and to the ability to predict the outcome of an artificial intelligence model. In the governance world, transparency is linked to accountability and clarity. This gap between the world of artificial intelligence technology and the world of governance will need extra attention when drafting further regulation on AI. There is a need for common terminology.
This thesis compares Russian cyber operations against Ukraine and the United States of America between 2014 and 2019. It aims to research which factors influence the different outcomes in the studied operations. The studied operations involve cyberattacks on power grids on the one hand and digital information operations interfering in elections on the other. The results show that Russian power grid cyberattacks in Ukraine are more disruptive than in the USA, while their information operations were more effective in the USA. The argument put forward in this research is that Russia is less hesitant to disrupt critical infrastructure in Ukraine due to its involvement in the Ukrainian conflict. Moreover, there is limited potential of escalation of applying such disruptions in Ukraine. Finally, Ukraine provides Russia with opportunities to test its cyber operations without risking large scale retribution from powerful states. Information operations targeting the presidential elections have been more effective in the USA than similar operations in Ukraine. In this research it is argued that Ukraine is both more familiar and more resilient to Russian (dis)information operations. Furthermore, the conflict scenario between the two countries causes Ukrainians to be suspicious of pro-Russian narratives. Western media on the other hand amplified the Russian disinformation in the USA. In both countries Russia succeeded in deepening the social polarisation between opposing groups.
Many have expressed their concerns of the increase and severity of ransomware attacks targeting the healthcare sector, in particular hospitals, during the corona-era. A combination of the healthcare sector's reliance on its systems and the often urgent need to access (medical) data means that some cybercriminals have identified the healthcare sector as a suitable target. Some even claimed that the pandemic has caused a change in the modus operandi of offenders deploying ransomware. This qualitative research examines to what extent the COVID-19 pandemic truly changed the modus operandi of offenders who committed a ransomware attack targeting the healthcare sector. More specifically, it investigates how a ransomware attack was carried out at the healthcare sector during the pandemic through conducting a crime script analysis. Subsequently, it investigates whether this differs from the situation before the COVID-19 pandemic. The results of this study indicate that the modus operandi changed just slightly from the situation before the COVID-19 pandemic, but no significant changes were identified. This indicates that we must be critical about most of the claims stating that COVID-19 has caused a serious change in ransomware attacks on the healthcare sector opening up new opportunities to avoid moral panic.
When discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts take place. More importantly, with these players taken into account, it is not only possible to understand this concept but also to predict and prevent the crimes that take place. In this thesis, the research focuses on individual victims of cybercrime in the Netherlands and their behavioural characteristics. The aim of this research is to study which behavioural risk factors have a predictive value for victimization, both in the offline and the online world. To answer this question, I designed a digital survey to compare two types of crime; one in the offline world and one in the online world. These two criminal acts have in common that they are comparable with each other, with the only difference that they take place in different worlds. The chosen criminal acts are doorstep scams in the offline world, and phishing in the online world. A scientific literature review, the data collected from the digital questionnaire and the subsequent analysis will answer the sub-questions of this research. It seemed that certain risk factors like socio-economic status, online activities, optimism bias, loneliness, capable guardianship and offline victimization had a significant correlation with victimization. For the factors optimism bias, capable guardianship and loneliness, these results had even a predictive value. Although there is quite an amount of scientific research available on risk factors and victimization, this research shows that there is still not enough knowledge about the behaviour of victims. This is because the studied risk factors have little to do with the actual behaviour of potential victims.
Researchers must take a step back to study which existing theories should be better investigated for the existence of other, potential risk factors. With a decent description and formulation of the new risk factors, it would be easier in the future to reduce online and offline victimization based on these risk factors.
Digitalization adds convenience to our lives in many ways. We communicate and do shopping online, turn the heating up at home while leaving the office, and connect the lights to remote control them from the couch. The examples illustrate how technology has shaped our lives in the past decades. Our interaction with technology has changed dramatically. This development affects organizations as well. Organizations adopt new technologies to service their clients in order to gain competitive advantage. Processes and services are offered digitally and in many cases, online. Independent of the processes and services offered, organizations require adequate security measures to protect their assets. As examples in the news illustrate, not doing so may result in serious business impact like loss of reputation, financial losses, operational or legal impact, or even worst case scenarios like bankruptcy. At the same time, there are numerous challenges that organizations face in securing their assets. These challenges include a rapidly changing threat landscape, new technologies, vulnerabilities in software, and the strongly interconnected and inherent complex nature of the cyber domain. To what extent are organizations able to protect their assets against cybersecurity threats? How do organizations assess their cybersecurity risks? Do these approaches fit the current cybersecurity challenges? Identifying, analyzing and evaluating cybersecurity risks can become a daunting task. Fortunately, there are many risk frameworks, methods and techniques available that organizations can adopt. Maybe even that many that selecting a fit for purpose approach becomes daunting by itself.
This qualitative research explores the current state of cybersecurity risk assessment practices in organizations by researching to what extent the available cybersecurity risk assessment methods and techniques actually have been adopted by organizations. Second, the research investigates whether the chosen approach caters for the challenges in the cyber domain, and what benefits and limitations are perceived.
Children make use of mobile applications on an ever increasing basis. A category of app that is increasingly popular amongst children in the Netherlands is mobile applications that focus on education. This study takes a holistic approach to studying privacy related to the use of this type of mobile applications by approaching the subject using the different lenses of the three layer model. The governance layer is studied to see how privacy of children is regulated, the socio-technical layer addresses privacy concerns parents have when their children use such applications, and the technical layer elaborates upon what mobile applications claim to do and what they do in practice. Bringing these perspectives together shows that there are three key themes relevant for the topic at hand: transparency, parental consent and data minimization. However, in none of these themes the observations of all three studied layers fully complement one another and contrasts can even be observed. Results show that providing parents with more control could possibly improve this.