In general, people are poorly protected against cyberthreats, with the main reason being user behaviour. For the study described in this paper, a ques-tionnaire was developed in order to understand how people’s knowledge of and attitude towards both cyberthreats and cyber security controls affect in-tention to adopt cybersecure behaviour. The study divides attitude into a cog-nitive and an affective component. Although only the cognitive component of attitude is usually studied, the results from a questionnaire of 300 respond-ents show that both the affective and cognitive components of attitude have a clearly positive, albeit varying, influence on behavioural intention, with the affective component having an even greater effect on attitude than the cog-nitive aspect. No correlation was found between knowledge and behavioural intention. The results indicate that attitude is an important factor to include when developing behavioural interventions, but also that different kinds of attitude should be addressed differently in interventions.
DOCUMENT
Adversarial thinking is essential when dealing with cyber incidents and for finding security vulnerabilities. Capture the Flag (CTF) competitions are used all around the world to stimulate adversarial thinking. Jeopardy-style CTFs, given their challenge-and-answer based nature, are used more and more in cybersecurity education as a fun and engaging way to inspire students. Just like traditional written exams, Jeopardy-style CTFs can be used as summative assessment. Did a student provide the correct answer, yes or no. Did the participant in the CTF competition solve the challenge, yes or no. This research project provides a framework for measuring the learning outcomes of a Jeopardy-style CTF and applies this framework to two CTF events as case studies. During these case studies, participants were tested on their knowledge and skills in the field of cybersecurity and queried on their attitude towards CTF education. Results show that the main difference between traditional written exam and a Jeopardy-style CTF is the way in which questions a re formulated. CTF education is stated to be challenging and fun because questions are formulated as puzzles that need to be solved in a gamified and competitive environment. Just like traditional written exams, no additional insight into why the participant thinks the correct answer is the correct answer has been observed or if the participant really did learn anything new by participating. Given that the main difference between a traditional written exam and a Jeopardy-style CTF is the way in which questions are formulated, learning outcomes can be measured in the same way. We can ask ourselves how many participants solved which challenge and to which measurable statements about “knowledge, skill and attitude” in the field of cybersecurity each challenge is related. However, when mapping the descriptions of the quiz-questions and challenges from the two CTF events as case studies to the NICE framework on Knowledge, Skills and Abilities in cybersecurity, the NICE framework did not provide us with detailed measurable statements that could be used in education. Where the descriptions of the quiz-questions and challenges were specific, the learning outcomes of the NICE framework are only formulated in a quite general matter. Finally, some evidence for Csíkszentmihályi’s theory of Flow has been observed. Following the theory of Flow, a person can become fully immersed in performing a task, also known as “being in the zone” if the “challenge level” of the task is in line with the person’s “skill level”. The persons mental state towards a task will be different depending on the challenge level of the task and required skill level for completing it. Results show that participants state that some challenges were difficult and fun, where other challenges were easy and boring. As a result of this9 project, a guide / checklist is provided for those intending to use CTF in education.
