Space data provide timely and reliable information that enables a wide variety of civil and commercial applications. Thanks to their volume, velocity, variety, and veracity, space big data create the potential for additional benefits from space data. The benefits of space big data depend on the ways in which data are collected, accessed, used, and disseminated, therefore the laws and data policies that affect them should be studied. This thesis answers the question ‘How could space big data be regulated to address existing legal challenges and enhance their benefits?’. In particular, it identifies the laws and data policies that are relevant to the collection, access, use, and dissemination of space big data, among the legal frameworks that govern activities involving space or data. It also assesses the impact of the relevant laws and data policies, in terms of the limitations they impose on data collection, access, use, and dissemination. From the analysis of the relevant laws and data policies and their impact, the thesis draws the areas where their application encounters difficulties and describes the respective legal challenges. Based on these findings, recommendations are provided for overcoming the legal challenges and enhancing the collection, access, use, and dissemination of data, and by extension, their benefits.
Small and Medium-sized Enterprises (SMEs) constitute a very large part of every country's economy and play an essential role in economic growth and social development. SMEs are frequent targets of cyberattacks. Unlike large enterprises, SMEs generally have limited capabilities regarding cybersecurity practices. Assessment and improvement of cybersecurity capabilities are crucial for SMEs to survive and sustain their operations. Despite the availability of maturity assessment models and standards to assess and improve cybersecurity capabilities, SMEs' specific requirements and roles in the digital ecosystem are often neglected. This paper presents high-level SME requirements regarding cybersecurity maturity assessment and standardization and translates them into an Adaptable Security Maturity Assessment and Standardization (ASMAS) framework to address this gap. The framework is demonstrated by a web-based software prototype. In the evaluation study conducted with SMEs, we obtained positive results for perceived usefulness, perceived ease of use of the framework, and intention to use it.
Mors, E. ter; Lelieveld, G.-J.; Noordewier, M.; Vliet, A. van der; Hilgevoord, V.; Dijkstra, R.; Dijk, W. van 2022
Small- and medium-sized enterprises (SMEs) frequently experience cyberattacks, but often do not have the means to counter these attacks. Therefore, cybersecurity researchers and practitioners need to aid SMEs in their defence against cyber threats. Research has shown that SMEs require solutions that are automated and adapted to their context. In recent years, we have seen a surge in initiatives to share cyber threat intelligence (CTI) to improve collective cybersecurity resilience. Shared CTI has the potential to answer the SME call for automated and adaptable solutions. Sadly, as we demonstrate in this paper, current shared intelligence approaches scarcely address SME needs. We must investigate how shared CTI can be used to improve SME cybersecurity resilience. In this paper, we tackle this challenge using a systematic review to discover current state-of-the-art approaches to using shared CTI. We find that threat intelligence sharing platforms such as MISP have the potential to address SME needs, provided that the shared intelligence is turned into actionable insights. Based on this observation, we developed a prototype application that processes MISP data automatically, prioritises cybersecurity threats for SMEs, and provides SMEs with actionable recommendations tailored to their context. Subsequent evaluations in operational environments will help to improve our application, such that SMEs are enabled to thwart cyberattacks in future.
Online data breaches are recurrent and damaging cyber incidents for organizations worldwide. This study examines how organizations can effectively mitigate reputational damages in the aftermath of data breaches by hacking through situational crisis communication strategies. Comparable data breach crises do not have an equally negative impact on organizational reputation. Providing comprehensive and exhaustive guidelines and detailed explanations about the incident to consumers helped to reduce the damage. Organizations that primarily relied on one single strategy performed better than those that inconsistently blended strategies. Denial in particular was ultimately detrimental to organizational reputation. Self-disclosure allowed companies to positively influence media reporting. Social media communication did not play an important role in the response of the organizations involved. The consistent and timely adoption of compensation, apology and rectification strategies, combined with reinforcing strategies such as ingratiation and bolstering, positively influenced reputational recovery from the crisis.
Private sector Active Cyber Defence (ACD) lies on the intersection of domestic security and international security and is a recurring subject, often under the more provocative flag of ‘hack back’, in the American debate about cyber security. This article looks at the theory and practice of private cyber security provision and analyses in more detail a number of recent reports and publications on ACD by Washington DC-based commissions and think tanks. Many of these propose legalizing forms of active cyber defence, in which private cyber security companies would be allowed to operate beyond their own, or their clients’ networks, and push beyond American law as it currently stands. Generally, public-private governance solutions for security problems have to manage a balance between (i) questions of capacity and assigning responsibilities, (ii) the political legitimacy of public–private security solutions and (iii) the mitigation of their external effects. The case of private active cyber defence reveals a strong emphasis on addressing the domestic security (and political) problem, while failing to convincingly address the international security problems. The proposals aim to create a legitimate market for active cyber defence, anchored to the state through regulation and certification as a way to balance capacity, responsibilities and domestic political legitimacy. A major problem is that even though these reports anticipate international repercussions and political pushback against what is likely to be received internationally as an escalatory and provocative policy, they offer little to mitigate it.
Cybersecurity experts foster a perception of cybersecurity as a gloomy underworld in which the good guys must resort to unconventional tactics to keep at bay a motley group of threats to the digital safety of unsuspecting individuals, businesses, and governments. This article takes this framing seriously, drawing on film studies scholarship that identifies certain aesthetic themes as associated with moral ambiguity in noir films. This article introduces the term “cyber-noir” to describe the incorporation of noir elements in cybersecurity expert discourses. It argues that the concept of cyber-noir helps explain the persistence of practices that blur legal, moral, and professional lines between legitimate and malicious activity in cyberspace. Consequently, changing cybersecurity requires not only institutional and technological measures, but also a re-constitution of cybersecurity identities themselves.
As part of the EU's policy on cybersecurity and the protection of critical infrastructure, the Network and Information Security Directive (NIS Directive) entered into force in 2016 after lengthy negotiations. This article provides a critical discussion of the directive, addressing its added value and asking whether its aim, namely to harmonise cybersecurity legislation in the EU, can be expected to succeed.