Cybersecurity threat and incident managers in large organizations, especially in the financial sector, are confronted more and more with an increase in volume and complexity of threats and incidents. At the same time, these managers have to deal with many internal processes and criteria, in addition to requirements from external parties, such as regulators that pose an additional challenge to handling threats and incidents. Little research has been carried out to understand to what extent decision support can aid these professionals in managing threats and incidents. The purpose of this research was to develop decision support for cybersecurity threat and incident managers in the financial sector. To this end, we carried out a cognitive task analysis and the first two phases of a cognitive work analysis, based on two rounds of in-depth interviews with ten professionals from three financial institutions. Our results show that decision support should address the problem of balancing the bigger picture with details. That is, being able to simultaneously keep the broader operational context in mind as well as adequately investigating, containing and remediating a cyberattack. In close consultation with the three financial institutions involved, we developed a critical-thinking memory aid that follows typical incident response process steps, but adds big picture elements and critical thinking steps. This should make cybersecurity threat and incident managers more aware of the broader operational implications of threats and incidents while keeping a critical mindset. Although a summative evaluation was beyond the scope of the present research, we conducted iterative formative evaluations of the memory aid that show its potential.
DOCUMENT
Cybersecurity is meer dan alleen het nemen van technische maatregelen. En alhoewel gebruikers ten onrechte vaak alleen worden aangemerkt als ‘de zwakke schakel’ binnen die cybersecurity, moet een deel van de maatregelen zich toch echt wel richten op deze groep. Gebruikers gedragen zich immers soms bewust of onbewust onveilig: - ze klikken op hyperlinks als ze dat niet moeten doen; - reageren op een phishingmail; - gebruiken zwakke wachtwoorden; - hergebruiken wachtwoorden; - melden incidenten niet; - geven (te) veel gegevens prijs van zichzelf op social media; - maken niet consequent back-ups van hun data. Sinds jaar en dag lijken organisaties ‘awareness’ te zien als de sleutel om van gebruikers iets minder de zwakke schakel te maken. De gedachte daarachter is kortgezegd dat gebruikers zich ‘beter’ gaan gedragen als we ze voeden met informatie over dreigingen, goed en fout gedrag en het cybersecurity-beleid. Het is inmiddels echter wel duidelijk dat een beleid dat alleen gericht is op ‘awareness’ niet gaatzorgen voor het gewenste effect. Onderzoek toont bijvoorbeeld aan dat anti-phishingcampagnes, waar nepphishingmails worden verstuurd, niet heel lang beklijven. Cybersecuritybedrijven geven dan ook steeds vaker aan dat het niet alleen gaat om het verhogen van kennis en bewustwording, maar ook om andere aspecten die gedrag lijken te beïnvloeden. Recent wetenschappelijk experimenteel onderzoek laat zelfs zien dat het hebben van meer kennis kan leiden tot onveiliger gedrag: gebruikers die (een beetje) meer weten, gedragen zich nog onveiliger. Mogelijk komt dat doordat die groep zichzelf overschat en daardoor ten onrechte grotere risico’s durft te nemen. We moeten dus verder komen dan alleen awareness. Het lab observeert dat er twee grote vraagstukken spelen. 1. Wat moeten we dan verder nog doen? Het is duidelijk dat er geen simpele oplossing is voor het bevorderen van veilig cybergedrag. Toch is het goed om nieuwe oplossingsrichtingen te onderzoeken die richting geven aan het verbeteren van cyberveilig gedrag. 2. Hoe zorgen we ervoor dat organisaties daadwerkelijk verder gaan dan alleen het creëren van meer awareness? Individuele organisaties hebben lang niet altijd de kennis en kunde om dit zelf te doen. Moet de overheid dit stimuleren? Zo ja, hoe dan? Kan het aan de markt zelf (lees: cybersecurity bedrijven) overgelaten worden? Wat kunnen we leren over het stimuleren van effectieve gedragsinterventies binnen andere vakgebieden? https://nl.linkedin.com/in/rutgerleukfeldt
MULTIFILE
In general, people are poorly protected against cyberthreats, with the main reason being user behaviour. For the study described in this paper, a ques-tionnaire was developed in order to understand how people’s knowledge of and attitude towards both cyberthreats and cyber security controls affect in-tention to adopt cybersecure behaviour. The study divides attitude into a cog-nitive and an affective component. Although only the cognitive component of attitude is usually studied, the results from a questionnaire of 300 respond-ents show that both the affective and cognitive components of attitude have a clearly positive, albeit varying, influence on behavioural intention, with the affective component having an even greater effect on attitude than the cog-nitive aspect. No correlation was found between knowledge and behavioural intention. The results indicate that attitude is an important factor to include when developing behavioural interventions, but also that different kinds of attitude should be addressed differently in interventions.
