Measuring cyber resilience within ACoR through the Human Aspects of Information Security Questionnaire (HAIS-Q)

Academic year: 2021


Measuring cyber resilience within ACoR through the Human Aspects of Information Security Questionnaire (HAIS-Q)

the human as a last measure

submitted in partial fulfillment for the degree of master of science

Bob Smeets

12096741

master information studies

information systems

faculty of science

university of amsterdam

2020-10-14

First Supervisor: dhr. drs. A.W. (Toon) Abcouwer, UvA, FNWI, IvI

Second Supervisor: mw. E. (Emőke) Takács, UvA, FNWI, IvI


Abstract

Cyber crime and its impact on the world and on organisations are growing. For this reason, an increasing number of organisations are taking measures to improve their cybersecurity posture. Many organisations struggle with the question: "Am I (cyber) resilient enough?". Many models and theories have been devised about the measurability of cyber resilience in an attempt to answer this question. However, until now, the existing literature has emphasized the measurability of hard (beta) factors, such as KPIs, risk management, reporting, compliance and technology. This research attempts to find out to what extent the human aspects of cyber resilience within the framework of the Adaptive Cycle of Resilience can be measured through the Human Aspects of Information Security Questionnaire (HAIS-Q).

1 Introduction & motivation

1.1 Context and problem statement

Society and the world we live in are increasingly becoming digital, and most would argue that society is even digitally dependent. We know the benefits the digital age has brought us, such as smartphones that enable anyone to look up information on the web almost anywhere, the possibility to communicate virtually with almost anyone instantaneously, and organizations using digital information systems that enable them to become both more efficient and more effective. However, the digital dependence of society is one of the reasons that cybercrime as a whole, and the number of information security incidents and their impact, have grown exponentially over the last decades. Researchers of the American Center for Strategic and International Studies calculated the global economic impact of cybercrime in 2016 and estimated it to be $600 billion, or 0.8% of global GDP (Lewis, 2018). This number is also expected to continue to grow. Cyber threats can also have an impact on non-economic factors, where whole countries can be disrupted by a series of strategically executed cyber attacks. An example of a country-disrupting cyber incident is the cyber attack that disrupted the power grid of Ukraine in 2015, leaving at least 225,000 people without access to electricity for a period of 1 to 6 hours (Lee, Assante, & Conway, 2016).

Experts and governments call for action, since it is expected that the impact of cybercrime can have society disrupting or even crippling consequences (Dunn Cavelty, 2013; NCTV & NCSC, 2019, 2020). Solving the challenge of cybercrime and its impact on the world requires a multi-domain approach. However, this research attempts to find out to what extent Cyber Resilience within the framework of ACoR can be measured through the Human Aspects of Information Security Questionnaire (HAIS-Q).

The overall thesis will consist of qualitative research. Desk research will be conducted in an effort to review, combine and connect state-of-the-art literature on the different fields and topics. In addition to the literature review, case studies will be done in an effort to gain deeper insight into how existing theories might translate to practice. The HAIS-Q will be critically evaluated through semi-structured interviews with domain experts. The resulting data will be analyzed in an effort to qualitatively validate the HAIS-Q as a means to measure the human aspects of cyber resilience within the ACoR.

1.2 Main research question

• To what extent is (cyber-)resilience within the framework of ACoR measurable through the Human Aspects of Information Security Questionnaire (HAIS-Q)?

1.3 Sub research questions

• What is the Adaptive Cycle of Resilience?

• What is cyber resilience?

• What is the Human Aspects of Information Security Questionnaire (HAIS-Q)?

• To what extent do ACoR, HAIS-Q and cyber resilience overlap?

2 Related work (Literature review)

2.1 Setting the scene

The concept of resilience is widely studied and applies to organizations, humans, information systems, and even society. What these have in common is that they can be viewed as complex systems that are subject to dynamic and constant change. Being resilient is about being able to withstand disruptions, and about being able to recover from them.

Cyber resilience, often regarded as a sub-discipline of resilience, is on the one hand about returning to normal in the event of a disruption on (digital) information systems, and on the other hand also about preventing disruptions from significantly affecting the continuation of business processes.

Although resilience and its sub-disciplines have been studied since the 1960s, research into measuring the human aspects of cyber resilience is limited. However, scientists recognize that human aspects have an impact on cyber resilience (Evans, Maglaras, He, & Janicke, 2016; Proctor & Chen, 2015; Rege, 2016; Sasse & Rashid, 2019). There is no consensus within the literature as to why research into human aspects remains limited while those aspects still significantly affect cyber resilience, but there are thoughts within the scientific community. Measuring human aspects is a challenge in itself, let alone measuring human aspects within other disciplines such as cyber resilience. Also, in recent years a lot of research has been done on the non-human aspects of cyber resilience, where research is easier to validate.

