A.M. Ethembabaoglu

Municipal Cybersecurity Measures in Practice

Municipalities play a central role in delivering essential public services, including civil registration, social services, taxation, communication, and local democratic processes. In doing so, they increasingly rely on digital systems. Cyber incidents affecting these systems can disrupt service delivery, expose sensitive personal data, and impose significant recovery costs. Because municipalities are often the most visible and accessible layer of government for citizens, such incidents may also affect public trust. In addition, municipalities operate and oversee systems that support local critical infrastructure, such as water management, traffic control, and energy distribution, placing them within the scope of both financially motivated cybercriminals and state-sponsored advanced persistent threats (APTs).

In response to this threat landscape, municipalities are expected to implement a range of cybersecurity measures. These include complying with security frameworks and standards, managing vulnerabilities through patching and configuration, participating in information sharing and coordination structures, and preparing for incident response and recovery. At the same time, municipalities typically operate under constraints that distinguish them from many other organizations, including limited internal cybersecurity capacity, extensive reliance on outsourcing and shared service providers, and complex internal structures in which responsibility for systems and data is distributed across departments and external parties.

As a result, municipal cybersecurity is rarely a matter of isolated technical controls. Instead, it is shaped by interactions between municipalities and a broader ecosystem of actors, including vendors, managed service providers, sectoral and national CSIRTs, and commercial security firms. Information about threats and vulnerabilities often reaches municipalities through intermediaries, and the ability to act on that information depends on institutional arrangements, contractual relationships, and organizational processes. Understanding municipal cybersecurity, therefore, requires examining not only which security measures are in place but also how those measures function in practice within this institutional context.

This dissertation examines the security measures municipalities use to address cyber threats and how they function in practice under these conditions. It investigates vulnerability remediation, institutional support for incident prevention and response, and the use of commercial threat intelligence, and asks how these security measures can be improved in practice, addressing the central research question: How can municipalities improve security measures to address cyber threats? To answer this question, the dissertation presents three empirical studies that combine technical measurements with practitioner perspectives, adopting a socio-technical approach that connects technical observations to organizational and institutional contexts.
...

Understanding Practitioner Challenges in Sector CSIRTs

In this paper, we study the experiences of practitioners in sectoral Computer Security Incident Response Teams (CSIRTs)—specialized teams that mediate between national cybersecurity authorities and the sector constituency. Through interviews with 18 professionals connected to the Informatiebeveiligingsdienst (IBD-CSIRT) for Dutch local governments, we uncover tensions in how key services are valued. For vulnerability notifications, while the CSIRT staff consider them a core service, many constituents hardly mention them, and systemic gaps in information forwarding mean that crucial alerts often never arrive. We extend these insights with 5 interviews across other sector CSIRTs and a validation workshop with 7 participants, all security officers from sector CSIRTs, revealing shared challenges in balancing technical expertise with sector knowledge, building trust-based relationships, and navigating institutional bottlenecks. Our findings contribute the first systematic account of how sector CSIRT professionals understand and perform their role, highlighting the tensions in providing sector-wide support to professionals with differing security needs. ...

Exposing intrusion campaigns has become a geopolitical tool, with governments and commercial firms publishing threat intelligence reports about hacking attempts and modus operandi. U.S. government officials have explained this as not just a defensive practice but also as a way to ‘impose cost’ on attackers by forcing them to develop new infrastructure, tools, and techniques, consuming their scarce resources. We empirically examine this claim by analyzing attacker behavior before and after the publication of indicators of compromise (IOCs). Using IOC feeds from two leading commercial providers – deemed to best enable detection of sophisticated threats – we matched IOCs against a large dataset of real-world network traffic metadata. This enabled us to generate sightings retroactively, capturing malicious activity up to 150 days before and after publication. Unlike prior work focused on post-publication malicious activity, our method provides a more complete view over time. Our results show that most IOCs point to resources that attackers had already abandoned by the time of IOC publication, limiting their utility for detecting ongoing attacks and undermining the idea of ‘imposing costs’. Statistical modeling further reveals that publication status has low explanatory power for sightings, suggesting that confounding variables exist. We also observed a 30-day delay between the peak of threat actor activity and IOC publication for one provider. This study is the first empirical assessment linking threat intelligence publication to attacker behavior, bridging computer science and international relations. ...

Why Municipalities Persist in Running Vulnerable Hosts

Many organizations continue to expose vulnerable systems for which patches exist, opening themselves up to cyberattacks. Local governments are found to be especially affected by this problem. Why are these systems not patched? Prior work relied on vulnerability scanning to observe unpatched systems, on notification studies to remediate them, and on user studies of sysadmins to describe self-reported patching behavior, but these approaches are rarely combined, as we do in this study. We analyze scan data following standard industry practices and detect unpatched hosts across the set of 322 Dutch municipalities. Our first question is: Are these detections false positives? We engage with 29 security professionals working for 54 municipalities to collect ground truth.

All detections were accurate. Our approach also uncovers a major misalignment between systems that the responsible CERT attributes to the municipalities and the systems the practitioners at municipalities believe they are responsible for. We then interviewed the professionals as to why these vulnerable systems were still exposed. We identify four explanations for non-patching: unaware, unable, retired and shut down. The institutional framework to mitigate cyber threats assumes that vulnerable systems are first correctly identified, then correctly attributed and notified, and finally correctly mitigated. Our findings illustrate that the first assumption is correct, the second one is not and the third one is more complicated in practice. We end with reflections on how to better remediate vulnerable hosts. ...