The spread of Child Sexual Abuse Material (CSAM) and Terrorist Content Online (TCO) remains a pressing societal issue. Various organizations rely on hash databases to detect, flag, and remove harmful content. These databases function as storage of digital fingerprints of previously identified illegal material, enabling automated platform filtering. However, the effectiveness and reliability of such databases rely on the verification processes used to determine what content qualifies for inclusion.

This thesis investigates the characteristics of verification processes in CSAM and TCO hash databases, with a particular focus on triple verification. Using a multiphase mixed-methods design, the study integrates qualitative insights from stakeholder interviews, an annotation experiment, and a follow-up focus group with annotators.

The interviews with experts highlighted variations in verification workflows, ranging from single-rater decisions to triple verification models. While triple verification is seen as a standard for increasing trust and minimizing false positives, its feasibility in terms of emotional toll and volume has been questioned. Thematic insights centered around benefits (e.g., legal considerations), challenges (e.g., emotional toll, inconsistent thresholds), necessity (e.g., utility and impact), future opportunities (e.g., automation), and differences between CSAM and TCO workflows.

In the experiment, two raters from the Dutch National Police classified 2,031 real potentially illegal items under two different conditions. In the blind phase, raters voted independently, whereas in the non-blind phase, prior votes were visible. Overall inter-rater agreement rose from 89.4% in the blind condition to 97.1% in the non-blind condition. A statistically significant association was found between voting order and agreement rates, suggesting that seeing one or two prior votes can subtly influence rater alignment.

The focus group offered further insight into the found disagreements. A key theme was the importance of recognizing image series: individual images were often reclassified as illegal when identified as part of a known CSAM series. Age estimation was also a recurring source of ambiguity, particularly when visual quality was poor or when victims’ physical development and ethnicity made assessment difficult. Raters relied on indicators such as skin texture, body proportions, and dental features, though these cues were often interpreted differently.

The findings emphasize the need for verification systems that are both flexible and context-sensitive. Not all cases require the same level of scrutiny: while baseline CSAM could be classified with fewer checks, ambiguous cases require more checks. Rather than enforcing uniformity, organizations should accommodate interpretive differences while safeguarding consistency and accountability.

Courthouses in the Netherlands are grappling with substantial challenges stemming from escalating workloads and high burnout rates among court clerks. This strain not only compromises the well-being of essential judicial personnel but also hinders the overall efficiency and timeliness of the justice system. In response to this pressing issue, this research has delved into the potential application of Large Language Models (LLMs), a form of artificial intelligence like ChatGPT, as a means to alleviate these burdens. In order to investigate the potential of LLMs in the juridical field, the following main question has been drafted:
“How effective is an LLM in lowering the workload of the Dutch court clerks?”
The research employs a mixed research approach. The literature and desk review examines the tasks of the clerks, information about the available LLMs and prompt engineering technique. In addition to this, semi-structured interviews have been held to explore the different tasks of the clerks. Since the scope of this research is only big enough for one task, The task selection process utilized the elimination by aspects technique. After this, a targeted experiment has been conducted to analyse and evaluate the possible LLMs and select the most suitable model for this research. The effectiveness of the LLM-based prompt support have been evaluated using a mixed-methods approach, combining quantitative and qualitative data analysis, which are a within-subject experiment, semi-structured interviews, DeepEval Evaluation, expert evaluation, and a statistical analysis.
The results and the conclusion of this research are still under embargo.

