Software security patch management refers to “the process of applying patches to the security vulnerabilities present in the software products and systems deployed in an organisation’s cyber environment”. This involves identifying, acquiring, testing, installing and verifying patches for vulnerabilities, requiring intricate coordination among stakeholders. Less than 50 percent of organisations can quickly patch vulnerable systems to protect against critical threats and zero-day attacks. Attacks on OT systems components have increased, with more than 90 percent of organisations operating within the industry having one or more damaging security events in two years. Within the transportation sector, cybersecurity breaches could pose significant safety risks, emphasising the need for efficient collaboration in patch management.

From the literature review, it can be concluded that very little literature can be found regarding the interactions employees have to carry out (human interactions) to address vulnerabilities within cybersecurity (security patching). Socio-technical challenges have been identified; however, there is a
lack of information about the roles and effects of these challenges, as well as known vulnerabilities and their intake. Furthermore, most cited references neglect human interactions associated with security patching or patch management in their research. It can be seen that these found gaps within the
academic research world are dedicated to security patching in IT, without further research towards security patching within an OT environment. Information about current practices of security patching in OT is lacking, combined with a lack of insights into governance and contributing factors related to human interactions and the complexity of security patching processes, resulting in the main research question: "What lessons can be learned from the current practices, governance and complexity factors within security patching processes in an industrial, operational environment?" An embedded single case study is performed at a logistic service provider in the liquid bulk industry to answer this main research question.

An exploratory research design is used to shape this case study, where the socio-technical system theory of Mumford (2000) is used as a basis for the analytical framework, where three sub-research questions were derived. Three types of research methods were used to gain the data for each sub-research question: SRQ1 direct observations during multiple security patching rounds and internal cybersecurity audit. For SRQ2, internal document analysis of internal documents regarding OT security and three semi-structured interviews with internal expert interviews of the selected case study organisation. For SRQ3, twelve semi-structured interviews with OT suppliers of critical OT systems of the selected case study organisation were organised. The data was analysed via a SWOT analysis (for SRQ1), and reflexive thematic analysis (for SRQ2 and SRQ3) to retrieve final themes as results, where Atlas.ti was used as a qualitative research tool.

In answering the main research question of this research, lessons learned can be drawn from the current state of the selected case study organisation’s security patching processes based on the identified strengths, weaknesses, opportunities, and threats. More lessons can be learned in addressing an organisation’s governance, revealing poor centralised control over OT suppliers, incorporating standards into policies without expertise surrounding these certifications and weak interdepartmental coordination. Governance is also lacking in implemented performance metrics (e.g. missing KPIs), limiting the efficiency of the OT security policy in practice. The last lessons learned are dedicated to five key factors regarding supplier dependency, ignorance of the OT environment, missed certification in the OT landscape, human knowledge remaining necessary, and complexity within the OT domain causing delays in security patching. With underlying contributing factors of this resistance towards security patching by OT suppliers,
misalignment of terminology of security patching, inconsistent patch log processes with many organisational differences between OT suppliers, and lost information due to email traffic surrounding no central point for the documentation of reported problems.

Within the discussion section, a diversion can be seen into the reflection on OT-specific considerations (from an industry perspective), where little information is available about security patching in OT, the enormous impact of patching behaviour by OT experts, and missed governmental guidance within the industrial and operational environment. Secondly, the reflection on the selected case study organisation’s perspective regarding the lack of incorporated KPIs in the SLA addendum and closing with limitations of the research. The knowledge gap of lacking information regarding security patching processes, combined with socio-technical aspects in an industrial operational environment, has been made smaller via this research. It can be concluded that practical insights of lessons learned are identified regarding the knowledge gap, including reasons for delays in implementing security patches and contributing factors of resistance towards security patching within this complex, industrial, operational environment of the specific case study organisation. However, the identified knowledge gap is not yet closed. Therefore, two types of recommendations are given for the industry. Further research is needed regarding security patching in an industrial, operational environment, and four practical recommendations are provided for the selected case study organisation.

Existing research has shown that due to the increasing digitalization and the adoption of digital technologies and complex (big) data solutions, along with higher firm-level productivity, comes a growing and more dynamic threat environment. Organisations rely on data and digital environments. These environments enlarge the potential attack surface, as every end-point device or network node is a potential entry for malicious actors. The (un)intentional insider threat is also increasingly important for the protection of Intellectual property (IP) and business assets. Not only the attack surface has grown over the years, but also the consequences of security breaches have become more severe. Loss of confidentiality, integrity and availability can heavily disrupt working practices or even threaten the continuity of organisations.

