In today's business landscape, software has become an integral part of operations for all companies, with a growing reliance on third-party components. This increasing complexity in software supply chains has led to a significant reduction in transparency and visibility, posing challenges for effective management and security. Software Bill of Materials (SBOMs) emerges as a promising concept to address this issue by providing detailed information about software components and their supply chain relationships, ultimately enhancing transparency within these supply chains. However, despite its potential benefits, SBOM adoption remains limited in practice. This research examines the perspectives of four key business stakeholders involved in the software supply chain to understand their incentives and disincentives surrounding SBOM adoption. Through a series of in-depth interviews with representatives from each stakeholder group, we aimed to identify stakeholder-specific risks, benefits, concerns, and incentives related to SBOM adoption. The analysis reveals that SBOM adoption potential is notably higher among system integrators and software vendors. These stakeholders perceive the benefits of enhanced transparency and supply chain risk mitigation, which align with their strategic objectives. On the contrary, B2B customers and Individual Developers exhibit the least motivation for SBOM adoption. Their limited interest stems from a perception that SBOMs may impose additional complexities without commensurate benefits. Given that B2B customers and individual developers are the primary consumers and suppliers of SBOMs, respectively, the findings suggest that the overall adoption potential of this technology remains restricted.

Mixing services try to distort cash flow tracking of cryptocurrencies and obfuscate the origin of customers’ earnings by substituting customers’ cryptocurrency funds with the funds of other customers or the mixers’ private assets. This quality makes mixing services interesting for money laundering, and they are therefore often used by criminals. As such, there is an urgent need to systematically understand how to restore the relationship between deposits and payouts of centralized mixing services. Unfortunately, there is minimal knowledge of how mixing processes of centralized mixing services work, and few attempts exist to create these demixing methods. This research aimed to develop a demixing method for centralized mixers with knowledge gained from ground-truth data. The ground-truth data contains information on orders and the transaction history of mixing service BestMixer. Demixing consists of collecting all addresses that are part of the mixer (attribution) and finding the correct payout to a deposit (reconstruction). Multiple statistical analysis techniques were applied to this data to verify existing attribution heuristics and find new characteristics of mixing services. Also, filtering techniques to reconstruct the relation between deposits and payouts were tested on the order data. This research verifies that BestMixer likely did not reuse addresses in the mixing process. It also showed that the lifespan of most addresses was shorter than 24 hours. In addition, many BestMixer addresses received or sent a transaction to another BestMixer address, which created sequences of BestMixer transactions. The sequences show that the mixer used a peeling chain pattern in combination with multi-input transactions. These characteristics can be used to attribute other centralized mixing services. The results also show that the mixer increased in popularity throughout time. Overall, the reconstruction attempt with filtering techniques did not perform well on BestMixer orders, as it returned an impracticable amount of possible payout combinations. The mixer showed less activity in the beginning days of the service, and there are signs that the reconstruction works better in this earlier stage of the mixer. This means that when a mixer becomes more popular, it could become more difficult to demix the orders correctly. From this research can be concluded that the ground-truth data of BestMixer does help in developing attribution heuristics for centralized mixers, but not in developing a general reconstruction method that correctly restores the relation between deposits and payouts, thus not suffice in demixing centralized mixers.

Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices? Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers. Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality. The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.

In order to combat financially-economically related crime the government implemented a new directive ensuring that virtual currency exchanges now have to adhere to requirements from legislation countering money laundering. This thesis researches what the extent is of effects that this legislation posed to the daily operations of virtual currency exchanges.

The Internet is a relatively new technology that the world has become immensely dependent on. It is a tool that makes it possible to simplify our lives and better our society. But as with many things, there are people who with to exploit this tool we have for their own malicious gain. One of the mechanisms that we can use for protection against these malicious actors is the intrusion detection system. Machine learning-based intrusion detection systems (IDS) have been heavily researched for a number of years now. Much of this research, though, appears to be conducted using improper methodologies and incorrect evaluation. Such methodologies include training and testing IDSs with unrealistic data and using uninformative metrics to determine performance. In this research, we perform a case study using one such IDS. This IDS is trained and evaluated using real network traffic collected from a real-world network. Additionally, we test its performance on actual attack traffic. This research demonstrates that an IDS that is trained with unrealistic data performs nowhere near as well as is claimed by the author when trained using real network traffic. Finally, we propose CAML-IDS, a framework for the correct assessment of machine learning-based intrusion detection systems. This framework can assist future IDS research by preventing incorrect evaluation, in turn preventing the formulation of incorrect research.