As digitalization advances, cybersecurity departments are increasingly overwhelmed by alerts and potential threats, leading to decision fatigue among security analysts. In response, many are adopting Artificial Intelligence (AI) to automate routine tasks, prioritize alerts, and accelerate incident response. However, the pace of AI adoption in cybersecurity lags behind that of threat actors, revealing underlying challenges. This thesis explores these challenges through a case study of a large European bank's cybersecurity department, using a sociotechnical systems (STS) approach. Semi-structured interviews with security analysts, data scientists, and leadership revealed four key themes: (1) mixed perceptions of AI, (2) the influence of organizational factors on AI adoption, (3) the importance of interdisciplinary collaboration, and (4) the critical role of trust in AI systems. While AI offers potential benefits like improved threat detection and reduced decision fatigue, challenges such as data quality issues and lack of transparency persist. Organizational readiness, leadership support, and effective change management are crucial for successful AI integration. Building trust through transparency and active user involvement is essential for adoption. The thesis proposes a conceptual model that addresses these challenges by integrating technical and social factors, offering practical recommendations for enhancing AI adoption in cybersecurity. Future research should expand on these findings through diverse case studies, human-centered AI frameworks, and longitudinal studies to better understand AI’s impact on trust and collaboration in cybersecurity.

Increasing digitalization of systems bring about the grand challenge of keeping these systems secure from malicious prying eyes, and thus highlighting the need for increased Cybersecurity practices. Ransomware is among the most prevalent cybersecurity threats in our current digital era. The attacks are mainly done by advanced persistent threats (ATPs) to increase the impact done to organizations worldwide. Ransomware encrypt data using advanced cryptographic measures and lock users out of their systems to ask for a ransom that is typically paid through bitcoins. ATPs also exfiltrate sensitive data and utilize double and triple extortion methods where they either blackmail the organization with the public release or selling of their data, or they go to the customers to blackmail them, so they pressure the organization into paying the ransom. Defense against Ransomware is possible but in many cases, by the time, ransomware is detected the malicious actors already have strong access into the systems and data. All is not lost however as organizations can bring back their systems and data if there are backup & recovery policies that have been established prior. This thesis systematically explores the ransomware topic scoped on backups & recovery to identify how ransomware attack backups, what are the best practices for backups & recovery, and the corresponding challenges for organizations to produce policy recommendations. To this end, three methods are used. The methods are: semi-systematic literature review, qualitative content analysis, and semi-structured interviews. A triangulation of these methods over cybersecurity frameworks, expert knowledge and backup software provider reports establish essential insights. The main recommendations made are that organizations must ensure that they regularly must create redundant, airgapped, offline, and offsite backups that are stored in multiple storage media. Furthermore organizations must establish proper cyber hygiene practices in order to protect their backups. Lastly, organizations must ensure that they can test and maintain resilient backup & recovery policies through establishing responsibility and accountability of different stakeholders, streamlining their IT environments, and having a cybersecurity-enabling approach to organizational IT governance. The research is a rigorous and comprehensive overview of the backup & recovery topic against ransomware and is academically relevant as it fills research gaps on: how ransomware attacks target backups & recovery specifically, what the best practices offered by the most credible cybersecurity frameworks are, and why organizations still fail in setting up proper backup & recovery practices. The EPA relevance is characterized through navigating a branch of the grand challenge of cybersecurity, namely ransomware. This is a grand challenge as there are a plethora of stakeholders on an organizational level who have different opinions and views on the topic at hand where organizations are comprised of teams in different countries, subject to different regulations, etc. Therefore it is essential in this complex environment to see what could be made as policy recommendations for organizations of all levels against the treat of ransomware with respect to backup & recovery practices.

In recent years, more and more emphasis has been put on the importance of good preventative cyber security and vulnerability management techniques such as "Patch Tuesday".
Despite the increased importance, not all organisations have the same resources and knowledge when it comes to securing their networks against cyber adversaries.

This research tries to examine the vulnerability posture of Dutch municipal ICT networks.
To accomplish this a network ranges dataset was curated using open source intelligence techniques.
These networks, related to current and previous Dutch municipalities, have been used to collect network data scans and observe the changes in software products and versions.
Based on the data collected we can observe the software update moments for different organisations and analyse how often software products are kept up to date.
Using this network scan data and a subset of open-source products, we were able to construct a case study analysis about the general trends of vulnerability management and the influencing factors thereof.
This was done through timeline analysis, involving also software update releases, security advisories, and publicly disclosed vulnerability exploits.
Our findings show uncoordinated strategies within the different organisations and rare proactive security behaviour.

