W. Pieters

41 records found

The increasing digitalization of power systems into “smart grids” has introduced complex cybersecurity challenges. Although technical solutions dominate research in this area, non-technical factors crucial to smart grid cybersecurity remain unknown. This paper presents a systematic review of 27 studies examining how human and organizational factors are addressed in the smart grid cybersecurity literature. Our analysis reveals three key limitations: (1) a disconnect between proposed solutions and real-world challenges; (2) an overemphasis on individual operator decision-making during cyber incidents, despite empirical evidence supporting collaborative approaches; and (3) the imprecise use of concepts like “cybersecurity awareness” and “security culture”, neglecting established human factors literature developed around these concepts. Future research should ground interventions in real-world operational complexities, ensuring alignment between empirical and methodological approaches. ...
Journal article (2023) - Sabarathinam Chockalingam, Wolter Pieters, André M.H. Teixeira, Pieter van Gelder
Both intentional attacks and accidental technical failures can lead to abnormal behaviour in components of industrial control systems. In our previous work, we developed a framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two classes, including knowledge elicitation to construct the directed acyclic graph of BN models. In this paper, we add a systematic method for knowledge elicitation to construct the Conditional Probability Tables (CPTs) of BN models, thereby completing a holistic framework to distinguish between attacks and technical failures. In order to elicit reliable probabilities from experts, we need to reduce the workload of experts in probability elicitation by reducing the number of conditional probabilities to elicit and facilitating individual probability entry. We utilise DeMorgan models to reduce the number of conditional probabilities to elicit, as they are suitable for modelling opposing influences, i.e., combinations of influences that promote and inhibit the child event. To facilitate individual probability entry, we use probability scales with numerical and verbal anchors. We demonstrate the proposed approach using an example from the water management domain. ...
Journal article (2021) - Nick Ho-Sam-Sooi, Wolter Pieters, Maarten Kroesen
Given the significant privacy and security risks of Internet-of-Things (IoT) devices, it seems desirable to nudge consumers towards buying more secure devices and taking privacy into account in the purchase decision. In order to support this goal, this study examines the effect of security and privacy on IoT device purchase behaviour and assesses whether these effects are sensitive to framing, using a mixed methods approach. The first part of the study focuses on quantifying the effect of security and privacy compared to the effect of other device attributes such as price or functionality, by testing a causal model with choice models that have been developed from stated choice data. The second part aims to reveal the underlying mechanisms that determine the effect of privacy and security on purchase behaviour by means of a qualitative survey. The results suggest that security and privacy can strongly affect purchase behaviour, under the circumstances that privacy- and security-related information is available and communicated in an understandable manner, allowing consumers to compare devices. Moreover, the results show that a description of security that focuses on gains is more effective in nudging consumers towards buying secure devices. Future efforts could build upon this study by comparing the effect of security and privacy to more device attributes, such as ease of use or cost reduction. The results can serve as a basis for interventions that nudge consumers towards buying more secure and privacy-friendly devices. ...

An exploratory study under security professionals

Conference paper (2021) - Johan J. de Wit, Wolter Pieters, Pieter H.A.J.M. van Gelder
Risk assessments in the (cyber) security domain are often, if not always, based on subjective expert judgement. For the first time, to the best of our knowledge, the individual preferences of professionals from the security domain are studied. In an online survey they are asked to mention, rate and rank their preferences when assessing a security risk. The survey setup allows differentiating between easily accessible or "top of mind" attributes and guided or stimulated attributes. The security professionals are also challenged to both non-compensatory and compensatory decision making on the relevance of the attributes. The results of this explorative study indicate a clear difference and shift in the individual perceived relevance of attributes in these different settings. Another remarkable finding of this study is the predominant focus on impact attributes by the respondents and the less significant position of likelihood or probability. The majority of professionals seem to ignore likelihood in their security risk assessment. This might be due to so-called probability neglect as introduced by other scholars. As the security of organisations and society depends on the assessment and judgement of these professionals, understanding their preferences and the influence of cognitive biases is paramount. This study contributes to this body of knowledge and might raise attention to this important topic in both the academic and professional security domain. ...
Journal article (2021) - Sabarathinam Chockalingam, Wolter Pieters, André Teixeira, Pieter van Gelder
Water management infrastructures such as floodgates are critical and increasingly operated by Industrial Control Systems (ICS). These systems are becoming more connected to the internet, either directly or through the corporate networks. This makes them vulnerable to cyber-attacks. Abnormal behaviour in floodgates operated by ICS could be caused by both (intentional) attacks and (accidental) technical failures. When operators notice abnormal behaviour, they should be able to distinguish between those two causes to take appropriate measures, because, for example, replacing a sensor in case of intentional incorrect sensor measurements would be ineffective and would not block the corresponding attack vector. In previous work, we developed the attack-failure distinguisher framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two causes, including the knowledge elicitation method to construct the directed acyclic graph and conditional probability tables of BN models. As a full case study of the attack-failure distinguisher framework, this paper presents a BN model constructed to distinguish between attacks and technical failures for the problem of incorrect sensor measurements in floodgates, addressing the problem of floodgate operators. We utilised experts who associate themselves with the safety and/or security community to construct the BN model and validate the qualitative part of the constructed BN model. The constructed BN model is usable in water management infrastructures to distinguish between intentional attacks and accidental technical failures in case of incorrect sensor measurements. This could help to decide on appropriate response strategies and avoid further complications in case of incorrect sensor measurements. ...

