"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by...Show more"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by governmental organisations as well as private Cybersecurity companies, the latter suspiciously for commercial purposes. But what is the real impact that Cybersecurity Incidents have on the Dutch economy, especially on legal-entities in the Netherlands? Where is the data that objectively provides insight in the havoc that is wrecked by Cybersecurity Incidents and would justify an increase in investment? The conclusion drawn after analysing available data is puzzling: no reliable overview of actual Cybersecurity incidents and their impact on companies in the Netherlands exists. The landscape is a scattered scene of puzzle pieces, consisting of crime data, insurance claims, data breach reports and incidents reported to the National Cyber Security Center. So we are not sure whether companies over- or underinvest in Cyber Security, we simply cannot tell on the basis of facts. Threats are out there for sure, but when they do not materialize, it could well be that the defences are fit for purpose. The annual Cybersecurity Monitor produced by Statistics Netherlands (CBS) since 2017 is available, but not based on actual incidents occurred, but on surveys, which tend to show perception rather than reality. Though it is the best dataset available and the trends of four years (2017-2020) of data are valuable, despite lack of quantified financial impact. Is the Dutch situation unique? What have other nations done to get a better and more reliable view on the size and dimension of the impact of Cybersecurity Incidents? And what solutions could be available to get an objective view of the impact of Cybersecurity incidents on Dutch legal-entities? In the domain of Road Safety, impact data is carefully measured as policy- and lawmakers use it for improving policies with the objective to decrease the impact. Similar to natural disasters of which impact is reported in scales, such as Beaufort for storms, Mercalli for earthquakes, a scale may help to report on Cybersecurity Incident impact, and serve for policy makers to obtain objective and comparable data justifying their policy proposals. With this Thesis I aim to make a contribution towards providing objective insight into the impact of Cybersecurity Incidents, by means of proposing the Cybersecurity v Incident Impact (CSI2) scale. Only by proper measuring and reporting we know what is happening out there in Dutch Cyberspace, allowing for the right policies and laws to be proposed, as well as the right level of investments to be made.Show less
Data sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are...Show moreData sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are leaked into the digital economy causing damage to social practices and destabilizing political and informational ecosystems. Data pollution is like industrial pollution, and environmental law suggestions can offer solutions to the problem. Will a Pigouvian tax on data extraction limit or constrain the negative externalities of data pollution? This explorative research aims to investigate whether a data pollution tax can operate as a regulatory instrument to curb data pollution and whether citizens support this measure. Do citizens support a data pollution tax designed so that harms to others, affecting their core human capabilities, will be taxed as a matter of principle? Suppose excessive (corporate) data sharing and extraction practices that cause harm to others will be taxed. Do individuals expect that persons and corporations will change their data transmission practices? Our survey findings show that (United States) citizens consider that harms caused by data pollution should be taxed. Respondents will also substantially decrease their data pollution behaviour once a tax is imposed. However, and to our surprise, our research findings also lay bare a possible ‘bad behaviour paradox’: the more significant the harm caused by some instances of data pollution, the less willing people are to change behaviour relative to the tax imposed.Show less