Patchwork security
Municipal Cybersecurity Measures in Practice
A.M. Ethembabaoglu (TU Delft - Technology, Policy and Management)
M.J.G. van Eeten – Promotor (TU Delft - Technology, Policy and Management)
R.S. van Wegberg – Promotor (TU Delft - Technology, Policy and Management)
Y. Zhauniarovich – Copromotor (TU Delft - Technology, Policy and Management)
More Info
expand_more
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
Municipalities play a central role in delivering essential public services, including civil registration, social services, taxation, communication, and local democratic processes. In doing so, they increasingly rely on digital systems. Cyber incidents affecting these systems can disrupt service delivery, expose sensitive personal data, and impose significant recovery costs. Because municipalities are often the most visible and accessible layer of government for citizens, such incidents may also affect public trust. In addition, municipalities operate and oversee systems that support local critical infrastructure, such as water management, traffic control, and energy distribution, placing them within the scope of both financially motivated cybercriminals and state-sponsored advanced persistent threats (APTs).
In response to this threat landscape, municipalities are expected to implement a range of cybersecurity measures. These include complying with security frameworks and standards, managing vulnerabilities through patching and configuration, participating in information sharing and coordination structures, and preparing for incident response and recovery. At the same time, municipalities typically operate under constraints that distinguish them from many other organizations, including limited internal cybersecurity capacity, extensive reliance on outsourcing and shared service providers, and complex internal structures in which responsibility for systems and data is distributed across departments and external parties.
As a result, municipal cybersecurity is rarely a matter of isolated technical controls. Instead, it is shaped by interactions between municipalities and a broader ecosystem of actors, including vendors, managed service providers, sectoral and national CSIRTs, and commercial security firms. Information about threats and vulnerabilities often reaches municipalities through intermediaries, and the ability to act on that information depends on institutional arrangements, contractual relationships, and organizational processes. Understanding municipal cybersecurity, therefore, requires examining not only which security measures are in place but also how those measures function in practice within this institutional context.
This dissertation examines the security measures municipalities use to address cyber threats and how they function in practice under these conditions. It investigates vulnerability remediation, institutional support for incident prevention and response, and the use of commercial threat intelligence, and asks how these security measures can be improved in practice, addressing the central research question: How can municipalities improve security measures to address cyber threats? To answer this question, the dissertation presents three empirical studies that combine technical measurements with practitioner perspectives, adopting a socio-technical approach that connects technical observations to organizational and institutional contexts.