This thesis examines the cyber security challenges of leveraging third-party ICT in the financial sector (FS). Although new EU regulation such as DORA (2023) has taken steps to mitigate the challenges of adopting third-party providers (TPPs) in the recently securitised financial sector, there remains limited qualitative research on this phenomenon. Academic research is urgently needed to explore the reasons behind the FS’s reliance on TPPs, despite their apparent risks and the organisational challenges they are likely to face whilst outsourcing their critical services. Using a qualitative, deductive approach, the thesis collected its data from interviews with cyber security experts and from secondary literature. Using Atlas.ti, a qualitative analysis software, the thesis conducted a thematic analysis with pre-defined codes using the organisational behaviour model (OBM) from Graham and Zelikow (1999). The thesis found that despite an awareness of its many risks, the FS has made exceptional use of TPPs. This can be explained by its low costs for installation and shifting market demands. Furthermore, the thesis found that despite a willingness to improve their third-party risk management (TPRM), the FS has difficulty achieving this due to their organisational behaviour. A culture of minimising costs, not wanting to exceed regulatory compliance and an inability to establish standard operating procedures (SOPs) for their TPPs are only a few of the organisational challenges that will prevent the FS from facing the cyber security challenges of expanding its supply chain. The findings of this paper have important implications as a successful supply chain attack on the EU financial sector could cause unprecedented disruptions to the global financial system.
Furthermore, this research will help policymakers and FS leaders to better understand and mitigate the cyber challenges of TPPs for the financial sector.
In recent years, the maritime industry has been applying Industrial Internet of Things devices, data trending and high-speed satellite connections. While these advances in technology make business easier for the industry, they also have drawbacks. In the past the maritime industry had an air-gap between the different systems. The probability of a cyber incident would be limited, let alone the probability of an incident propagating to a different system. Now, systems are interconnected and the risk of a cyber incident occurring is high, as is the risk of an incident on one system propagating to another system. There are different academic studies which have looked at maritime cyber threats as well as measures. However, there are not many qualitative studies of how the maritime industry is actually dealing with cyber threats. For this thesis, first a literature survey was conducted on cyber security onboard ships. The survey showed that most of the literature is focussed on navigation and communication systems, whereas there are more systems which can be attacked, such as propulsion control systems and engine control systems. The literature study also shows that measures against attacks are addressed mainly in the governance domain. The main driver that is mentioned in the literature is IMO resolution MSC.428(98). The role of the shipyards and suppliers of equipment and systems is not mentioned in the literature, as these actors are not in the scope of the resolution. Following the literature survey, semi-structured interviews were held with eight people working at different organisations in the maritime industry. The interviewees were selected using expert sampling and snowballing.
The interviews took approximately 30-45 minutes and were held online via Teams. After the interviews were held, they were transcribed and subjected to thematic analysis, where the interviews were coded and themed. The combination of the literature survey and the semi-structured interviews provided the answer to what the maritime industry is doing to deal with cyber security on board ships. The conclusion is that while the maritime industry is lagging behind other industries, it is improving. The maritime industry is realising that cyber security is an important aspect of their daily business. Due to the many different actors involved in the maritime industry, there is a need for clear requirements and responsibilities. From the top down, this starts with international organisations and classification societies in combination with owners enforcing requirements during the lifetime of a ship to the shipyards and suppliers of equipment and systems. To ensure that all parties are complying with the rules and regulations and that the systems on board the vessel work as intended, it is recommended to put one party in charge of cyber security on board ships.
Cyberspace has become the fifth domain for states to fight for power and poses serious security challenges for states. Whereas cyber conflict was expected to evolve into cyber war, the last decades have shown that cyber conflict has remained a way for states to conduct subversion campaigns and gain a strategic advantage. Large states especially are dominant players in this arena and are responsible for numerous impactful attacks. On the receiving end, small states have considerable disadvantages in handling these attacks. Small states lack the resources and knowledge to respond adequately to attacks and don’t have the power to deter effectively or retaliate. Therefore, the behaviour in this domain is expected to differ from conventional warfare, where states tend to respect a state’s sovereignty and follow international law. However, the nature of this domain creates an image of small states as ‘sitting ducks’ on the receiving end of cyber campaigns by larger states. In this thesis, we examined how small states respond to cyber attacks, presumably conducted by a large state, to answer the research question: to what extent does small state theory explain the cyber response to cyber attacks? We did so by analysing the cases of Estonia and The Netherlands in their respective responses to presumed state-sponsored cyber attacks. From the analysis, it becomes clear that models of small state theory apply to the cases in the majority. Both cases exhibit methods of seeking alliances, enforcing institutions and evoking a sense of identity and norms.