In the modern digital age, software vulnerabilities pose significant threats to security and privacy. These vulnerabilities are weaknesses in software products that can be exploited for malicious purposes. To manage and coordinate information about these vulnerabilities, the Common Vulnerabilities and Exposures (CVE) system is widely used. Although a lot of research has been done on coordinated CVEs, there is less focus on vulnerabilities that did not receive a CVE number. This research aims to estimate the number of vulnerabilities in open-source projects that do not receive CVE identification numbers and are consequently overlooked by the community. The focus of the research is on quantifying the prevalence of security issues in the issue tracker of GitHub projects, examining these security issues to find hidden CVEs and determining their severity based on the CVSS 3.1 scoring methodology. The methods used for the research are data extraction and analysis, transformer-based models for the classification of security issues, and expert validation for CVE identification and severity scoring. The findings of the research reveal crucial insights into the scale and nature of security threats in open-source software. The DeBERTaV3 model fine-tuned on the Chromium dataset demonstrated good performance metrics for the task of classifying security issues, achieving an f1 score of 0.9 with threshold modification. The case-study application of the model on the gRPC project demonstrated that in the issue tracker, 2.4\% of issues have been predicted as being security issues, out of which 52 were validated as CVEs with an average severity score CVSS 3.1 score of 5.3, compared to 11 CVEs attributed to the gRPC project on NVD. These findings suggest a need for revising current practices in vulnerability reporting and management in open-source projects, potentially influencing future security protocols and policies. The results of the study serve as information for the decision-making process of improving the coordinated vulnerability disclosure process in open-source software. An initial intervention suggestion is provided to induce behavior change and incentivize discoverers to disclose sensitive vulnerability information in private communication channels. Future work on understanding the motivations of discoverers to post such sensitive information in public trackers is required to create well-informed and effective policies for coordinated vulnerability disclosure.

Privacy-enhancing technologies (PETs) have historically been used for safeguarding individual privacy from both public and private interference. But lately, tech companies have started using PETs as one instrument for the expansion of their power over different actors, as appears to be unfolding in the case of Amazon’s Sidewalk service: a United States-only privacy-preserving crowdsourced service that promises connectivity to Internet of Things (IoT) devices manufactured by third parties in smart-home, logistics, and utilities use-cases. Compatible IoT devices (‘endpoints’) are granted connectivity by ‘gateways’, namely smart-home devices from Amazon’s Echo (smart speakers) and Ring (smart cameras and doorbells) series that donate a portion of their bandwidth to endpoints that might be owned by others. Amazon pushed a software update to these Echo and Ring devices, that turned them from smart-home devices to contributors to the Sidewalk network, unless users actively opted out, yielding a coverage of at least 90% of the US population. With Sidewalk, Amazon leverages PETs (namely end-to-end encryption and device identifier obfuscation) to mitigate privacy concerns that the crowdsourced architecture yields. However, this necessitates significant investments from third-party manufacturers to make their devices Sidewalk-compatible, suggesting a power emergence shaped by PETs.

I answered the research question “How does Amazon’s use of privacy-enhancing technologies in Sidewalk affect its power over IoT manufacturers?” by reviewing grey literature, analysing the Sidewalk technology, and elite interviewing with high-ranking employees of Sidewalk-adopting manufacturers. I have shown that Amazon leveraged PETs to mitigate public security concerns, but in the meantime reshapes how manufacturers produce their devices. Part of this ploy is cementing AWS in their production processes. Amazon also uses this leverage to mobilise manufacturers’ and silicon providers’ resources to improve Sidewalk’s public reception, technology, and governance.

These reconfigurations are expensive and complicated to realise, but manufacturers stressed the importance of Sidewalk adoption to leverage Amazon’s reputation vis-à-vis suppliers and customers, and “befriend the giant” for they rely on Amazon’s Marketplace, cloud, and logistics.