Another contribution of this study is in the sphere of reconnaissance and open source intelligence gathering, showing that publicly available information alone is a time-consuming procedure that renders very few useful data points.
These later findings have implications for both adversaries as well as security organisations, as reliable data could only be obtained through direct contact with the underlying municipality.

In this thesis I investigate possibilities for expanding freedom of choice in the development and use of digital education technologies. This thesis may be of interest to university policy-makers, students, professors, software-developers, or anyone interested in expanding freedom of choice in the development and use of digital education technologies.
This research aims to investigate possibilities for the creation of a free space in the cultural sphere for digital education technology to protect from intervention by intellectual (near-) monopolies. Intellectual monopolies are companies that build their wealth by excessive monopolising access to knowledge and converting it into intellectual rents, a type of intangible assets.
The thesis are examined against the background of an overarching perspective on society as consisting of three spheres. Legal-political sphere is to develop laws and regulations; Economic sphere is about production, distribution (trading) and consumption of goods; Cultural sphere is to generate idea and knowledge. In each sphere, there also are three aspects belonging to legal-politics, economics, and culture.
The thesis consists of two parts and adopts a macro-to-micro research framework. In the first part, the research focuses on the macro-socialistic level first and then zooms in to business level (education technology) by analysing existing literature. This part investigates how intellectual monopolies emerge, first in general and then more specifically in digital education technology, and how they reduce freedom of education. More specifically, the thesis identifies economic, legal-political and cultural factors that promote intellectual monopoly in the digital industry, and explains how intellectual (near-)monopoly in digital education (e.g. in online-learning platforms, LMSs or video-conferencing software) arises as a consequence of particular relationships between the economic, legal-political and cultural sphere, where governments and international organisations give laws and regulation (e.g. IP law, education laws and regulation, the standardisation of education) that support the concentration of R&D in a few giant digital high-tech companies and the growth of (near-)monopoly positions in the digital education technology market, enabling high-tech giants to extract what in this study is called ‘learning-related rent’ (tangible and intangible assets formed by controlling learning tools and learning content), and reducing freedom of education (the core component of the cultural sphere).
In the second part, the thesis zoom in further to the university level and examines the possibilities decision-makers at universities have to expand freedom of choice in digital education technology for professors and students through a case study of a Dutch university. An interview is conducted as the main method of the case study to collect data. From the interview results, legal-political, economic and cultural hurdles in establishing free space in choosing education technology in the cultural sphere have been identified.

In the past several years, financial applications of the blockchain technology experienced significant growth, development and adoption among the public and institutional investors. With the rise of stablecoins and major events such as the announcement of Facebook’s own cryptocurency Libra in 2019, the EU regulators felt the urgent need to address the digital currencies that may pose financial and security risks if left unsupervised. In 2020, the European Commission introduced the Markets in Crypto-Assets (MiCA) framework to regulate the crypto-asset issuers and service providers located in the EU or serving EU clients from abroad. One of the regulation’s objectives is to address the risks of the crypto-markets while leveraging its benefits, yet there has been no evaluation of the proposed regulation besides the Commission’s own impact assessment.

Thus, this research offers an evaluation of the MiCA framework by adopting World Economic Forum’s DeFi white paper risk framework and interviews with the industry experts to generate both qualitative and quantitative data that is used to construct policy considerations for future amendments. By conducting interviews with 8 legal experts, the study provides insights into the strengths and weaknesses of the MiCA framework, while the interviews with 2 respondents from crypto-asset issuer entities, 6 from crypto-asset service providers entities and 3 from institutional investors entities provided further insights into the perceptions of the industry participants on the EU crypto regulation. Moreover, the study presents the risk perceptions of each respondent groups as during the interview rounds the participants were presented 18 risks of DeFi and were asked to select the most 5 critical risks perceived by them. This information is used to reveal what risks are perceived by each group. Lastly, the study presents a content analysis to assess the extent to which the 18 risks ranked by the interviewees are addressed in the MiCA framework. In summary, the results of the study suggest many points of improvement to the MiCA framework with respect to definitions, scoping, classifications and the regulatory approach. Moreover, the results suggest that the policy makers should focus on the unaddressed risks in the future amendments and policies, most importantly on technical and operational risks that have been left out from the framework.

