In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
The growing sophistication, frequency and severity of cyberattacks targeting all sectors highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive alternative to the existing cybersecurity paradigm. We define cyber-resilience as the capacity to withstand, recover from and adapt to the external shocks caused by cyber-risks. This article seeks to provide a broader organizational understanding of cyber-resilience and the tensions associated with its implementation. We apply Weick's (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity professionals to uncover these tensions and how they reverberate across cyber-resilience practices.
DOCUMENT
Presentation given at EURCRIM 2022 conference
DOCUMENT
Presentatie gegeven op de NVC congres 2022.
DOCUMENT
NL samenvatting: In dit verkennend onderzoek werden social engineering-aanvallen bestudeerd, vooral de aanvallen die mislukten, om organisaties te helpen weerbaarder te worden. Fysieke, telefonische en digitale aanvallen werden uitgevoerd met behulp van een script volgens de 'social engineering-cyclus'. We gebruikten het COM-B model van gedragsverandering, verfijnd door het Theoretical Domains Framework, om door middel van een enquête te onderzoeken hoe Capability, Motivational en vooral Opportunity factoren helpen om de weerbaarheid van organisaties tegen social engineering-aanvallen te vergroten. Binnen Opportunity leek sociale invloed van extra belang. Werknemers die in kleine ondernemingen werken (<50 werknemers) waren succesvoller in het weerstaan van digitale social engineering-aanvallen dan werknemers die in grotere organisaties werken. Een verklaring hiervoor zou een grotere mate van sociale controle kunnen zijn; deze medewerkers werken dicht bij elkaar, waardoor ze in staat zijn om onregelmatigheden te controleren of elkaar te waarschuwen. Ook het installeren van een gespreksprotocol over hoe om te gaan met buitenstaanders was een maatregel die door alle organisaties werd genomen waar telefonische aanvallen faalden. Daarom is het moeilijker voor een buitenstaander om toegang te krijgen tot de organisatie door middel van social engineering. Dit artikel eindigt met een discussie en enkele aanbevelingen voor organisaties, bijvoorbeeld met betrekking tot het ontwerp van de werkomgeving, om hun weerbaarheid tegen social engineering-aanvallen te vergroten. ENG abstract: In this explorative research social engineering attacks were studied, especially the ones that failed, in order to help organisations to become more resilient. Physical, phone and digital attacks were carried out using a script following the ‘social engineering cycle’. We used the COM-B model of behaviour change, refined by the Theoretical Domains Framework, to examine by means of a survey how Capability, Motivational and foremost Opportunity factors help to increase resilience of organisations against social engineering attacks. Within Opportunity, social influence seemed of extra importance. Employees who work in small sized enterprises (<50 employees) were more successful in withstanding digital social engineering attacks than employees who work in larger organisations. An explanation for this could be a greater amount of social control; these employees work in close proximity to one another, so they are able to check irregularities or warn each other. Also, having a conversation protocol installed on how to interact with outsiders, was a measure taken by all organisations where attacks by telephone failed. Therefore, it is more difficult for an outsider to get access to the organisation by means of social engineering. This paper ends with a discussion and some recommendations for organisations, e.g. the design of the work environment, to help increase their resilience against social engineering attacks. https://openaccess.cms-conferences.org/publications/book/978-1-958651-29-2/article/978-1-958651-29-2_8 DOI: 10.54941/ahfe1002203
DOCUMENT