Meanwhile, Amazon’s reductionist framing of privacy and security as protecting user identity and data confidentiality, means that confidentiality of manufacturers’ business-sensitive information is not discussed. With this vantage point, Amazon can learn which endpoint types are popular and how they work; but Sidewalk might also be a vehicle for Amazon to attract more IoT developers to AWS.

In sum, I have demonstrated that strictly pursuing user privacy (or confidentiality) in digital services may have unforeseen effects on production. Therefore, I call upon privacy and competition scholars, advocates, and regulators to question how privacy protection actually augments companies’ power, and stepping away from their narrow “consumer harm” lenses. These actors should debate a right to personal control over devices. A mere consumer focus in studying these developments is insufficient: I established that business-to-business relations and businesses’ production processes are more significantly affected than consumers. The production focus of this work lays bare the novel power dynamics between Amazon and manufacturers, shaped by PETs.

It goes without saying that the Internet is far from secure. As the number of Internet-connected devices increases, so do the number of cyberattacks we have to deal with. Numerous industry reports reveal significant upswings in software vulnerabilities year after year. These are issues plaguing enterprises of all sizes, within the public and private sector. In light of these findings, it becomes imperative for businesses, regardless of size, to prioritize cybersecurity and re-evaluate their current defense mechanisms against this evolving threat landscape. The evolving cyber threat landscape has emphasized the importance of adopting proactive approaches to manage and mitigate cybersecurity risks. Organizations can take a great many steps to achieve this, but mainly choose security measures that revolve around compliance requirements and standardized methodologies and frameworks to improve overall security posture. However, it remains unclear to which extent such investments have their desired effect. This is mainly because security is a latent property that cannot be measured directly. Alternative approaches have recently emerged that aim to measure security in a more direct manner. Instead of relying on self-reported data, internal or otherwise, firms gather externally accessible data and subsequently train a classifier using this data, enabling it to predict, with a certain level of accuracy, which organizations are likely to experience (large-scale) breaches. Still, it is not clear how metrics derived from purely external measurements compare to the security level derived from internal measurements of an organization's network. This reveals the necessity of taking into account the internal state of networks when observing external security signals, instead of exclusively relying on externally observable or publicly reported data breaches. This dissertation studies the feasibility of security incident prediction and risk estimation. It examines how external network scan data can be leveraged to infer information about the internal state of security of an organization's network. Thus, we aim to answer the following research question: How can internal security incidents be predicted through the leverage of external network signals?

This paper explores the potential of smart contracts in the reinsurance industry to address escalating non-productive costs driven by market dynamics. Reinsurers, aiming to enhance stability amid increasing inflation, claim severity, and frequency, have adopted stricter underwriting criteria and raised premiums. This has led to a more detailed drafting of reinsurance contracts, reminiscent of the formalization trend that began in the 1970s. However, this formalization has inadvertently inflated administrative and dispute resolution costs, counter to the industry's core objective of efficient risk and capital allocation.

The study delves into how smart contracts can offer a solution. Smart contracts are computerized protocols that can automate contract clauses, potentially aligning better with industry goals. The examination focuses on their impact on transaction costs, involving expenses incurred by insurers and reinsurers to execute transactions.

Findings reveal that smart contracts can effectively reduce administrative costs by automating tasks, particularly in high-volume and standardized scenarios. However, their effect on dispute resolution costs is more nuanced, as the reinsurance sector still benefits from human interpretation.

In conclusion, while smart contracts hold promise for reducing transaction costs in reinsurance, the industry's unique complexities and high financial stakes may pose challenges and necessitate post-implementation adjustments. The paper recommends exploring smart contract applications in industries with smaller disputed amounts and lower trust levels than reinsurance.

The EU Artificial Intelligence Act (AI Act) proposed by the European Commission is a significant legislative effort to regulate AI systems. It is the first legal framework that specifically addresses the risks associated with AI systems, aiming to ensure their trustworthiness and alignment with the values enshrined in the Charter of the Fundamental Rights of the EU and the Union values. Thus, the draft of the AI Act emphasizes the importance of fundamental rights in Europe's AI approach.