In the current digitalised society keeping assets secure is one of the most prominent challenges organisations face. In the ongoing arms race between attackers and defenders, software security patching is a well-recognised and effective strategy to mitigate vulnerabilities in software products. However, organisations struggle with the best practice to “patch early and often”, resulting in vulnerabilities in software being exposed for much longer than desired. Prior research indicates the socio-technical nature of this practice forms the core of delays in software patch management. Developing a deeper understanding of the decision-making of IT practitioners and what socio-technical factors play a role in this process allows organisations to address the ineffectiveness of their security patch process. The main research question in this explorative research is: What socio-technical factors influence the effectiveness and timeliness of the security patching process in organisations? This Mixed Methods research combines qualitative data from interviews with IT practitioners, with a quantitative data exploration of the meaningfulness of organisational measurements. Findings show that IT practitioners go through a funnel of decision-making that influences the decision of what to patch, and when to patch. The presence and interplay of different socio-technical factors related to four main aspects of this decision (i.e., security, applicability, operability, and availability) result in tensions and trade-offs influencing the decision space of IT. Furthermore, this study indicates the interrelations between the significance of socio-technical factors, which is reduced by certain coping strategies applied by IT practitioners. This research reveals that having some measurement in place helps to understand the existence of challenges and the working of coping strategies, therefore contributing to an understanding of socio-technical challenges. However, it also reveals several limitations to the quality of existing data and difficulties in coming to measurements that provide meaningful information, due to socio-technical factors. The main contribution of this research is a better understanding of how socio-technical factors influence the decision-making process of IT practitioners. This research is limited in the way it uses quantitative data to understand patching activity. Future research is recommended to compare the potential discrepancy between what IT practitioners state influences the effectiveness of their security patch process and what the actual patching activity of IT practitioners reveals about the effectiveness of patching. This research furthermore hypothesises that not all socio-technical factors have the same level of significance. It is recommended to investigate the possibilities of quantification of the importance of each of the socio-technical challenges identified in this explorative study.

How did Avalanche, a botnet with an active lifetime of 8 years while serving 20+ malware families, ensure a smooth operation of business? Avalanche had the attention of security researchers and law enforcement, yet it managed to persevere for a long period of time.
In this work, we answer this question by analyzing Avalanche’s security controls and its business model based on longitudinal ground truth data from its criminal investigation by German law enforcement. We first analyzed previous botnet research and identified five research challenges: (1) the botnet phenomenon keeps evolving, so continuous research is required, (2) there is not yet a framework to categorize or interpret botnet evasion techniques, (3) botnet research is challenging due to the lack of large real-world datasets, (4) botnet takedowns are challenging and costly, so other avenues for intervening in botnets should be explored, and (5) more research is being done into botnet economics, but it is mostly based on case studies methodologies without access to ground truth data.
We defined the adversarial context of botnets and showed how their responses – evasion techniques – can be interpreted as security controls according to deviant security theory. We created a framework for categorizing these security controls, based on security control types and the type of threat. Turning to our data, we performed an exploratory analysis in which we processed, validated and interpreted the available data based on their different types: server images, network data and databases. Based on the insights from this analysis, we applied the business model canvas and described Avalanche’s business model. We describe how Avalanche provides it customers with proxying and domain registration services, generating on aver- age $7,500 of revenue per month from 59 customers. We identified seven security controls, three technical controls and four administrative controls, that were applied to evade detection, to increase resilience against takedowns and to conceal the ownership by the botnet operators.
Our findings show that Avalanche configured itself to adequately respond to the threats in its adversarial context. Its business model – through using different key partners and many replaceable resources – and its application of security controls – such as backups, bot monitoring and proxy architecture – created redun- dancy in Avalanche’s operation, allowing it to detect and resolve threats quickly.

