Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices? Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers. Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality. The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.

In a rapidly evolving digital landscape, where information is the currency of progress, universities play a vital role in fostering innovation, research, and knowledge dissemination. However, this invaluable role also exposes universities to significant cybersecurity challenges. Cybersecurity is an increasingly important topic for organisations in all sectors, including universities. As repositories of valuable research data and other sensitive information, universities are attractive targets for cyber attacks. Addressing these challenges is crucial not only to protect intellectual property and sensitive data but also to maintain the trust and integrity of academic institutions. Despite the importance of cybersecurity for universities, there is a lack of research on how to effectively implement cybersecurity policies and practices in this context. The lack of a standardised approach to cybersecurity can leave universities vulnerable to cyber threats and hinder the sharing of best practices. This study is expected to identify key challenges and measures for cybersecurity policy in Dutch universities. It will provide insights into the implementation of effective cybersecurity policies and contribute to the development of an approach to cybersecurity in the higher education sector. The research question is: "How should the cybersecurity policies of Dutch universities be designed to mitigate cyber threats to ensure knowledge security?". To accomplish this research, a multidimensional approach was adopted. Extensive literature review provided a foundation for understanding cybersecurity standards and cyber ethics, while interviews were conducted with various Dutch universities to gain insights into their experiences and perspectives. Additionally, a comprehensive survey was administered to students and staff members of Dutch universities, enriching the study with diverse viewpoints. This work aligns with the objective of examining the quality of decision-making concerning grand societal challenges within the context of their socio-economic and political environments. It aspires to inform decision-makers in the public (policy) domain or at the intersection of the public and private spheres. By shedding light on the barriers faced by universities in implementing cybersecurity norms, this research aims to contribute to the ongoing discourse on securing knowledge assets in the face of emerging cyber threats. The thesis is structured as follows: it begins with an introduction that provides a comprehensive overview of the topic, delineating the problem at hand and outlining the proposed approach. Subsequently, the literature review section presents the findings of the extensive research conducted, exploring various subjects such as cybersecurity standards and cyber ethics, among others. The expected outcomes of this study are an overview of current cybersecurity challenges for Dutch universities, an understanding of the opinions and experiences of university staff and students, and recommendations for developing and implementing cybersecurity policies for Dutch universities.

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking. The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

In the current digitalised society keeping assets secure is one of the most prominent challenges organisations face. In the ongoing arms race between attackers and defenders, software security patching is a well-recognised and effective strategy to mitigate vulnerabilities in software products. However, organisations struggle with the best practice to “patch early and often”, resulting in vulnerabilities in software being exposed for much longer than desired. Prior research indicates the socio-technical nature of this practice forms the core of delays in software patch management. Developing a deeper understanding of the decision-making of IT practitioners and what socio-technical factors play a role in this process allows organisations to address the ineffectiveness of their security patch process. The main research question in this explorative research is: What socio-technical factors influence the effectiveness and timeliness of the security patching process in organisations? This Mixed Methods research combines qualitative data from interviews with IT practitioners, with a quantitative data exploration of the meaningfulness of organisational measurements. Findings show that IT practitioners go through a funnel of decision-making that influences the decision of what to patch, and when to patch. The presence and interplay of different socio-technical factors related to four main aspects of this decision (i.e., security, applicability, operability, and availability) result in tensions and trade-offs influencing the decision space of IT. Furthermore, this study indicates the interrelations between the significance of socio-technical factors, which is reduced by certain coping strategies applied by IT practitioners. This research reveals that having some measurement in place helps to understand the existence of challenges and the working of coping strategies, therefore contributing to an understanding of socio-technical challenges. However, it also reveals several limitations to the quality of existing data and difficulties in coming to measurements that provide meaningful information, due to socio-technical factors. The main contribution of this research is a better understanding of how socio-technical factors influence the decision-making process of IT practitioners. This research is limited in the way it uses quantitative data to understand patching activity. Future research is recommended to compare the potential discrepancy between what IT practitioners state influences the effectiveness of their security patch process and what the actual patching activity of IT practitioners reveals about the effectiveness of patching. This research furthermore hypothesises that not all socio-technical factors have the same level of significance. It is recommended to investigate the possibilities of quantification of the importance of each of the socio-technical challenges identified in this explorative study.

