Both intentional attacks and accidental technical failures can lead to abnormal behaviour in components of industrial control systems. In our previous work, we developed a framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two classes, including knowledge elicitation to construct the directed acyclic graph of BN models. In this paper, we add a systematic method for knowledge elicitation to construct the Conditional Probability Tables (CPTs) of BN models, thereby completing a holistic framework to distinguish between attacks and technical failures. In order to elicit reliable probabilities from experts, we need to reduce the workload of experts in probability elicitation by reducing the number of conditional probabilities to elicit and facilitating individual probability entry. We utilise DeMorgan models to reduce the number of conditional probabilities to elicit as they are suitable for modelling opposing influences i.e., combinations of influences that promote and inhibit the child event. To facilitate individual probability entry, we use probability scales with numerical and verbal anchors. We demonstrate the proposed approach using an example from the water management domain.

Water management infrastructures such as floodgates are critical and increasingly operated by Industrial Control Systems (ICS). These systems are becoming more connected to the internet, either directly or through the corporate networks. This makes them vulnerable to cyber-attacks. Abnormal behaviour in floodgates operated by ICS could be caused by both (intentional) attacks and (accidental) technical failures. When operators notice abnormal behaviour, they should be able to distinguish between those two causes to take appropriate measures, because for example replacing a sensor in case of intentional incorrect sensor measurements would be ineffective and would not block corresponding the attack vector. In the previous work, we developed the attack-failure distinguisher framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two causes, including the knowledge elicitation method to construct the directed acyclic graph and conditional probability tables of BN models. As a full case study of the attack-failure distinguisher framework, this paper presents a BN model constructed to distinguish between attacks and technical failures for the problem of incorrect sensor measurements in floodgates, addressing the problem of floodgate operators. We utilised experts who associate themselves with the safety and/or security community to construct the BN model and validate the qualitative part of constructed BN model. The constructed BN model is usable in water management infrastructures to distinguish between intentional attacks and accidental technical failures in case of incorrect sensor measurements. This could help to decide on appropriate response strategies and avoid further complications in case of incorrect sensor measurements.

Risk assessments in the (cyber) security domain are often, if not always, based on subjective expert judgement. For the first time, to the best of our knowledge, the individual preferences of professionals from the security domain are studied. In on online survey they are asked to mention, rate and rank their preferences when assessing a security risk. The survey setup allows to differentiate between easily accessible or “on top of mind” attributes and guided or stimulated attributes. The security professionals are also challenged to both non-compensatory and compensatory decision making on the relevance of the attributes. The results of this explorative study indicate a clear difference and shift in the individual perceived relevance of attributes in these different settings. Another remarkable finding of this study is the predominant focus on impact attributes by the respondents and the less significant position of likelihood or probability. The majority of professionals seem to ignore likelihood in their security risk assessment. This might be due to so called probability neglect as introduced by other scholars. the security in organisations and society is depending on the assessment and judgement of these professionals, understanding their preferences and the influence of cognitive biases is paramount. This study contributes to this body of knowledge and might raise attention to this important topic in both the academic and professional security domain.

Given the significant privacy and security risks of Internet-of-Things (IoT) devices, it seems desirable to nudge consumers towards buying more secure devices and taking privacy into account in the purchase decision. In order to support this goal, this study examines the effect of security and privacy on IoT device purchase behaviour and assesses whether these effects are sensitive to framing, using a mixed methods approach. The first part of the study focuses on quantifying the effect of security and privacy compared to the effect of other device attributes such as price or functionality, by testing a causal model with choice models that have been developed from stated choice data. The second part aims to reveal the underlying mechanisms that determine the effect of privacy and security on purchase behaviour by means of a qualitative survey. The results suggest that security and privacy can strongly affect purchase behaviour, under the circumstances that privacy- and security-related information is available and communicated in an understandable manner, allowing consumers to compare devices. Moreover, the results show that a description of security that focuses on gains is more effective in nudging consumers towards buying secure devices. Future efforts could build upon this study by comparing the effect of security and privacy to more device attributes, such as ease of use or cost reduction. The results can serve as a basis for interventions that nudge consumers towards buying more secure and privacy-friendly devices.

The evaluation of the effectiveness of surveillance technology in intelligence agencies and oversight bodies is notably lacking. Assessments of surveillance technology concerning legal compliance, cost, and matters of privacy occupy a solid place, but effectiveness is rarely considered. Bureaucracy may explain this absence. Applying James Q. Wilson’s observations on bureaucracy reveals that effectiveness is minimally treated because it is more difficult to evaluate than budget assessments and legal compliance, and because intelligence outcomes are unobservable and difficult to oversee. Effectiveness evaluation is thus fettered by bureaucracy. Considerations of bringing in effectiveness assessment must appreciate the realities of bureaucratic constraints to be successful.