The AI Act covers various AI applications, including machine learning, logical, statistical, and knowledge-based approaches. It provides a classification framework based on the purpose and risks posed by AI applications: Prohibited/Unacceptable risk, High-Risk, Limited-Risk, and Minimal/No risk. However, there are concerns about the clarity of the classification criteria mentioned in the AI Act. Some AI systems may fall into multiple classifications, leading to ambiguity. For example, a social robot used in patient treatment could be classified as High-Risk or Limited-Risk. This ambiguity is also observed in classifying AI systems in enterprise functions, where 40{\%} of the classifications remain unclear.

Therefore, these challenges provide an opportunity to improve the classification process of AI systems under the AI Act, facilitating the classification process and accommodating emerging AI technologies. The main research question addressed in this thesis is: \textbf{"To what extent can the process of AI systems classification under the AI Act be improved?"}

The research focuses specifically on AI systems classification. It explores specific provisions of the AI Act, including Prohibited Risk, Classification Rules for High-Risk AI systems, Transparency Obligations, and Annexes II and III.

To achieve the objective of improving the classification accuracy of AI systems based on the AI Act, the study adopts the Design Science Methodology. This methodology involves systematically studying existing AI systems classifications and challenges, extracting themes to develop a framework, and evaluating the framework through feedback from AI experts.

A decision tree is designed as the proposed framework. It is evaluated on 16 respondents from two different backgrounds: legal and non-legal. In order to obtain comprehensive insights, the evaluation is designed to incorporate an experiment where respondents are tasked to classify AI systems to the risk level with the AI Act only. Then in the second experiment, they have to classify AI systems using the proposed decision tree framework. It is important to note that the study acknowledges the possibility of overestimating or underestimating respondents' ability to classify AI systems due to their diverse backgrounds and levels of understanding of the AI Act. Furthermore, a semi-structured interview is conducted to strengthen the analysis.

Based on the evaluation, the decision tree's performance revealed higher accuracy than the classification approach without the decision tree. However, the overall accuracy remained low, indicating room for improvement. Challenges identified include the need for additional context and understanding of terms, definitions, and examples in the decision tree and the potential for misclassification due to vague definitions and assumptions. Respondents also expressed the need for more detailed information about AI system use cases to improve classification accuracy.

The decision tree's performance varied between obvious and non-obvious use cases, with non-obvious cases presenting challenges in accurate classification. The accuracy for obvious cases was higher, highlighting the difficulty of distinguishing between High-Risk and Unacceptable Risk categories. Lack of clarity in terms and definitions and limited contextual information contributed to the challenges faced in classifying non-obvious cases.

Legal experts demonstrated higher accuracy than non-legal respondents, indicating familiarity with legal terminology and the AI Act. However, legal and non-legal respondents encountered difficulties classifying non-obvious cases, emphasizing the need for clearer frameworks and tools to enhance clarity and streamline the classification process. Greater clarity in the AI Act and an interdisciplinary approach were recommended to address these challenges and facilitate understanding of the risks associated with AI systems.

Based on the analysis, several areas for improving AI systems classification under the AI Act have been identified. The current classification process faces challenges related to ambiguities in definitions, lack of contextual information, and difficulties in distinguishing between different risk levels.

To address these challenges and enhance the classification process, it is recommended to introduce clearer guidelines and refine the decision tree used for classification. The decision tree should incorporate additional criteria and features that provide more clarity and context. It is important to consider biases, subjective interpretations, clarity, and the dynamic nature of AI technologies in these improvements.

The study has certain limitations. The small sample size of respondents may impact the generalizability of the findings. The number of participants might not be representative of the entire population. Additionally, the limited number of use cases utilized in the research may limit the comprehensiveness of the classification framework. The study is based on the latest amendment of a policy proposal, and there is a potential for changes in the regulation's details, which may affect the effectiveness of the results. Finally, potential biases may exist in the development of the research, such as in making the decision tree and selecting the use cases.