The stakes for organisational security have therefore never been higher. Current trends in coping with this new threat landscape are, among others, to increase oversight and ensure strict regulations, both via internal policy and external regulators. Extant literature also emphasises an increase in security spending, as well as technical measures to protect business assets. This paper proposes a framework for determining the maturity of security governance within organisations. Security governance is concerned with the alignment of business goals on the one hand and security goals on the other hand, i.e. working productively and working securely. Good governance would mean that both business- and security goals can be reached without conflicting interests; preferably even by complementing one another. The research argues that security governance consists of more than merely technical measures and punitive oversight. It also parts from existing views about how more security (spending, measures, policies, etc,) is better and how security is predominantly addressed in isolation. Instead, security governance should be in alignment with ’the business’ of an organisation. This brings forward the notion of security governance, as the alignment between security policies and business goals.

Literature has found that these two concepts can often be conflicting, as more security in most cases impacts productivity. Therefore, the concept of maturity is coupled with the research. Maturity emphasises the alignment between security goals and business goals. The research adopts both a conventional view of maturity, as well as a social view of maturity. The conventional view focuses on the effectiveness of security governance. A higher level of maturity indicates improving one or both of the pillars of governance, i.e. the contribution to business goals and security goals. This could mean working more productively/efficiently given certain security policies. Or - the other way around - working more securely whilst also doing projects efficiently. The social view focuses specifically on the way alignment between the two pillars of security governance is reached. It acknowledges that not all perceived governance problems in organisations have a single solution that can be imposed top-down. Instead, employees in organisations have to cope with different challenges and perceive issues related to security governance differently. The social view on maturity therefore argues that dialogue is required between a representative stakeholder group, with different viewpoints and expertise, whereby policies are drafted in concordance.

By means of a case study at Damen Naval - a large Naval shipbuilding organisation relying heavily on IP and bound by strict regulations - input was gathered regarding security governance in three individual security fields: ’access control’, ’data classification, and ’monitoring & incident response. Incorporating results from a literature review, individual interviews and
a focus group session, a framework was built with both a conventional assessment of security governance and a social aspect of how the alignment of policies (security- and business-related) can best be reached. The foundation of the framework consists of six dimensions of security governance:
1. Organisation-wide security and responsibility/accountability
2. Risk-based approach
3. Direction of acquisition and commitment of resources
4. Conformance with internal and external requirements
5. Security positive/conscious culture
6. Security performance measurement/alignment

These dimensions were used to guide and structure the individual interviews and led to a list of performance indicators. Each indicator steers on improving security (in terms of policy-setting) and/or productivity (in terms of contribution to business goals). The research showed that although the security fields were different from each other, most indicators could be applied to all the security fields, showing that the indicators are generalisable to an organisation-wide level. The indicators led to practical recommendations for security governance at Damen Naval. The most important takeaways are to better empower engineers in making decisions on data classification, as currently engineers feel uncomfortable in doing this due to the negative consequences of ’under classifying’, which leads to information being classified higher rather than lower. Also, performance expectations should be clear for employees and additional hours spent on dealing with security measures should not be absorbed by engineers. In line with this, more effort should be put into quantifying the total costs of imposed security measures, both direct and indirect. This will make current security policies better explainable or address issues that need to be improved.

The final stage of the research aimed at reaching concordance on security governance. This was researched via a focus group session in which the metaphor of a doctor-patient relationship about a negotiated treatment plan was used to see whether and to what extent this relationship would be possible in an organisation such as Damen Naval. Despite the fact that such a relationship is hard to pursue in a large organisation with multiple stakeholders as well as being limited in autonomy due to external legislators, the results indicate that concordance would be possible, although on different levels inter- and intra-organisational. Intraorganisational, this research suggests composing an organisational structure wherein employees of the business, ICT and security are represented to discuss matters that are related to security. The focus group session itself proved that this contributed to reaching alignment. Inter organisational, dialogue with external regulators should be pursued. Using the framework for security governance and the security performance indicators, potential misalignment can be determined systematically and a more comprehensive discussion can take place. Finally, future research could focus on improving the framework to enable a Capability Maturity Model (CMM) approach and to conduct a similar case study with the inclusion of an external regulator.

Phishing attacks are a growing cause of cybersecurity incidents such as data breaches. With these attacks, malicious actors try to gain access to systems by exploiting the vulnerability of employees. Particularly, intruders use different tricks to create convincing phishing emails to force people to behave less securely. Unfortunately, technological applications are insufficient in detecting all possible phishing attempts. As the consequences of a successful breach can be disastrous for a company, especially in the banking sector, pressure is put on employees to recognise and report potential phishing emails. To aid them in this task, phishing training is provided by employers. Employees are taught what phishing emails look like and which actions they should take if an email appears malicious. However, the effectiveness of these training sessions is difficult to evaluate.

