The rapid development of technology gives many opportunities but brings threats as well. The digitization of the financial sector has made the threat for cyber attacks significant. Cyber attacks such as the Petya virus or the Wannacry attack have exposed the vulnerability of the critical infrastructure. The financial sector is especially prone to cyber attacks within the critical infrastructure. The financial sector must be available at all times. Even a minor disruption could cause wrongful or unexecuted transactions leading to cascading effects on careers, organizations, or entire industries. The way to cope with disruptive cyber events is through digital operational resilience. In order to ensure this the European Commission has proposed the Digital Operational Resilience Act. A regulation that harmonizes existing guidelines aimed at ensuring resilience against cyber attacks for the financial sector in the EU. To estimate the regulatory performance of the DORA, insight is to be created into the perceptions of the stakeholders. Therefore, the research question of this thesis is: What is the perception of the financial sector towards the expectation of the Digital Operational Resilience Act? In order to answer this research question, interviews were conducted with high-level security managers of financial service organizations (FSOs) in the Netherlands, ICT providers and supervisory authorities. From insights gathered through the interviews, it can be concluded that the participants share a predominantly positive perception of the DORA. They were confident about there ability to be compliant within the given 24 months. The DORA is also seen as a step in the right direction towards a digital operational resilient financial sector. Recommendations are made for supervisory authorities regarding the implementation and supervision of the DORA and for the FSOs on the implementation and compliance with the DORA.

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking.
The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

In the current digitalised society keeping assets secure is one of the most prominent challenges organisations face. In the ongoing arms race between attackers and defenders, software security patching is a well-recognised and effective strategy to mitigate vulnerabilities in software products. However, organisations struggle with the best practice to “patch early and often”, resulting in vulnerabilities in software being exposed for much longer than desired. Prior research indicates the socio-technical nature of this practice forms the core of delays in software patch management. Developing a deeper understanding of the decision-making of IT practitioners and what socio-technical factors play a role in this process allows organisations to address the ineffectiveness of their security patch process. The main research question in this explorative research is: What socio-technical factors influence the effectiveness and timeliness of the security patching process in organisations? This Mixed Methods research combines qualitative data from interviews with IT practitioners, with a quantitative data exploration of the meaningfulness of organisational measurements. Findings show that IT practitioners go through a funnel of decision-making that influences the decision of what to patch, and when to patch. The presence and interplay of different socio-technical factors related to four main aspects of this decision (i.e., security, applicability, operability, and availability) result in tensions and trade-offs influencing the decision space of IT. Furthermore, this study indicates the interrelations between the significance of socio-technical factors, which is reduced by certain coping strategies applied by IT practitioners. This research reveals that having some measurement in place helps to understand the existence of challenges and the working of coping strategies, therefore contributing to an understanding of socio-technical challenges. However, it also reveals several limitations to the quality of existing data and difficulties in coming to measurements that provide meaningful information, due to socio-technical factors. The main contribution of this research is a better understanding of how socio-technical factors influence the decision-making process of IT practitioners. This research is limited in the way it uses quantitative data to understand patching activity. Future research is recommended to compare the potential discrepancy between what IT practitioners state influences the effectiveness of their security patch process and what the actual patching activity of IT practitioners reveals about the effectiveness of patching. This research furthermore hypothesises that not all socio-technical factors have the same level of significance. It is recommended to investigate the possibilities of quantification of the importance of each of the socio-technical challenges identified in this explorative study.

Mobile phones are playing an increasingly significant role. The surge of services and tasks performed on mobile phones is accompanied by an ever-increasing amount of personal data about the owner. This has made mobile phones ideal targets for cyber criminals and it has translated into an increase in malware targeting mobile phones. Social engineering threat actors have very effectively adopted SMS texts, as these are universally trusted by phone users, for Flubot, a new and very dangerous malware. The malware spreads through SMS texts and secretly harvests personal and financial information. Because of the novelty of the malware and its tactics, academic and industrial knowledge is very scarce on how to remediate such infections and how to best involve victims.
This research is focused on a better understanding of how the remediation has influenced the impact Flubot has had on victims and smartphone users in general. A quantitative research approach, based on a survey of victims within a large Dutch telecom provider’s client database, is used to gain this understanding. This is aided by desk research, an interview with an active case of Flubot and expert input (employed by telecom providers and governmental bodies). The results from these research methods are put into context by making use of the Fogg Behavior Model, to better understand what might trigger certain target groups to or not to remediate the infection. The larger environment Flubot functioned in, is analysed too, as it was developed over time and by June of 2022 it had been taken down.
This research has found that the detection methods used against Flubot, before it was taken down, were ineffective in detecting and stopping the spread of the malware. This is a result of a misunderstanding of the more recent workings of Flubot and a larger incorrect presumption that there was no urgency to do much about the malware. Furthermore, in the remediation process some important issues are unclear or unaddressed for victims, leading to a situation where it is often not clear what might have caused the infection or what can be done to prevent a future infection. It is important to prevent further infections, as similar malware does exist, functioning on similar principles, and there is a chance that Flubot might reappear.
The research is based on victims and there was no target group reached that had not been victimised. This makes for a possibly skewed understanding of the situation which should be researched. The data has been gathered through one of the largest telecom providers of the Netherlands, which is not necessarily representative for the whole Dutch industry. Researching other telecom providers in and outside the Netherlands could provide a more comprehensive understanding. The research has led recommending an adaptive notification systems and improvements to the notifications currently used.

Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices?
Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers.
Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality.
The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.

Research shows that most of the security issues arise through human shortcomings, instead of technical issues (Abawajy, 2014). Therefore, users of information systems have to become more security aware. The reasonable solution to these human shortcomings was to provide users with policies that tell them what to do and have the technical systems behind them for support. However, within an organisational environment, information technology is increasingly needed for the completion of work activities. This creates problems for users to follow policies that require an excessive amount of effort and introduces human errors. Mainly caused by employees feeling like the amount of effort is unreasonable and not fitting into their daily work activities (Kirlappos, Parkin, & Sasse, 2014). Subsequently, cyber attacks are mostly caused by liabilities created due to the human error and social engineering (Schneier, 2015). Therefore, it is of importance for organisations to find a way to manage security in an effective manner, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying to security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation (Beautement, Becker, Parkin, Krol, & Sasse, 2016).