Domino effects are high-impact phenomena that have caused catastrophic damage to several chemical and process plants around the world through secondary incidents caused by primary ones. With the increasing trend of cyberattacks targeting critical infrastructures, there is a concern that such cyberattacks may trigger domino effects, by manipulating industrial control systems in such a way that the physical consequences are likely to escalate. In this study, we have demonstrated that via network segmentation of industrial control systems, the plant robustness against cyberattack-related domino effects can be improved. To this end, a risk-based decision-making methodology is developed based on Bayesian network and graph theory to investigate and evaluate the robustness of segmentation alternatives. The application of the methodology to an illustrative case study shows the efficacy of the approach as a viable cyber risk mitigation measure in chemical and process plants.

Individuals are regularly made responsible for risks they wish to take: one can consent to processing of personal data, and decide what to buy based on risk information on product labels. However, both large-scale processing of personal data and aggregated product choices may carry collective risks for society. In such situations, governance arrangements implying individual responsibility are at odds with uncertain collective risks from new technologies. We, therefore, investigate the governance challenges of what we call risk personalization: a form of governance for dealing with uncertain collective risks that allocates responsibility for governing those risks to individuals. We situate risk personalization at the intersection of two trends: governance of uncertain risk, and emphasis on individual responsibility. We then analyze three cases selected based on diversity: social media, nanomaterials, and Uber. Cross-case comparison highlights issues of risk personalization pertaining to (i) the nature of the risk, (ii) governance arrangements in place, and (iii) mechanisms for allocating responsibility to individuals. We identify governance challenges in terms of (i) meaningful choice, (ii) effectiveness in mitigating risk, and (iii) collective decision making capacity. We conclude that the risk personalization lens stimulates reflection on the effectiveness and legitimacy of risk governance in light of individual agency.

Cyber operations are relatively a new phenomenon of the last two decades. During that period, they have increased in number, complexity, and agility, while their design and development have been processes well kept under secrecy. As a consequence, limited data(sets) regarding these incidents are available. Although various academic and practitioner public communities addressed some of the key points and dilemmas that surround cyber operations (such as attack, target identification and selection, and collateral damage), still methodologies and models are needed in order to plan, execute, and assess them in a responsibly and legally compliant way. Based on these facts, it is the aim of this article to propose a model that i)) estimates and classifies the effects of cyber operations, and ii) assesses proportionality in order to support targeting decisions in cyber operations. In order to do that, a multi-layered fuzzy model was designed and implemented by analysing real and virtual realistic cyber operations combined with interviews and focus groups with technical – military experts. The proposed model was evaluated on two cyber operations use cases in a focus group with four technical – military experts. Both the design and the results of the evaluation are revealed in this article.

Cyberattacks against healthcare institutions threaten patient care. The risk of being targeted by a damaging attack is increased when medical devices are used which rely on unmaintained legacy software that cannot be replaced and may have publicly known vulnerabilities. This review aims to provide insight into solutions presented in the literature that mitigate risks caused by legacy software on medical devices. We performed a scoping review by categorising and analysing the contributions of a selection of articles, taken from a literature set discovered through bidirectional citation searching. We found 18 solutions, each fitting at least one of the categories of intrusion detection and prevention, communication tunnelling or hardware protections. Approaches taken include proxying Bluetooth communication through smartphones, behaviour-specification based anomaly detection and authenticating signals based on physical characteristics. These solutions are applicable to various use-cases, ranging from securing pacemakers to medical sensor networks. Most of the solutions are based on intrusion detection and on tunnelling insecure wireless communications. These technologies have distinct application areas, and the decision which one is most appropriate will depend on the type of medical device.

Cyber Operations stopped being utopia or Sci-Fi based scenarios: they became reality. When planning and conducting them, military actors encounter difficulties since they lack methodologies and models that support their actions and assess their effects. To address these issues by tackling the underlying scientific and practical gap, this article proposes an assessment methodology for the intended and unintended effects of Cyber Operations, labeled as Military Advantage, Collateral Damage and Military Disadvantage, and aims at supporting the targeting process when engaging targets in Cyber Operations. To arrive at this methodology, an extensive review on literature, military doctrine and methodologies was conducted combined with two series of interviews with military commanders and field work in joint military exercises. The assessment methodology is proposed considering multidimensional factors, phases and steps in a technical - military approach. For validation, one realistic Cyber Operation case study was conducted in a focus group with nine military experts plus four face-to-face meetings with another four military experts.

Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as template for more complex problems.

Purpose: This study aims to explore how the public perceives the effectiveness of surveillance technology, and how people’s views on privacy and their views on effectiveness are related. Likewise, it looks at the relation between perceptions of effectiveness and opinions on the acceptable cost of surveillance technology. Design/methodology/approach: For this study, surveys of Dutch students and their parents were conducted over three consecutive years. Findings: A key finding of this paper is that the public does not engage in a trade-off neither with regard to privacy-effectiveness (exchanging more effectiveness for less privacy and vice versa) nor with effectiveness-cost, but rather expects all three elements to be achieved simultaneously. This paper also found that the correlation between perceived effectiveness and perceived privacy was stronger for parents than for students. Research limitations/implications: Participants for this study were exclusively in The Netherlands. Survey questions on the effectiveness of surveillance technology focused on one type of technology, and on private mobile device use in two scenarios. Social implications: The public’s perceptions of the effectiveness of surveillance technology potentially influence its acceptance of the technology, which, in turn, can affect the legitimacy and use of the technology. Originality/value: Within the much-discussed privacy-security debate lies a less-heard debate – that of the effectiveness of the surveillance technology in question. The public is one actor in this debate. This study examines the public’s perceptions of this less-heard debate.