To understand the interaction of employees with phishing emails without influencing their behaviour, we study the emails employees report as suspicious to characterise the security culture at a bank. A better understanding of the behaviour provides grounds for recommendations to improve anti-phishing training and create a safer environment. The newfound metrics can provide an alternative to current methods.

This research uses Exploratory Data Analysis (EDA) to evaluate the email reporting behaviour of employees at a bank to answer the Research Question How can email reporting patterns in a large organisation measure the relationship between phishing training, reported emails and employee behaviour? With this case study, we apply EDA to a large dataset containing bank employees' reported emails over 16 months. We analysed the reported emails and related them to the provided phishing training events. Moreover, we did a text analysis of the emails' content using the Term Frequency - Inverse Document Frequency (TF-IDF) method. Additionally, we extract the dominant topics of the emails using topic modelling. Lastly, with the help of interviews, the results are tied to employees' experiences to understand their behaviour.

The major findings of the research are, firstly, the new metrics we identified to measure the security culture of a company. These metrics were found from both the analysis of employee behaviour over time, as well as the analysis of the email content. From the analysis of the reporting behaviour over time, new metrics include the unique reporters in relation to the total reported emails over time. Besides the unique reporters, unique reported emails can uncover the presence of campaigns. For example, a single email can explain the increase from 50 to 350 daily benign reports. The difference between the total reports and unique reports uncovered this. Secondly, topic analysis and content comparison show similarities between benign and malicious reported emails, indicating an increased vigilance of employees on these attributes.

A second finding originates from the analysis of the email components. One of the components was used in all simulation emails, while it was not present in all the benign and malicious reported emails. This shows that the simulation emails can be extended to include different scenarios. Therefore, we recommend the company to extend the phishing simulation emails to contain varied phishing tactics to expose employees to other types of attacks and incorporate all aspects taught during the E-learning.

Lastly, the analysis shows no concrete relation between the number of reported emails and the timing of the simulation wave. Although the reported p-value of benign emails after the simulation is 0.03, this significance can also be explained by external factors.

With these results, we can measure employees' security culture and awareness in real-world circumstances without influencing the employees' behaviour, providing a new approach to investigating phishing behaviour. Adding to the research of Steves et al. (2020),, the click rates can be explained by more than solely the employees' awareness levels, and new explanations come forward to handle phishing threats. Moreover, the absence of a required test environment for the analysis created a solution for existing gaps. For example, as seen in (Hillman et al., 2023).

A limitation of exploratory data analysis is that results are often ambiguous and mainly provide possible directions for future research. Furthermore, external factors influencing the behaviour could provide alternative reasons for the discussed interactions.

To conclude, by using the reported emails to measure security behaviour related to phishing, we found new metrics which do not influence the employees in their daily behaviour while still providing insights to improve the tactics of a company in combating phishing attacks. Reporting behaviour can be used to analyse the current anti-phishing tactics of a company and provide suggestions for improvements.

Future research should explore the differences in applying the method in other companies and across sectors. Overlap and differences can create an understanding of the diversity in security culture and the effect of external factors. Combining these results with a comprehensive understanding of a company's operations can expose directions for improvement in the security approach. Additionally, the effect of the recommendations can be analysed using the metrics we proposed. This can be done with a follow-up analysis of the behaviour to see whether the desired effect can be observed.

Addressing the growing problem of phishing attacks requires nurturing a reporting culture within organizations. This research examines the factors influencing reporting behavior and the role of infrastructure & support in enhancing reporting rates. By adopting a mixed methods approach and analyzing phishing simulation logs and user perspectives, the study utilizes the COMB model to identify key factors that affect reporting behavior. The research emphasizes the importance of reassessing the desired level of reporting to ensure the benefits of reporting do not overshadow the associated costs. To foster a reporting culture, organizations should ensure a user-friendly reporting process and offer regular reminders and training programs. Emphasizing communication, transparency, and trust-building are vital in encouraging reporting and providing timely feedback. Leveraging technology to optimize the reporting process and appreciating users' efforts further enhance reporting rates. Overall, embracing a paradigm shift that recognizes users as part of the solution is crucial in nurturing a reporting culture and ensuring a secure digital environment.

