649 research outputs found

    Volitional Cybersecurity

    This dissertation introduces the “Volitional Cybersecurity” (VCS) theory as a systematic way to think about adoption and manage long-term adherence to cybersecurity approaches. The validation of VCS has been performed in small- and medium-sized enterprises or businesses (SMEs/SMBs) context. The focus on volitional activities promotes theoretical viewpoints. Also, it aids in demystifying the aspects of cybersecurity behaviour in heterogeneous contexts that have neither been systematically elaborated in prior studies nor embedded in cybersecurity solutions. Abundant literature demonstrates a lack of adoption of manifold cybersecurity remediations. It is still not adequately clear how to select and compose cybersecurity approaches into solutions for meeting the needs of many diverse cybersecurity-adopting organisations. Moreover, the studied theories in this context mainly originated from disciplines other than information systems and cybersecurity. The constructs were developed based on data, for instance, in psychology or criminology, that seem not to fit properly for the cybersecurity context. Consequently, discovering new methods and theories that can be of help in active and volitional forms of cybersecurity behaviour in diverse contexts may be conducive to a better quality of cybersecurity engagement. This leads to the main research question of this dissertation: How can we support volitional forms of behaviour with a self-paced tool to increase the quality of cybersecurity engagement? The main contribution of this dissertation is the VCS theory. VCS is a cybersecurity-focused theory structured around the core concept of volitional cybersecurity behaviour. It suggests that a context can be classified based on the cybersecurity competence of target groups and their distinct requirements. This classification diminishes the complexity of the context and is predictive of improvement needs for each class. 
    Further, the theory explicates that supporting three factors: A) personalisation, B) cybersecurity competence, and C) connectedness to cybersecurity expertise affect the adoption of cybersecurity measures and better quality of cybersecurity engagement across all classes of the context. Therefore, approaches that ignore the personalisation of cybersecurity solutions, the cybersecurity competence of target groups, and the connectedness of recipients to cybersecurity expertise may lead to poorer acceptance of the value or utility of solutions. Subsequently, it can cause a lack of motivation for adopting cybersecurity solutions and adherence to best practices. VCS generates various implications. It has implications for cybersecurity research in heterogeneous contexts to transcend the common cybersecurity compliance approaches. Building on VCS, researchers could develop interventions looking for volitional cybersecurity behaviour change. Also, it provides knowledge that can be useful in the design of self-paced cybersecurity tools. VCS explains why the new self-paced cybersecurity tool needs specific features. The findings of this dissertation have been subsequently applied to the follow-up project design. Further, it has implications for practitioners and service providers to reach out to the potential end-users of their solutions

    Customer’s Cybersecurity Awareness in Indonesian Online Clothing Micro, Small and Medium Enterprises

    In the current technological era, almost every business operation and transaction are conducted through cyberspace, including micro, small and medium enterprises (MSME). However, MSMEs pose the greatest vulnerability to cyber-attacks due to their limitation in both awareness and resources. Multiple research found that people significantly affect cybersecurity more than the technical aspect. Thus, making cybersecurity awareness vital for every business, especially MSMEs. Currently, most cybersecurity awareness research is focused on the perspective of MSMEs and their owners. Limited cybersecurity awareness research assesses MSMEs in Indonesia, especially in the online clothing sector. This research will contribute to assessing cybersecurity awareness from MSME customers’ perspective and aims to recommend Indonesian online clothing MSME environment to raise cybersecurity awareness. The researcher used a survey and a semi-structured interview to assess the overall cybersecurity awareness of Indonesian online clothing MSME customers. The semi-structured interview also explored respondents’ opinions on raising cybersecurity awareness in the Indonesian online clothing MSME. The result shows a variety of levels of cybersecurity awareness among respondents. Correlation tests were conducted and found several aspects that were affecting respondents’ cybersecurity awareness. The interview results also support the findings in the survey whilst also contributing to providing recommendations to raise cybersecurity awareness. Keywords: Customers, Cybersecurity, Cybersecurity Awareness, Cyber-attack, MSM

    The HORM Diagramming Tool: A Domain-Specific Modelling Tool for SME Cybersecurity Awareness

    Improving security posture while addressing human errors made by employees are among the most challenging tasks for SMEs concerning cybersecurity risk management. To facilitate these measures, a domain-specific modelling tool for visualising cybersecurity-related user journeys, called the HORM Diagramming Tool (HORM-DT), is introduced. By visualising SMEs’ cybersecurity practices, HORM-DT aims to raise their cybersecurity awareness by highlighting the related gaps, thereby ultimately informing new or updated cyber-risk strategies. HORM-DT’s target group consists of SMEs’ employees with various areas of technical expertise and different backgrounds. The tool was developed as part of the Human and Organisational Risk Modelling (HORM) framework, and the underlying formalism is based on the Customer Journey Modelling Language (CJML) as extended by elements of the CORAS language to cover cybersecurity-related user journeys. HORM-DT is a fork of the open-source Diagrams.net software, which was modified to facilitate the creation of cybersecurity-related diagrams. To evaluate the tool, a usability study following a within-subject design was conducted with 29 participants. HORM-DT achieved a satisfactory system usability scale score of 80.69, and no statistically significant differences were found between participants with diverse diagramming tool experience. The tool’s usability was also praised by participants, although there were negative comments regarding its functionality of connecting elements with lines.