Future research should explore the continuity of the decision tree's performance over time and its evaluation. There should be more research on non-obvious cases in specific domains or industries. It is crucial to focus on potential issues in classifying certain risk levels in the AI Act that hinder classification accuracy. Understanding the differences between legal and non-legal perspectives on the AI Act is also important to establish standardized understanding among stakeholders. Additionally, conducting quantitative research with larger and more diverse respondents from industrial backgrounds can further evaluate the proposed framework.

Addressing the growing problem of phishing attacks requires nurturing a reporting culture within organizations. This research examines the factors influencing reporting behavior and the role of infrastructure & support in enhancing reporting rates. By adopting a mixed methods approach and analyzing phishing simulation logs and user perspectives, the study utilizes the COMB model to identify key factors that affect reporting behavior. The research emphasizes the importance of reassessing the desired level of reporting to ensure the benefits of reporting do not overshadow the associated costs. To foster a reporting culture, organizations should ensure a user-friendly reporting process and offer regular reminders and training programs. Emphasizing communication, transparency, and trust-building are vital in encouraging reporting and providing timely feedback. Leveraging technology to optimize the reporting process and appreciating users' efforts further enhance reporting rates. Overall, embracing a paradigm shift that recognizes users as part of the solution is crucial in nurturing a reporting culture and ensuring a secure digital environment.

In today's business landscape, software has become an integral part of operations for all companies, with a growing reliance on third-party components. This increasing complexity in software supply chains has led to a significant reduction in transparency and visibility, posing challenges for effective management and security. Software Bill of Materials (SBOMs) emerges as a promising concept to address this issue by providing detailed information about software components and their supply chain relationships, ultimately enhancing transparency within these supply chains. However, despite its potential benefits, SBOM adoption remains limited in practice.

This research examines the perspectives of four key business stakeholders involved in the software supply chain to understand their incentives and disincentives surrounding SBOM adoption. Through a series of in-depth interviews with representatives from each stakeholder group, we aimed to identify stakeholder-specific risks, benefits, concerns, and incentives related to SBOM adoption. The analysis reveals that SBOM adoption potential is notably higher among system integrators and software vendors. These stakeholders perceive the benefits of enhanced transparency and supply chain risk mitigation, which align with their strategic objectives. On the contrary, B2B customers and Individual Developers exhibit the least motivation for SBOM adoption. Their limited interest stems from a perception that SBOMs may impose additional complexities without commensurate benefits. Given that B2B customers and individual developers are the primary consumers and suppliers of SBOMs, respectively, the findings suggest that the overall adoption potential of this technology remains restricted.

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking.
The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

Mixing services try to distort cash flow tracking of cryptocurrencies and obfuscate the origin of customers’ earnings by substituting customers’ cryptocurrency funds with the funds of other customers or the mixers’ private assets. This quality makes mixing services interesting for money laundering, and they are therefore often used by criminals. As such, there is an urgent need to systematically understand how to restore the relationship between deposits and payouts of centralized mixing services. Unfortunately, there is minimal knowledge of how mixing processes of centralized mixing services work, and few attempts exist to create these demixing methods. This research aimed to develop a demixing method for centralized mixers with knowledge gained from ground-truth data. The ground-truth data contains information on orders and the transaction history of mixing service BestMixer. Demixing consists of collecting all addresses that are part of the mixer (attribution) and finding the correct payout to a deposit (reconstruction). Multiple statistical analysis techniques were applied to this data to verify existing attribution heuristics and find new characteristics of mixing services. Also, filtering techniques to reconstruct the relation between deposits and payouts were tested on the order data. This research verifies that BestMixer likely did not reuse addresses in the mixing process. It also showed that the lifespan of most addresses was shorter than 24 hours. In addition, many BestMixer addresses received or sent a transaction to another BestMixer address, which created sequences of BestMixer transactions. The sequences show that the mixer used a peeling chain pattern in combination with multi-input transactions. These characteristics can be used to attribute other centralized mixing services. The results also show that the mixer increased in popularity throughout time.
Overall, the reconstruction attempt with filtering techniques did not perform well on BestMixer orders, as it returned an impracticable amount of possible payout combinations. The mixer showed less activity in the beginning days of the service, and there are signs that the reconstruction works better in this earlier stage of the mixer. This means that when a mixer becomes more popular, it could become more difficult to demix the orders correctly.
From this research can be concluded that the ground-truth data of BestMixer does help in developing attribution heuristics for centralized mixers, but not in developing a general reconstruction method that correctly restores the relation between deposits and payouts, thus not suffice in demixing centralized mixers.