Research shows that most of the security issues arise through human shortcomings, instead of technical issues (Abawajy, 2014). Therefore, users of information systems have to become more security aware. The reasonable solution to these human shortcomings was to provide users with policies that tell them what to do and have the technical systems behind them for support. However, within an organisational environment, information technology is increasingly needed for the completion of work activities. This creates problems for users to follow policies that require an excessive amount of effort and introduces human errors. Mainly caused by employees feeling like the amount of effort is unreasonable and not fitting into their daily work activities (Kirlappos, Parkin, & Sasse, 2014). Subsequently, cyber attacks are mostly caused by liabilities created due to the human error and social engineering (Schneier, 2015). Therefore, it is of importance for organisations to find a way to manage security in an effective manner, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying to security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation (Beautement, Becker, Parkin, Krol, & Sasse, 2016).

Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices?
Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers.
Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality.
The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.

In the battle against ever-changing cyber threats, a new ally has joined in: Cyber Threat Intelligence. Evolved from historical blacklists and anti-virus, Threat Intelligence aims to protect and inform its clients against both nation state actors, as well as cyber criminals. Threat Intelligence comes in many shapes and sizes, and for a wide range of prices. For the average consumer of Threat Intelligence, it is unknown which form will fit their needs, nor which price range is suitable for them.

This mystery surrounding Threat Intelligence, caused by its prohibitively high pricing, shows in the limited amount of research that has been conducted on the topic. Bouwman et al. lifted a tip of the veil, interviewing professionals regarding their use of Threat Intelligence and presenting descriptive statistics of its contents. They found very limited overlap between Threat Intelligence sources and that acquisition is largely based on gut-feeling. However, it is still largely unknown if these findings generalize to the whole field of Threat Intelligence and if these findings on macro level translate to more granular levels, it is our goal to find this out.

Background: A lot of scientists have tried to shed light on dark web markets. They did this by scraping these marketplaces over a period of time and describe what they were seeing. However, the methods used to measure these markets were never validated before. Research goal: This research will identify and validate the methods that are used in the literature to measure darknet marketplaces. Methods: To validate these methods, a novel dataset is used, namely the confiscated backend of a market. This dataset is cleaned and used to analyze the accuracy of these proxies on. Results: It is found that the number of transactions, revenue, and market share can be estimated with a high amount of explained variance. The predictions are precise enough to find prominent vendors on the market. The designed method of calculating the illegally obtained profits of a darknet vendor is easy to understand and could be used by law enforcement agencies. Finally, it is found that some vendors register to a market early as a strategy to ensure their business continuity.