The rapid development of technology gives many opportunities but brings threats as well. The digitization of the financial sector has made the threat for cyber attacks significant. Cyber attacks such as the Petya virus or the Wannacry attack have exposed the vulnerability of the critical infrastructure. The financial sector is especially prone to cyber attacks within the critical infrastructure. The financial sector must be available at all times. Even a minor disruption could cause wrongful or unexecuted transactions leading to cascading effects on careers, organizations, or entire industries. The way to cope with disruptive cyber events is through digital operational resilience. In order to ensure this the European Commission has proposed the Digital Operational Resilience Act. A regulation that harmonizes existing guidelines aimed at ensuring resilience against cyber attacks for the financial sector in the EU. To estimate the regulatory performance of the DORA, insight is to be created into the perceptions of the stakeholders. Therefore, the research question of this thesis is: What is the perception of the financial sector towards the expectation of the Digital Operational Resilience Act? In order to answer this research question, interviews were conducted with high-level security managers of financial service organizations (FSOs) in the Netherlands, ICT providers and supervisory authorities. From insights gathered through the interviews, it can be concluded that the participants share a predominantly positive perception of the DORA. They were confident about there ability to be compliant within the given 24 months. The DORA is also seen as a step in the right direction towards a digital operational resilient financial sector. Recommendations are made for supervisory authorities regarding the implementation and supervision of the DORA and for the FSOs on the implementation and compliance with the DORA.

Phishing attacks are a growing cause of cybersecurity incidents such as data breaches. With these attacks, malicious actors try to gain access to systems by exploiting the vulnerability of employees. Particularly, intruders use different tricks to create convincing phishing emails to force people to behave less securely. Unfortunately, technological applications are insufficient in detecting all possible phishing attempts. As the consequences of a successful breach can be disastrous for a company, especially in the banking sector, pressure is put on employees to recognise and report potential phishing emails. To aid them in this task, phishing training is provided by employers. Employees are taught what phishing emails look like and which actions they should take if an email appears malicious. However, the effectiveness of these training sessions is difficult to evaluate. To understand the interaction of employees with phishing emails without influencing their behaviour, we study the emails employees report as suspicious to characterise the security culture at a bank. A better understanding of the behaviour provides grounds for recommendations to improve anti-phishing training and create a safer environment. The newfound metrics can provide an alternative to current methods. This research uses Exploratory Data Analysis (EDA) to evaluate the email reporting behaviour of employees at a bank to answer the Research Question How can email reporting patterns in a large organisation measure the relationship between phishing training, reported emails and employee behaviour? With this case study, we apply EDA to a large dataset containing bank employees' reported emails over 16 months. We analysed the reported emails and related them to the provided phishing training events. Moreover, we did a text analysis of the emails' content using the Term Frequency - Inverse Document Frequency (TF-IDF) method. Additionally, we extract the dominant topics of the emails using topic modelling. Lastly, with the help of interviews, the results are tied to employees' experiences to understand their behaviour. The major findings of the research are, firstly, the new metrics we identified to measure the security culture of a company. These metrics were found from both the analysis of employee behaviour over time, as well as the analysis of the email content. From the analysis of the reporting behaviour over time, new metrics include the unique reporters in relation to the total reported emails over time. Besides the unique reporters, unique reported emails can uncover the presence of campaigns. For example, a single email can explain the increase from 50 to 350 daily benign reports. The difference between the total reports and unique reports uncovered this. Secondly, topic analysis and content comparison show similarities between benign and malicious reported emails, indicating an increased vigilance of employees on these attributes. A second finding originates from the analysis of the email components. One of the components was used in all simulation emails, while it was not present in all the benign and malicious reported emails. This shows that the simulation emails can be extended to include different scenarios. Therefore, we recommend the company to extend the phishing simulation emails to contain varied phishing tactics to expose employees to other types of attacks and incorporate all aspects taught during the E-learning. Lastly, the analysis shows no concrete relation between the number of reported emails and the timing of the simulation wave. Although the reported p-value of benign emails after the simulation is 0.03, this significance can also be explained by external factors. With these results, we can measure employees' security culture and awareness in real-world circumstances without influencing the employees' behaviour, providing a new approach to investigating phishing behaviour. Adding to the research of Steves et al. (2020),, the click rates can be explained by more than solely the employees' awareness levels, and new explanations come forward to handle phishing threats. Moreover, the absence of a required test environment for the analysis created a solution for existing gaps. For example, as seen in (Hillman et al., 2023). A limitation of exploratory data analysis is that results are often ambiguous and mainly provide possible directions for future research. Furthermore, external factors influencing the behaviour could provide alternative reasons for the discussed interactions. To conclude, by using the reported emails to measure security behaviour related to phishing, we found new metrics which do not influence the employees in their daily behaviour while still providing insights to improve the tactics of a company in combating phishing attacks. Reporting behaviour can be used to analyse the current anti-phishing tactics of a company and provide suggestions for improvements. Future research should explore the differences in applying the method in other companies and across sectors. Overlap and differences can create an understanding of the diversity in security culture and the effect of external factors. Combining these results with a comprehensive understanding of a company's operations can expose directions for improvement in the security approach. Additionally, the effect of the recommendations can be analysed using the metrics we proposed. This can be done with a follow-up analysis of the behaviour to see whether the desired effect can be observed.

