More effective and efficient risk communication in the cybersecurity field needs to be designed to improve risk awareness among people and to increase resiliency. The field of cyber risk communication is relatively new, which limits the current knowledge on how to design risk communication. In this study the risk perception of eleven laypeople and eight experts is researched using a mental model approach and semi-structured interviews combined with a three part scenario-based drawing task. The data is analyzed using the grounded theory method and a substantive theory is formed on the similarities and differences between the mental models of experts and laypeople of VPN in a professional services firm in the Netherlands. The accuracy of the perceptions in the theory are evaluated by a comparison with a real-world representation of VPN organization. Further research can use the results of this study to determine the completeness of the mental models described. Additionally, the study design can be repeated in other settings to determine the generalizability of the identified beliefs. Furthermore, the prevalence of the identified beliefs among similar or different populations can be researched. And finally, the mental models can already be used to design risk communication in a more effective and efficient manner by considering the identified beliefs.

Given the significant privacy and security risks of IoT devices, it seems desirable to nudge consumers towards buying more secure devices and taking privacy into account when purchasing these devices. In order to support this goal, this study has examined the effect of security and privacy on IoT device purchase behaviour and assessed whether these effects are sensitive to framing with a mixed methods approach. The first part of the study focuses on quantifying the effect of security and privacy compared to the effect of other device attributes such as the price or functionality by testing a causal model with choice models that have been developed from stated choice data. The second part aims to reveal the underlying mechanisms that determine the effect of privacy and security on purchase behaviour by means of a qualitative survey. The results suggest that security and privacy can strongly affect purchase behaviour, under the circumstances that privacy and security related information is available and communicated in an understandable manner that allows consumers to compare devices. Moreover, the results show that a description of security that focuses on gains is more effective in nudging consumers towards buying more secure devices. Future efforts could build upon this study by comparing the effect of security and privacy to more device attributes, such as ease of use or cost reduction or providing a technical, institutional or process design for a collaboratory effort to nudge users towards buying more secure devices and taking privacy into account when purchasing devices.

Water management infrastructures such as floodgates are critical and increasingly operated by Industrial Control Systems (ICS). These systems are becoming more connected to the internet, either directly or through the corporate networks. This makes them vulnerable to cyber-attacks. Abnormal behaviour in floodgates operated by ICS could be caused by both (intentional) attacks and (accidental) technical failures. When operators notice abnormal behaviour, they should be able to distinguish between those two causes to take appropriate measures, because for example replacing a sensor in case of intentional incorrect sensor measurements would be ineffective and would not block corresponding the attack vector.

In this thesis, we developed the attack-failure distinguisher framework for constructing Bayesian Network (BN) models which enable operators to distinguish between those two causes, including the knowledge elicitation method to construct the directed acyclic graph and conditional probability tables of BN models.

As a full case study of the attack-failure distinguisher framework, we constructed a BN model to distinguish between attacks and technical failures for the problem of incorrect sensor measurements in floodgates, addressing the problem of floodgate operators. We utilised experts who associate themselves with the safety and/or security community to construct the BN model and validate the qualitative part of constructed BN model. The constructed BN model is usable in water management infrastructures to distinguish between attacks and technical failures in case of incorrect sensor measurements. This could help to decide on appropriate response strategies and avoid further complications in case of incorrect sensor measurements.

The information security (IS) risk assessment process is an essential part to organisation's their protection of digital assets. However, the fast changing IS environment causes for limited knowledge of eventualities, dependencies and values of systems and phenomena. Consequently, the IS risk assessment process is depending on the judgment of cybersecurity professionals to complement the incomplete knowledge. The outset of this research is to understand how cybersecurity professionals provide judgment when they experience uncertainty about the IS environment. First, the perception of uncertainty with cybersecurity professionals is analysed, guided by the theory on perceived environmental uncertainty. Second, the judgment operations of the cybersecurity professionals are analysed, guided by the theory on judgment heuristics. These two concepts are synthesised against the backdrop of the ISO27005 information security risk asessment methodology, that serves as different components of the information security environment. The results show that cybersecurity professionals perceive uncertainty about the IS environment in which it is difficult to: grasp the different interrelations in the organisation’s landscape of information and information systems, assign accurate values to the occurrence of changes/events in the IS environment and to determine the impact from changes/events to the organisation. This uncertainty is caused by the complexity and dynamism dimensions within the organisation’s IS environment. Indicated factors attributed to these dimensions are shadow IT, the innovation processes within an organisation and the organisational structuring. The judgment operations of the cybersecurity professionals are partly explained with the help from judgment heuristics. The data shows that the selective accessibility model is predominantly used to provide judgment about the IS environment during risk assessments. Thereby heavily relying on the information provided to them from different sources, consequently staying close to the initial values. The availability and representative heuristic are also identified but are referenced in fewer instances. This would suggest that the cybersecurity professional assess the information more on a case–by–case basis, rather than providing judgment based on similarity or the ease with which a scenario is retrieved from memory. Aside from the identified heuristics, the cybersecurity professional is observed not to be included in the final judgment. In such cases the uncertainty is then accepted because it is not part of their responsibility. Additionally, the security policy and philosophy paradigm shift from prevention to detection and response allow the cybersecurity professional to accept that not all IS incidents can be prevented. But that detection and response of IS incidents allow the impact to the organisation to be minimised. Finally the cybersecurity professional also judges the security awareness of the people involved when providing judgment operations during an IS risk assessment.

