Cascading effects are high-impact, low-probability phenomena that have caused catastrophic impacts in various chemical and process plants around the world. With the increasing trend of cyberattacks targeting critical infrastructures, there is a concern that accidents caused by cyberattacks may trigger cascading effects in these facilities. In this study, we have demonstrated that the implementation of network segmentation to ICS networks to improve its robustness against the risk of cyberattack-related cascading effects. A risk-based methodology is developed to investigate and evaluate the robustness of design alternatives. The risk-based methodology also incorporates a risk assessment method based on Bayesian networks for cascading effects modeling. Further, this thesis also presents some design guidelines for developing robust networks segmentation designs, which includes the application of a graph-theoretic approach that enables early identification of the severity of cascading effects in network design alternatives. The risk-based methodology and the design guidelines are applied to a case study in which the efficacy of the approaches are demonstrated. The outcome of the risk-based methodology offers an alternative risk mitigation technique that can be considered in the risk management process.

The information security (IS) risk assessment process is an essential part to organisation's their protection of digital assets. However, the fast changing IS environment causes for limited knowledge of eventualities, dependencies and values of systems and phenomena. Consequently, the IS risk assessment process is depending on the judgment of cybersecurity professionals to complement the incomplete knowledge. The outset of this research is to understand how cybersecurity professionals provide judgment when they experience uncertainty about the IS environment. First, the perception of uncertainty with cybersecurity professionals is analysed, guided by the theory on perceived environmental uncertainty. Second, the judgment operations of the cybersecurity professionals are analysed, guided by the theory on judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk asessment methodology, that serves as different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment in which it is difficult to: grasp the different interrelations in the organisation’s landscape of information and information systems, assign accurate values to the occurrence of changes/events in the IS environment and to determine the impact from changes/events to the organisation. This uncertainty is caused by the complexity and dynamism dimensions within the organisation’s IS environment. Indicated factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structuring. The judgment operations of the cybersecurity professionals are partly explained with the help from judgment heuristics. The data shows that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments. Thereby heavily relying on the information provided to them from different sources, consequently staying close to the initial values. The availability and representative heuristic are also identified but are referenced in fewer instances. This would suggest that the cybersecurity professional assess the information more on a case–by–case basis, rather than providing judgment based on similarity or the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is observed not to be included in the final judgment. In such cases the uncertainty is then accepted because it is not part of their responsibility. Additionally, the security policy and philosophy paradigm shift from prevention to detection and response allow the cybersecurity professional to accept that not all IS incidents can be prevented. But that detection and response of IS incidents allow the impact to the organisation to be minimised. Finally the cybersecurity professional also judges the security awareness of the people involved when providing judgment operations during an IS risk assessment.

The increased decentralisation and heterogeneity of critical infrastructure systems pose a threat to the safe and secure operation of critical infrastructures by complicating cybersecurity procedures. The increased frequency and impact of cyberthreats have led to the desire to develop coherent security policies. In order to explore the effects of such policies, an ecosystem-level framework for cyberincidents in critical infrastructure systems has been developed. This framework can be used to explore the effects of conceptual defensive strategy designs. The aggregation of these concepts was operationalised around a central degree of critical infrastructure operability. A practical application of the framework is provided in the form of an agent-based modelling study that is capable of simulating the effects of coherent defensive strategies. The framework by itself is limited to exploratory modelling for the sake of generalisability and requires further specification of concepts based on representative infrastructure scenarios for more advanced analysis and design of tangible security policies.

Humanitarian assistance is driven by data and information. Through the whole chain of actions – from early warning systems to evaluation – information determines priorities, resource allocation, and donors’ willingness to donate. However, the potential harm that comes with data is often overlooked. Inadequate data management increases the potential of data to harm the same people humanitarians are trying to help. The goal of the presented research is to identify the characteristics and mechanisms that influence humanitarian interaction, with the aim to find those mechanisms that can influence humanitarians towards better information security. The most influential characteristics are analysed in order to determine what is likely to increase information security sector-wide.

Cyberattacks are a constant threat to organisations worldwide. The uncertainty and difficulty of properly conducting cyber risk management processes do not make it easier for organisations to cope with cyberattacks. Cyber insurance can be a partial solution to the dilemma that organisations face. However, it has not seen the expected growth which is likely because the actual effects of cyber insurance are still unclear. Furthermore, barely any literature is available on the insurance policies that insurers can utilise to positively influence the ecosystem. Additionally, the researches in current literature, whilst providing useful insights, still lack the chaos, interconnectedness and unpredictability (dynamicity) that characterises the cyber security ecosystem. In order to close this knowledge gap and tackle the issue of dynamicity, a modelling study was conducted utilising agent-based modelling. The agent-based model was built to simulate the cyber security ecosystem and to test the effects of various cyber insurance policies. The main findings from this research were that the various insurance policy options had positive but rather small influences. The combination of several policy options into a synergetic design provided results with more observable effects on ecosystem level. However, altogether there were still no large positive effects brought forth by the insurance policies on the cyber security ecosystem.

One of the leading perspectives from literature is that decisions about investments should be made based on a comprehensive cost-benefit analysis and on a cyber-risk assessment. However, many organizations do not undertake this sophisticated analyses due to the lack of available data about costs, benefits and the impact and likelihood of attacks. This study tries to increase the understanding of this decision-making process, and how organizational factors and individual perspectives influence this process. The Global Information Security Survey has been subjected to a latent class analysis to find investment strategies and organizational factors that influence these. Four different investment strategies were identified and mainly differ in their initial investment and change in the coming twelve months. Organizational factors that influence these investment strategies are size, revenue, type (public/private) and budget and other factors as regulation, management awareness, incidents and type of risks. We used the q-method to investigate underlying perspectives from decision-makers. Four different perspective were found and differ in their focus on concerns, resilience, hierarchy and flexibility.

Water management infrastructures such as floodgates are critical and increasingly operated by Industrial Control Systems (ICS). These systems are becoming more connected to the internet, either directly or through the corporate networks. This makes them vulnerable to cyber-attacks. Abnormal behaviour in floodgates operated by ICS could be caused by both (intentional) attacks and (accidental) technical failures. When operators notice abnormal behaviour, they should be able to distinguish between those two causes to take appropriate measures, because for example replacing a sensor in case of intentional incorrect sensor measurements would be ineffective and would not block corresponding the attack vector. In this thesis, we developed the attack-failure distinguisher framework for constructing Bayesian Network (BN) models which enable operators to distinguish between those two causes, including the knowledge elicitation method to construct the directed acyclic graph and conditional probability tables of BN models. As a full case study of the attack-failure distinguisher framework, we constructed a BN model to distinguish between attacks and technical failures for the problem of incorrect sensor measurements in floodgates, addressing the problem of floodgate operators. We utilised experts who associate themselves with the safety and/or security community to construct the BN model and validate the qualitative part of constructed BN model. The constructed BN model is usable in water management infrastructures to distinguish between attacks and technical failures in case of incorrect sensor measurements. This could help to decide on appropriate response strategies and avoid further complications in case of incorrect sensor measurements.@en