Elke periode kent zijn eigen revolutie en elke revolutie brengt zijn eigen organisatorische model met zich mee. We bevinden ons nu in de 4e industri¨ele revolutie, waar het internet van dingen ons verbindt met autonome embedded systemen. Deze systemen zijn actief in de virtuele ’cyber’ wereld, alsook in de echte ’fysieke’ wereld om ons heen. Deze zogenoemde ’Cyber-Fysieke’ Systemen volgen daarmee een modern organisatorisch model, namelijk zelfmanagement, en zijn dan ook in staat zelf proactieve acties te ondernemen. Dit proefschrift belicht productiesystemen vanuit het Cyber-Fysieke perspectief. De productiesystemen zijn hier herconfigureerbaar, autonoom en zeer flexibel. Dit kan enkel worden bereikt door het ontwikkelen van nieuwe methodes en het toepassen van nieuwe technologie¨en die flexibiliteit verder bevorderen. Echter, effici¨entie is ook van belang, bijvoorbeeld door productassemblage zo flexibel te maken dat het daardoor kosteneffici¨ent is om de productie van diverse producten met een lage oplage, zogenaamde high-mix, low volume producten, te automatiseren. De mogelijkheid om zo flexibel te kunnen produceren moet bereikt worden door de creatie van nieuwe methoden en middelen, waarbij nieuwe technologie¨en worden gecombineerd; een belangrijk aspect hierbij is dat dit toepasbaar getest moet worden door gebruik van simulatoren en speciaal hiervoor ontwikkelde productiesystemen. Dit onderzoek zal beginnen met het introduceren van het concept achter de bijbehorende productiemethodologie, welke Grid Manufacturing is genoemd. Grid Manufacturing wordt uitgevoerd door autonome entiteiten (agenten) die zowel de productiesystemen zelf, als de producten representeren. Producten leven dan al in de virtuele cyber wereld voordat zij daadwerkelijk zijn gebouwd, en zijn zich bewust uit welke onderdelen zij gemaakt moeten worden. De producten communiceren en overleggen met de autonome herconfigureerbare productiesystemen, de zogenaamde equiplets. Deze equiplets leveren generieke diensten aan een grote diversiteit aan producten, die hierdoor op elk moment geproduceerd kunnen worden. Het onderzoek focust hierbij specifiek op de equiplets en de technische uitdagingen om dynamisch geautomatiseerde productie mogelijk te maken. Om Grid Manufacturing mogelijk te maken is er een set van technologische uitdagingen onderzocht. De achtergrond, onderzoeksaanpak en concepten zijn dan ook de eerste drie inleidende hoofdstukken. Daarna begint het onderzoek met Hoofdstuk 4 Object Awareness. Dit hoofdstuk beschrijft een dynamische manier waarop informatie uit verschillende autonome systemen gecombineerd wordt om objecten te herkennen, lokaliseren en daarmee te kunnen manipuleren. Hoofdstuk 5 Herconfiguratie beschrijft hoe producten communiceren met de equiplets en welke achterliggende systemen ervoor zorgen dat, ondanks | Dutch Summary 232 dat het product niet bekend is met de hardware van de equiplet, deze toch in staat is acties uit te voeren. Tevens beschrijft het hoofdstuk hoe de equiplets omgaan met verschillende hardwareconfiguraties en ondanks de aanpassingen zichzelf toch kunnen besturen. De equiplet kan dan ook aangepast worden zonder dat deze opnieuw geprogrammeerd hoeft te worden. In Hoofdstuk 6 Architectuur wordt vervolgens dieper ingegaan op de bovenliggende architectuur van de equiplets. Hier worden prestaties gecombineerd met flexibiliteit, waarvoor een hybride architectuur is ontwikkeld die het grid van equiplets controleert door het gebruik van twee platformen: Multi-Agent System (MAS) en Robot Operating System (ROS). Nadat de architectuur is vastgesteld, wordt er in Hoofdstuk 7 onderzocht hoe deze veilig ingezet kan worden. Hierbij wordt een controlesysteem ingevoerd dat het systeemgedrag bepaalt, waarmee het gedrag van de equiplets transparant wordt gemaakt. Tevens zal een simulatie met input van de sensoren uit de fysieke wereld ’live’ controleren of alle bewegingen veilig uitgevoerd kunnen worden. Nadat de basisfunctionaliteit van het Grid nu compleet is, wordt in Hoofdstuk 8 Validatie en Utilisatie gekeken naar hoe Grid Manufacturing gebruikt kan worden en welke nieuwe mogelijkheden deze kan opleveren. Zo wordt er besproken hoe zowel een hi¨erarchische als een heterarchische aanpak, waar alle systemen gelijk zijn, gebruikt kan worden. Daarnaast laat het hoofdstuk o.a. aan de hand van enkele voorbeelden en simulaties zien welke effecten herconfiguratie kan hebben, en welke voordelen deze aanpak zoal kan bieden.. Het proefschrift laat zien hoe met technische middelen geautomatiseerde flexibiliteit mogelijk wordt gemaakt. Hoewel het gehele concept nog volwassen zal moeten worden, worden er enkele aspecten getoond die op de korte termijn toepasbaar zijn in de industrie. Enkele voorbeelden hiervan zijn: (1) het combineren van gegevens uit diverse (autonome) bronnen voor 6D-lokalisatie; (2) een data-gedreven systeem, de zogeheten hardware-abstractielaag, die herconfigureerbare systemen controleert en de mogelijkheid biedt om deze productiesystemen aan te passen zonder deze te hoeven herprogrammeren; en (3) het gebruik van Cyber-Fysieke systemen om de veiligheid te verhogen.
