Data sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are leaked into the digital economy causing damage to social practices and destabilizing political and informational ecosystems. Data pollution is like industrial pollution, and environmental law suggestions can offer solutions to the problem. Will a Pigouvian tax on data extraction limit or constrain the negative externalities of data pollution? This explorative research aims to investigate whether a data pollution tax can operate as a regulatory instrument to curb data pollution and whether citizens support this measure. Do citizens support a data pollution tax designed so that harms to others, affecting their core human capabilities, will be taxed as a matter of principle? Suppose excessive (corporate) data sharing and extraction practices that cause harm to others will be taxed. Do individuals expect that persons and corporations will change their data transmission practices? Our survey findings show that (United States) citizens consider that harms caused by data pollution should be taxed. Respondents will also substantially decrease their data pollution behaviour once a tax is imposed. However, and to our surprise, our research findings also lay bare a possible ‘bad behaviour paradox’: the more significant the harm caused by some instances of data pollution, the less willing people are to change behaviour relative to the tax imposed.
"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity," a statement that can be found often in Cybersecurity reports either published by governmental organisations as well as private Cybersecurity companies, the latter suspiciously for commercial purposes. But what is the real impact that Cybersecurity Incidents have on the Dutch economy, especially on legal-entities in the Netherlands? Where is the data that objectively provides insight into the havoc that is wreaked by Cybersecurity Incidents and would justify an increase in investment? The conclusion drawn after analysing available data is puzzling: no reliable overview of actual Cybersecurity incidents and their impact on companies in the Netherlands exists. The landscape is a scattered scene of puzzle pieces, consisting of crime data, insurance claims, data breach reports and incidents reported to the National Cyber Security Center. So we are not sure whether companies over- or underinvest in Cyber Security, we simply cannot tell on the basis of facts. Threats are out there for sure, but when they do not materialize, it could well be that the defences are fit for purpose. The annual Cybersecurity Monitor produced by Statistics Netherlands (CBS) since 2017 is available, but not based on actual incidents occurred, but on surveys, which tend to show perception rather than reality. Though it is the best dataset available and the trends of four years (2017-2020) of data are valuable, despite lack of quantified financial impact. Is the Dutch situation unique? What have other nations done to get a better and more reliable view on the size and dimension of the impact of Cybersecurity Incidents?
And what solutions could be available to get an objective view of the impact of Cybersecurity incidents on Dutch legal-entities? In the domain of Road Safety, impact data is carefully measured as policy- and lawmakers use it for improving policies with the objective to decrease the impact. Similar to natural disasters of which impact is reported in scales, such as Beaufort for storms, Mercalli for earthquakes, a scale may help to report on Cybersecurity Incident impact, and serve for policy makers to obtain objective and comparable data justifying their policy proposals. With this Thesis I aim to make a contribution towards providing objective insight into the impact of Cybersecurity Incidents, by means of proposing the Cybersecurity Incident Impact (CSI2) scale. Only by proper measuring and reporting we know what is happening out there in Dutch Cyberspace, allowing for the right policies and laws to be proposed, as well as the right level of investments to be made.
Content moderation is about optimizing the equilibrium between two important values: freedom of speech and a safe and secure digital space. The main tasks are defining what is admissible content and assuring that inadmissible content is not allowed into the digital public space. Commercial digital platforms cannot be expected to carry this responsibility on their own without any incentives or obligations. They have their own commercial goals to serve. Tightened and more precise regulation is necessary. Overfitting the regulation will compromise freedom of speech. Underfitting the regulation will compromise the security of the digital space. An important aspect of assessing this balance is transparency. In this thesis we looked at the historical timeline of drafted regulation and the rise of social media. The three layer-model of cyberspace was used to analyse AI facilitated content moderation. Transparency requirements on each level have been identified and existing and upcoming regulation on content moderation and AI has been assessed to identify gaps. Current regulation on transparency in content moderation lacks clarity, enforcement, and consistency, partly because the E-commerce Directive was drafted before the explosive rise of social media and AI. It is remarkable, however, that the basic requirement for notice and takedown still serves a very relevant purpose. An increased focus of regulation of the technical layer is required with the introduction of artificial intelligence tools in content moderation. Although regulation on artificial intelligence is fragmented and still in an early stage of development, the Digital Services Act and the EU White Paper on Artificial Intelligence include promising measures, such as record keeping and auditing.
The overlap and mutual synergy between both regulations should be closely monitored. The last conclusion is on transparency of terminology. Terminology regarding transparency in the world of AI technology often relates to insight into the technical functioning of algorithms and to the ability to predict the outcome of an artificial intelligence model. In the governance world, transparency is linked to accountability and clarity. This gap between the world of artificial intelligence technology and the world of governance will need extra attention when drafting further regulation on AI. There is a need for common terminology.