Malicious software such as botnets are a threat to society and increasingly so through Internet of Things (IoT) devices. The large volume, pervasiveness and high vulnerability of IoT devices make them low hanging fruit for malicious actors. Currently, the biggest threat for insecure IoT devices is Mirai, a botnet which is deployed for DDoS attacks. Home users often fail to detect and resolve Mirai on their IoT devices. For this reason, Internet Service Providers (ISP) increasingly take efforts to increase remediation. Sending their infected customers a notifications containing cleanup instructions is currently the most feasible measure on a large scale. However, previous studies point out that it is not clear how people process these notifications, if they comply with it and how this effects the remediation rate and speed. The central research question of this study is ‘What is the role of IoT device end users in Mirailike bot remediation?’. We have conducted an eight-week experiment at the KPN Abuse Desk that notifies customers about abuse incidents. 177 Mirai-infected consumers have been randomly assigned to a walled garden notification (i.e., a quarantined environment), an e-mail notification, or control group. All subjects within the experiment have been tracked for two weeks to estimate the infection time and are contacted afterward for interview purposes. Male consumers and consumers younger than 54 years possess relatively more often a Miraiinfected device compared to other consumers. Both e-mail and walled garden notifications are effective in reaching consumers, informing them and encouraging them to take action. The majority of consumers do not follow the recommendations provided by the notification. In contrast, the number of actions that are performed while not mentioned in the notifications is remarkably high. Since many consumers asked for additional help, we conclude that consumers appear don’t have a full understanding of how to tackle the problem. In the control group, several consumers remediated Mirai unintentionally. However, these cases do not explain all observed remediation. Using two survival analysis modeling techniques, we find that consumers placed in a walled garden have a 29% to 85% shorter infection time than other consumers. We conclude that there is a discrepancy between stated behavior and the actual behavior of consumers. Although we cannot observe all cleanup efforts of consumers, we observed that awareness of the Mirai-infection and the intention to comply with the recommended actions influence that unobserved behavior. Gender also influences the unobserved behavior. Women clean up their device quicker than men while their statements during the interviews contradict this. One explanation is that women may unintentionally clean up their device. We conclude that age, consumer market, device type and customer satisfaction have no significant influence on remediation. We believe that it is unlikely that all unexplained remediation can be attributed to the unobserved behavior. We thus cannot explain all observed remediation from the user perspective. Therefore, we argue that future work must also focus on the attacker perspective. Since we only observed Mirai-infections, we cannot exclude the possibility that competing malware confiscated infected devices within our experiment. In addition, novel Mirai variants may have evolved scanning behavior which obstructed proper detection of infected bots.

The Internet is a relatively new technology that the world has become immensely dependent on. It is a tool that makes it possible to simplify our lives and better our society. But as with many things, there are people who with to exploit this tool we have for their own malicious gain. One of the mechanisms that we can use for protection against these malicious actors is the intrusion detection system. Machine learning-based intrusion detection systems (IDS) have been heavily researched for a number of years now. Much of this research, though, appears to be conducted using improper methodologies and incorrect evaluation.
Such methodologies include training and testing IDSs with unrealistic data and using uninformative metrics to determine performance. In this research, we perform a case study using one such IDS. This IDS is trained and evaluated using real network traffic collected from a real-world network. Additionally, we test its performance on actual attack traffic. This research demonstrates that an IDS that is trained with unrealistic data performs nowhere near as well as is claimed by the author when trained using real network traffic. Finally, we propose CAML-IDS, a framework for the correct assessment of machine learning-based intrusion detection systems. This framework can assist future IDS research by preventing incorrect evaluation, in turn preventing the formulation of incorrect research.

Network measurments are mostly used to studynetwork topology, performance and security. The thesis uses network measurements in relation to large Internet corporations like Salesforce, Netflix and Snapchat. The thesis attempts to verify whether it is possible to predict company performance by monitoring network measurements. For the three corporations considered, the measurements provide insider information on the company, before it is made available to the public or released by the corporation itself. Network measurements can be used by managers effectively as a tool to understand and predict company perofrmance.

The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.

Currently, DDoS attacks have become inevitable for financial services and their threat keeps rising. Numerous researches have focused on the technical since the rise of DDoS amplification attacks. However, there is less understanding regarding their target selection on financial services. This research uses a mixed method approach to capture factors that influence cybercriminals in their selection of victims. Via data from amplification DDoS honeypots, various factors are identified and explanatory models are provided. In addition, financial cyber security experts are consulted to assess their perspective on target selection. The analysis demonstrates that certain countries have significantly higher or lower victims, which can partially be explained through country level factors such as the ICT development and Normal GDP Per capita. In addition, the ICT development influences the duration of the attack significantly. The findings also indicate that organizational size, as measured by market value, showed a limited effect on the number of attacks. Contrary, experts regarded the size as a highly influential factor. The analyses furthermore demonstrate that financial organisations incur significantly more attacks on Friday than on any other day. Moreover, the experts mention additional target selection factors such as,
reputation, media attention, patching, having capable employees, and mitigation parties. Finally, this paper reflects on the implications of these findings for the financial sector and related sectors.