"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by...Show more"Companies in the Netherlands - and elsewhere in the world - do not spend enough resources on Cybersecurity,” a statement that can be found often in Cybersecurity reports either published by governmental organisations as well as private Cybersecurity companies, the latter suspiciously for commercial purposes. But what is the real impact that Cybersecurity Incidents have on the Dutch economy, especially on legal-entities in the Netherlands? Where is the data that objectively provides insight in the havoc that is wrecked by Cybersecurity Incidents and would justify an increase in investment? The conclusion drawn after analysing available data is puzzling: no reliable overview of actual Cybersecurity incidents and their impact on companies in the Netherlands exists. The landscape is a scattered scene of puzzle pieces, consisting of crime data, insurance claims, data breach reports and incidents reported to the National Cyber Security Center. So we are not sure whether companies over- or underinvest in Cyber Security, we simply cannot tell on the basis of facts. Threats are out there for sure, but when they do not materialize, it could well be that the defences are fit for purpose. The annual Cybersecurity Monitor produced by Statistics Netherlands (CBS) since 2017 is available, but not based on actual incidents occurred, but on surveys, which tend to show perception rather than reality. Though it is the best dataset available and the trends of four years (2017-2020) of data are valuable, despite lack of quantified financial impact. Is the Dutch situation unique? What have other nations done to get a better and more reliable view on the size and dimension of the impact of Cybersecurity Incidents? And what solutions could be available to get an objective view of the impact of Cybersecurity incidents on Dutch legal-entities? In the domain of Road Safety, impact data is carefully measured as policy- and lawmakers use it for improving policies with the objective to decrease the impact. Similar to natural disasters of which impact is reported in scales, such as Beaufort for storms, Mercalli for earthquakes, a scale may help to report on Cybersecurity Incident impact, and serve for policy makers to obtain objective and comparable data justifying their policy proposals. With this Thesis I aim to make a contribution towards providing objective insight into the impact of Cybersecurity Incidents, by means of proposing the Cybersecurity v Incident Impact (CSI2) scale. Only by proper measuring and reporting we know what is happening out there in Dutch Cyberspace, allowing for the right policies and laws to be proposed, as well as the right level of investments to be made.Show less
This thesis compares Russian cyber operations against Ukraine and the United States of America between 2014 and 2019. It aims to research which factors influence the different outcomes in the...Show moreThis thesis compares Russian cyber operations against Ukraine and the United States of America between 2014 and 2019. It aims to research which factors influence the different outcomes in the studied operations. The studied operations involve cyberattacks on power grids on the one hand and digital information operations interfering in elections on the other. The results show that Russian power grid cyberattacks in Ukraine are more disruptive than in the USA, while their information operations were more effective in the USA. The argument put forward in this research is that Russia is less hesitant to disrupt critical infrastructure in Ukraine due to is involvement in the Ukrainian conflict. Moreover, there is limited potential of escalation of applying such disruptions in Ukraine. Finally, Ukraine provides Russia with opportunities to test its cyber operations without risking large scale retribution from powerful states. Information operations targeting the presidential elections have been more effective in the USA than similar operations in Ukraine. In this research it is argued that Ukraine is both more familiar and more resilient to Russian (dis)information operations. Furthermore, the conflict scenario between the two countries causes Ukrainians to be suspicious of pro-Russian narratives. Western media on the other hand amplified the Russian disinformation in the USA. In both countries Russia succeeded in deepening the social polarisation between opposing groups.Show less
When discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts takes place. More importantly, with these players taken into...Show moreWhen discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts takes place. More importantly, with these players taken into account, it is not only possible to understand this concept but also to predict and prevent the crimes that take place. In this thesis, the research focuses on individual victims of cybercrime in the Netherlands and their behavioural characteristics. The aim of this research is to study which behavioural risk factors have a predictive value for victimization, both in the offline as the online world. To answer this question, I designed a digital survey to compare two types of crime; one in the offline world and one in the online world. These two criminal acts have in common that they are comparable with each other, with the only difference that they take place in different worlds. The chosen criminal acts are doorstep scams in the offline world, and phishing in the online world. A scientific literature review, the data collected from the digital questionnaire and the subsequent analysis will answer the sub-questions of this research. It seemed that certain risk factors like socio-economic status, online activities, optimism bias, loneliness, capable guardianship and offline victimization had a significant correlation with victimization. For the factors optimism bias, capable guardianship and loneliness, these results had even a predictive value. Although there is quite an amount of scientific research available on risk factors and victimization, this research shows that there is still not enough knowledge about the behaviour of victims. This is because the studied risk factors have little to do with the actual behaviour of potential victims. Researchers must take a step back to study which existing theories should be better investigated for the existence of other, potential risk factors. With a descent description and formulation of the new risk factors, it would be easier in the future to reduce online and offline victimization based on these risk factors.Show less