Existing research has shown that due to the increasing digitalization and the adoption of digital technologies and complex (big) data solutions, along with higher firm-level productivity, comes a growing and more dynamic threat environment. Organisations rely on data and digital environments. These environments enlarge the potential attack surface, as every end-point device or network node is a potential entry for malicious actors. The (un)intentional insider threat is also increasingly important for the protection of Intellectual property (IP) and business assets. Not only the attack surface has grown over the years, but also the consequences of security breaches have become more severe. Loss of confidentiality, integrity and availability can heavily disrupt working practices or even threaten the continuity of organisations. The stakes for organisational security have therefore never been higher. Current trends in coping with this new threat landscape are, among others, to increase oversight and ensure strict regulations, both via internal policy and external regulators. Extant literature also emphasises an increase in security spending, as well as technical measures to protect business assets. This paper proposes a framework for determining the maturity of security governance within organisations. Security governance is concerned with the alignment of business goals on the one hand and security goals on the other hand, i.e. working productively and working securely. Good governance would mean that both business- and security goals can be reached without conflicting interests; preferably even by complementing one another. The research argues that security governance consists of more than merely technical measures and punitive oversight. It also parts from existing views about how more security (spending, measures, policies, etc,) is better and how security is predominantly addressed in isolation. Instead, security governance should be in alignment with ’the business’ of an organisation. This brings forward the notion of security governance, as the alignment between security policies and business goals. Literature has found that these two concepts can often be conflicting, as more security in most cases impacts productivity. Therefore, the concept of maturity is coupled with the research. Maturity emphasises the alignment between security goals and business goals. The research adopts both a conventional view of maturity, as well as a social view of maturity. The conventional view focuses on the effectiveness of security governance. A higher level of maturity indicates improving one or both of the pillars of governance, i.e. the contribution to business goals and security goals. This could mean working more productively/efficiently given certain security policies. Or - the other way around - working more securely whilst also doing projects efficiently. The social view focuses specifically on the way alignment between the two pillars of security governance is reached. It acknowledges that not all perceived governance problems in organisations have a single solution that can be imposed top-down. Instead, employees in organisations have to cope with different challenges and perceive issues related to security governance differently. The social view on maturity therefore argues that dialogue is required between a representative stakeholder group, with different viewpoints and expertise, whereby policies are drafted in concordance. By means of a case study at Damen Naval - a large Naval shipbuilding organisation relying heavily on IP and bound by strict regulations - input was gathered regarding security governance in three individual security fields: ’access control’, ’data classification, and ’monitoring & incident response. Incorporating results from a literature review, individual interviews and a focus group session, a framework was built with both a conventional assessment of security governance and a social aspect of how the alignment of policies (security- and business-related) can best be reached. The foundation of the framework consists of six dimensions of security governance: 1. Organisation-wide security and responsibility/accountability 2. Risk-based approach 3. Direction of acquisition and commitment of resources 4. Conformance with internal and external requirements 5. Security positive/conscious culture 6. Security performance measurement/alignment These dimensions were used to guide and structure the individual interviews and led to a list of performance indicators. Each indicator steers on improving security (in terms of policy-setting) and/or productivity (in terms of contribution to business goals). The research showed that although the security fields were different from each other, most indicators could be applied to all the security fields, showing that the indicators are generalisable to an organisation-wide level. The indicators led to practical recommendations for security governance at Damen Naval. The most important takeaways are to better empower engineers in making decisions on data classification, as currently engineers feel uncomfortable in doing this due to the negative consequences of ’under classifying’, which leads to information being classified higher rather than lower. Also, performance expectations should be clear for employees and additional hours spent on dealing with security measures should not be absorbed by engineers. In line with this, more effort should be put into quantifying the total costs of imposed security measures, both direct and indirect. This will make current security policies better explainable or address issues that need to be improved. The final stage of the research aimed at reaching concordance on security governance. This was researched via a focus group session in which the metaphor of a doctor-patient relationship about a negotiated treatment plan was used to see whether and to what extent this relationship would be possible in an organisation such as Damen Naval. Despite the fact that such a relationship is hard to pursue in a large organisation with multiple stakeholders as well as being limited in autonomy due to external legislators, the results indicate that concordance would be possible, although on different levels inter- and intra-organisational. Intraorganisational, this research suggests composing an organisational structure wherein employees of the business, ICT and security are represented to discuss matters that are related to security. The focus group session itself proved that this contributed to reaching alignment. Inter organisational, dialogue with external regulators should be pursued. Using the framework for security governance and the security performance indicators, potential misalignment can be determined systematically and a more comprehensive discussion can take place. Finally, future research could focus on improving the framework to enable a Capability Maturity Model (CMM) approach and to conduct a similar case study with the inclusion of an external regulator.