Governing Uncertain Collective Risk Through Individual Decisions

Journal article (2020) - Shannon Spruit, Mark de Bruijne, Wolter Pieters
Individuals are regularly made responsible for risks they wish to take: one can consent to processing of personal data, and decide what to buy based on risk information on product labels. However, both large-scale processing of personal data and aggregated product choices may carry collective risks for society. In such situations, governance arrangements implying individual responsibility are at odds with uncertain collective risks from new technologies. We, therefore, investigate the governance challenges of what we call risk personalization: a form of governance for dealing with uncertain collective risks that allocates responsibility for governing those risks to individuals. We situate risk personalization at the intersection of two trends: governance of uncertain risk, and emphasis on individual responsibility. We then analyze three cases selected based on diversity: social media, nanomaterials, and Uber. Cross-case comparison highlights issues of risk personalization pertaining to (i) the nature of the risk, (ii) governance arrangements in place, and (iii) mechanisms for allocating responsibility to individuals. We identify governance challenges in terms of (i) meaningful choice, (ii) effectiveness in mitigating risk, and (iii) collective decision making capacity. We conclude that the risk personalization lens stimulates reflection on the effectiveness and legitimacy of risk governance in light of individual agency. ...
Journal article (2020) - Michelle Cayford, Wolter Pieters
The evaluation of the effectiveness of surveillance technology in intelligence agencies and oversight bodies is notably lacking. Assessments of surveillance technology concerning legal compliance, cost, and matters of privacy occupy a solid place, but effectiveness is rarely considered. Bureaucracy may explain this absence. Applying James Q. Wilson’s observations on bureaucracy reveals that effectiveness is minimally treated because it is more difficult to evaluate than budget assessments and legal compliance, and because intelligence outcomes are unobservable and difficult to oversee. Effectiveness evaluation is thus fettered by bureaucracy. Considerations of bringing in effectiveness assessment must appreciate the realities of bureaucratic constraints to be successful. ...
Journal article (2020) - C. Maathuis, W. Pieters, J. van den Berg
Cyber operations are a relatively new phenomenon of the last two decades. During that period, they have increased in number, complexity, and agility, while their design and development have been processes well kept under secrecy. As a consequence, limited data(sets) regarding these incidents are available. Although various academic and practitioner public communities addressed some of the key points and dilemmas that surround cyber operations (such as attack, target identification and selection, and collateral damage), methodologies and models are still needed in order to plan, execute, and assess them in a responsible and legally compliant way. Based on these facts, it is the aim of this article to propose a model that i) estimates and classifies the effects of cyber operations, and ii) assesses proportionality in order to support targeting decisions in cyber operations. In order to do that, a multi-layered fuzzy model was designed and implemented by analysing real and virtual realistic cyber operations combined with interviews and focus groups with technical-military experts. The proposed model was evaluated on two cyber operations use cases in a focus group with four technical-military experts. Both the design and the results of the evaluation are revealed in this article. ...
Journal article (2020) - Raditya Arief, Nima Khakzad, Wolter Pieters
Domino effects are high-impact phenomena that have caused catastrophic damage to several chemical and process plants around the world through secondary incidents caused by primary ones. With the increasing trend of cyberattacks targeting critical infrastructures, there is a concern that such cyberattacks may trigger domino effects, by manipulating industrial control systems in such a way that the physical consequences are likely to escalate. In this study, we have demonstrated that via network segmentation of industrial control systems, the plant robustness against cyberattack-related domino effects can be improved. To this end, a risk-based decision-making methodology is developed based on Bayesian network and graph theory to investigate and evaluate the robustness of segmentation alternatives. The application of the methodology to an illustrative case study shows the efficacy of the approach as a viable cyber risk mitigation measure in chemical and process plants. ...
Journal article (2020) - Tom Tervoort, Marcela Tuler De Oliveira, Wolter Pieters, Pieter Van Gelder, Silvia Delgado Olabarriaga, Henk Marquering
Cyberattacks against healthcare institutions threaten patient care. The risk of being targeted by a damaging attack is increased when medical devices are used which rely on unmaintained legacy software that cannot be replaced and may have publicly known vulnerabilities. This review aims to provide insight into solutions presented in the literature that mitigate risks caused by legacy software on medical devices. We performed a scoping review by categorising and analysing the contributions of a selection of articles, taken from a literature set discovered through bidirectional citation searching. We found 18 solutions, each fitting at least one of the categories of intrusion detection and prevention, communication tunnelling or hardware protections. Approaches taken include proxying Bluetooth communication through smartphones, behaviour-specification based anomaly detection and authenticating signals based on physical characteristics. These solutions are applicable to various use-cases, ranging from securing pacemakers to medical sensor networks. Most of the solutions are based on intrusion detection and on tunnelling insecure wireless communications. These technologies have distinct application areas, and the decision which one is most appropriate will depend on the type of medical device. ...