Due to the increasing use of Internet-of-Things (IoT) devices people have created an entirely new digital world for themselves. However, the security and privacy risk in this world are emerging. People using smart devices for everything in their lives are not realising that every interaction is collected and stored in databases. This study has researched whether people take responsible action when it comes to purchasing an IoT device via displaying security and privacy related reviews.
The research was executed via a mixed methodology, with the quantative method being a discrete choice experimentation in the form of a survey and a website design. The study has found that out of a hundred respondents forty-four people chose a device with positive S\&P related reviews. Furthermore, more than half of the respondents chose the design as the main reason for choosing it. However, the qualitative data has shown that the reviews were often used as a last measure factor to pick between their 'favorite' devices. At that moment most of the respondent picked a device that had positive S\&P related reviews.
This research has contributed to science by showing how S\&P reviews interact with the customer purchase decision. Furthermore, it elaborates on the S\&P awareness process prior to the purchase instead of after. Thereby, it also presents the framing effect in the IoT field, showing that people are sensitive towards positive S\&P related reviews and therefore becoming more risk-averse. In addition, the study gave more insight in the IoT Trust/Value Paradox and the Privacy Paradox in relation the the IoT purchase decision. At last, it has shown the customer-to-customer effect to have an impact on the purchase decision even though is it not always the main reason of purchasing a certain IoT device.

IP spoofing is the act of forging source IP addresses assigned to a host machine. Spoofing provides users the ability to hide their identity and impersonate another machine. Malicious users use spoofing to invoke a variety of attacks. Examples are Distributed Denial of Service (DDoS) attacks, policy evasion and a range of application-level attacks. Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification and anonymity. Defeating these attacks requires operators to ensure that their networks filter packets with spoofed source IP addresses. This is a Best Current Practice (BCP), known as Source Address Validation (SAV). Yet, widespread SAV adoption is hindered by a misalignment of incentives: networks that adopt SAV incur the cost of deployment, while the security benefits diffuse to all other networks. The challenges posed by SAV adoption exemplify the failure of traditional governance models to provide solutions in the Internet ecosystem. Policy interventions usually require transparency in measurements to quantify and assess the vulnerability landscape. However, measuring SAV requires a vantage point inside the network or in the upstream provider of the network. Once a packet with a spoofed source address leaves the upstream network provider, it is almost impossible to ascertain its origin...

As the IoT is widely deployed in people’s homes, adversaries are busy exploiting the vulnerabilities of these devices. One kind of such device is the NAS device made by the company QNAP. Unfortunately, these devices are prone to the QSnatch malware. Unlike previous malware such as Mirai has this nasty habit, it settles deeper into the machine. In this way, the malware gains reboot persistence. Therefore, we consider the malware as persistent IoT malware compared to the non-persistent IoT malware. This affects the clean-up of the virus, as changing the passwords and rebooting the device is not enough to remove the virus. As a result, other steps are needed to get rid of the virus. If we take a look at the NAS device market, we see that the manufacturers of these devices have little incentive to invest a lot in the security of the devices. It is then challenging for the customer to estimate which devices are secure and are mainly tempted by discounts and devices that can be configured quickly. Then, the ISP is the link in the process that, with the help of the non-profit organisation Shadow Server, can determine which of its customers may be infected with certain malware. Shadow Server uses servers to receive the malicious traffic and forwards the corresponding IP addresses to the ISP. The ISP then knows which customer is dealing with possible infection and can inform them. This also happens for the QSnatch malware. The ISP sends the infected customer a notification informing them about the infection and providing steps to clean their device. These steps are a simplified and Dutch-translated version of the steps provided by QNAP. From that moment on, it is up to the infected customer to take action. Previous research has made a tremendous effort in understanding the efforts of infected customers in remediating the issue and showed that various resources could be used by the ISP to improve the results of this process.