Mobile phones are playing an increasingly significant role. The surge of services and tasks performed on mobile phones is accompanied by an ever-increasing amount of personal data about the owner. This has made mobile phones ideal targets for cyber criminals and it has translated into an increase in malware targeting mobile phones. Social engineering threat actors have very effectively adopted SMS texts, as these are universally trusted by phone users, for Flubot, a new and very dangerous malware. The malware spreads through SMS texts and secretly harvests personal and financial information. Because of the novelty of the malware and its tactics, academic and industrial knowledge is very scarce on how to remediate such infections and how to best involve victims.
This research is focused on a better understanding of how the remediation has influenced the impact Flubot has had on victims and smartphone users in general. A quantitative research approach, based on a survey of victims within a large Dutch telecom provider’s client database, is used to gain this understanding. This is aided by desk research, an interview with an active case of Flubot and expert input (employed by telecom providers and governmental bodies). The results from these research methods are put into context by making use of the Fogg Behavior Model, to better understand what might trigger certain target groups to or not to remediate the infection. The larger environment Flubot functioned in, is analysed too, as it was developed over time and by June of 2022 it had been taken down.
This research has found that the detection methods used against Flubot, before it was taken down, were ineffective in detecting and stopping the spread of the malware. This is a result of a misunderstanding of the more recent workings of Flubot and a larger incorrect presumption that there was no urgency to do much about the malware. Furthermore, in the remediation process some important issues are unclear or unaddressed for victims, leading to a situation where it is often not clear what might have caused the infection or what can be done to prevent a future infection. It is important to prevent further infections, as similar malware does exist, functioning on similar principles, and there is a chance that Flubot might reappear.
The research is based on victims and there was no target group reached that had not been victimised. This makes for a possibly skewed understanding of the situation which should be researched. The data has been gathered through one of the largest telecom providers of the Netherlands, which is not necessarily representative for the whole Dutch industry. Researching other telecom providers in and outside the Netherlands could provide a more comprehensive understanding. The research has led recommending an adaptive notification systems and improvements to the notifications currently used.

In the current digitalised society keeping assets secure is one of the most prominent challenges organisations face. In the ongoing arms race between attackers and defenders, software security patching is a well-recognised and effective strategy to mitigate vulnerabilities in software products. However, organisations struggle with the best practice to “patch early and often”, resulting in vulnerabilities in software being exposed for much longer than desired. Prior research indicates the socio-technical nature of this practice forms the core of delays in software patch management. Developing a deeper understanding of the decision-making of IT practitioners and what socio-technical factors play a role in this process allows organisations to address the ineffectiveness of their security patch process. The main research question in this explorative research is: What socio-technical factors influence the effectiveness and timeliness of the security patching process in organisations? This Mixed Methods research combines qualitative data from interviews with IT practitioners, with a quantitative data exploration of the meaningfulness of organisational measurements. Findings show that IT practitioners go through a funnel of decision-making that influences the decision of what to patch, and when to patch. The presence and interplay of different socio-technical factors related to four main aspects of this decision (i.e., security, applicability, operability, and availability) result in tensions and trade-offs influencing the decision space of IT. Furthermore, this study indicates the interrelations between the significance of socio-technical factors, which is reduced by certain coping strategies applied by IT practitioners. This research reveals that having some measurement in place helps to understand the existence of challenges and the working of coping strategies, therefore contributing to an understanding of socio-technical challenges. However, it also reveals several limitations to the quality of existing data and difficulties in coming to measurements that provide meaningful information, due to socio-technical factors. The main contribution of this research is a better understanding of how socio-technical factors influence the decision-making process of IT practitioners. This research is limited in the way it uses quantitative data to understand patching activity. Future research is recommended to compare the potential discrepancy between what IT practitioners state influences the effectiveness of their security patch process and what the actual patching activity of IT practitioners reveals about the effectiveness of patching. This research furthermore hypothesises that not all socio-technical factors have the same level of significance. It is recommended to investigate the possibilities of quantification of the importance of each of the socio-technical challenges identified in this explorative study.

