Awareness of cybercrime and cybersecurity. A case study into the relation between awareness of cybercrime and cybersecurity and the effectiveness of cybersecurity policies

Academic year: 2021


August, 2016

Chantal Jongeneel

Student ID: S1138367

Email: c.v.l.jongeneel@umail.leidenuniv.nl

Supervisor: Dr. M.A.J. Ezinga

Second reader: Dr. A.L. van Leeuwen

Master Thesis

Crisis and Security Management

AWARENESS OF CYBERCRIME AND CYBERSECURITY

A CASE STUDY INTO THE RELATION BETWEEN AWARENESS OF CYBERCRIME

AND CYBERSECURITY AND THE EFFECTIVENESS OF CYBERSECURITY POLICIES


Foreword

Before you lies the master thesis: “Awareness of cybercrime and cybersecurity. A case study into the relation between awareness of cybercrime and cybersecurity and the effectiveness of cybersecurity policies.” This thesis was written for the completion of the master Crisis and Security Management at Leiden University. From January 2016 until August 2016 I have been engaged in the research and writing of the thesis.

Together with my supervisor, Menno Ezinga, I have figured out the research question for this thesis. The research that I conducted was complex. After extensive quantitative and qualitative research I was able to answer the research question. During this investigation I was very grateful for my fellow students and contacts from my bachelor’s degree. They always answered my questions so I could continue my research.

I would like to thank not only my supervisor, but also the study advisor, for motivating me during the times I needed motivation the most. A special thanks to the company that allowed me to conduct this study. Without them this would not have been possible. I also want to thank the interviewees and respondents who have cooperated in this study.

Finally, I would like to thank all my family and friends who have helped me to stay focused. Especially, Maarten van Schaik, for his moral support and wisdom.

I hope this thesis provides you with new insights.

Chantal Jongeneel


Abstract

This study empirically investigated the relation between awareness of cybercrime and cybersecurity and the effectiveness of the cybersecurity policy of a healthcare organization. Literature indicates that awareness of cybercrime and cybersecurity, password behavior and compliance behavior of employees are related to the effectiveness of cybersecurity policies. Further, the number of cybersecurity incidents an organization faces is related to the effectiveness of its cybersecurity. This study followed a mixed methods research design. Qualitative data were collected by reviewing the policy documents and incident reports, and by conducting interviews. Quantitative data were collected by conducting a survey amongst the organization’s employees. The results showed that there is a relation between awareness of cybercrime and cybersecurity and the effectiveness of the cybersecurity policy of the organization. The interviews and incident review showed that password sharing is believed to be one of the biggest threats to the organization’s cybersecurity. One of the main explanations provided for this finding is that employees prefer usability over cybersecurity.


Table of Contents

1. Introduction
2. Theory
2.1 Previous studies
2.1.1 Social engineering
2.1.2 End-user behavior
2.2 Limitations in the existing literature
3. Method
3.1 Operationalization
3.2 Case study selection
3.2.1 Case study subject
3.3 Data collection and analysis
3.3.1 Cybersecurity policy of the company
3.3.2 The interviews
3.3.3 The survey
3.4 Limitations
4. Results
4.1 Policy review
4.1.1 The Strategic ICT Policy
4.1.2 The Plan of Action for the Implementation of Information Security
4.1.3 The Code of Conduct for the Use of the Company’s Network, the Internet and Corporate E-mail
4.2 Incident review
4.2.1 Reports from the monitor and IT department
4.2.2 Reports of cybersecurity incidents by employees
4.2.3 Communications between the IT department and employees
4.2.4 Analysis of incident reports
4.3 Interview results
4.4 Survey results
4.4.1 The awareness level of employees
4.4.2 Password behavior of employees
5. Discussion
5.2 Limitations
5.3 Recommendations
References
Appendices
Appendix A. Structured interview questions
Appendix B. The survey
Appendix C. Complete list of variables
Appendix D. Checklist for choosing the right statistical analysis
Appendix E. Overview of statistical analyses


1. Introduction

Life today would be unimaginable without the internet. We have become dependent on it. With this dependency comes risk (Choo, 2011). The internet and its potential uses have grown exponentially in the past couple of years. This growth is used for the benefit of everyday life, but has also created new possibilities for criminals (Bossler & Holt, 2009; Choo, 2011). Not only are ordinary people targeted by cybercrime, but also public and private organizations find themselves the targets of cybercrime (Choo, 2011; Dodge Jr., Carver, & Ferguson, 2007; Flores & Ekstedt, 2016). The reasons for cybercriminals to target private and public companies are diverse, but one of the main reasons that organizations are targeted is that organizations hold a wealth of information. This stock of knowledge includes both financial information and private information about other companies or individuals. When this information is lost or stolen, companies can lose not only money, but they might also suffer damage to their reputations (Albrechtsen & Hovden, 2010; Bossler & Holt, 2009; Collins, Sainato, & Khey, 2011; Safa, Van Solms, & Furnell, 2016).

As such, cybercrime has become a considerable risk for private and public organizations alike, and most medium- and large-sized companies have created cybersecurity policies to deal with this threat (Flores & Ekstedt, 2016). These policies include both technological measures and rules to regulate the online behavior of employees (Bossler & Holt, 2009; Choo, 2011; Flores & Ekstedt, 2016). One component of regulating the online behavior of employees is education (Albrechtsen & Hovden, 2010; Dodge Jr., Carver, & Ferguson, 2007; Flores & Ekstedt, 2016). Awareness of cybercrime and cybersecurity has emerged as a very important element in implementing effective cybersecurity policies (Albrechtsen & Hovden, 2010; Flores & Ekstedt, 2016; Stanton, Stam, Mastrangelo, & Jolton, 2005). Recent studies have shown that 40% to 50% of all cybersecurity incidents are caused by employees (Collins, Sainato, & Khey, 2011). These incidents usually take place when an employee has clicked on a link, on a website or in an e-mail, that led to malicious software. This usually occurs through social engineering (Flores & Ekstedt, 2016; Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014).

Social engineering is “the psychological manipulation of people” (p. 27) into giving up information that benefits the attacker. The most well-known form of social engineering in relation to cybersecurity is phishing, the manipulation of users through e-mails (Flores & Ekstedt, 2016). Phishing is not directed at a specific individual or company, but aims at gathering as much information as possible by infecting as many computers as possible. When a phishing e-mail is targeted at a specific individual, group of individuals or company, it is called spear-phishing. The goal of spear-phishing is to gain access to specific information that the attacker deems desirable (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014).

Symantec’s Internet Security Threat Report for 2015 showed that the number of spear-phishing campaigns targeting employees increased by 55% in 2015 compared to 2014. Of all e-mails received, 53% were spam (Symantec, 2016). Filters and other technological measures block most of these e-mails, but it is impossible to identify and stop every malicious e-mail from reaching the employee (Flores & Ekstedt, 2016; Dodge Jr., Carver, & Ferguson, 2007). This impossibility shows how important the employee is in maintaining cybersecurity. If employees are not vigilant and open these e-mails or websites, or do not understand the consequences of doing so, they are likely to cause a cybersecurity incident without even knowing they are putting their company and themselves at risk (Albrechtsen & Hovden, 2010; Drevin, 2007; Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014).

Employees in the healthcare industry ought to be some of the most careful, since this sector has the most data breach incidents of all sectors worldwide, comprising 39% of all data breaches in 2015 with 120 incidents that year. The healthcare sector is also in the top three sectors that received the most spam e-mails, with an average of 54.1% of all e-mails received: one of every 2,711 e-mails in the healthcare sector is a phishing e-mail, and one in every 396 e-mails contains malware. On average, each healthcare organization worldwide is the target of two spear-phishing campaigns per year (Symantec, 2016).

Despite the growing risks that cybersecurity threats imply and the necessity of employee awareness in minimizing these risks, so far there has been little research on the relation between awareness of cybercrime and cybersecurity and the effectiveness of the cybersecurity policies in place, let alone research in the healthcare sector (Choi, Levy, & Hovav, 2013; Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). There has been research on which user behaviors are likely to influence the effectiveness of cybersecurity policies, and some studies have investigated whether or not employees are able to recognize fraudulent e-mails or websites; few studies, however, look at the relation between all of the above concepts (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). Studies that look at awareness of both cybercrime and cybersecurity look only at the correlation between awareness and policy compliance, or only at the number of incidents, not both (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). Furthermore, no research was found concerning the Netherlands specifically, not even for the high-risk healthcare industry. Thus, a study concerning cybercrime policy awareness in the Netherlands’ healthcare sector addresses a gap in the research in this

Studying both awareness of cybercrime and awareness of cybersecurity is important because the two distinct points of attention differently impact the effectiveness of cybersecurity policies (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). One can recognize fraudulent e-mails, but have a weak password, making that person nevertheless a risk to a company. Additionally, studying both user compliance to cybersecurity policy and the nature and number of incidents is important, since if users comply with the cybersecurity policies, but many cybersecurity incidents still occur, the policy in place seems to be ineffective. User compliance therefore does not guarantee effective cybersecurity policy, as is also the case with cybersecurity incidents. A limited number of cybersecurity incidents does not automatically mean that the cybersecurity policy is effective, since when users do not comply with the measures imposed, the measure is not effective in those cases (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014).

To truly investigate which effect awareness of cybercrime and cybersecurity has on the effectiveness of the cybersecurity policies in place, one must look at all factors involved: the awareness of cybercrime, the awareness of cybersecurity, the compliance with and awareness of the cybersecurity policies of the company, and the number of incidents (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). Not only has the correlation between all these factors been sparsely researched; empirical research into the effectiveness of cybersecurity policies within Dutch organizations is also sparse, and no empirical research was found that investigates the effectiveness of cybersecurity policies in the healthcare sector, even though this sector faced the most data breaches of all sectors worldwide in 2015 (Symantec, 2016).

A handbook for information security and cybersecurity in the healthcare sector in the Netherlands, NEN7510, was introduced in 2004. As the demand for a basic level of cybersecurity and information security in the healthcare sector became evident, the guidelines in this handbook became partly mandatory for all healthcare organizations within the Netherlands. Hospitals are obliged to comply with the measures described in the handbook; for other (private) healthcare institutions, for example institutions for elderly care, compliance is not yet mandatory (Nederlands Normalisatie-instituut, 2011). The expectation is that NEN7510 will become mandatory for all healthcare institutions in the near future.

For this reason, this study will try to provide a first insight into the effect of all the human factors related to the effectiveness of cybersecurity policies within a healthcare organization focused on elderly care by conducting a single case study. The following central research question seeks this insight: To what extent does awareness of cybercrime and cybersecurity of employees relate to the effectiveness of cybersecurity measures within a healthcare organization?

In order to answer this central research question, the following sub-questions were posed:

- Sub-question 1: What level of awareness do employees have of cybercrime and cybersecurity?
- Sub-question 2: What level of awareness do employees have of cybersecurity measures installed within the organization?
- Sub-question 3: What is the organization’s cybersecurity policy?
- Sub-question 4: What type of cybersecurity incidents has the organization faced in the past 18 months and how often?

This study first provides a theoretical framework in which the governance of cybersecurity is discussed and a theoretical perspective is offered that explains the relation between the different actors that must be present for cybercrime to occur and that affect cybersecurity. Further, a literature review outlines the findings of previous studies about the important constructs that affect the effectiveness of cybersecurity policies and influence awareness of cybercrime and cybersecurity. The methods section provides insight into the case study selection and the triangulation of methods used to investigate the extent to which awareness of cybercrime and cybersecurity affects the effectiveness of cybersecurity policies. The results section is divided into subsections in which the results are presented for each method. Finally, the discussion section discusses the implications of the results and the conclusion of this study. The discussion section also provides insight into the limitations of this study and poses recommendations for future research.


2. Theory

The origin of cybersecurity lies in the military. The internet was primarily designed for the military, and the structure and organization of the internet also found its basis there. This origin means that the internet was structured in a very hierarchical manner. With most people now connected to the internet, this hierarchical structure no longer applies: since the end-user is one of the key links in securing the internet, managing the internet top-down is no longer an option. Another issue in internet governance is that the focus has mostly been on the technological measures needed to secure the internet, while the users of the internet have been overlooked (Kesar, 2011).

Internet governance is defined as “the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the internet” (WGIG, 2005). The literature review of internet governance by Van Eeten and Mueller (2012) found four distinct fields: internet governance, telecommunications policy, information security economics and cyber law. While the internet governance field focuses on the international or global governance of the internet and the telecommunications policy field focuses on communication and the neutrality of the internet, the field of information security economics focuses on the security of networks and information systems, along with cybercrime. This is the field to which this study belongs.

Some studies have tried to link cybersecurity incidents and victimization to theory. One of the most used theories for cybersecurity and cybercrime is the routine activity theory (RAT) (Anderson, et al., 2012; Bossler & Holt, 2009; Wall D. S., 2007; Yar, 2005). This theory suggests that for a crime to occur, three elements must converge in space and time: a motivated offender, a suitable or attractive target and the absence of a capable guardian (Cohen & Felson, 1979). The theory was originally designed to explain traditional crime. The RAT has been used in the literature to explain person-based cybercrime, a term Bossler and Holt (2009) use to classify cybercrimes like online stalking and harassment, but little research has been conducted to test the validity of the RAT in explaining property cybercrimes like phishing and malware infections (Bossler & Holt, 2009).

The capable guardian is a term referring to the physical countermeasures one can take to prevent cybercrime from occurring, like anti-virus software and firewalls. Bossler and Holt (2009) focus on these physical guardians online. Some studies have focused on the social guardianship of the internet, defining social guardianship as “the availability of others who may prevent personal crimes by their mere presence or by offering assistance to ward off an attack” (Spano & Nagy, 2005, p. 418). Being socially active online, for example on social media, can put people into closer proximity to an offender, as they are in close proximity to many people, any one of whom could be infected and spread the infection. Attention is also given to personal guardianship, which boils down to awareness of cybercrime and cybersecurity and taking responsibility by keeping the technical measures up to date.

In traditional crime the target’s attractiveness plays a large role in determining the likelihood of victimization. In cybercrime, it is less visible whether someone is wealthy or not, but in spear-phishing attacks targeted at specific businesses, the target’s attractiveness might play a role, as the offender might choose the business based on specific characteristics that they deem desirable. By contrast, in normal phishing attacks the target’s attractiveness is less evident, as phishing spreads uncontrollably and the attacker cannot know who will be targeted and what their characteristics are. Felson (2001) defines a suitable target as “any person or property that an offender would like to take or control” (p. 43). The study of Bossler and Holt (2009) found that social guardianship has a significant relation to malware victimization.

The RAT is a valid starting point for this study, because it takes all actors that are relevant to governing cybersecurity into account. Based on the RAT, the existing research was explored to see what types of research have been conducted into the relation between awareness of cybercrime and cybersecurity and the effectiveness of cybersecurity policy.

2.1 Previous studies

Most cybersecurity measures and policies have been based on technological countermeasures (Choi, Levy, & Hovav, 2013), forcing cybercriminals to look for new ways to attack their targets. In consequence, they have started to focus on what in the literature is often called “the weakest link” of cybersecurity, the human actor (Flores & Ekstedt, 2016; Furnell & Clarke, 2012). For this reason, much of the recent literature stresses the importance of awareness training in the prevention of cybercrime and enhancement of cybersecurity, because many cybersecurity breaches are caused by end-users either at home or in organizations (Choi, Levy, & Hovav, 2013; MacEwan, 2013).

In searching for literature about the relation between cybersecurity and cybercrime awareness and the effectiveness of cybersecurity measures, only one study (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014) was found that tried to determine employee awareness using multiple concepts. The study reviewed previous security surveys and found that they focused mostly on one component of cybersecurity instead of trying to determine the overall cybersecurity awareness of employees. The authors hypothesize that if the level of knowledge of cybersecurity policy and procedures increases, the employee’s behavior will change accordingly, which can translate into more risk-averse security behavior, possibly influencing the effectiveness of the policies (Parsons, McCormac, Butavicius, Pattinson, & Jerram, 2014). The authors’ model is based on initial research conducted via their own literature review, interviews and analysis of an initial security survey. The focus areas identified by this study are “internet use, email use, social networking site use, password management (including locking workstations), incident reporting, information handling and mobile computing” (p. 167). The results of their study supported their hypothesis: they found that an increase in knowledge and understanding of a cybersecurity policy is associated with risk-averse behavior.

Although this is the only study that investigated all identified constructs related to awareness of cybercrime and cybersecurity and the effectiveness of cybersecurity policies, there are studies that investigated awareness of cybercrime and cybersecurity or the effectiveness of cybersecurity policies by looking at social engineering, password behavior and compliance. These studies provide insight into what influences the different constructs and in which way each construct affects either awareness of cybercrime and cybersecurity or the effectiveness of cybersecurity policies.

2.1.1 Social engineering

Social engineering aims at exploiting individuals or employees by manipulating them into performing actions that benefit the attacker (Flores & Ekstedt, 2016). These actions include clicking on a link in a malicious e-mail, website or pop-up window and consequently installing malware on the network, or revealing personal information and passwords over the internet (via websites and e-mail) or by telephone (Flores & Ekstedt, 2016; MacEwan, 2013).

Of the studies conducted into social engineering, many measure it by looking at phishing. Phishing is a criminal mechanism using both social engineering and technical deception (MacEwan, 2013). Flores and Ekstedt (2016) identify two methods used in the literature to study social engineering: self-reported behavior, and behavior observed in (controlled) experiments in which an unannounced phishing or social engineering attack is performed.

Of the studies conducted as an experiment, most used university students as the sample and looked only at the success rates of the attacks, disregarding other factors that could explain susceptibility to social engineering (Flores & Ekstedt, 2016). The only study found that used an employee sample and looked at susceptibility to social engineering alongside other factors was by Flores and Ekstedt (2016), who “aimed at providing information about how organizational and individual factors complement each other in shaping organizational employees’ intention to resist social engineering” (Flores & Ekstedt, 2016, p. 28). They do not relate social engineering to cybersecurity effectiveness or awareness, but do identify constructs that influence susceptibility to social engineering: namely, the employee’s self-efficacy, attitudes and beliefs relating to cybersecurity and cybersecurity threats. The authors sent a survey to 4,296 employees of different public and private organizations in Sweden, and the results indicate that all three constructs influence the employee’s intention to resist or not resist social engineering.

A few studies have employed an experimental setting that used images of real and fraudulent websites and e-mails. In these studies respondents have to identify the real or fraudulent website or e-mail. Participants in these studies were mostly students or student and staff samples. Karakasiliotis, Furnell and Papadaki (2006) present the only study that used a mix of 20 real and fraudulent e-mails and had 179 participants from 22 different nationalities choose whether or not the e-mail was legitimate and why they thought so. They found that overall the participants were able to identify the legitimacy of the e-mail correctly 42% of the time and incorrectly 32% of the time, while in 26% of cases they reported that they did not know. They found no significant differences in gender, age or nationality. The most mentioned variables in deciding whether an e-mail was legitimate were technical cues (the URL), visual factors, the presence of an e-mail address and the language and content of the e-mail.

Two further studies used a mixed sample of students and staff, but did not differentiate between the students and staff in their results. Aloul (2012) conducted a phishing audit amongst faculty staff and students of an American university in the Middle East. They created a fake website that looked identical to the website on which students and staff have to change their passwords. The URL was visibly different from the original URL, though. An e-mail was sent prompting all users to change their password due to a security breach, and a follow-up warning e-mail was sent a couple of hours after the phishing e-mail. Of all users, approximately 9% entered their password and login information. Of this 9%, 2% entered their information after the warning e-mail was sent. After the first experiment, an awareness session was conducted, along with a second phishing audit. In the second experiment, only 2% of all users entered their information (Aloul, 2012).
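The URL cues named in these studies (the technical cues reported by Karakasiliotis, Furnell and Papadaki, and the visibly different URL in Aloul’s audit) can be checked mechanically. The script below is an added example and is not code from the thesis or from any of the studies cited; the portal domain, the message and the links in it are constructed for illustration. It pulls every link out of an HTML e-mail and flags the cues a careful reader would look for: an href pointing outside the organization’s domain, the organization’s name buried as a subdomain of another host, visible link text that names a different domain than the href, and a link that is not https.

```python
"""Added example: flag the URL cues that respondents in the phishing studies
above used, or failed to use, when judging whether a link is legitimate."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical) domain of the organization's password portal.
LEGIT_DOMAIN = "example-university.edu"

# Constructed message modelled on the Aloul (2012) audit: the visible link text
# imitates the real portal, while the href points to a lookalike host.
SAMPLE_EMAIL_HTML = """
<p>Due to a security breach all users must change their password within 24 hours.</p>
<p>Go to <a href="http://example-university.edu.account-reset.net/login">
https://portal.example-university.edu/password</a> to continue.</p>
<p>Help desk: <a href="https://it.example-university.edu/help">IT support</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL; bare 'host/path' text is read as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of the host (naive: ignores multi-label public suffixes)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


_URL_IN_TEXT = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def link_cues(href, text, legit_domain=LEGIT_DOMAIN):
    """Return the list of suspicious cues for one link (empty list means no cue)."""
    cues = []
    host = hostname(href)
    if not host:
        return ["link has no host"]
    domain = registrable_domain(host)
    if domain != legit_domain:
        cues.append(f"href host {host} is outside {legit_domain}")
        # Lookalike trick: the real name appears as a subdomain of another host.
        if legit_domain in host:
            cues.append(f"{legit_domain} appears as a subdomain of {domain}")
    shown = _URL_IN_TEXT.search(text)
    if shown and registrable_domain(hostname(shown.group(0))) != domain:
        cues.append("visible link text names a different domain than the href")
    if urlparse(href if "://" in href else "http://" + href).scheme != "https":
        cues.append("link is not https")
    return cues


def assess_email(html, legit_domain=LEGIT_DOMAIN):
    """Map every href in the message to its list of cues."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: link_cues(href, text, legit_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, cues in assess_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", cues or ["no cue"])
```

The registrable-domain check is deliberately naive (last two labels), so hosts under multi-label public suffixes such as co.uk would need a public-suffix list in practice. The point of the example is the mismatch between what the user sees and where the link actually goes, which is exactly the cue that participants in the studies above reported using or missing.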


fraudulent websites, where the fraudulent websites had browser-based cues that they were fraudulent. They report a mean of 11.6 correct answers with a range between 6 and 18 correct answers out of 19 websites, with no significant differences for sex, age or hours using the computer. They also report that most of their respondents did not know or did not notice the key indicators that the website was spoofed.

Finally, Dodge, Carver and Ferguson (2007) studied what type of phishing e-mail people are more likely to open and click on. They distributed three types of phishing e-mails to students of the United States Military Academy: one with an embedded link, one with an attachment and one with a request for sensitive information. They found that the students were more likely to open the phishing e-mail with an attachment (62%) than the e-mails with an embedded link (50%) or a request for sensitive information (54%). The differences were not statistically significant.

A concept that has been researched extensively is the behavior of end-users. This concept has been investigated by looking at the relation between password behavior of end-users and their awareness of cybercrime and cybersecurity and by looking at the relation between the intent of end-users and the effectiveness of cybersecurity policies.

2.1.2 End-user behavior

One aspect of end-user behavior that has been explicitly researched is end-users’ passwords and password behavior. Shen, Yu, Xu, Yang and Guan (2016) examined password use. They found that surveys asking questions about password use are potentially less reliable because of the influence of socially desirable answers (Shen, Yu, Xu, Yang, & Guan, 2016). Their results indicate that most passwords were 8–10 characters long, that passwords still mostly consist of simple structures and that the use of number-only passwords has significantly increased. Comparing their findings to other studies of password habits, they find that the average password length in their study differed from that in earlier studies. They speculate that this variance arises because most websites and applications today require a password with a minimum length of 8 characters.
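The length and structure measures that Shen et al. report can be computed from a password list with a few lines of code. The script below is an added example, not code from the thesis or from Shen et al.; the password list is constructed, and the reading of “simple structure” as a password made of at most two runs of one character class (for example all digits, or letters followed by digits) is an assumption of this example. It only makes sense on plaintext passwords one is allowed to hold, such as those collected in a controlled experiment, since structure cannot be read from a password hash.

```python
"""Added example: password length and structure statistics in the style of
Shen et al. (2016), computed over a constructed sample list."""
from collections import Counter

# Constructed sample; not data from any study or organization.
SAMPLE_PASSWORDS = [
    "123456", "password", "welkom01", "Zorg2016!", "19851203",
    "qwerty123", "Tr0ub4dor&3", "abcdef", "P@ssw0rd", "8-x",
]


def char_class(ch):
    """U = upper case, L = lower case, D = digit, S = anything else."""
    if ch.isupper():
        return "U"
    if ch.islower():
        return "L"
    if ch.isdigit():
        return "D"
    return "S"


def class_runs(pw):
    """Consecutive runs of one character class, e.g. 'welkom01' -> [['L', 6], ['D', 2]]."""
    runs = []
    for ch in pw:
        cls = char_class(ch)
        if runs and runs[-1][0] == cls:
            runs[-1][1] += 1
        else:
            runs.append([cls, 1])
    return runs


def mask(pw):
    """Run-length class mask: 'welkom01' -> 'L6D2', 'Zorg2016!' -> 'U1L3D4S1'."""
    return "".join(f"{cls}{n}" for cls, n in class_runs(pw))


def is_number_only(pw):
    return pw.isdigit()


def is_simple(pw):
    """Assumed reading of 'simple structure': at most two class runs, i.e. a single
    class or one class followed by another (letters then digits, and so on)."""
    return len(class_runs(pw)) <= 2


def length_bucket(n):
    """Buckets used in the summary: shorter than 8, 8 to 10, longer than 10."""
    if n < 8:
        return "<8"
    return "8-10" if n <= 10 else ">10"


def summarize(passwords):
    """Counts a practitioner would set beside Shen et al.'s findings."""
    lengths = Counter(length_bucket(len(p)) for p in passwords)
    return {
        "total": len(passwords),
        "shorter_than_8": lengths["<8"],
        "length_8_to_10": lengths["8-10"],
        "longer_than_10": lengths[">10"],
        "number_only": sum(is_number_only(p) for p in passwords),
        "simple_structure": sum(is_simple(p) for p in passwords),
        "masks": Counter(mask(p) for p in passwords),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Because the mask discards the actual characters and keeps only class and run length, the per-mask counts can be reported and compared across samples without disclosing any password, which is the form in which such statistics are normally published.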

McCrohan, Engel and Harvey (2010) also focused on password behavior, aiming to analyze the effect of cybersecurity awareness training. They conducted an experiment with students of an undergraduate business school in the United States. The students were divided into two groups: a high-information group and a low-information group. Students were then asked to create an account for the purpose of the study. The password chosen was used as the “pre-treatment dependent variable” (McCrohan, Engel, & Harvey, 2010, p. 31). They then attended a lecture that contained either basic information about good password behavior or extensive information about password behavior and examples of cybercrime. The students had to come back two weeks later and were prompted to change their password, because it had supposedly expired. The results showed that the students in the high-information group chose a significantly stronger password in the second session.

Another aspect of end-user behavior that has been studied is intent. For example, Stanton, Stam, Mastrangelo and Jolton (2005) developed a two-dimensional taxonomy with six elements to classify information security end-user behavior. They looked at the intention and the technical expertise necessary for specific cybersecurity incidents to occur, and identified three different intentions: malicious, neutral and beneficial. They then conducted a national survey on naïve end-user mistakes, which fall under the neutral intention spectrum, because they found this to be a viable variable that influences the cybersecurity effectiveness of an organization. Their results indicate a significant correlation between password-related behaviors and training and awareness. This correlation suggests that training and awareness, through better security-related behaviors, can positively influence the effectiveness of cybersecurity policies (Stanton, Stam, Mastrangelo, & Jolton, 2005).

2.2 Limitations in the existing literature

Although the RAT and the existing literature provide some insight into the concepts important for the effectiveness of a cybersecurity policy, no empirical data exist that look at the relation between employee awareness of cybercrime and cybersecurity and the effectiveness of company cybersecurity policy. Some studies have examined this relation, but they used a student sample or did not include all of the important concepts that have been linked to the effectiveness of cybersecurity.

As described in the introduction, the healthcare industry is the sector with the most data breach incidents of all sectors (Symantec, 2016). Ponemon Institute’s latest report (Sixth annual benchmark study on privacy & security of healthcare data, 2016) shows that 69% of the healthcare organizations worldwide were most worried about incidents caused by negligent or careless employees. Of the security breaches, 36% were claimed to be caused by unintentional employee action.

Collins, Sainato and Khey (2011) studied organizational data breaches in healthcare institutions between 2005 and 2010. Their study is based on a criminological theoretical framework, and they argue that situational crime prevention, which builds on the RAT, can reduce the frequency of data breaches. They also examine laws that can influence the number of data breaches, noting that very few studies look at data breaches within healthcare organizations. Their study suggests that the most frequent types of security breach within healthcare organizations in that period were "insider abuse, physical loss of records, compromised portable devices, and compromised stationary devices" (p. 805).

Caminada, van de Riet, van Zanten and van Doorn (1998) present the only empirical study conducted within Dutch organizations. This study looked at internet security incidents and dates to 1998. The aim of the study was to analyze the cause of the incidents and the effectiveness of the security measures. This study looked at part of the human factor of cybersecurity, but only IT administrators and not end-users.

This study will try to fill some of the gap of information regarding the cybersecurity policy effectiveness of organizations in The Netherlands. This study’s aim is to provide a first insight into the relation between the level of awareness of cybercrime and cybersecurity and the effectiveness of cybersecurity policy. The study will answer the central research question by conducting a single case study within a healthcare organization using a triangulation of methods. The awareness level of employees will be analyzed by testing their ability to recognize phishing and their password use. The effectiveness of the cybersecurity policy will be measures by looking at which incidents the company has faced in the past and to what extent the employees comply with the cybersecurity policy of the company.

3. Method

In order to answer the central research question, the study conducted a content analysis of the cybersecurity policy, cybersecurity incidents, interviews, and a questionnaire, all within the scope of a single case study. The case study centered on a healthcare organization focused on elderly care in the Netherlands. The name of the company is omitted; this was a requirement for the company to cooperate. The reason the company does not want its name published is that it could produce negative publicity or pose a security risk if cybercriminals were to read this document. Therefore the healthcare organization is referred to as "the company." Besides measuring the level of awareness of cybercrime and cybersecurity amongst the employees, this study also conducts interviews with IT experts and managers responsible for the cybersecurity policy within the company and analyzes cybersecurity incidents over the past 18 months. First, however, this chapter discusses the operationalization of the concepts used in this study, and then continues with the selection of the case study subject, the data collection, and the instruments and protocols used to analyze the data.

3.1 Operationalization

In order to answer the central and sub-research questions, the key concepts have to be operationalized into feasible concepts. For this study, four concepts are key to answering the central research question: cybercrime, cybersecurity, awareness thereof, and the effectiveness of cybersecurity measures.

There is no consensus on the definition of "cybercrime." The European Commission defines cybercrime as "criminal acts committed using electronic communications networks and information systems or against such networks and systems" (Koops, 2010, p. 738). The internet can be the tool or the target of a cybercrime. To make cybercrime a tractable concept, the literature distinguishes three types of cybercrime according to the role of the internet in the crime: as object, instrument or environment (Koops, 2010). This study focuses on cybercrimes committed against the networks of companies. The literature on cybersecurity incidents caused by end-users shows that the most common types of cybercrime used to gain access to networks are phishing and spoofing, and therefore these types of cybercrime are the focus of this study.

Cybersecurity, like cybercrime, is a concept without an accepted definition. This study uses the following definition: "Cybersecurity is the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights" (Craigen, Diakun-Thibault, & Purse, 2014, p. 17). This definition was chosen after a review of the definitions used in the literature, because it was the most complete of them. This study focuses on employees' awareness of cybersecurity and of the cybersecurity policy, which was measured by analyzing user behavior and compliance with the cybersecurity policy.

Awareness is defined as follows for this study: the knowledge and understanding of cybersecurity and cybercrime (Kritzinger & von Solms, 2010). Awareness in this study was measured by testing knowledge of cybersecurity and cybercrime of the employees and by looking at their password behavior. Knowledge of cybercrime was analyzed directly by testing whether or not employees could recognize phishing and whether they could recognize cues that indicate that an e-mail or website is a phishing e-mail or website. Another measure used to analyze the level of awareness of cybersecurity was the strength and use of passwords.

The last concept is the effectiveness of the company's cybersecurity measures. On the basis of the literature (Aloul, 2012), this study defines a security measure as effective when it decreases the number of the security breaches it is designed to prevent. This concept was measured by investigating the number, type and cause of cybersecurity incidents that occurred in the company from January 2015 to July 2016 and by investigating whether or not the employees complied with the cybersecurity measures taken by the company.

3.2 Case study selection

The case study subject was selected on pre-determined criteria. The first criterion was that the company had to have defined cybersecurity measures and a defined cybersecurity policy. The literature shows that small companies usually do not have defined cybersecurity measures and policies, which makes measuring the level of awareness of cybersecurity measures more difficult in small companies; therefore the second criterion was that the company had to be medium- or large-sized. Another important criterion was that full access to the cybersecurity incidents of the past 18 months be provided. The remaining criteria were that the company had to be based in the Netherlands and that the employees had to speak either Dutch or English; these were chosen because gaining access to the security measures of a Dutch company was relatively easier due to the availability of information and the location. The last criterion was that the company had to be active in the healthcare industry.

The limited time and resources available for this study meant that location, availability, willingness to cooperate and organization type were key factors in determining the case study subject. Of the approached companies, this company was the one that met the criteria and was willing to cooperate.

3.2.1 Case study subject

The company used for this case study is a private healthcare organization in “De Randstad,” the agglomeration of cities in the West of the Netherlands. The company has a headquarters from which the central departments function. These central departments are the IT department, the communications and PR department, the legal department, the building management department, the financial department, an academy, the human resources department, the executive office, and a knowledge center. The company has several smaller bodies. Relevant bodies for this study were the works council, board of directors, concern control, and inspections and audits.

The company is divided into different labels, which function as separate divisions. The largest division is responsible for the care of the elderly, either at home or in an institutional setting. Most of the company's locations are retirement homes, but other locations include nursing homes and a mixture of a nursing and a retirement home. The nursing homes belong to a different division from the retirement homes, and the mixed homes belong to the same division as the retirement homes. These two divisions together serve approximately 4,500 elderly people (in 2014), have approximately 3,500 employees and consist of approximately 20 locations, divided into districts based on geographical distribution.

A district usually consists of two–four locations. Each district has its own management, which usually consists of a district manager, a facility manager, at least one healthcare manager (usually one per location) and a policy manager. These locations usually also provide a home care service. Each location has between 100 and 300 employees, of which most (90%) are nurses of different levels.

3.3 Data collection and analysis

The research data was collected from February–July 2016. To answer the research question, the data was collected from three different sources and in three different ways: by reviewing the cybersecurity measures implemented and reviewing the cybersecurity incidents, by interviewing IT experts and related managers by means of a semi-structured interview and by surveying the employees of the company.

The policy review and incident review performed for this study were completed using the public website of the company and the intranet of the company. The intranet is accessible to all employees. Management and staff have access to sensitive documents on the intranet that are not accessible to regular employees. For this study, access was granted to all documents that regular employees are also able to access. Access to management documents was not provided directly, meaning that the incident reports, which are not accessible to regular employees, were obtained through the IT department and the director of operations. The survey was distributed to all employees.

3.3.1 Cybersecurity policy of the company

All cybersecurity measures implemented within the company were mapped and recorded. This data was acquired by reviewing the company policy documentation available on the intranet and all e-mails sent to employees regarding cybersecurity in the 18 months preceding the study. During this phase, all documents and information were gathered and analyzed to determine which security measures are in place. All e-mails and news articles from January 2015 through June 2016 were also reviewed. The company's intranet and public website were searched for items relating to cybersecurity policy and incidents using Dutch and English keywords: internet, security, phishing, cyber, informatiebeveiliging (information security), beveiliging (security), spam, social engineering, and fraude (fraud).

3.3.2 The interviews

After gathering the information on the implemented cybersecurity measures and policies, a semi-structured interview was held with 10 experts from the IT-department and management of the company. During the semi-structured interviews, six pre-determined questions were asked about the implemented cybersecurity measures and policies, use of the cybersecurity measures and policies, the perceived risk of cybercrime, and the nature and number of cybersecurity incidents (see Appendix A). Depending on the function and knowledge of interviewees, follow-up questions were asked related to their fields of expertise. The interviews were held with members of the relevant departments and bodies. The interviewees included a district member, a former district-manager and now label-director, and employees from the communications department, control department, policy department and IT department.

The interviewees were selected on the basis of their knowledge and function within the company and their willingness to cooperate with this study. The interviews lasted approximately 15–30 minutes. Before the start of the interview, the interviewees were given a short introduction to the study, the purpose of the interview, an assurance of confidentiality and confirmation that the interview was being recorded and transcribed. The audio of the interview was recorded with a laptop. The data acquired during these interviews was transcribed and compared, and information that could reveal personal information of the interviewee was deleted or left out of the transcripts. After the interview was transcribed and the interviewees' identifying information erased, the recordings were erased to further protect the anonymity of the interviewees. Important information from the interviews was coded and entered into a database to create an overview. The database was later used to analyze and compare the retrieved information.

3.3.3 The survey

The survey used for this study was created based on the findings of the literature review. All main constructs that influence cybersecurity, cybercrime awareness and the effectiveness of cybersecurity policies were incorporated. No existing survey was found that fit this case study, and therefore a new survey was created. The surveys used in other studies consisted of technical terms and were aimed at people who have some knowledge of cybersecurity or cybercrime, which the survey population of this study did not. Therefore most concepts had to be simplified so that the sample population could complete the survey. Another limitation of the other surveys was that they were considerably longer; the sample population for this study had limited time on a computer, and therefore a shorter survey was necessary. The final and most important reason for creating a new survey was that hardly any existing surveys were found with questions specifically aimed at employees and cybersecurity policies.

The created survey consisted mostly of self-reporting questions, but also had an experimental element in which the respondents had to identify the legitimacy and security level of a website or e-mail. At the end of the survey, the respondents were shown a page with information on how to be secure on the internet and which indicators to look for. At the very end the respondents received their test score for the experimental part of the survey. The language spoken within the company is Dutch, and therefore the survey was also in Dutch. The completed survey consists of four parts with a total of 34 questions. At the beginning of the survey, a page was shown with basic information about the intent of the survey and confirmation that the survey was anonymous and could not be traced back to an individual, that participation was voluntary and that no compensation of any kind would be provided for its completion (see Appendix B for the complete survey, in Dutch).

The first part of the survey consisted of five questions about the characteristics of the participants (sex, age, education level, function, and work field). The second part consisted of 12 questions, with a corresponding image to test the level of awareness of cybercrime and cybersecurity. The questions were divided into four different categories of images (see Table 1).

Table 1.

Categories of images used to test awareness level of cybercrime and cybersecurity.

Type of image Related question

Website Is this the website of x?

E-mail Is the e-mail sent by x?

Pop-up or download Is the download (or pop-up) most likely reliable?

Website Does the website use a secure connection?

Note. The original questions were written in Dutch. See appendix B.

The title of the categories was not visible in the survey. In all categories, a mix of images was used that portray the real website or a spoofed website, a real e-mail sent by a company or a fake one, and so forth. The respondents had three choices in answering the question: “yes,” “no,” or “I don’t know.” Instruction on how to answer this question states that a “yes” or “no” answer should be given only if the respondent is sure. If there was any doubt, they were instructed to choose “I don’t know.” To reduce bias or the possibility of co-workers helping each other, a total of five images per category was available, of which three images were shown at random. The order of the different categories of images was also randomized. A safeguard was built in to ensure each image was shown an equal number of times.
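The four question types in Table 1 (is this the website of x, is this e-mail from x, is the connection secure) ask a respondent to make by eye the checks that a mail filter or browser makes mechanically. As an added example (not from the thesis; Appendix B is not reproduced here, so the exact cues the survey tested are not known), the Python below applies a small set of assumed cues to a URL and to a raw e-mail: the scheme (secure connection), the registrable domain against the organization's real domain, lookalike spellings, the organization's name buried in a subdomain, a display name that contradicts the sender address, a Reply-To that points elsewhere, and links in the body. The organization's domain, the confusable-character list and the two messages are constructed for the example.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# The organization "x" of Table 1 is stood in for by a made-up domain (assumption, not from the thesis).
LEGIT_DOMAIN = "example-bank.nl"

# Substitutions typical of lookalike domains (assumed list; extend as needed).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages (not from the thesis survey).
PHISH_MAIL = (
    "From: Example-Bank Klantenservice <service@examp1e-bank.nl>\n"
    "Reply-To: collect@mail-drop.example\n"
    "To: employee@company.example\n"
    "Subject: Uw account is geblokkeerd\n"
    "\n"
    "Log direct in via http://example-bank.nl.verify-login.example/portal om uw account te herstellen.\n"
)
LEGIT_MAIL = (
    "From: Example-Bank <noreply@example-bank.nl>\n"
    "To: employee@company.example\n"
    "Subject: Maandoverzicht\n"
    "\n"
    "Uw overzicht staat klaar op https://www.example-bank.nl/overzicht\n"
)


def registrable_domain(host):
    """Last two DNS labels, e.g. 'www.example-bank.nl' -> 'example-bank.nl'.
    Adequate for .nl/.com; multi-part suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_lookalike(name):
    """Strip accents and undo common digit/letter swaps so 'examp1e' and 'exarnple' compare equal to 'example'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES:
        folded = folded.replace(bad, good)
    return folded


def domain_cues(owner, legit_domain, what):
    """Cues for a registrable domain that should equal legit_domain; `what` names the field checked."""
    if owner == legit_domain:
        return []
    if fold_lookalike(owner) == fold_lookalike(legit_domain):
        return [f"{what}: lookalike of {legit_domain}: {owner}"]
    return [f"{what}: not {legit_domain} but {owner or '(empty)'}"]


def website_cues(url, legit_domain=LEGIT_DOMAIN):
    """Cues answering 'is this the website of x?' and 'does it use a secure connection?' for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    cues = []
    if parts.scheme != "https":
        cues.append("no TLS: scheme is " + (parts.scheme or "missing"))
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        cues.append("non-ASCII or punycode characters in hostname: " + host)
    owner = registrable_domain(host)
    if owner != legit_domain and legit_domain.split(".")[0] in host:
        cues.append("legitimate name used only as a subdomain or prefix: " + host)
    else:
        cues.extend(domain_cues(owner, legit_domain, "domain"))
    return cues


def email_cues(raw_message, legit_domain=LEGIT_DOMAIN):
    """Cues answering 'is this e-mail sent by x?' for a single-part message (assumption: no MIME parts)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_owner = registrable_domain(addr.rpartition("@")[2])
    cues = domain_cues(from_owner, legit_domain, "From address")
    if cues and legit_domain.split(".")[0] in display.lower():
        cues.append("display name claims " + legit_domain + " but the address does not")
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and registrable_domain(other.rpartition("@")[2]) != from_owner:
            cues.append(header + " points elsewhere than From: " + other)
    payload = msg.get_payload()
    for link in LINK_RE.findall(payload if isinstance(payload, str) else ""):
        cues.extend("link " + link + ": " + cue for cue in website_cues(link, legit_domain))
    return cues


if __name__ == "__main__":
    for cue in email_cues(PHISH_MAIL):
        print("phish:", cue)
    print("legit:", email_cues(LEGIT_MAIL))
```

An empty cue list is the "yes" answer of Table 1; any cue is a reason to answer "no" or "I don't know." The checks deliberately stop at what a respondent can see on screen: no DNS, certificate or reputation lookups, which is also why a registrable-domain match alone is not proof of legitimacy.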

The third part consisted of seven questions related to the use of the internet at home. The questions were related to the use of passwords, the type of activities conducted online and the amount of time spent online. The final part of the survey looked at the cybersecurity measures and policies implemented within the company and whether the end-users comply with these measures.

The survey was created and distributed in three phases: a pre-testing phase, a pilot phase and the implementation and distribution of the main study. Before distributing the main survey, a pre-testing phase was conducted. The first version of the survey was sent via a link by e-mail to the business director, a communications advisor and an ICT advisor of the case study company. Four ICT experts from another large healthcare institution also checked the survey. They were asked to complete the survey and to report on their understanding of the instructions, questions and answer categories. This review led to some minor changes and additions to the survey, after which the survey was completed again with the researcher present and then discussed verbally. The discussion consisted of probing questions (Why did you hesitate? What do you think this means? Etc.) through which the researcher gained better insight into the experts' reasoning. This process led to additional minor changes, involving additional instructions and directions.

After the pre-testing phase, a pilot survey was conducted to test whether or not the survey instructions and questions were clear and to explore whether or not there were errors that could impact the results. The pilot study was conducted via a convenience sample. The pilot sample population consisted of 10 employees who work within the case study company. They were asked to complete the survey and give feedback via e-mail. The pilot survey was completed online using the Qualtrics survey software. The results retrieved during the pre-testing phase and pilot surveys were not included in the results of the main survey.

The main survey was distributed online to 3,518 employees of the company using Qualtrics survey software. The survey was sent to the employees by e-mail with a description of the study's purpose, instructions on how to complete the survey, a link to the survey, the estimated time required and an assurance of confidentiality. The information about and link to the survey was also posted on the intranet of the company. The survey collected responses from June 20th, 2016, to July 3rd, 2016. A reminder was sent after a week to nonresponsive employees to increase the response rate. Of the 3,518 employees, 483 responded to the survey (response rate = 13.73%). Of the 483 responses, 13 were excluded because the respondents said they did not use a computer or other device with an internet connection at work. The other excluded cases were partial responses; there were 61 partial responses, of which 19 only opened the survey and did not enter any data.

The survey ended with an information page and a scoring page on which respondents could view their own score for the first part of the survey. Seventy-three cases stopped the survey before the information page and score were shown. They did, however, answer all the survey questions, and these surveys were included in the dataset as complete responses. The entire survey was completed by 336 respondents. In some cases, respondents refused to answer questions about their password behavior. One of these cases was deleted because this respondent refused to answer any questions about their use of the internet at home or about their password and also did not answer questions related to their behavior online in the work environment. This case was labeled a partial response and deleted from the final database used for analysis. A final number of 408 cases were included (response rate=11.60%).

The information retrieved from the survey was analyzed using SPSS (Version 22 for Mac). The Qualtrics Survey Tool offers an SPSS-compatible database file, which automatically enters the variable information and case information into SPSS. This database file was used as the basis for the SPSS database file. The variable information entered into SPSS by Qualtrics was sometimes incomplete, however, so the missing information was completed manually. The variable settings were also sometimes incorrect, and these were also corrected manually (see Appendix C for a list of all the variables in the database).

A test in Qualtrics was performed to recognize patterns in answers to the first part of the survey. A report was created to show whether anyone had answered “yes” or “no” to all questions in the first part of the survey (image recognition). No responses were found that met these patterns. The responses were not tested for other patterns; this testing would have been difficult because of the randomization of the order of the type of images and images within the image types.

The average completion time for the survey was 15 minutes. All surveys completed in less than 10 minutes were manually checked for answer patterns. The 10-minute threshold was based on the pre-test and pilot study, in which all participants took more than 10 minutes to complete the survey; completing it faster might indicate that the respondent was answering at random or without thinking about his or her answers. This manual check was made to reduce the risk of bias in the sample and consisted of looking for patterns in answering, such as all "yes" or all "no," never selecting multiple answers in multiple-choice questions, uncharacteristic answers to a particular question, or answers to questions that contradicted each other.

In total, four extra variables were created to analyze the data. New variables were created for password use, password sharing, password behavior 1 and 2 and password behavior 3 and 4. The variable for password use consisted of four answering categories. The comments from respondents in the survey showed that they were unsure which option to choose for the second and third answering categories. Therefore the choice was made to compute the second and third answering category as one answering category (see Table 2).

Table 2.

Recoded variable for password use.

Password use | Recoded value

Same password for everything | 0
Only different for online banking | 1
Various passwords | 1
All different passwords | 2


The question that measured whether or not employees had shared their password was a multiple choice question in which employees could indicate whether and in which way they had shared their password with colleagues (through e-mail, phone, a note, etc.). Qualtrics created a different variable for each answering category. To analyze whether the sharing of one’s password correlated with any of the other variables, the choice was made to compute these answering categories into one dichotomous variable indicating whether or not an employee had shared their password with a colleague (Cronbach’s α= .071).

Four questions in the survey related to password behavior. The first two questions asked whether or not the respondent had ever logged into the company’s network for a colleague or for someone from outside of the company. The third and fourth questions about password behavior inquired as to whether or not the respondent had their password written down on their computer screen or on paper in a place accessible to others. The first and second questions were computed into one dichotomous variable that showed whether or not the respondent had logged into the corporate network for someone else (Cronbach’s α= .218). The third and fourth questions were computed into one dichotomous variable that showed whether or not the respondent had their password written down in a location accessible to others (Cronbach’s α= .842).

After the variables were all recoded into the same directionality from bad to good behavior and the new variables were created, several statistical analyses were performed using SPSS to see whether or not the survey showed significant correlations. A checklist was used to determine which test should be used to analyze the data (see Appendix D). A complete overview of all the tests performed is shown in Appendix E.

3.4 Limitations

A case study has strong internal validity, but on average does not have high external validity. To compensate for the lack of external validity, the choice was made to use different accompanying methods of data collection (Swanborn, 2010). Although the survey used in this study was based on findings in the literature, this study marks the first time this survey has been used, and therefore its validity is so far untested. To assess the validity of the survey, a pre-testing phase and a pilot survey were carried out. These bolster the validity of the survey, but they do not guarantee it.

timeframe could explain why the response rate of the survey was low. The IT department was supposed to send the survey only to nursing employees and the support staff that worked within the locations, but accidentally sent it to all employees. This mistake caused an overrepresentation of employees working for the supporting services among the responses. These employees spend more time on a computer, as they have desk jobs, and they usually have a higher education level than employees who work as healthcare professionals.

The tests available in SPSS were limited because of the setup of the central research question. To test the effect of the level of awareness on the effectiveness of the company's cybersecurity policy, the level of awareness variable had to be entered as the independent variable, which meant that there were multiple dependent variables and one independent variable. Normally the distribution is the other way around, which offers more statistical options. The variables also did not meet the assumptions of parametric tests, and therefore only non-parametric tests could be used, leaving only Spearman's rho. This test does not allow for control variables, and therefore the correlations found could not be checked for partial correlation.

The reliability analyses of the computed variables showed that Cronbach's α for password sharing (Cronbach's α = .071) and for password behavior 1 and 2 (Cronbach's α = .218) was very low. This indicates that the items combined in these variables show very little correlation and do not measure the same thing. Cronbach's alpha did not change significantly if one of the items was deleted. The choice was made to compute the variables even though the reliability test failed, because the items do relate to the same concept and provide much insight into the behavior of employees.
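The two statistics this chapter leans on, Cronbach's α for the computed variables of section 3.3.3 and the Spearman's rho that the non-parametric data forced, can be reproduced by hand. The Python below is an added example, not part of the thesis (which used SPSS), and the responses in it are constructed, not the survey data. It shows why a pair of yes/no items that respondents answer independently of each other yields α near zero, the situation reported above for password sharing and for logging in for someone else, while a pair answered alike yields α = 1, and it computes the tie-averaged rank correlation that SPSS reports as Spearman's rho.

```python
from statistics import mean, variance

# Constructed responses (not the thesis data): 1 = reported the risky behaviour, 0 = did not.
# Each pair mirrors one computed variable from section 3.3.3 (two items, eight respondents).
PAIR_CONSISTENT = (          # e.g. password on the screen / on paper: respondents answer alike
    [1, 0, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 0, 1, 1, 0, 0],
)
PAIR_INDEPENDENT = (         # e.g. logged in for a colleague / for an outsider: answers unrelated
    [1, 1, 1, 1, 0, 0, 0, 0],
    [1, 0, 1, 0, 1, 0, 1, 0],
)


def cronbach_alpha(items):
    """Cronbach's alpha = k/(k-1) * (1 - sum(item variances) / variance(sum score)).

    items: one list of scores per item, all of equal length. Uses the sample variance
    (n-1 denominator), which is what SPSS's reliability analysis reports.
    """
    k = len(items)
    n = len(items[0])
    if k < 2 or n < 2 or any(len(item) != n for item in items):
        raise ValueError("need at least two items with the same number of respondents")
    totals = [sum(item[i] for item in items) for i in range(n)]
    total_var = variance(totals)
    if total_var == 0:
        raise ValueError("sum score has zero variance; alpha is undefined")
    return (k / (k - 1)) * (1 - sum(variance(item) for item in items) / total_var)


def average_ranks(values):
    """1-based ranks, with tied values given the mean of the positions they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    start = 0
    while start < len(order):
        end = start
        while end + 1 < len(order) and values[order[end + 1]] == values[order[start]]:
            end += 1
        tie_rank = (start + end + 2) / 2          # positions start..end hold ranks start+1..end+1
        for pos in range(start, end + 1):
            ranks[order[pos]] = tie_rank
        start = end + 1
    return ranks


def spearman_rho(x, y):
    """Spearman's rank correlation: the Pearson correlation of the tie-averaged ranks."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("need two equally long series")
    rx, ry = average_ranks(x), average_ranks(y)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    if sx == 0 or sy == 0:
        raise ValueError("a constant series has no rank correlation")
    return cov / (sx * sy)


if __name__ == "__main__":
    print("alpha, consistent pair:", round(cronbach_alpha(PAIR_CONSISTENT), 3))
    print("alpha, unrelated pair: ", round(cronbach_alpha(PAIR_INDEPENDENT), 3))
    print("rho between the unrelated items:", round(spearman_rho(*PAIR_INDEPENDENT), 3))
```

With only two items, "alpha if item deleted" is undefined (a single item has no internal consistency), so the low α here cannot be rescued by dropping an item; the honest reading is the one the text gives, namely that the two behaviors are reported independently of each other. Note also that a pair of items answered in exact opposition makes the sum score constant and α undefined, which the function reports as an error rather than a number.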

4. Results

The results of this study are divided into subsections based on the different stages of the research. First the results of the policy and incident review are described, then the results of the interviews, and lastly the results of the survey.

4.1 Policy review

The company has several official documents and policies related to cybersecurity and cybercrime. There are documents that provide information on cybersecurity and cybercrime, guidelines for online behavior, a code of conduct and two policy papers on the structure and implementation of cybersecurity and information security within the company. An overview of all documents published on the company’s intranet is given in Table 3.

Table 3.

Policy and information documents of the company.

Date | Type of document | Information summary

March 16th, 2010 (currently under revision) | Plan of Action for the Implementation of Information Security | States what measures will be taken to comply with the national conditions for healthcare organizations (NEN7510)
May 14th, 2013 (currently under revision) | Strategic ICT Policy 2013–2015 | How the company will incorporate new digital forms like the cloud and how it will increase the cybersecurity of the company
February 27th, 2014 | Code of Conduct for the Use of the Network, Internet, and E-mail | Regulations on how to use the company's digital network and disciplinary actions when in violation of these regulations
March 5th, 2014 | Guideline for Password Behavior | Information for employees on how to structure their password and what password behavior they should practice
March 28th, 2014 | Manual for the Company's Network | Explains how to use the network and offers guidelines for good password behavior
March 3rd, 2015 | Information Security Leaflet | Provides information on cybercrime and in particular phishing
August 11th, 2015 (revised June, 2016) | Guideline for the Use of Social Media | Explains copyright and portrait right laws. States that statements about the company should be made on personal title

Note. Retrieved from the intranet of the company.

The policy papers specific to the IT department and related to cybersecurity are the

occurred last year, and a new business director was contracted to set up a project to actively map the current cybersecurity status of the company and to improve cybersecurity where needed. Access to the revised documents was not obtained. Another important policy document, which applies to all employees, is the Code of Conduct for the Use of the Company's Network, Internet and E-mail.

4.1.1 The Strategic ICT Policy

The Strategic ICT Policy of 2013 is the second strategic ICT policy of the company; a previous version was used from 2011 to 2013. The first policy was renewed to meet the new requirements created by technological innovation and to increase the usability of the digital infrastructure for employees. In 2014, a national change in the law introduced a large change in the way healthcare professionals work: they must be able to access more data, and in a different way than before, and with a shifted focus on results they needed more options to measure and monitor data.

The policy outlines some of the trends that the IT department has to take into account in the future. Specifically, it names digital information exchange, the increasing use of private mobile devices and applications, and the rise of a supply-and-demand culture as the important trends for the ICT department. The policy further states that ICT governance has to be in line with the corporate governance structure. Based on the trends, the policy outlines key issues, among them reducing the complexity of the application landscape, securing access to the network from all entry points, introducing cloud services securely, and securely allowing private and corporate mobile devices onto the network. Another key element of the strategic ICT policy is to increase cooperation between the business and the IT department.

4.1.2 The Plan of Action for the Implementation of Information Security

The plan of action for the implementation of an information security system dates from 2010, when the central government of the Netherlands introduced the NEN7510, a standard for information security with which healthcare institutions must comply. For healthcare institutions like this company, the NEN7510 was not yet mandatory in 2010, but a plan of action did have to be present; this requirement was the motive for the plan of action this company formulated. The plan of action was supposed to run until 2011 and then be revised, but no new or revised plan of action has yet been published. A new plan of action is, however, currently being written by the business director of the company and is supposed to be published in late 2016.


The plan of action document describes information security as a coherent system of measures that focuses on the achievement of an optimum level of availability, integrity and confidentiality of information and information systems. The purpose of the information security system is to realize a permanent and optimum level of security. The plan of action lists certain actions that have to be implemented to comply with the NEN7510. This plan includes providing training and education to increase information security awareness among employees; installing technological measures to combat malicious software; securing the access to the network, sensitive documents, and personal information; and the reporting and logging of security incidents.

To carry out these actions, a taskforce was created to gain support from the company as a whole and to gain insight into the needs of the organization. The taskforce consists of the managers of the IT department, two district managers, a business controller, a quality controller, and an information and security specialist. The last part of the plan of action document lists all requirements of the NEN7510 and specifies, for each requirement, whether or not the company complies and who is responsible for it.

4.1.3 The Code of Conduct for the Use of the Company’s Network, the Internet and Corporate E-mail

The most important document for employees, and one that all employees have to sign before being employed by the company, is the code of conduct for the use of the company’s digital network, the internet and e-mail. This policy was introduced in 2014, and the company has tried to add this document to the dossiers of all employees who worked for the company before the introduction of the code of conduct. A check of whether or not this addition actually happened was never performed, and therefore not every employee has signed this document (HR department). The document is available on the intranet of the company, which means that all employees have access to the document, but no communication was sent out to the employees when the document was published to alert them of its availability.

The document states several regulations and guidelines for the use of the digital network, the internet and e-mail. It opens with a section explaining the reasoning behind the code of conduct, followed by a section giving the regulations and guidelines for employees; an overview of these regulations is given in Table 4. Among them are that the login name and password are strictly personal and may not be shared with third parties, and that installing or copying programs to an employee's home computer is not allowed. The document ends with a section explaining that internet and e-mail use is monitored and that the information retrieved can be used in an investigation if signals arise that an employee is acting in violation of the code of conduct. It also states that, depending on the circumstances, disciplinary action can be taken.

Table 4.

Regulations and guidelines for the use of the company network, the internet and corporate e-mail.

- The login name and password are strictly personal and are not allowed to be shared with third parties.
- Installing programs or copying programs to your home computer is not allowed.
- The use of the internet is only allowed for business.
- Downloading software or applications is not permitted, unless personal permission is granted by the manager.
- Confidential information and sensitive business information should not be sent outside the organization unless permission is granted and the information is encrypted.
- Use of the corporate e-mail address for private purposes is not allowed.
- Unintended breaches of the security of the corporate network have to be reported to the IT service desk.
- Use of the internet for personal purposes, for example playing online games, gambling, shopping, and social media, is not allowed.
- Visiting or downloading information from sites of a racist, sexual, discriminatory, insulting or offensive nature is explicitly not allowed.
- Intentionally changing or destroying information to which access was gained through the internet without permission is explicitly not allowed.
- Sending e-mails anonymously or under a fictitious name is not allowed.
- Sending e-mails of a threatening, insulting, sexual, racist or discriminatory nature is not allowed.
- Stalking someone digitally is not allowed.

Note. Retrieved from the Code of Conduct for the Use of the Company Network, the Internet and E-mail Service.

4.2 Incident review

This study’s aim was to log all incidents between January 2015 and June 2016. The company does not log incidents in a database, which made it very difficult to structurally analyze how many and which type of incidents had occurred from January 2015 to June 2016. To provide information on the type of incidents the company has faced in the past and determine how these incidents were caused, information was gathered from different sources. A log of incidents reported by employees of the company was obtained, and access to the reports created by the different monitors was also granted. In addition, the technical IT specialist in charge of handling incidents went through his communications to see whether he could find additional information about cybersecurity incidents over the previous 18 months.
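The plan of action in section 4.1.2 calls for the reporting and logging of security incidents, and the incident review above shows what the absence of such a log costs: the 18-month overview of how many incidents of which type occurred had to be reconstructed from an employee-reported log, monitor reports and an IT specialist's mailbox. The following is an added example, not code from the thesis or from the company, of a minimal incident register that merges records from those three kinds of sources into one structured log and answers the questions the review needed (how many incidents, of which type, in which month, and which records still lack a classification). All records, source names and incident categories are constructed sample data, and the category vocabulary and the duplicate heuristic are assumptions of the example.

```python
"""Minimal incident register (added example; constructed sample data throughout).

Merges incident records from several unstructured sources into one list of
typed records, so that the counts an incident review needs can be produced
directly instead of by hand.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    when: date        # date the incident was observed or reported
    category: str     # normalised category; "unknown" means not yet triaged
    source: str       # which record set the entry came from
    summary: str      # one-line description as found in the source


# Constructed sample records, one list per source type named in the review.
# Each row is (ISO date, free-text category as found, summary).
EMPLOYEE_REPORTS = [
    ("2015-03-02", "Phishing", "Employee forwarded a suspicious invoice e-mail"),
    ("2015-03-02", "phishing", "Second report of the same invoice e-mail"),
    ("2015-11-17", "", "Laptop left on train, reported to service desk"),
]
MONITOR_REPORTS = [
    ("2015-06-09", "malware", "Endpoint scanner quarantined a trojan on a shared PC"),
    ("2016-01-21", "unauthorised access", "Repeated failed logins on remote-access gateway"),
]
SPECIALIST_MAIL = [
    ("2015-06-09", "Malware", "Specialist e-mail about the trojan on the shared PC"),
    ("2016-04-04", "", "Question about a USB stick found in the car park"),
]
SOURCES = {
    "employee report": EMPLOYEE_REPORTS,
    "monitor report": MONITOR_REPORTS,
    "specialist e-mail": SPECIALIST_MAIL,
}


def normalise_category(raw):
    """Lower-case and trim the free-text category; an empty value is kept as
    'unknown' rather than dropped, so untriaged records stay visible."""
    text = raw.strip().lower()
    return text if text else "unknown"


def build_register(sources=SOURCES):
    """Turn every source row into an Incident and return them in date order."""
    register = []
    for source, rows in sources.items():
        for when, category, summary in rows:
            register.append(Incident(date.fromisoformat(when),
                                     normalise_category(category), source, summary))
    return sorted(register, key=lambda inc: inc.when)


def within_period(register, start, end):
    """Select incidents between two ISO dates (inclusive), e.g. the 18-month review window."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    return [inc for inc in register if first <= inc.when <= last]


def counts_by_category(register):
    """How many incidents of each type were recorded."""
    return dict(Counter(inc.category for inc in register))


def counts_by_month(register):
    """How many incidents were recorded per calendar month (YYYY-MM)."""
    return dict(Counter(inc.when.strftime("%Y-%m") for inc in register))


def needs_triage(register):
    """Records that still carry no category and need a human classification."""
    return [inc for inc in register if inc.category == "unknown"]


def possible_duplicates(register):
    """Group records that share a date and category: the same trojan may appear
    in a monitor report and in the specialist's mail. Flagged, not removed,
    because only a person can confirm they describe one incident."""
    groups = defaultdict(list)
    for inc in register:
        groups[(inc.when, inc.category)].append(inc)
    return {key: items for key, items in groups.items() if len(items) > 1}


if __name__ == "__main__":
    reg = within_period(build_register(), "2015-01-01", "2016-06-30")
    print("by category:", counts_by_category(reg))
    print("by month:", counts_by_month(reg))
    print("need triage:", [inc.summary for inc in needs_triage(reg)])
    for (when, cat), items in possible_duplicates(reg).items():
        print(f"possible duplicate on {when} ({cat}):", [inc.source for inc in items])
```

The register keeps the source of every record, so an analyst can trace a count back to the employee log, a monitor report or the specialist's e-mail; once incidents are entered this way at reporting time, the review questions in this section become a lookup rather than a reconstruction.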