Cybercrime thrives and online anonymous markets, or darknet markets, play an important role in the cybercriminal ecosystem. Vendors active on darknet markets invest in security mechanisms to compromise the availability or usefulness of evidence to Law Enforcement Agencies. Therefore, difficulties arise in linking identities or machines to cybercrimes facilitated by darknet markets. As a result, many cybercrime investigations are ineffective. This thesis consists of an exploratory case study based on the full administration of the Hansa Market. The Hansa Market (2015-2017) was infiltrated and eventually taken over and shut down by the Dutch Police. The data used in this thesis originates from the server that hosted the market and is made available by the Dutch National High Tech Crime Unit (NHTCU) and the Fiscal Information and Investigation Service (FIOD). This data is used to answer the research question: “Which factors influence the security behaviour of darknet market vendors active on Hansa Market?”. To answer this question, vendors that are similar regarding a) their experience, b) the activity on other markets, c) the amount of physical items sold, e.g. drugs and d) the amount of digital items sold, e.g. stolen credit card information, are clustered into five `vendor types' using Latent Profile Analysis. It is researched whether these clusters of vendors differ in terms of the following security behaviours observed: a) authentication related security practices (password strength, password uniqueness and two-factor authentication usage), b) encryption of communication, in the form of PGP-adoption and PGP-key strengths used, c) the linkability of a vendors' pseudonym through PGP-key matching and d) a vendors' choice of Online Financial Service Providers within the bitcoin ecosystem, measured by querying a service that provides contextual information on bitcoin transactions and addresses. The findings indicate that approximately causal relationships may be inferred between on the one hand vendor types, that represent a combination of business success in terms of physical and digital sales, experience and activity on other markets and on the other hand security behaviour. Vendors offering digital items tend to behave less securely than vendors selling large amounts of drugs. This thesis explains the observed (differences in) suboptimal security behaviours by arguing that vendors on Hansa Market conduct subjective risk assessments. This implies that the probability of being targeted by LEA and the value of the vendors' assets that are at stake (e.g. informational assets containing incriminating evidence or `years of freedom') are of influence on security behaviour. Lastly, recommendations to Law Enforcement Agencies include to exploit the subjectiveness in cybercriminals' risk assessments and to consider focusing on vendors transacting digital items. Academics are recommended to extend this research by investigating cybercriminal security behaviours through improved measurement methodologies in larger and more recent datasets.

The information security (IS) risk assessment process is an essential part to organisation's their protection of digital assets. However, the fast changing IS environment causes for limited knowledge of eventualities, dependencies and values of systems and phenomena. Consequently, the IS risk assessment process is depending on the judgment of cybersecurity professionals to complement the incomplete knowledge. The outset of this research is to understand how cybersecurity professionals provide judgment when they experience uncertainty about the IS environment. First, the perception of uncertainty with cybersecurity professionals is analysed, guided by the theory on perceived environmental uncertainty. Second, the judgment operations of the cybersecurity professionals are analysed, guided by the theory on judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk asessment methodology, that serves as different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment in which it is difficult to: grasp the different interrelations in the organisation’s landscape of information and information systems, assign accurate values to the occurrence of changes/events in the IS environment and to determine the impact from changes/events to the organisation. This uncertainty is caused by the complexity and dynamism dimensions within the organisation’s IS environment. Indicated factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structuring. The judgment operations of the cybersecurity professionals are partly explained with the help from judgment heuristics. The data shows that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments. Thereby heavily relying on the information provided to them from different sources, consequently staying close to the initial values. The availability and representative heuristic are also identified but are referenced in fewer instances. This would suggest that the cybersecurity professional assess the information more on a case–by–case basis, rather than providing judgment based on similarity or the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is observed not to be included in the final judgment. In such cases the uncertainty is then accepted because it is not part of their responsibility. Additionally, the security policy and philosophy paradigm shift from prevention to detection and response allow the cybersecurity professional to accept that not all IS incidents can be prevented. But that detection and response of IS incidents allow the impact to the organisation to be minimised. Finally the cybersecurity professional also judges the security awareness of the people involved when providing judgment operations during an IS risk assessment.