This study investigates organizations’ approaches to managing cybersecurity challenges that are associated with high levels of teleworking. Over the last two and a half years the pandemic forced organizations to implement teleworking models that resulted in a large share of the workforce working from home. The increasing use of teleworking resulted in organizations being worried about their ability to handle cyberthreats, while at the same time they sidestepped on their cybersecurity to implement a proper teleworking model. There is a large body of literature showing what the security risks and practices are related to these high levels of teleworking, while it is not clear what the related security challenges are and how organizations are approaching these. So, there is a gap in the literature regarding the understanding of the current cybersecurity challenges and approaches that are associated with these high levels of teleworking. Semi-structured interviews were conducted with both cybersecurity consultants and individuals that fulfill a role in an organization that makes them responsible for the cybersecurity management of the organization. Thematic analysis was used that led to the identification of four main security challenges and four approaches used to manage these challenges. The following four challenges were identified: ‘Security vs. privacy’ which shows how it is challenging for organizations to secure the private environments of their organizations without invading their privacy. Secondly, the ‘Control & awareness which addresses the balance between control and awareness. More restrictions can lead to less security if there is a lack of awareness and knowledge among employees. Thirdly, the ’Lack of resources’ challenge, not all organizations have the monetary resources to achieve the desired level of security. Finally, the ’Priorities’ challenge shows how according to the consultants, cybersecurity is still seen as a burden and is being neglected by organizations, regardless of the increase in cybersecurity attention and the increased risks related to high levels of teleworking.
The identified approaches start with ‘Technology & Processes’ as this is most often the first choice for organizations. Using device management systems with corporate devices or BYOD devices with an enclave to ensure security without invading privacy. Education of the workforce is deemed one of the most successful approaches, since the security of the organizations is now more dependent on the workforce, raising awareness through education is of great importance. An approach that at first glance seems more counter-intuitive is the establishment of a security culture that takes years to achieve. Cybersecurity is involved into the daily tasks of the complete workforce. Without forcing and too many controls, but nudging employees by discussion and giving them responsibilities. The last approach shows that despite the priority challenge that is only mentioned by consultants, organizations want to become more mature, and organizations are currently giving cybersecurity a higher priority.

The rapid development of technology gives many opportunities but brings threats as well. The digitization of the financial sector has made the threat for cyber attacks significant. Cyber attacks such as the Petya virus or the Wannacry attack have exposed the vulnerability of the critical infrastructure. The financial sector is especially prone to cyber attacks within the critical infrastructure. The financial sector must be available at all times. Even a minor disruption could cause wrongful or unexecuted transactions leading to cascading effects on careers, organizations, or entire industries. The way to cope with disruptive cyber events is through digital operational resilience. In order to ensure this the European Commission has proposed the Digital Operational Resilience Act. A regulation that harmonizes existing guidelines aimed at ensuring resilience against cyber attacks for the financial sector in the EU. To estimate the regulatory performance of the DORA, insight is to be created into the perceptions of the stakeholders. Therefore, the research question of this thesis is: What is the perception of the financial sector towards the expectation of the Digital Operational Resilience Act? In order to answer this research question, interviews were conducted with high-level security managers of financial service organizations (FSOs) in the Netherlands, ICT providers and supervisory authorities. From insights gathered through the interviews, it can be concluded that the participants share a predominantly positive perception of the DORA. They were confident about there ability to be compliant within the given 24 months. The DORA is also seen as a step in the right direction towards a digital operational resilient financial sector. Recommendations are made for supervisory authorities regarding the implementation and supervision of the DORA and for the FSOs on the implementation and compliance with the DORA.

Research shows that most of the security issues arise through human shortcomings, instead of technical issues (Abawajy, 2014). Therefore, users of information systems have to become more security aware. The reasonable solution to these human shortcomings was to provide users with policies that tell them what to do and have the technical systems behind them for support. However, within an organisational environment, information technology is increasingly needed for the completion of work activities. This creates problems for users to follow policies that require an excessive amount of effort and introduces human errors. Mainly caused by employees feeling like the amount of effort is unreasonable and not fitting into their daily work activities (Kirlappos, Parkin, & Sasse, 2014). Subsequently, cyber attacks are mostly caused by liabilities created due to the human error and social engineering (Schneier, 2015). Therefore, it is of importance for organisations to find a way to manage security in an effective manner, by taking into account the interactions between the social and physical environment. Accordingly, there is a possibility that employees find complying to security rules and procedures to have higher costs than benefits to their company. Finally, it is fundamental to find aspects where the business and security processes clash, in order to improve the security and productivity of the organisation (Beautement, Becker, Parkin, Krol, & Sasse, 2016).

Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is the need for more IoT governance but no specification on governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this. To answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices?
Using a literature study to define IoT concepts and the governance of IoT and current governance examples, background information is provided for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed only 191 devices are fully identifiable from the total number of IP addresses. These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers.
Governance options are defined for these stakeholders (e.g. security-by-design, informing users etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality.
The conclusion found is that the most viable action to take is informing device users since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. Starting public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and starting information campaigns and therefore try to reach as many people as possible. Even though ISPs can not provide in reaching vulnerable users directly, they can help in general information campaigns. Increasing security practices on the user side while waiting for legislation on the manufacturer's side.