DOCUMENT
Om mkb’ers in staat te stellen hun cyberweerbaarheid te verhogen, heeft de Haagse Hogeschool, samen met het Platform Veilig Ondernemen (PVO) en de VeiligheidsAlliantie regio Rotterdam (VAR) een webapplicatie ontwikkeld. Voor de financiering van de webapplicatie heeft het PVO een subsidie ontvangen van het Centrum voor Criminaliteitspreventie en Veiligheid (CCV). Cyberweerbaarheid is hier gedefinieerd als het vermogen om weerstand te bieden tegen bekende en onbekende vormen van cybercriminaliteit en snel te herstellen van een cybercrisis. Naast het ontwikkelen van de app is het doel om mkb’ers in de regio Rotterdam die de app hebben gebruikt: (1) meer bewust te maken van de risico’s van cybercriminaliteit in zijn algemeenheid en ook voor hun bedrijf specifiek; (2) inzicht te geven in weten welke maatregelen ze kunnen treffen om slachtofferschap te voorkomen en schade bij slachtofferschap te beperken; en (3) daadwerkelijk aan de slag te laten gaan met de gegeven tips. De evaluatie van de app vond plaats onder negen mkb’ers in de regio Rotterdam. Zij zijn geworven op cybersecurity congressen in Barendrecht en Dordrecht. De evaluatie bestond uit een nulmeting en een effectmeting op vier relevante kwaliteiten uit de ISO 25010-norm, namelijk de bruikbaarheid, effectiviteit, efficiëntie en het vertrouwen in de uitkomsten. De evaluatie laat zien dat het gebruik van de app door mkb’ers leidt tot meer bewustzijn van cyberrisico’s. Drie van de negen mkb’ers hebben ook daadwerkelijk adviezen die volgen uit het gebruik van de app opgevolgd en daarmee hun cyberweerbaarheid verhoogd. Een verbetermogelijkheid is de vraagstelling die in de app wordt gebruikt om de adviezen te bepalen. Deze was hier en daar verwarrend of sloot niet goed aan bij de organisatie en haar context. En hoewel de deelnemers aan de evaluatie over het algemeen enthousiast waren over de app bleek het in de praktijk lastig om deelnemers te werven. Ook het bewerkstelligen van gedragsverandering is een knelpunt gebleken, zoals blijkt uit het geringe aantal mkb’ers dat daadwerkelijk maatregelen heeft genomen op basis van de adviezen die volgden uit het gebruik van de app. Mogelijke verklaring hiervoor is de lage prioriteit die mkb’ers toekennen aan het nemen van maatregelen om hun cyberweerbaarheid te vergroten. Samenvattend kunnen we concluderen dat de app in de huidige vorm voldoende kwaliteit heeft om mkb’ers te helpen bij het verhogen van de cyberweerbaarheid. Vervolgonderzoek zou zich kunnen richten op de vraag hoe mkb’ers te motiveren in het gebruikmaken van de app en het opvolgen van adviezen.
DOCUMENT
Presentatie gegeven op de NVC congres 2022.
DOCUMENT
The outbreak of the COVID-19 virus in December 2019 and the restrictive measures that were implemented to slow down the spread of the virus have had a significant impact on our way of life. The sudden shift from offline to online activities and work may have resulted in new cybersecurity risks. The present study therefore examined changes in the prevalence, nature and impact of cybercrime among Dutch citizens and SME owners, during the pandemic. Qualitative interviews with ten experts working at various public and private organizations in the Netherlands that have insights into cybercrime victimization and data from victim surveys administrated in 2019 and 2021 were analyzed. The results show that there was only a small, non-statistically significant increase in the prevalence of cybercrime during the pandemic among citizens and SME owners. Nevertheless, the COVID-19 pandemic did have an impact on the modus operandi of cybercriminals: victims indicated that a considerable proportion of the offenses was related to the COVID-19 pandemic, particularly in the case of online fraud. Moreover, the use of new applications and programs for work was associated with an increased risk of cybercrime victimization during the COVID-19 crisis. These results suggest that increases in rates of registered cybercrime that were found in previous studies might be the consequence of a reporting effect and that cybercriminals adapt their modus operandi to current societal developments.
DOCUMENT
NL samenvatting: In dit verkennend onderzoek werden social engineering-aanvallen bestudeerd, vooral de aanvallen die mislukten, om organisaties te helpen weerbaarder te worden. Fysieke, telefonische en digitale aanvallen werden uitgevoerd met behulp van een script volgens de 'social engineering-cyclus'. We gebruikten het COM-B model van gedragsverandering, verfijnd door het Theoretical Domains Framework, om door middel van een enquête te onderzoeken hoe Capability, Motivational en vooral Opportunity factoren helpen om de weerbaarheid van organisaties tegen social engineering-aanvallen te vergroten. Binnen Opportunity leek sociale invloed van extra belang. Werknemers die in kleine ondernemingen werken (<50 werknemers) waren succesvoller in het weerstaan van digitale social engineering-aanvallen dan werknemers die in grotere organisaties werken. Een verklaring hiervoor zou een grotere mate van sociale controle kunnen zijn; deze medewerkers werken dicht bij elkaar, waardoor ze in staat zijn om onregelmatigheden te controleren of elkaar te waarschuwen. Ook het installeren van een gespreksprotocol over hoe om te gaan met buitenstaanders was een maatregel die door alle organisaties werd genomen waar telefonische aanvallen faalden. Daarom is het moeilijker voor een buitenstaander om toegang te krijgen tot de organisatie door middel van social engineering. Dit artikel eindigt met een discussie en enkele aanbevelingen voor organisaties, bijvoorbeeld met betrekking tot het ontwerp van de