Organizations benefit from improved cybersecurity threat detection capabilities if they share information in a community of their peers. However, organizations are unlikely to share the sensitive information that is most valuable as this poses individual risks. Information sharing in cybersecurity communities therefore forms a collective action problem. Currently, cybersecurity information sharing is being studied primarily as a technological challenge. Drawing on theory from economics and the social sciences, this study proposes governance requirements to overcome individual interests and improve information sharing. These are used to design a governance structure for the case of the National Detection Network, a cybersecurity community initiated by the government of the Netherlands. The proposed governance meets interests of parties through a process of interactive decision-making in four phases, while incentivizing sharing of cybersecurity information. Lessons are drawn from the case for cybersecurity communities in general.

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking. The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

The EU General Data Protection Regulation (EU GDPR) is about to come in force in May 2018. It poses new queries for both policymakers and businesses. Policymakers want o know how effective the new EU GDPR will be while the businesses would like to know how the EU GDPR should be implemented. To answer that question, empirical studies on how businesses/organizations implement privacy and data protection as well as their perception towards the EU GDPR are needed. This thesis aims to answer the fill this gap by mixed methods. Literature review and interview are exercised to get the current practices, while survey and statistic analyses are done to investigate the organizations' plans to change related to the EU GDPR. The findings are interesting, which include but not limited to the existence of DPO and organizations' high dependency would not limit the organizations' plan to change. Based on the findings, a number of recommendations are formulated for both policymakers and the practitioners, such as the encouragement to designate a DPO, to specify different approach of enforcement by policymaker for different industrial sectors and to be open to having menu of contracts by organizations for a balanced flexibility.

In the current digitalised society keeping assets secure is one of the most prominent challenges organisations face. In the ongoing arms race between attackers and defenders, software security patching is a well-recognised and effective strategy to mitigate vulnerabilities in software products. However, organisations struggle with the best practice to “patch early and often”, resulting in vulnerabilities in software being exposed for much longer than desired. Prior research indicates the socio-technical nature of this practice forms the core of delays in software patch management. Developing a deeper understanding of the decision-making of IT practitioners and what socio-technical factors play a role in this process allows organisations to address the ineffectiveness of their security patch process. The main research question in this explorative research is: What socio-technical factors influence the effectiveness and timeliness of the security patching process in organisations? This Mixed Methods research combines qualitative data from interviews with IT practitioners, with a quantitative data exploration of the meaningfulness of organisational measurements. Findings show that IT practitioners go through a funnel of decision-making that influences the decision of what to patch, and when to patch. The presence and interplay of different socio-technical factors related to four main aspects of this decision (i.e., security, applicability, operability, and availability) result in tensions and trade-offs influencing the decision space of IT. Furthermore, this study indicates the interrelations between the significance of socio-technical factors, which is reduced by certain coping strategies applied by IT practitioners. This research reveals that having some measurement in place helps to understand the existence of challenges and the working of coping strategies, therefore contributing to an understanding of socio-technical challenges. However, it also reveals several limitations to the quality of existing data and difficulties in coming to measurements that provide meaningful information, due to socio-technical factors. The main contribution of this research is a better understanding of how socio-technical factors influence the decision-making process of IT practitioners. This research is limited in the way it uses quantitative data to understand patching activity. Future research is recommended to compare the potential discrepancy between what IT practitioners state influences the effectiveness of their security patch process and what the actual patching activity of IT practitioners reveals about the effectiveness of patching. This research furthermore hypothesises that not all socio-technical factors have the same level of significance. It is recommended to investigate the possibilities of quantification of the importance of each of the socio-technical challenges identified in this explorative study.