Research shows that most of the security issues arise through human shortcomings, instead of technical issues (Abawajy, 2014). Therefore, users of information systems have to become more security aware. The reasonable solution to these human shortcomings was to provide users with policies that tell them what to do and have the technical systems behind them for support. However, within an organisational environment, information technology is increasingly needed for the completion of work activities. This creates problems for users to follow policies that require an excessive amount of effort and introduces human errors. Mainly caused by employees feeling like the amount of effort is unreasonable and not fitting into their daily work activities (Kirlappos, Parkin, & Sasse, 2014). Subsequently, cyber attacks are mostly caused by liabilities created due to the human error and social engineering (Schneier, 2015). Therefore, it is of importance for organisations to find a way to manage security in an effective manner, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying to security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation (Beautement, Becker, Parkin, Krol, & Sasse, 2016).

Addressing the growing problem of phishing attacks requires nurturing a reporting culture within organizations. This research examines the factors influencing reporting behavior and the role of infrastructure & support in enhancing reporting rates. By adopting a mixed methods approach and analyzing phishing simulation logs and user perspectives, the study utilizes the COMB model to identify key factors that affect reporting behavior. The research emphasizes the importance of reassessing the desired level of reporting to ensure the benefits of reporting do not overshadow the associated costs. To foster a reporting culture, organizations should ensure a user-friendly reporting process and offer regular reminders and training programs. Emphasizing communication, transparency, and trust-building are vital in encouraging reporting and providing timely feedback. Leveraging technology to optimize the reporting process and appreciating users' efforts further enhance reporting rates. Overall, embracing a paradigm shift that recognizes users as part of the solution is crucial in nurturing a reporting culture and ensuring a secure digital environment.