The increased decentralisation and heterogeneity of critical infrastructure systems pose a threat to the safe and secure operation of critical infrastructures by complicating cybersecurity procedures. The increased frequency and impact of cyberthreats have led to the desire to develop coherent security policies. In order to explore the effects of such policies, an ecosystem-level framework for cyberincidents in critical infrastructure systems has been developed. This framework can be used to explore the effects of conceptual defensive strategy designs. The aggregation of these concepts was operationalised around a central degree of critical infrastructure operability. A practical application of the framework is provided in the form of an agent-based modelling study that is capable of simulating the effects of coherent defensive strategies. The framework by itself is limited to exploratory modelling for the sake of generalisability and requires further specification of concepts based on representative infrastructure scenarios for more advanced analysis and design of tangible security policies.

Cyber security is getting more attention in the last decades. Unfortunately, the 100% cyber security protection is impractical and impossible, and therefore, we need to consider other cyber risk management strategies. One of them is cyber insurance, but its adoption has been slow in Europe and even more among SMEs. This thesis presents a qualitative study based on empirical data collection about the SMEs’ decision-making process to adopt cyber insurance. PMT is used as an underlying theory to build the interview questionnaire. The results show the different elements that make a company select this product or reject it. To the best of knowledge of the researcher, this is the first decision-making model for cyber insurance adoption focused on SMEs that has been done.
The model is unique in the way that it probes real behavior by SMEs when they are considering adopting cyber insurance and allows a dynamic use of it by showing the main stages as companies do not have the will to focus in the whole process but prefer to give a more significant weight to specific elements. Finally, the questionnaire used in this research could be used to gather additional data, which means, performing more interviews.

Humanitarian assistance is driven by data and information. Through the whole
chain of actions – from early warning systems to evaluation – information
determines priorities, resource allocation, and donors’ willingness to donate.
However, the potential harm that comes with data is often overlooked. Inadequate
data management increases the potential of data to harm the same people
humanitarians are trying to help. The goal of the presented research is to identify
the characteristics and mechanisms that influence humanitarian interaction,
with the aim to find those mechanisms that can influence humanitarians towards
better information security. The most influential characteristics are analysed in
order to determine what is likely to increase information security sector-wide.

Employees are often referred to as the main cause of cyber security incidents in organizations. These incidents can lead to huge company risks and enormous losses. Therefore insight in how organizations can improve employees’ information security behavior is important, realizing that technical measures alone cannot reduce all security risks. This paper examines the relation between organizational information security climate factors and employees information security behavior. The organizational climate concerns the tangible factors which relate to the atmosphere and work practices in the organization, like management support and openness on information security incidents. After a literature review and semi-structured interviews with information security experts, organizational factors are identified which influence information security behavior. A conceptual model is developed and quantitatively tested, with data collected via a survey under 289 employees. Structural equation modeling is used to analyze these data. The organizational factors education and communication, managerial commitment, employee involvement, work impediment and openness on information security, are confirmed to have a significant relation with the information security behavior of employees. Organizations can use these insights to strengthen their information security climate in order to improve employees’ information security behavior.