Network measurments are mostly used to studynetwork topology, performance and security. The thesis uses network measurements in relation to large Internet corporations like Salesforce, Netflix and Snapchat. The thesis attempts to verify whether it is possible to predict company performance by monitoring network measurements. For the three corporations considered, the measurements provide insider information on the company, before it is made available to the public or released by the corporation itself. Network measurements can be used by managers effectively as a tool to understand and predict company perofrmance.

The thesis reconstructed and analysed transaction-level data of a particular darknet market. Moreover, the thesis reveals what kind of vendors are active on this darknet market, based on their characteristics. Finally, this research identified what the relative importance is of different vendor characteristics for vendor performance on darknet markets.

The European financial sector is a frequent victim of banking malware leading to massive losses. It appears that not all customers’ banks are equally attractive targets among cybercriminals who deploy banking malware. This research established a comprehensive regression model explaining why certain banks are more attractive to cybercriminals. The model proves that large banks, banks that are part of a banking group, banks with a high brand value, and banks which websites have a high domain-popularity, bear a higher probability to be (more frequently) targeted. Two-factor authentication doesn’t seem as effective as might expected. The use of this security measure does not decrease the chance for a bank to be targeted. However, the presence of this measure has an influence on a lower target frequency. Furthermore, it is shown that banks offering a largely spoken language on their website do not ease the banking malware attacks. Further research is needed to enhance and improve the model. The independence in the model can be reduced and more bank characteristics could be added, especially factors related to the ease to launder money.

How did Avalanche, a botnet with an active lifetime of 8 years while serving 20+ malware families, ensure a smooth operation of business? Avalanche had the attention of security researchers and law enforcement, yet it managed to persevere for a long period of time. In this work, we answer this question by analyzing Avalanche’s security controls and its business model based on longitudinal ground truth data from its criminal investigation by German law enforcement. We first analyzed previous botnet research and identified five research challenges: (1) the botnet phenomenon keeps evolving, so continuous research is required, (2) there is not yet a framework to categorize or interpret botnet evasion techniques, (3) botnet research is challenging due to the lack of large real-world datasets, (4) botnet takedowns are challenging and costly, so other avenues for intervening in botnets should be explored, and (5) more research is being done into botnet economics, but it is mostly based on case studies methodologies without access to ground truth data. We defined the adversarial context of botnets and showed how their responses – evasion techniques – can be interpreted as security controls according to deviant security theory. We created a framework for categorizing these security controls, based on security control types and the type of threat. Turning to our data, we performed an exploratory analysis in which we processed, validated and interpreted the available data based on their different types: server images, network data and databases. Based on the insights from this analysis, we applied the business model canvas and described Avalanche’s business model. We describe how Avalanche provides it customers with proxying and domain registration services, generating on aver- age $7,500 of revenue per month from 59 customers. We identified seven security controls, three technical controls and four administrative controls, that were applied to evade detection, to increase resilience against takedowns and to conceal the ownership by the botnet operators. Our findings show that Avalanche configured itself to adequately respond to the threats in its adversarial context. Its business model – through using different key partners and many replaceable resources – and its application of security controls – such as backups, bot monitoring and proxy architecture – created redun- dancy in Avalanche’s operation, allowing it to detect and resolve threats quickly.

The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.