Digitalization adds convenience to our lives in many ways. We communicate and do shopping online, turn the heating up at home while leaving the office, and connect the lights to remote control them...Show moreDigitalization adds convenience to our lives in many ways. We communicate and do shopping online, turn the heating up at home while leaving the office, and connect the lights to remote control them from the couch. The examples illustrate how technology has shaped our lives in the past decades. Our interaction with technology has changed dramatically. This development affects organizations as well. Organizations adopt new technologies to service their clients in order to gain competitive advantage. Processes and services are offered digital and in many cases, online. Independent of the processes and services offered, organizations require adequate security measures to protect their assets. As examples in the news illustrate, not doing so may result in serious business impact like loss of reputation, financial losses, operational or legal impact, or even worst case scenarios like bankruptcy. At the same time, there are numerous challenges that organizations face in securing their assets. These challenges include a rapid changing threat landscape, new technologies, vulnerabilities in software, and the strongly interconnected and inherent complex nature of the cyber domain. To what extent are organizations able to protect their assets against cybersecurity threats? How do organizations assess their cybersecurity risks? Do these approaches fit the current cybersecurity challenges? Identifying, analyzing and evaluating cybersecurity risks can become a daunting task. Fortunately, there are many risk frameworks, methods and techniques available that organizations can adopt. Maybe even that many that selecting a fit for purpose approach becomes daunting by itself. This qualitative research explores the current state of cybersecurity risk assessment practices in organizations by researching to what extent the available cybersecurity risk assessment methods and techniques actually have been adopted by organizations. Second, the research investigates whether the chosen approach caters for the challenges in the cyber domain, and what benefits and limitations are perceived.Show less
Children make use of mobile applications on an ever increasing basis. A category of app that is increasingly popular amongst children in the Netherlands is mobile applications that focus on...Show moreChildren make use of mobile applications on an ever increasing basis. A category of app that is increasingly popular amongst children in the Netherlands is mobile applications that focus on education. This study takes a holistic approach to studying privacy related to the use of this type of mobile applications by approaching the subject using the different lenses of the three layer model. The governance layer is studied to see how privacy of children is regulated, the socio-technical layer addresses privacy concerns parents have when their children use such applications, and the technical layer elaborates upon what mobile applications claim to do and what they do in practice. Bringing these perspectives together shows that there are three keys themes relevant for the topic at hand: transparency, parental consent and data minimization. However, in none of these themes the observations of all three studied layers fully complement one another and contrasts can even be observed. Results show that providing parents with more control could possibly improve this.Show less
When discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts takes place. More importantly, with these players taken into...Show moreWhen discussing the concepts of crime and cybercrime, their victims are important key players to understand why these criminal acts takes place. More importantly, with these players taken into account, it is not only possible to understand this concept but also to predict and prevent the crimes that take place. In this thesis, the research focuses on individual victims of cybercrime in the Netherlands and their behavioural characteristics. The aim of this research is to study which behavioural risk factors have a predictive value for victimization, both in the offline as the online world. To answer this question, I designed a digital survey to compare two types of crime; one in the offline world and one in the online world. These two criminal acts have in common that they are comparable with each other, with the only difference that they take place in different worlds. The chosen criminal acts are doorstep scams in the offline world, and phishing in the online world. A scientific literature review, the data collected from the digital questionnaire and the subsequent analysis will answer the sub-questions of this research. It seemed that certain risk factors like socio-economic status, online activities, optimism bias, loneliness, capable guardianship and offline victimization had a significant correlation with victimization. For the factors optimism bias, capable guardianship and loneliness, these results had even a predictive value. Although there is quite an amount of scientific research available on risk factors and victimization, this research shows that there is still not enough knowledge about the behaviour of victims. This is because the studied risk factors have little to do with the actual behaviour of potential victims. Researchers must take a step back to study which existing theories should be better investigated for the existence of other, potential risk factors. With a descent description and formulation of the new risk factors, it would be easier in the future to reduce online and offline victimization based on these risk factors.Show less
Data sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are...Show moreData sharing and data harvesting practices not only infringe the privacy rights of individuals but cause significant harms to others as well. Emissions of personally sensitive behavioural data are leaked into the digital economy causing damage to social practices and destabilizing political and informational ecosystems. Data pollution is like industrial pollution, and environmental law suggestions can offer solutions to the problem. Will a Pigouvian tax on data extraction limit or constrain the negative externalities of data pollution? This explorative research aims to investigate whether a data pollution tax can operate as a regulatory instrument to curb data pollution and whether citizens support this measure. Do citizens support a data pollution tax designed so that harms to others, affecting their core human capabilities, will be taxed as a matter of principle? Suppose excessive (corporate) data sharing and extraction practices that cause harm to others will be taxed. Do individuals expect that persons and corporations will change their data transmission practices? Our survey findings show that (United States) citizens consider that harms caused by data pollution should be taxed. Respondents will also substantially decrease their data pollution behaviour once a tax is imposed. However, and to our surprise, our research findings also lay bare a possible ‘bad behaviour paradox’: the more significant the harm caused by some instances of data pollution, the less willing people are to change behaviour relative to the tax imposed.Show less