Cascading effects are high-impact, low-probability phenomena that have caused catastrophic impacts in various chemical and process plants around the world. With the increasing trend of cyberattacks targeting critical infrastructures, there is a concern that accidents caused by cyberattacks may trigger cascading effects in these facilities. In this study, we have demonstrated that the implementation of network segmentation to ICS networks to improve its robustness against the risk of cyberattack-related cascading effects. A risk-based methodology is developed to investigate and evaluate the robustness of design alternatives. The risk-based methodology also incorporates a risk assessment method based on Bayesian networks for cascading effects modeling. Further, this thesis also presents some design guidelines for developing robust networks segmentation designs, which includes the application of a graph-theoretic approach that enables early identification of the severity of cascading effects in network design alternatives. The risk-based methodology and the design guidelines are applied to a case study in which the efficacy of the approaches are demonstrated. The outcome of the risk-based methodology offers an alternative risk mitigation technique that can be considered in the risk management process.

Cyberattacks are a constant threat to organisations worldwide. The uncertainty and difficulty of properly conducting cyber risk management processes do not make it easier for organisations to cope with cyberattacks. Cyber insurance can be a partial solution to the dilemma that organisations face. However, it has not seen the expected growth which is likely because the actual effects of cyber insurance are still unclear. Furthermore, barely any literature is available on the insurance policies that insurers can utilise to positively influence the ecosystem. Additionally, the researches in current literature, whilst providing useful insights, still lack the chaos, interconnectedness and unpredictability (dynamicity) that characterises the cyber security ecosystem. In order to close this knowledge gap and tackle the issue of dynamicity, a modelling study was conducted utilising agent-based modelling. The agent-based model was built to simulate the cyber security ecosystem and to test the effects of various cyber insurance policies. The main findings from this research were that the various insurance policy options had positive but rather small influences. The combination of several policy options into a synergetic design provided results with more observable effects on ecosystem level. However, altogether there were still no large positive effects brought forth by the insurance policies on the cyber security ecosystem.

One of the leading perspectives from literature is that decisions about investments should be made based on a comprehensive cost-benefit analysis and on a cyber-risk assessment. However, many organizations do not undertake this sophisticated analyses due to the lack of available data about costs, benefits and the impact and likelihood of attacks. This study tries to increase the understanding of this decision-making process, and how organizational factors and individual perspectives influence this process. The Global Information Security Survey has been subjected to a latent class analysis to find investment strategies and organizational factors that influence these. Four different investment strategies were identified and mainly differ in their initial investment and change in the coming twelve months. Organizational factors that influence these investment strategies are size, revenue, type (public/private) and budget and other factors as regulation, management awareness, incidents and type of risks. We used the q-method to investigate underlying perspectives from decision-makers. Four different perspective were found and differ in their focus on concerns, resilience, hierarchy and flexibility.

In the Internet of Things paradigm, everyday objects communicate with each other to form a worldwide dynamic network which provides opportunities for innovative services and applications in almost every field. Nevertheless, such a dynamic network also brings serious security issues to users, society, and even to the internet. Things that lack of basic security requirements turn out to be an attractive target for hackers and a doorway into the information technologies’ infrastructure and personal data. To reduce the impact of security failures and take advantage of the growing opportunities that the IoT brings to users and businesses, a secure development of the IoT must be encouraged. A secure system development can be achieved by disseminating knowledge of security and development among academy and industry. However, it seems that there is a gap between developers’ management of requirements and security requirements frameworks and methods. Based on a qualitative study, we collect data on developers’ practices to handle security requirements of IoT medical applications, and the context of development. Developers’ practices to manage security requirements are compared with recommended practices of the security requirements engineering field. Besides, factors that influence developer’s practices are identified. The results show that small companies do not have a distinctive process to handle security requirements. Moreover, practices, as described by the field of security requirements engineering, are partially adopted. Differences occur because of incorrect assumptions regarding developers’ motivations to address security, methods that do not match development approaches, and the dynamic nature of security. This research contributes to the security field by providing insights on how developers perceptions and practices to handle security requirements during the development of IoT medical applications.

With the extensive use of the internet nowadays, companies are becoming more and more at risk from cyber-attacks. Especially SMEs are vulnerable, as they lack in cybersecurity. This is due to time, resource and knowledge constraints. In the literature no clear solutions can be found in order to help SMEs with their cybersecurity. To overcome these issues, this research aims in developing a method with which a tool can be developed that can help SMEs in getting insights in their cybersecurity status. This tool should be capable of letting an SME do their own risk assessment without investing too much money or time. In order to do this, existing methods are analyzed. After the analysis, the TREsPASS method is used a basis for the tool. This method is slimmed down in order to fit the needs of SMEs. By creating a knowledge based system, the SMEs can use the knowledge of cybersecurity experts without the requirement to have to knowledge in-house.