In order to combat financially-economically related crime the government implemented a new directive ensuring that virtual currency exchanges now have to adhere to requirements from legislation countering money laundering. This thesis researches what the extent is of effects that this legislation posed to the daily operations of virtual currency exchanges.

To protect critical services in today's society it is necessary to mitigate and prevent risks threatening the reliability of the internet. Internet-of-Things (IoT) devices are the number one attack target on the internet. The situation will become worse as there will be an expected 40 billion IoT devices in 2025. IoT bot activity represented 78% malware network activity or detection events in carrier networks in 2018. The vulnerability and large volume of IoT devices make them a likely target for cybercriminals in distributed denial-of-service (DDoS) attacks. The rise of IoT is increasing the volume of DDoS attacks. A lot of (critical) infrastructure are therefore susceptible being shut down by DDoS attacks. DDoS attacks are commoditized with booter services, which perform attacks on targets in return for money. This allows a wider audience to utilize DDoS attacks as the only necessary prerequisite is money. These services have increased attack frequencies and attack power of the attacks. The DDoS-as-a-Service landscape has mainly used amplification attacks to take down their victims, however, it is yet unclear if they are also utilizing the growth of IoT for their purposes. This research will look at the impact of IoT-based DDoS attacks on the victims, with the main research question being: What patterns of commoditization and victimization can we observe with IoT­-based DDoS attacks compared to amplification attacks? Conclusively, vulnerable IoT devices are already a serious threat. They are commoditized and they bring significant differences to DDoS attack characteristics and victimization patterns. As DDoS remains an arms race where adaptation is important, this research showcases a concrete example of how emerging technology can change the existing marketplaces and attack patterns. It also showed its value by looking at IoT from a holistic view to gain understanding of the technical as well as the social impacts. However, more research is needed in this field as the quickly changing field needs to be monitored. Questions still remain which factors can explain the country-level effects in more detail. Expansion of the tools and capabilities to investigate underground chat data would be fruitful as well.

Cybersecurity is important to hospitals and patients alike and is becoming more important as healthcare is experiencing more cybercrime over time. It is the result of complex interactions between actors and their environment during procurement, but research has not yet studied the combination of cybersecurity, healthcare and procurement together. The main research question is: What is the role of cybersecurity in hospital procurement processes and how can that role be analysed across the sector? Nine semi-structured interviews were conducted with hospital cybersecurity experts. Using a combination of a purchase process model and complex decision-making framework and using semi-grounded theory techniques for analysis, five key factors and their interrelations were identified: supplier-hospital relationship, knowledge exchange and retention, alternative purchase processes, cloud transition and conflicting priorities. These factors influence the decision power of hospitals and their internal departments before and after signing off on a purchase. Based on the results, a complementary survey was developed to scale this research across Dutch hospitals. This survey serves as a stepping stonet for future research efforts.

This study aims to make recommendations about how the Internet can be more thoroughly cleaned of Child Sexual Abuse Material (CSAM), focusing on the Dutch government policies. In the past years, several organizations, including the European Commission, called out the Netherlands for the role Dutch companies have in the hosting of CSAM. According to INHOPE, the CSAM hotline umbrella organization, the Netherlands is responsible for 20\% of the hosted CSAM worldwide and 79\% within the EU. For this study, a mixed-methods approach is chosen. A mixed-methods approach combines a qualitative and a quantitative method. The qualitative analysis is used to reveal relevant stakeholders, their positions, how they participate in the policymaking process, how they evaluate the government policies, and what they believe are the most significant improvements to the system. The quantitative results map information flows and processing times of the Dutch CSAM NTD mechanism. Combining the qualitative and quantitative research has revealed several pitfalls. Firstly, much CSAM remains unfound. Secondly, hotlines have a very important but also insecure position in the government policies. Further, are direct incentives for the sector more than moral duty are missing and the organizational degree of the sector is low. Also, the set norms and policies of the government and self-regulation are not accounting for the high diversity of the sector. There is a lack of financial resources. Finally, several stakeholders question the adequacy of law enforcement in regard to CSAM. Consequently, recommendations in three areas are made: (1) expanding and strengthen the current policies, (2) enhancing the collaboration between the stakeholders and their own position and (3) introducing new policy initiatives.