Technical measures are getting better by the day, so cyber criminals are increasingly choosing attacks that do not focus on just technical weaknesses. After all, how secure is a state-of-the-art encryption technique if an employee of an organization accidentally or intentionally gives his password to a cybercriminal? In this chapter the existing literature is used to provide a picture of the current state of understanding of the adaptive cycle of resilience, cyber resilience and how human aspects can be made measurable by tools such as the Human Aspects of Information Security Questionnaire (HAIS-Q).

2.2 Adaptive Cycle of Resilience

Almost all organizations need information systems, IT architecture and (digital) information, and must be able to be in control of them in order to achieve their business goals. Organizations cannot accomplish their goals in a sustainable manner, and with it survive, without precise information management (Abcouwer, Takács, & Banga, 2020b).

The Adaptive Cycle of Resilience is a resilience-related model developed by Abcouwer and Parson (2010) and is based on the research of Thompson (1967), Holling (1973), Gunderson (2000) and Heene, Vanhaverbeke, and Vermeylen (2012). The simplified principle of the model is that an organization is in balance when what it wants or needs is in line with what it can do. Organizations can use the model because it offers a perspective on how to deal with periodically recurring crises. The model is context independent, which means that it can be light enough for smaller organizations, but is thorough enough to be helpful or even necessary for large organizations. Central to the model is the idea of continuous and dynamic changes that organizations may face at any time, and which therefore must be accounted for (Abcouwer et al., 2020b).

Based on the idea by Thompson (1967), two dilemmas can be set against each other in order to create a conceptual plane that can be divided into quadrants, which helps to view reality in a different way. Abcouwer and Parson (2011) found that by opposing the dilemmas want/can and certain/uncertain, it is possible to create a four-quadrant model that makes it possible to map out the particular phase an organization currently resides in. The four phases are (1) Equilibrium, (2) Crisis, (3) New combinations and (4) Entrepreneurship.

Abcouwer and Smit (2015) noted that organizations' movements through the plane are not random, but predictable and lemniscate-like when viewed through the model. An organization that is in equilibrium will inevitably find itself (abruptly or gradually) in a crisis situation, thus moving from Equilibrium to Crisis. Another example is an organization in a crisis that will seek to get out of it by finding innovative ways of using resources in novel and creative ways, thus moving from Crisis to New combinations. Figure 1 shows the Adaptive Cycle of Resilience, and the lemniscate-like cycle an organization follows through each quadrant. Since contexts can vary across different organizations, it is important to note that the cycle as described in the model is not absolute in the sense that it is rigid, and it is also not bound to fixed time frames (Abcouwer et al., 2020b).


Figure 1: Adaptive Cycle of Resilience (Abcouwer & Parson, 2011)

Abcouwer and Smit (2015) describe how each phase within the model requires specific choices, resources and focus of an organization in order to be able to advance to the next phase. For example, when an organization resides within the equilibrium phase, it must ask itself the question "how to prevent problems from happening?", so that it will not be launched into a crisis. Table 1 describes the differences of each phase within the Adaptive Cycle of Resilience in terms of questions it must ask, traps that may be encountered, and how to advance to the next phase.

Phase  Name              Critical question to ask              Traps      Advancing to next phase
1      Equilibrium       How to prevent problems from happening?  Lock-in    Release
2      Challenge         Which options?                        Poverty    Reorganisation
3      New combinations  How to choose?                        Isolation  Exploitation
4      Operationalism    Prepare for challenges?               Rigidity   Conservation

Table 1: Comparing the features of the quadrants within the Adaptive Cycle of Resilience (Abcouwer et al., 2020a)

2.2.1 Resilience types

Abcouwer et al. (2020b) recognize three types of resilience, each with its own characteristics and usefulness within organizations. For example, an organization that is currently in equilibrium will likely try to remain in that state by having the ability to recover from relatively minor disturbances. This type of resilience is called Engineering resilience and is useful when it is clear to an organization what it wants and what it can do. However, when an organization is facing a disturbance that forces it to move out of equilibrium towards a crisis (challenge) state, it is no longer useful to think in terms of Engineering resilience. The type of resilience that describes the movement from an equilibrium to a crisis, and then to new combinations, is called Ecological resilience. Ecological resilience is better suited to organizations that are uncertain about what they want and what they can do. The main difference between Engineering resilience and Ecological resilience is that in Ecological resilience change is normal and needed. The type of resilience required for an organization to move from new combinations to operationalisation and then to an equilibrium is called Social resilience. This type of resilience is in essence the same as Ecological resilience, except that the focus is not so much on the need for change, but more on the ability of people to adapt to a new system so that its desired characteristics can be maintained.

A truly resilient organization is about being adaptive, and therefore must be able to recognize and apply the different types of resilience needed to continuously adapt to the challenges the organization may face. The view on resilience in which the three types are all applied correctly is called strategic resilience. Organizations no longer have a choice in whether or not to be adaptive; this VUCA¹ world demands adaptivity.