Supporting cyber-insurance from a behavioural choice perspective

Book chapter (2019) - Nikos Vassileiadis, Aitor Couce Vieira, Dawn Branley-Bell, David Ríos Insua, Vassilis Chatzigiannakis, Sofia Tsekeridou, Yolanda Gómez, José Vila, Katsiaryna Labunets, Wolter Pieters, Pamela Briggs
Conference paper (2019) - Clara Maathuis, Wolter Pieters, Jan Van Den Berg
Cyber Operations stopped being utopia or Sci-Fi based scenarios: they became reality. When planning and conducting them, military actors encounter difficulties since they lack methodologies and models that support their actions and assess their effects. To address these issues by tackling the underlying scientific and practical gap, this article proposes an assessment methodology for the intended and unintended effects of Cyber Operations, labeled as Military Advantage, Collateral Damage and Military Disadvantage, and aims at supporting the targeting process when engaging targets in Cyber Operations. To arrive at this methodology, an extensive review on literature, military doctrine and methodologies was conducted combined with two series of interviews with military commanders and field work in joint military exercises. The assessment methodology is proposed considering multidimensional factors, phases and steps in a technical - military approach. For validation, one realistic Cyber Operation case study was conducted in a focus group with nine military experts plus four face-to-face meetings with another four military experts. ...
Journal article (2019) - Michelle Cayford, Wolter Pieters, P. H.A.J.M. van Gelder
Purpose: This study aims to explore how the public perceives the effectiveness of surveillance technology, and how people's views on privacy and their views on effectiveness are related. Likewise, it looks at the relation between perceptions of effectiveness and opinions on the acceptable cost of surveillance technology. Design/methodology/approach: For this study, surveys of Dutch students and their parents were conducted over three consecutive years. Findings: A key finding of this paper is that the public does not engage in a trade-off, either with regard to privacy-effectiveness (exchanging more effectiveness for less privacy and vice versa) or with regard to effectiveness-cost, but rather expects all three elements to be achieved simultaneously. This paper also found that the correlation between perceived effectiveness and perceived privacy was stronger for parents than for students. Research limitations/implications: Participants for this study were exclusively in The Netherlands. Survey questions on the effectiveness of surveillance technology focused on one type of technology, and on private mobile device use in two scenarios. Social implications: The public's perceptions of the effectiveness of surveillance technology potentially influence its acceptance of the technology, which, in turn, can affect the legitimacy and use of the technology. Originality/value: Within the much-discussed privacy-security debate lies a less-heard debate: that of the effectiveness of the surveillance technology in question. The public is one actor in this debate. This study examines the public's perceptions of this less-heard debate. ...
Journal article (2019) - David Rios Insua, Aitor Couce-Vieira, Jose A. Rubio, Wolter Pieters, Katsiaryna Labunets, Daniel G. Rasines
Risk analysis is an essential methodology for cybersecurity as it allows organizations to deal with cyber threats potentially affecting them, prioritize the defense of their assets, and decide what security controls should be implemented. Many risk analysis methods are present in cybersecurity models, compliance frameworks, and international standards. However, most of them employ risk matrices, which suffer shortcomings that may lead to suboptimal resource allocations. We propose a comprehensive framework for cybersecurity risk analysis, covering the presence of both intentional and nonintentional threats and the use of insurance as part of the security portfolio. A simplified case study illustrates the proposed framework, serving as a template for more complex problems. ...