Many have expressed their concerns about the increase and severity of ransomware attacks targeting the healthcare sector, in particular hospitals, during the corona-era. A combination of the healthcare sector's reliance on its systems and the often urgent need to access (medical) data means that some cybercriminals have identified the healthcare sector as a suitable target. Some even claimed that the pandemic has caused a change in the modus operandi of offenders deploying ransomware. This qualitative research examines to what extent the COVID-19 pandemic truly changed the modus operandi of offenders who committed a ransomware attack targeting the healthcare sector. More specifically, it investigates how a ransomware attack was carried out at the healthcare sector during the pandemic through conducting a crime script analysis. Subsequently, it investigates whether this differs from the situation before the COVID-19 pandemic. The results of this study indicate that the modus operandi changed only slightly from the situation before the COVID-19 pandemic, but no significant changes were identified. This indicates that we must be critical about most of the claims stating that COVID-19 has caused a serious change in ransomware attacks on the healthcare sector opening up new opportunities to avoid moral panic.
When discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts take place. More importantly, with these players taken into account, it is not only possible to understand this concept but also to predict and prevent the crimes that take place. In this thesis, the research focuses on individual victims of cybercrime in the Netherlands and their behavioural characteristics. The aim of this research is to study which behavioural risk factors have a predictive value for victimization, both in the offline and the online world. To answer this question, I designed a digital survey to compare two types of crime; one in the offline world and one in the online world. These two criminal acts have in common that they are comparable with each other, with the only difference that they take place in different worlds. The chosen criminal acts are doorstep scams in the offline world, and phishing in the online world. A scientific literature review, the data collected from the digital questionnaire and the subsequent analysis will answer the sub-questions of this research. It seemed that certain risk factors like socio-economic status, online activities, optimism bias, loneliness, capable guardianship and offline victimization had a significant correlation with victimization. For the factors optimism bias, capable guardianship and loneliness, these results had even a predictive value. Although there is quite an amount of scientific research available on risk factors and victimization, this research shows that there is still not enough knowledge about the behaviour of victims. This is because the studied risk factors have little to do with the actual behaviour of potential victims.
Researchers must take a step back to study which existing theories should be better investigated for the existence of other, potential risk factors. With a decent description and formulation of the new risk factors, it would be easier in the future to reduce online and offline victimization based on these risk factors.
Children make use of mobile applications on an ever increasing basis. A category of app that is increasingly popular amongst children in the Netherlands is mobile applications that focus on education. This study takes a holistic approach to studying privacy related to the use of this type of mobile applications by approaching the subject using the different lenses of the three layer model. The governance layer is studied to see how privacy of children is regulated, the socio-technical layer addresses privacy concerns parents have when their children use such applications, and the technical layer elaborates upon what mobile applications claim to do and what they do in practice. Bringing these perspectives together shows that there are three key themes relevant for the topic at hand: transparency, parental consent and data minimization. However, in none of these themes the observations of all three studied layers fully complement one another and contrasts can even be observed. Results show that providing parents with more control could possibly improve this.
This report describes the results of the research in the context of the Master's degree in Cyber Security. This study researched the problem that public tenders contain information that can be collected by hackers during their preparation for a cyber-attack. Adversaries can easily access this information and abuse it against the tendering organizations. Therefore, the main goal of this research is to establish guidelines aimed at identifying and reducing sensitive information in tenders, in order to prevent that malicious parties gather and use this information in the preparation of cyber-attacks against tendering organizations. To this end, the various concepts of open data, procurement, reconnaissance, cyber kill chain, and open source intelligence were examined. In addition, interviews were held to both identify the risks for tendering organizations due to the above identified problem and to evaluate on the established guidelines. The research results have shown that the information in tenders is public due to the principles on which the rules regarding tenders are based. This is to offer fair opportunities to companies to win contracts through tenders. Due to the public nature of information in tenders, the comparison can be made with the concept of open data. As a result, the risks inherent to open data, such as abuse by malicious parties, also apply to information in tenders. Further research into the reconnaissance activities of hackers has made it clear that hackers are looking for specific types of information in preparation for cyber-attacks. It has been determined through document analysis on real tenders and interviews with security professionals that these types of information occur in tenders.
This means that malicious parties can use tenders to collect information about organizations that is relevant for the preparation of cyber-attacks, against the tendering organizations. As a result, the tendering organizations face risks with regard to the confidentiality, integrity and availability of company assets. In particular, the likelihood that such risks arise is increased because the information is easily accessible to malicious parties. In order to prevent this, guidelines have been established. These guidelines should be used in follow-up research where a final solution is created that implements the described functionalities of the guidelines. The established guidelines focus in particular on identifying and reducing information that is relevant to hackers in tenders, before the tenders are made public. In this way the risks for tendering organizations can be prevented because this information can no longer be collected by malicious parties. The likelihood of the identified risks occurring is reduced. In addition, techniques have been suggested for these guidelines on which they can be implemented. The techniques regular expressions, text mining, comparison with known information, optical character recognition, and image recognition are discussed. Furthermore, guidelines have also been established that focus on the practical side of a final solution and the fact that this solution must be used in an existing context: people, processes and organizations. The guidelines and the results of the study were evaluated in interviews with senior purchasers. From these interviews it can be concluded that a solution based on the guidelines is of added value in practice in order to reduce sensitive information in tenders and prevent risks for tendering organizations. The results of this research thus result in recommendations for follow-up research, where the aim is to create an automated solution based on the guidelines that have been established.