The increasingly important availability of online services is constantly threatened by malicious software such as botnets. Attackers have gained power through devices that are part of the rising Internet of Things (IoT), mostly through infections caused by Mirai. The botnets created by Mirai are used for the purpose of DDoS attacks, which can take away the availability of an online service. Although Mirai can be detected relatively easily due to its superficial signature, the remediation process of Mirai infected IoT devices runs far from smoothly. As end-users often do not notice the presence of Mirai and manufacturers lack incentives to invest in better security or support, ISPs like KPN are amongst the few viable actors that could defend against botnets like Mirai. As ISPs are able to link infection feeds to their customers, they are able to send out notifications accompanied by protocols that can resolve Mirai infections when executed properly. Although research exists on the remediation rates, it is not clear what processes take place at end-users homes during the remediation process and what critical points of error exist throughout the phases of the anti-botnet cycle. As the remediation rate of Mirai infections is currently only 60 – 76 percent, it can be worth looking into the remediation processes to see where they could be improved. The main research question is the following: “What do we learn about how and to what extent Internet Service Providers can improve the remediation process of malware infected Internet of Things devices by monitoring end-users while they are cleaning their Mirai infections?”. To answer this question, we have closely followed 17 Mirai infected end-users over a period of 7 weeks, at the KPN Abuse Desk, after a 1 week pilot phase to test our email notification and think aloud protocol. We have prepared and analyzed all steps from identification of a Mirai infection until successful remediation took place. The lion’s share of this experiment is about a virtual visit; a phone call with an option to upgrade to a video conference, in which infected end-users get advanced support in performing the 5 cleaning steps stated in the protocol they received. As the end-users thought aloud during the calls, we were able to follow them closely and pinpoint arising issues. Using a thematic content analysis, we synthesized the personal stories that end-users shared. During the 7 week experiment, we saw 37 unique IP addresses infected with Mirai, of which 12 were excluded due to the ISP policy of not providing support during the weekends. Of the 25 remaining IP addresses, 3 could not be notified due to technical issues within KPN, 2 did not pick up the phone after being notified and 3 were not willing to take part in the experiment due to trust issues. 16 out of 17 participants that were responsible for the internet security were male, but their varying household sizes shows that this does not relate to men becoming infected more often. The age of the end-users was normally distributed between 21 and 80 and we found a household size of 1 to 6, excluding 3 small business locations that became victim of Mirai. End-users can often only identify 1 or 2 IoT devices in their network (13 out of 17) and are almost always able to pinpoint the infected device (16 out of 17). Many issues arose during the virtual visits, such as a lack of trust, not willing to spend effort, a lack of support by the manufacturer, or the idea that regular protection measures should have protected against Mirai. Only 6 out of 17 end-users were able to perform all steps successfully. In most cases end-users failed to change the password of their device or performed a regular reset on their router instead of a factory reset. This caused 3 failing remediation efforts and 5 reinfections during the experiment phase. The remediation process has barriers in each phase that could be addressed. The biggest improvement can be made in the awareness of end-users, which would lead to higher prevention of infections. Prevention would keep the many potential issues in the remediation process from arising altogether.

Cyberattacks are a constant threat to organisations worldwide. The uncertainty and difficulty of properly conducting cyber risk management processes do not make it easier for organisations to cope with cyberattacks. Cyber insurance can be a partial solution to the dilemma that organisations face. However, it has not seen the expected growth which is likely because the actual effects of cyber insurance are still unclear. Furthermore, barely any literature is available on the insurance policies that insurers can utilise to positively influence the ecosystem. Additionally, the researches in current literature, whilst providing useful insights, still lack the chaos, interconnectedness and unpredictability (dynamicity) that characterises the cyber security ecosystem. In order to close this knowledge gap and tackle the issue of dynamicity, a modelling study was conducted utilising agent-based modelling. The agent-based model was built to simulate the cyber security ecosystem and to test the effects of various cyber insurance policies. The main findings from this research were that the various insurance policy options had positive but rather small influences. The combination of several policy options into a synergetic design provided results with more observable effects on ecosystem level. However, altogether there were still no large positive effects brought forth by the insurance policies on the cyber security ecosystem.

In the battle against ever-changing cyber threats, a new ally has joined in: Cyber Threat Intelligence. Evolved from historical blacklists and anti-virus, Threat Intelligence aims to protect and inform its clients against both nation state actors, as well as cyber criminals. Threat Intelligence comes in many shapes and sizes, and for a wide range of prices. For the average consumer of Threat Intelligence, it is unknown which form will fit their needs, nor which price range is suitable for them. This mystery surrounding Threat Intelligence, caused by its prohibitively high pricing, shows in the limited amount of research that has been conducted on the topic. Bouwman et al. lifted a tip of the veil, interviewing professionals regarding their use of Threat Intelligence and presenting descriptive statistics of its contents. They found very limited overlap between Threat Intelligence sources and that acquisition is largely based on gut-feeling. However, it is still largely unknown if these findings generalize to the whole field of Threat Intelligence and if these findings on macro level translate to more granular levels, it is our goal to find this out.