Because of modern societies' dependence on industrial control systems, adequate response to system failures is essential. In order to take appropriate measures, it is crucial for operators to be able to distinguish between intentional attacks and accidental technical failures. However, adequate decision support for this matter is lacking. In this paper, we use Bayesian Networks (BNs) to distinguish between intentional attacks and accidental technical failures, based on contributory factors and observations (or test results). To facilitate knowledge elicitation, we use extended fishbone diagrams for discussions with experts, and then translate those into the BN formalism. We demonstrate the methodology using an example in a case study from the water management domain.

In media and public discourse, cyber incidents are typically covered in terms of cybercriminals or other external threat agents managing to gain access to sensitive data and systems through weaknesses in technology and/or human factors. Such a framing of incidents foregrounds the (problematic) access claims of “hackers” and the protection against those as the key issue in security. However, other access claims play a role in the same incidents, such as those of the data owners, service providers, advertising companies, intelligence agencies, etc. These access claims are made via different means, and they are backgrounded when the problem is framed in terms of unauthorised access through hacks. In this contribution, I investigate the activity of claiming access as a key analytical concept in a more symmetrical treatment of cybersecurity and associated incidents. Rather than implicit, normalised, and technologically congealed notions of threats and associated access claims, this analytical framework aims at highlighting all access claims within the scope of a cybersecurity phenomenon, in order to uncover the politics behind cybersecurity and associated discourses and infrastructures, and thereby increase transparency. By covering different types of resources and different means of access, the approach also has the potential to connect the rather separated discourses on cybersecurity, privacy, and social manipulation through technology.

The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, containing single interactions between offender and target. For each attack step, persuasion principles were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) authority (1 of the 6 persuasion principles) is used considerably more often than others, and (c) single-principle attack steps occur more often than multiple-principle ones. The social engineers identified in the scenarios more often used persuasion principles compared to other social influences. The scenario analysis illustrates how to exploit the human element in security. The findings support the view that security mechanisms should include not only technical but also social countermeasures.

Victims are often conceptualized as single, human and static entities with certain risk factors that make them more vulnerable and attractive for offenders. This framework is challenged by emerging forms of high-tech cybercrime, such as ransomware, botnets and virtual theft, in which the offender targets a composite of human, technical and virtual entities. This study critically assesses the current theorization of the cyber victim and offers an alternative approach. Drawing on actor-network theory and three empirical case studies, it analyses the cyber victim as a hybrid actor-network consisting of different entities that, together with the offender, make the victimization possible. The proposed concepts of victim composition, delegation and translation enable a more profound understanding of the hybrid and complex process of becoming a high-tech cyber victim. Keywords: cybercrime, cyber victimization, actor-network theory, botnet, ransomware, virtual theft.

Intelligence agencies routinely use surveillance technology to perform surveillance on digital data. This practice raises many questions that feed a societal debate, including whether the surveillance technology is effective in achieving the given security goal, whether it is cost-efficient, and whether it is proportionate. Oversight bodies are important actors in this debate, overseeing budgets, legal and privacy matters, and the performance of intelligence agencies. This paper examines how oversight bodies evaluate the questions above, using documents produced by American and British oversight mechanisms.

It is often suggested in the literature that employees regard technical security measures (TSMs) as user-unfriendly, indicating a trade-off between security and usability. However, there is little empirical evidence of such a trade-off, nor about the strength of the associated negative correlation and the importance employees attach to both properties. This paper intends to fill these knowledge gaps by studying employees’ trade-offs concerning the usability and security of TSMs within a discrete choice experiment (DCE) framework. In our DCE, employees are asked to indicate the most preferred security packages that describe combinations of TSMs. In addition, security and usability perceptions of the security packages are explicitly measured and modelled. The models estimated from these observed responses indicate how each TSM affects perceived security, perceived usability and preference. The paper further illustrates how the modelling results can be applied to design highly secure packages that are still preferred by employees. The paper also makes a methodological contribution to the literature by introducing discrete choice experiments to the field of information security.

In recent years, Western governments have come under sharp criticism for their use of surveillance technology. They have been accused of sweeping up massive amounts of information without evidence of the technologies being effective in improving security. The view of critics is clear, but what do intelligence officials themselves say? This paper analyzes statements of intelligence officials in the U.S. and U.K. from 2006 to 2016, examines what criteria officials use in their discourse on effectiveness, and investigates how considerations of cost and proportionality factor into the equation. It identifies seven measures of effectiveness in the statements of intelligence officials, and finds that cost, though rarely discussed, is the driver behind formalized evaluations of surveillance programs.