Cybercrime thrives and online anonymous markets, or darknet markets, play an important role in the cybercriminal ecosystem. Vendors active on darknet markets invest in security mechanisms to compromise the availability or usefulness of evidence to Law Enforcement Agencies. Therefore, difficulties arise in linking identities or machines to cybercrimes facilitated by darknet markets. As a result, many cybercrime investigations are ineffective. This thesis consists of an exploratory case study based on the full administration of the Hansa Market. The Hansa Market (2015-2017) was infiltrated and eventually taken over and shut down by the Dutch Police. The data used in this thesis originates from the server that hosted the market and is made available by the Dutch National High Tech Crime Unit (NHTCU) and the Fiscal Information and Investigation Service (FIOD). This data is used to answer the research question: “Which factors influence the security behaviour of darknet market vendors active on Hansa Market?”. To answer this question, vendors that are similar regarding a) their experience, b) the activity on other markets, c) the amount of physical items sold, e.g. drugs and d) the amount of digital items sold, e.g. stolen credit card information, are clustered into five `vendor types' using Latent Profile Analysis. It is researched whether these clusters of vendors differ in terms of the following security behaviours observed: a) authentication related security practices (password strength, password uniqueness and two-factor authentication usage), b) encryption of communication, in the form of PGP-adoption and PGP-key strengths used, c) the linkability of a vendors' pseudonym through PGP-key matching and d) a vendors' choice of Online Financial Service Providers within the bitcoin ecosystem, measured by querying a service that provides contextual information on bitcoin transactions and addresses. The findings indicate that approximately causal relationships may be inferred between on the one hand vendor types, that represent a combination of business success in terms of physical and digital sales, experience and activity on other markets and on the other hand security behaviour. Vendors offering digital items tend to behave less securely than vendors selling large amounts of drugs. This thesis explains the observed (differences in) suboptimal security behaviours by arguing that vendors on Hansa Market conduct subjective risk assessments. This implies that the probability of being targeted by LEA and the value of the vendors' assets that are at stake (e.g. informational assets containing incriminating evidence or `years of freedom') are of influence on security behaviour. Lastly, recommendations to Law Enforcement Agencies include to exploit the subjectiveness in cybercriminals' risk assessments and to consider focusing on vendors transacting digital items. Academics are recommended to extend this research by investigating cybercriminal security behaviours through improved measurement methodologies in larger and more recent datasets.

