This study examines non-compliance with policy, or not following the rules, within the cybersecurity domain, which is commonly perceived as the cause of cybersecurity incidents. Specifically, it researches contributing factors of motivation. For this, literature from other domains is examined for approaches on using motivation to increase compliance, and whether these could be applied to cybersecurity. To this end the underlying theoretical frameworks of governance, policy, compliance, non-compliance, and motivation are first examined. The motivational approaches to stimulate compliance with policy rules were identified as either extrinsic or intrinsic motivation. The former relies on incentives or deterrents, as stipulated by General Deterrence Theory (GDT), and is commonly employed in cybersecurity. The latter uses autonomy, competence, and relatedness from Cognitive Evaluation Theory (CET), which could be used as an alternative approach within cybersecurity. The different approaches from other domains which successfully increased compliance were examined and found to utilize alternative styles of governance, policy, communication, and education. These approaches could either directly or indirectly be related to CET, indicating viability for application in the cybersecurity domain. Based on this, alternative approaches for application to cybersecurity were hypothesized. Although further research for their application is required, the findings of this study provide a foundation for an alternative approach within cybersecurity which could improve compliance with cybersecurity policy.
This thesis explores how technological vulnerabilities leading to cyber operations against critical infrastructures can be explained, with focus on the aviation sector. The answer is Technical Debt Theory, which suits older technologies and, with some improvements, can provide good explanations of newer technologies’ vulnerabilities as well. The research begins with a literature review on vulnerabilities in older and newer technologies in this industry, followed by the application of Technical Debt Theory (TDT) to older technologies, revealing a gap in research regarding cybersecurity vulnerabilities in newer technologies. To fill this gap, the researcher adopts qualitative secondary analysis and abductive research. In some newer technologies TDT fits well, while to explain vulnerabilities in other technologies, complementation of TDT is needed: the main addition to the theory is a direct line between security debt and technical debt compared to older technologies.
With the attribution problem of “who has done it” becoming increasingly easy to solve through better research techniques, the problem shifts towards how to respond to cyber incidents. Egloff & Smeets (2021) theorize that states use public attribution statements to set norms of appropriate behavior in cyberspace. To test this hypothesis, six cyber incidents over three states, namely the US, UK and the Netherlands, are analyzed through the framework of Finnemore & Hollis (2016). The conclusion is that states do use public attribution to set norms of appropriate behavior in cyberspace. However, this is not always the case and sometimes they promote other norms than those that might have been expected.
This research aims to contribute to the debates on the democratic deficit of the European Union by researching the added value of EU membership in the field of cybersecurity. One of the main arguments in discussions of the democratic deficit of the EU holds that the EU fulfils its democratic purposes if it works ‘for’ the people. By providing effective governance and polity, EU membership makes cyberspace safer and more secure for its member states, which is beneficial for all EU citizens. The EU and its agencies facilitate effective and operative cooperation that works ‘for’ the people. This research focused on two member states as case studies, the Netherlands and Hungary, and found evidence that the EU provides a trusted and operative environment which contributes to cybersecurity in unique ways like no other international cooperation. This research looks for evidence that Europeanization, securitization, and interdependence drive the integration in cybersecurity at the European level.
Digitalization adds convenience to our lives in many ways. We communicate and do shopping online, turn the heating up at home while leaving the office, and connect the lights to remote control them from the couch. The examples illustrate how technology has shaped our lives in the past decades. Our interaction with technology has changed dramatically. This development affects organizations as well. Organizations adopt new technologies to service their clients in order to gain competitive advantage. Processes and services are offered digitally and, in many cases, online. Independent of the processes and services offered, organizations require adequate security measures to protect their assets. As examples in the news illustrate, not doing so may result in serious business impact like loss of reputation, financial losses, operational or legal impact, or even worst-case scenarios like bankruptcy. At the same time, there are numerous challenges that organizations face in securing their assets. These challenges include a rapidly changing threat landscape, new technologies, vulnerabilities in software, and the strongly interconnected and inherently complex nature of the cyber domain. To what extent are organizations able to protect their assets against cybersecurity threats? How do organizations assess their cybersecurity risks? Do these approaches fit the current cybersecurity challenges? Identifying, analyzing and evaluating cybersecurity risks can become a daunting task. Fortunately, there are many risk frameworks, methods and techniques available that organizations can adopt. Perhaps even so many that selecting a fit-for-purpose approach becomes daunting in itself.
This qualitative research explores the current state of cybersecurity risk assessment practices in organizations by researching to what extent the available cybersecurity risk assessment methods and techniques actually have been adopted by organizations. Second, the research investigates whether the chosen approach caters for the challenges in the cyber domain, and what benefits and limitations are perceived.
How can we understand the institutional development of EU cybersecurity cooperation from 2001 to 2018 and what are the consequences of this process? The problem of integration is an old one; the domain of cyber is new, controversial and interesting. The issue of cooperation within cyberspace is becoming paramount. This, however, affects the EU-member-state relationship, as the classical understanding of sovereignty is eroded by cybersecurity. As cooperation is key to success within cyberspace, there must be policy coherence in order to achieve this. The EU has several institutions to achieve this. This thesis will examine in detail the development of one of its cybersecurity institutions: the European Network and Information Security Agency, ENISA. By connecting the theory of institutionalism and using three mechanisms, this agency is used as a case study to show how and why ENISA has developed from a small and insignificant agency to a big and influential agency within the span of just fourteen years.
Vulnerabilities in information systems have always been the Achilles heel of digital security. Ransomware campaigns such as WannaCry and (Not)Petya highlighted the global and multidimensional nature of vulnerabilities and showed how substantial the impact of these could be for many aspects of daily life. Vulnerability disclosure is a valuable instrument to report and solve these vulnerabilities to increase the security of information systems and prevent such events from happening. However, the EU’s legal landscape for vulnerability disclosure is fragmented, and vulnerability researchers have to deal with legal uncertainty. Therefore, this thesis focuses on how the EU can increase the resilience of its cyber ecosystem through stimulating vulnerability disclosure. The purpose of this study will be to describe the different policy instruments the EU may use to stimulate coordinated vulnerability disclosure and prescribe which ones would be most valuable for increasing the EU’s cyber resilience. Coordinated vulnerability disclosure refers to the approach of disclosing vulnerabilities in the security of information systems in a controlled and responsible manner. This thesis will combine an analysis of primary and secondary sources, using technical and non-technical perspectives to bring these two worlds closer together to develop effective cybersecurity policies. To provide a deeper understanding of how the EU could construct a resilient cyber ecosystem, insights on cybersecurity, the resilience of ecosystems and security governance will be combined. In conclusion, it is recommended that the EU uses a mix of regulatory instruments making optimal use of the expertise of the private sector to stimulate coordinated vulnerability disclosure.
The outcomes are timely because in September 2017 a new EU Cyberstrategy will be presented.