    Sustainable Information Security Sensitization in SMEs: Designing Measures with Long-Term Effect

    This paper outlines an overall scenario for ongoing personnel development measures designed to increase information security awareness in small and medium-sized enterprises (SMEs) in Germany and to help small businesses improve their security levels and defenses. The three-year project combines different actors and a multitude of methods, with a focus on conducting interviews and online surveys with companies, developing customized game-based awareness trainings, tests, and on-site attacks, and creating measurements and evaluations as well as maturity statements, guidelines, and low-threshold security concepts. A mix of analog/digital serious games and operational trainings with reviews are of key importance here. Compared with the findings from the applied scientific literature on behavioral research and design, the ultimate goal at project’s end is to extrapolate statements on the success and efficacy of the measures and their long-term effect

    "It may take ages": understanding human-centred lateral phishing attack detection in organisations

    Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone – though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups where a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we ask participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilize personal knowledge to guess unlock codes

    Systematic approach to cyber resilience operationalization in SMEs

    The constantly evolving cyber threat landscape is a latent problem for today’s companies. This is especially true for the Small and Medium-sized Enterprises (SMEs) because they have limited resources to face the threats but, as a group, represent an extensive payload for cybercriminals to exploit. Moreover, the traditional cybersecurity approach of protecting against known threats cannot withstand the rapidly evolving technologies and threats used by cybercriminals. This study claims that cyber resilience, a more holistic approach to cybersecurity, could help SMEs anticipate, detect, withstand, recover from and evolve after cyber incidents. However, to operationalize cyber resilience is not an easy task, and thus, the study presents a framework with a corresponding implementation order for SMEs that could help them implement cyber resilience practices. The framework is the result of using a variation of Design Science Research in which Grounded Theory was used to induce the most important actions required to implement cyber resilience and an iterative evaluation from experts to validate the actions and put them in a logical order. Therefore, this study proposes that the framework could benefit SME managers to understand cyber resilience, as well as help them start implementing it with concrete actions and an order dictated by the experience of experts. This could potentially ease cyber resilience implementation for SMEs by making them aware of what cyber resilience implies, which dimensions it includes and what actions can be implemented to increase their cyber resilience

    Roadmap for NIS education programmes in Europe: education

    This document continues work from previous activities by suggesting training materials, scenarios and a way forward for implementing the EC roadmap for NIS education in Europe. In doing so, the Agency has recognised the heterogeneous landscape of Europe in this area

    Ensuring American Manufacturing Leadership Through Next-Generation Supply Chains

    Suppliers now account for 50-70 percent of a typical manufacturer’s final production value. How U.S. manufacturers manage their supply chains has been the key to offshoring production and will be the key to rebuilding a robust manufacturing sector. Traditional purchasing practices, in which buying decisions are based on the lowest unit cost with acceptable quality and delivery, drove much of the shift to Asian suppliers. As Asian capabilities progressed, a more diverse range of products were imported from Asia, mostly China. Some U.S. suppliers responded by building production facilities or contracting production in China, while others, unable to compete, failed. The number of U.S. manufacturing establishments, 292,825 in 2015, has declined by more than 41,000 since 2005. A growing number of U.S. manufacturers, however, have recognized that this model of supply chain management does not provide a sustainable competitive advantage. If their products are made in the same factories as those of their competitors, product differentiation too often has become superficial. Regaining a competitive edge requires a different approach to managing suppliers, one in which the total supply chain is managed to maximize value. Suppliers are treated as partners, contributing design and engineering ideas. Manufacturing capacity, production planning, and delivery schedules are closely coordinated. Rather than a strict focus on low unit price, broader considerations of cost, flexibility, consistency, and risk minimization—collectively known as Total Cost of Ownership—drive purchasing decisions, at least for high-value parts and components. Many specific tools and techniques for building strong supplier partnerships have been created, and could be more widely used with appropriate training and information sharing.
    National Science Foundation, Grant No. 1552534
    https://deepblue.lib.umich.edu/bitstream/2027.42/145153/1/SupplyChainReport_Digital_FINAL_reduced.pdf