werkomgeving, om hun weerbaarheid tegen social engineering-aanvallen te vergroten. ENG abstract: In this explorative research social engineering attacks were studied, especially the ones that failed, in order to help organisations to become more resilient. Physical, phone and digital attacks were carried out using a script following the ‘social engineering cycle’. We used the COM-B model of behaviour change, refined by the Theoretical Domains Framework, to examine by means of a survey how Capability, Motivational and foremost Opportunity factors help to increase resilience of organisations against social engineering attacks. Within Opportunity, social influence seemed of extra importance. Employees who work in small sized enterprises (<50 employees) were more successful in withstanding digital social engineering attacks than employees who work in larger organisations. An explanation for this could be a greater amount of social control; these employees work in close proximity to one another, so they are able to check irregularities or warn each other. Also, having a conversation protocol installed on how to interact with outsiders, was a measure taken by all organisations where attacks by telephone failed. Therefore, it is more difficult for an outsider to get access to the organisation by means of social engineering. This paper ends with a discussion and some recommendations for organisations, e.g. the design of the work environment, to help increase their resilience against social engineering attacks. https://openaccess.cms-conferences.org/publications/book/978-1-958651-29-2/article/978-1-958651-29-2_8 DOI: 10.54941/ahfe1002203
DOCUMENT
While many researchers have investigated soft skills for different roles related to business, engineering, healthcare and others, the soft skills needed by the chief information security officer (CISO) in a leadership position are not studied in-depth. This paper describes a first study aimed at filling this gap. In this multimethod research, both the business leaders perspective as well as an analysis of CISO job ads is studied. The methodology used to capture the business leaders perspective is via a Delphi study and the jobs adds are studied using a quantitative content analysis. With an increasing threat to information security for companies, the CISO role is moving from a technical role to an executive role. This executive function is responsible for information security across all layers of an organisation. To ensure compliance with the security policy among different groups within the company, such as employees, the board, and the IT department, the CISO must be able to adopt different postures. Soft skills are thus required to be able to assume this leadership role in the organisation. We found that when business leaders were asked about the most important soft skills the top three consisted out of 'communication', ‘leadership’ and 'interpersonal' skills while 'courtesy' was last on the list for a CISO leadership role.
MULTIFILE
Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Structural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effective (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disappears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business’ characteristics. Based on these findings, we will discuss security professionals’ prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.
DOCUMENT
Design and development practitioners such as those in game development often have difficulty comprehending and adhering to the European General Data Protection Regulation (GDPR), especially when designing in a private sensitive way. Inadequate understanding of how to apply the GDPR in the game development process can lead to one of two consequences: 1. inadvertently violating the GDPR with sizeable fines as potential penalties; or 2. avoiding the use of user data entirely. In this paper, we present our work on designing and evaluating the “GDPR Pitstop tool”, a gamified questionnaire developed to empower game developers and designers to increase legal awareness of GDPR laws in a relatable and accessible manner. The GDPR Pitstop tool was developed with a user-centered approach and in close contact with stakeholders, including practitioners from game development, legal experts and communication and design experts. Three design choices worked for this target group: 1. Careful crafting of the language of the questions; 2. a flexible structure; and 3. a playful design. By combining these three elements into the GDPR Pitstop tool, GDPR awareness within the gaming industry can be improved upon and game developers and designers can be empowered to use user data in a GDPR compliant manner. Additionally, this approach can be scaled to confront other tricky issues faced by design professionals such as privacy by design.
LINK
Full text via link. This research project investigates the connection between internationalisation of small and medium-sized enterprises (SMEs) and innovation in de context of the Utrecht region in the Netherlands. The study makes use of unique data accomplished of with the help of Syntens, the regional agency of the Ministry of Economic Affairs that aims to support the SME innovation. The research group International Business and Innovation was asked to evaluate the effectiveness of consultancy with respect to internationalisation. To this end 173 firms returned a questionnaire on their internationalisation success, innovation and the role of public consulting and subsidies. This dataset allows us to analyse the connection between internationalisation and innovation of Dutch SMEs in great detail.
LINK