DOCUMENT
Adversarial thinking is essential when dealing with cyber incidents and for finding security vulnerabilities. Capture the Flag (CTF) competitions are used all around the world to stimulate adversarial thinking. Jeopardy-style CTFs, given their challenge-and-answer based nature, are used more and more in cybersecurity education as a fun and engaging way to inspire students. Just like traditional written exams, Jeopardy-style CTFs can be used as summative assessment. Did a student provide the correct answer, yes or no. Did the participant in the CTF competition solve the challenge, yes or no. This research project provides a framework for measuring the learning outcomes of a Jeopardy-style CTF and applies this framework to two CTF events as case studies. During these case studies, participants were tested on their knowledge and skills in the field of cybersecurity and queried on their attitude towards CTF education. Results show that the main difference between traditional written exam and a Jeopardy-style CTF is the way in which questions a re formulated. CTF education is stated to be challenging and fun because questions are formulated as puzzles that need to be solved in a gamified and competitive environment. Just like traditional written exams, no additional insight into why the participant thinks the correct answer is the correct answer has been observed or if the participant really did learn anything new by participating. Given that the main difference between a traditional written exam and a Jeopardy-style CTF is the way in which questions are formulated, learning outcomes can be measured in the same way. We can ask ourselves how many participants solved which challenge and to which measurable statements about “knowledge, skill and attitude” in the field of cybersecurity each challenge is related. However, when mapping the descriptions of the quiz-questions and challenges from the two CTF events as case studies to the NICE framework on Knowledge, Skills and Abilities in cybersecurity, the NICE framework did not provide us with detailed measurable statements that could be used in education. Where the descriptions of the quiz-questions and challenges were specific, the learning outcomes of the NICE framework are only formulated in a quite general matter. Finally, some evidence for Csíkszentmihályi’s theory of Flow has been observed. Following the theory of Flow, a person can become fully immersed in performing a task, also known as “being in the zone” if the “challenge level” of the task is in line with the person’s “skill level”. The persons mental state towards a task will be different depending on the challenge level of the task and required skill level for completing it. Results show that participants state that some challenges were difficult and fun, where other challenges were easy and boring. As a result of this9 project, a guide / checklist is provided for those intending to use CTF in education.
DOCUMENT
Om mkb’ers in staat te stellen hun cyberweerbaarheid te verhogen, heeft de Haagse Hogeschool, samen met het Platform Veilig Ondernemen (PVO) en de VeiligheidsAlliantie regio Rotterdam (VAR) een webapplicatie ontwikkeld. Voor de financiering van de webapplicatie heeft het PVO een subsidie ontvangen van het Centrum voor Criminaliteitspreventie en Veiligheid (CCV). Cyberweerbaarheid is hier gedefinieerd als het vermogen om weerstand te bieden tegen bekende en onbekende vormen van cybercriminaliteit en snel te herstellen van een cybercrisis. Naast het ontwikkelen van de app is het doel om mkb’ers in de regio Rotterdam die de app hebben gebruikt: (1) meer bewust te maken van de risico’s van cybercriminaliteit in zijn algemeenheid en ook voor hun bedrijf specifiek; (2) inzicht te geven in weten welke maatregelen ze kunnen treffen om slachtofferschap te voorkomen en schade bij slachtofferschap te beperken; en (3) daadwerkelijk aan de slag te laten gaan met de gegeven tips. De evaluatie van de app vond plaats onder negen mkb’ers in de regio Rotterdam. Zij zijn geworven op cybersecurity congressen in Barendrecht en Dordrecht. De evaluatie bestond uit een nulmeting en een effectmeting op vier relevante kwaliteiten uit de ISO 25010-norm, namelijk de bruikbaarheid, effectiviteit, efficiëntie en het vertrouwen in de uitkomsten. De evaluatie laat zien dat het gebruik van de app door mkb’ers leidt tot meer bewustzijn van cyberrisico’s. Drie van de negen mkb’ers hebben ook daadwerkelijk adviezen die volgen uit het gebruik van de app opgevolgd en daarmee hun cyberweerbaarheid verhoogd. Een verbetermogelijkheid is de vraagstelling die in de app wordt gebruikt om de adviezen te bepalen. Deze was hier en daar verwarrend of sloot niet goed aan bij de organisatie en haar context. En hoewel de deelnemers aan de evaluatie over het algemeen enthousiast waren over de app bleek het in de praktijk lastig om deelnemers te werven. Ook het bewerkstelligen van gedragsverandering is een knelpunt gebleken, zoals blijkt uit het geringe aantal mkb’ers dat daadwerkelijk maatregelen heeft genomen op basis van de adviezen die volgden uit het gebruik van de app. Mogelijke verklaring hiervoor is de lage prioriteit die mkb’ers toekennen aan het nemen van maatregelen om hun cyberweerbaarheid te vergroten. Samenvattend kunnen we concluderen dat de app in de huidige vorm voldoende kwaliteit heeft om mkb’ers te helpen bij het verhogen van de cyberweerbaarheid. Vervolgonderzoek zou zich kunnen richten op de vraag hoe mkb’ers te motiveren in het gebruikmaken van de app en het opvolgen van adviezen.
DOCUMENT
Hoewel de meeste ondernemers zich wel degelij k bewust zij n van de gevaren van cybercriminaliteit in het algemeen, blij ken ze zich er in veel gevallen toch nog te weinig tegen te beschermen. “Het lijkt erop dat ondernemers de risico’s van cybercriminaliteit vaak niet op hun eigen situatie betrekken. Dat is ten onrechte. Cybersecurity verdient de alertheid van íedere ondernemer. Continu!
DOCUMENT
In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
The growing sophistication, frequency and severity of cyberattacks targeting all sectors highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive alternative to the existing cybersecurity paradigm. We define cyber-resilience as the capacity to withstand, recover from and adapt to the external shocks caused by cyber-risks. This article seeks to provide a broader organizational understanding of cyber-resilience and the tensions associated with its implementation. We apply Weick's (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity professionals to uncover these tensions and how they reverberate across cyber-resilience practices.
DOCUMENT
Presentatie gegeven op de NVC congres 2022.
DOCUMENT
Presentation given at EURCRIM 2022 conference
DOCUMENT