The increasingly important availability of online services is constantly threatened by malicious software such as botnets. Attackers have gained power through devices that are part of the rising Internet of Things (IoT), mostly through infections caused by Mirai. The botnets created by Mirai are used for the purpose of DDoS attacks, which can take away the availability of an online service. Although Mirai can be detected relatively easily due to its superficial signature, the remediation process of Mirai infected IoT devices runs far from smoothly.
As end-users often do not notice the presence of Mirai and manufacturers lack incentives to invest in better security or support, ISPs like KPN are amongst the few viable actors that could defend against botnets like Mirai. As ISPs are able to link infection feeds to their customers, they are able to send out notifications accompanied by protocols that can resolve Mirai infections when executed properly. Although research exists on the remediation rates, it is not clear what processes take place at end-users homes during the remediation process and what critical points of error exist throughout the phases of the anti-botnet cycle. As the remediation rate of Mirai infections is currently only 60 – 76 percent, it can be worth looking into the remediation processes to see where they could be improved.
The main research question is the following: “What do we learn about how and to what extent Internet Service Providers can improve the remediation process of malware infected Internet of Things devices by monitoring end-users while they are cleaning their Mirai infections?”. To answer this question, we have closely followed 17 Mirai infected end-users over a period of 7 weeks, at the KPN Abuse Desk, after a 1 week pilot phase to test our email notification and think aloud protocol. We have prepared and analyzed all steps from identification of a Mirai infection until successful remediation took place. The lion’s share of this experiment is about a virtual visit; a phone call with an option to upgrade to a video conference, in which infected end-users get advanced support in performing the 5 cleaning steps stated in the protocol they received. As the end-users thought aloud during the calls, we were able to follow them closely and pinpoint arising issues. Using a thematic content analysis, we synthesized the personal stories that end-users shared.
During the 7 week experiment, we saw 37 unique IP addresses infected with Mirai, of which 12 were excluded due to the ISP policy of not providing support during the weekends. Of the 25 remaining IP addresses, 3 could not be notified due to technical issues within KPN, 2 did not pick up the phone after being notified and 3 were not willing to take part in the experiment due to trust issues.
16 out of 17 participants that were responsible for the internet security were male, but their varying household sizes shows that this does not relate to men becoming infected more often. The age of the end-users was normally distributed between 21 and 80 and we found a household size of 1 to 6, excluding 3 small business locations that became victim of Mirai. End-users can often only identify 1 or 2 IoT devices in their network (13 out of 17) and are almost always able to pinpoint the infected device (16 out of 17). Many issues arose during the virtual visits, such as a lack of trust, not willing to spend effort, a lack of support by the manufacturer, or the idea that regular protection measures should have protected against Mirai.
Only 6 out of 17 end-users were able to perform all steps successfully. In most cases end-users failed to change the password of their device or performed a regular reset on their router instead of a factory reset. This caused 3 failing remediation efforts and 5 reinfections during the experiment phase. The remediation process has barriers in each phase that could be addressed. The biggest improvement can be made in the awareness of end-users, which would lead to higher prevention of infections. Prevention would keep the many potential issues in the remediation process from arising altogether.

Many scientific studies and industry reports have observed the emergence of so-called cybercrime-as-a-service. The idea is that specialized suppliers in the underground economy cater to criminal entrepreneurs in need of certain capabilities – substituting specialized technical knowledge with “knowing what to buy”. The impact of this trend could be dramatic, as technical skill becomes an insignificant entry barrier for cybercrime. Forms of cybercrime motivated by financial gain, make use of a unique configuration of technical capabilities to be successful. Profit-driven cybercrimes, as they are called, range from carding to financial malware, and from extortion to cryptojacking. Given their reliance on technical capabilities, particularly these forms of cybercrime benefit from a changing crime paradigm: the commoditization of cybercrime. That is, standardized offerings of technical capabilities supplied through structured markets by specialized vendors that cybercriminals can contract to fulfill tools and techniques used in their business model. Commoditization enables outsourcing of components used in cybercrime - i.e., a botnet or cash-out solution. Thus lowering entry barriers for aspiring criminals, and potentially driving further growth in cybercrime. As many cybercriminal entrepreneurs lack the skills to provision certain parts of their business model, this incentivizes them to outsource these parts to specialized criminal vendors. With online anonymous markets - like Silk Road or AlphaBay - these entrepreneurs have found a new platform to contract vendors and acquire technical capabilities for a range of cybercriminal business models. A configuration of technical capabilities used in a business model reflects the value chain of resources. Here, not the criminal activities themselves, but the technical enablers for all these criminal activities are depicted. To create a comprehensive understanding of how businessmodels in profit-driven cybercrime are impacted by the commoditization of cybercrime, we investigate how outsourced components can fulfill technical capabilities needed in profit-driven cybercrime. This is where we use an economic lens to deliver an overview of criminal activities, resources and strategies in profit-driven cybercrime. In turn, knowing how outsourcing fulfils parts of the value chain, can help law enforcement exploit ‘chokepoints’ – i.e., use the weakest link in the value chain where criminals appear to be vulnerable.