Claims-making for access to digital and social resources

Conference paper (2019) - Wolter Pieters
In media and public discourse, cyber incidents are typically covered in terms of cybercriminals or other external threat agents managing to gain access to sensitive data and systems through weaknesses in technology and/or human factors. Such a framing of incidents foregrounds the (problematic) access claims of “hackers” and the protection against those as the key issue in security. However, other access claims play a role in the same incidents, such as those of the data owners, service providers, advertising companies, intelligence agencies, etc. These access claims are made via different means, and they are backgrounded when the problem is framed in terms of unauthorised access through hacks. In this contribution, I investigate the activity of claiming access as a key analytical concept in a more symmetrical treatment of cybersecurity and associated incidents. Rather than implicit, normalised, and technologically congealed notions of threats and associated access claims, this analytical framework aims at highlighting all access claims within the scope of a cybersecurity phenomenon, in order to uncover the politics behind cybersecurity and associated discourses and infrastructures, and thereby increase transparency. By covering different types of resources and different means of access, the approach also has the potential to connect the rather separated discourses on cybersecurity, privacy, and social manipulation through technology. ...
Conference paper (2019) - Saba Chockalingam, Wolter Pieters, Andre M. H. Teixeira, N. Khakzad, Pieter van Gelder
Because of modern societies' dependence on industrial control systems, adequate response to system failures is essential. In order to take appropriate measures, it is crucial for operators to be able to distinguish between intentional attacks and accidental technical failures. However, adequate decision support for this matter is lacking. In this paper, we use Bayesian Networks (BNs) to distinguish between intentional attacks and accidental technical failures, based on contributory factors and observations (or test results). To facilitate knowledge elicitation, we use extended fishbone diagrams for discussions with experts, and then translate those into the BN formalism. We demonstrate the methodology using an example in a case study from the water management domain. ...
Book chapter (2018) - Bart Custers, Francien Dechesne, Wolter Pieters, Bart Schermer, Simone van der Hof
Consent is a fundamental concept in privacy and personal data protection legislation. Typically, personal information can only be processed based on (informed) consent by the individual concerned. However, in our information society, such consent may not always be effective, as several real-life cases have shown. In this chapter, we explore the discussion on the role of consent in privacy and personal data protection. We show how legal, ethical, economic and technological studies point to similar core issues, notably related to limitations of communication and decision making, inhibiting the effectiveness of consent for privacy protection. At the same time, alternatives to consent are not readily available or are difficult to implement. Knowledge of such discussions is essential for those involved in future developments related to consent and privacy as they point to more fundamental issues of the consent concept. ...

A literature-based dissection of successful attacks

Journal article (2018) - Jan Willem Hendrik Bullée, Lorena Montoya, Wolter Pieters, Marianne Junger, Pieter Hartel
The aim of this study was to explore the extent to which persuasion principles are used in successful social engineering attacks. Seventy-four scenarios were extracted from 4 books on social engineering (written by social engineers) and analysed. Each scenario was split into attack steps, containing single interactions between offender and target. For each attack step, persuasion principles were identified. The main findings are that (a) persuasion principles are often used in social engineering attacks, (b) authority (1 of the 6 persuasion principles) is used considerably more often than others, and (c) single-principle attack steps occur more often than multiple-principle ones. The social engineers identified in the scenarios more often used persuasion principles compared to other social influences. The scenario analysis illustrates how to exploit the human element in security. The findings support the view that security mechanisms should include not only technical but also social countermeasures. ...

Re-conceptualizing high-tech cyber victimization through actor-network theory

Journal article (2018) - Wytske van der Wagen, Wolter Pieters
Victims are often conceptualized as single, human and static entities with certain risk factors that make them more vulnerable and attractive for offenders. This framework is challenged by emerging forms of high-tech cybercrime, such as ransomware, botnets and virtual theft, in which the offender targets a composite of human, technical and virtual entities. This study critically assesses the current theorization of the cyber victim and offers an alternative approach. Drawing on actor-network theory and three empirical case studies, it analyses the cyber victim as a hybrid actor-network consisting of different entities that, together with the offender, make the victimization possible. The proposed concepts of victim composition, delegation and translation enable a more profound understanding of the hybrid and complex process of becoming a high-tech cyber victim. Keywords: cybercrime, cyber victimization, actor-network theory, botnet, ransomware, virtual theft. ...
Conference paper (2018) - Wolter Pieters
In future studies involving artificial intelligence, the so-called technological singularity is a key theme. It refers to a hypothetical point in the future where technological progress becomes automated through the creation of a new form of intelligence. Under the assumption of adversarial behaviour, this could pose an existential threat to humanity. More modestly, singularities and tipping points refer to thresholds beyond which the behaviour of a system changes in a qualitative way. The nonlinearity of the behaviour causes existing control mechanisms to become obsolete, guiding the system towards a new balance, if this exists. In this paper, we ask the question to what extent the notions of singularity and tipping point can contribute to an analysis of security in 2038. Can we expect to have seen such phenomena in twenty years' time, and will they have changed our perception of what security entails? Or are they useless forms of speculation diverting our attention away from the day-to-day best practices that are needed to keep our basic security up-to-date? We discuss examples of singularity-style developments, characterise them in terms of acceleration mechanisms and discontinuities, and discuss whether and how these characteristics should be used to prepare ourselves. We conclude that a broad discussion on potential security singularities and associated general adaptation strategies is more useful than focusing on one big singularity. ...