MULTIFILE
Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Structural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effective (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disappears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business’ characteristics. Based on these findings, we will discuss security professionals’ prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.
DOCUMENT
The Internet and computers increasingly determine our daily lives. This goes for almost everyone in the Netherlands. Still, it is mostly teenagers who are well informed on how to use all the possibilities of new technologies. They are building a digital world of their own that parents usually know very little about. This booklet intends to inform teachers, parents and other interested parties on what teenagers are actually doing online and how important it is to keep abreast of the new developments that the Internet and computers bring into their world. On the basis of research into these issues in the Netherlands and abroad we attempt to indicate what the digital world of teenagers looks like and how it differs from that of grown-ups. What do they do, exactly, and why? We also look into teenagers’ ICT behaviour and into dangers and abuse of the Internet. Moreover we provide tips for parents and teachers on how to handle certain phenomena. This book does not pretend to provide an exhaustive overview of the digital world of teenagers. It is focused on some important characteristics and parts of that world. It reports on research of the INHOLLAND Centre for eLearning into various aspects of ICT behaviour among teenagers. The research was undertaken in the spring of 2006, focusing mainly on texting, networking, gaming, dangers and abuse on the Internet and the digital relation between school and the home. Ultimately we are especially concerned with the question of what teenagers really learn in their digital world, and how education can profit. This book also addresses that issue.
DOCUMENT
Author supplied: Abstract—The growing importance and impact of new technologies are changing many industries. This effect is especially noticeable in the manufacturing industry. This paper explores a practical implementation of a hybrid architecture for the newest generation of manufacturing systems. The papers starts with a proposition that envisions reconfigurable systems that work together autonomously to create Manufacturing as a Service (MaaS). It introduces a number of problems in this area and shows the requirements for an architecture that can be the main research platform to solve a number of these problems, including the need for safe and flexible system behaviour and the ability to reconfigure with limited interference to other systems within the manufacturing environment. The paper highlights the infrastructure and architecture itself that can support the requirements to solve the mentioned problems in the future. A concept system named Grid Manufacturing is then introduced that shows both the hardware and software systems to handle the challenges. The paper then moves towards the design of the architecture and introduces all systems involved, including the specific hardware platforms that will be controlled by the software platform called REXOS (Reconfigurable EQuipletS Operating System). The design choices are provided that show why it has become a hybrid platform that uses Java Agent Development Framework (JADE) and Robot Operating System (ROS). Finally, to validate REXOS, the performance is measured and discussed, which shows that REXOS can be used as a practical basis for more specific research for robust autonomous reconfigurable systems and application in industry 4.0. This paper shows practical examples of how to successfully combine several technologies that are meant to lead to a faster adoption and a better business case for autonomous and reconfigurable systems in industry.
DOCUMENT
Repeat victimization has been widely studied from the perspective of environmental criminology for several decades. During this period, criminologists have identified a set of repeat victimization premises that are observed for many crimes; however, it is unknown whether these premises are also valid for cybercrime. In this study we rely on more than 9 million Zone-H data records from 2010 to 2017 to test whether these premises apply for the cybercrime of website defacement. We show that the phenomenon of repeat victimization is also observed in defaced cyber places (i.e. websites). In particular, we found that repeats contributed little to crime rates, that repeats occurred even several years after the original incident, that they were committed disproportionately by prolific offenders, and that few offenders returned to victimize previous targets. The results suggest that some traditional premises of repeat victimization may also be valid for understanding cybercrime events such as website defacement, implying that environmental criminology theories also constitute a useful framework for cybercrime analysis. The implications of these results in terms of criminological theory, cybercrime prevention, and the limitations derived from the use of Zone-H data are discussed
DOCUMENT