2.2.2 The role and influence of information and ICT

Abcouwer and Parson (2011) note that because ICT is a major driver in most organizations and an initiator of cyclical change, ICT plays an essential role. At least three significant roles can be attributed to ICT: optimizing operations, facilitating search, and facilitating ongoing change (Abcouwer & Smit, 2015).

2.3 Cybersecurity & Cyber Resilience

Cyber resilience is a sub-topic of the broader topics of resilience and cybersecurity, and itself consists of several sub-topics. explained cyber resilience as "[...] the ability of the system to prepare, absorb, recover, and adapt to adverse effects, especially those associated with cyberattacks". Cyber resilience can be explained in and applies to diverse contexts, such as an organizational context, a global context, the context of Critical Infrastructure (CI), the context of a (complex) system, etc.

For an organization to be resilient within the context of cyber resilience means being able to offer continuity of services and products despite being targeted by cyber threats (Shoemaker, Kohnke, & Sigler, 2018). However, cyber resilience is also about having the ability to efficiently and effectively return to a normal and stable state after being in a crisis state. Cyber threats are becoming increasingly unpredictable, which leaves traditional risk assessments and cybersecurity measures increasingly unable to address and mitigate cybersecurity threats regarding critical infrastructure systems (Siddiqui, Hagan, & Sezer, 2019). For this reason, traditional methods of hardening cyber systems against known threats are shown to be only somewhat effective. While impractical, detaching cyber systems from the Internet would be the only real defensive measure cybersecurity experts could take to harden systems against the myriad of potential cybersecurity threats. Thus, much like biological systems build immunity to respond to infections and other attacks on the immune system, so too must cyber systems adapt to continually evolving threats that keep targeting critical system functions, and recover from the consequences of the attacks (Linkov et al., 2014).

Organizational resilience is important because the increasing presence of advanced cyber threats makes it inevitable that every organization will ultimately be targeted (Ramdin & Blackwell, 2015). Cyber resilience recognizes that there are too many cutting-edge hacking tools to prevent sophisticated attackers from finding the cracks in even the most robust cybersecurity perimeter (Lois, 2015). Thus, there is a need for a new paradigm. (Shoemaker et al., 2018)

The concept of cyber resilience is supported by three of Saltzer and Schroeder's lesser-known principles:

1. Economy of mechanism: Keep the design as simple and small as possible.

2. Least common mechanism: Minimize the amount of mechanism common to all users.

3. Work factor: The cost must be greater than the potential attacker is willing to commit.

These principles make the cyber resilience concept more effective and less resource intensive than other approaches. Economy of mechanism locks up just the critical assets. This allows for simplicity in the design and implementation of the protection. It also concentrates resources on ensuring the protection of the critical assets rather than diffusing the investment across all assets. Most importantly, if the protection of the critical asset is made robust enough, attacking it will become too expensive and time consuming for the attacker, forcing them to move to more vulnerable targets. (Shoemaker et al., 2018)

2.3.1 Alpha factors & Beta factors

Many researchers agree on the idea of human factors affecting cyber resilience and that awareness can be utilized as a means to improve the human aspects of cyber resilience (Evans et al., 2016; Hadlington, 2017; Proctor & Chen, 2015).

2.3.2 Cyber State-/Non-State Actors

In the non-digital world, criminals can often be ranked by their skills and the resources they have available to them. The more skills, resources and motivation a (group of) criminals have, the more successful they become in achieving their goals. This idea can also apply to cyber-criminals. Cyber-criminals with a deep knowledge of programming are more dangerous than simple 'script kiddies' who are mostly at an amateur level of programming knowledge. It is essential to make a distinction between the types of attackers because each distinct type has distinct goals it wants to achieve and requires a different approach to defend against. Sigholm (2013) described 15 types of non-state sponsored actors active within cyberspace, ranging from civilians to organized cyber-criminals. Sigholm (2013) found that each type can have a different motivation, target, and method they employ to conduct an attack.

Zoller (2012) expanded on the idea of the trade-off that exists between actor types within cyberspace and created a conceptual model (figure 2) depicting the trade-off between (1) motivation/sophistication/funding vs (2) attacker class and the ratio in which they exist vs (3) typically targeted assets and the value connected to them. The top row of the three pyramids corresponds to a (1) highly motivated/sophisticated/well-funded, (2) state-funded actor who typically targets (3) high-value assets such as intellectual property. These actors are the most dangerous but are also mostly interested in big corporations or nation-states.

Figure 2: Attacker Pyramid Triads (Zoller, 2012)

2.4 Cyberattack methods

There are different attack methods, ranging from flooding an organization with internet requests (DDoS attack) to stealing a password that is used to log in to an online mail inbox. However, this research focuses on attack methods that are designed to exploit weaknesses of humans, or inherently human traits.

Humans are curious by nature (Berlyne, 1954; Kobayashi, Ravaioli, Baranès, Woodford, & Gottlieb, 2019). Cyber attackers therefore regularly exploit this inherently human trait. By far the most popular way of exploiting a human's curiosity is phishing. Verizon (2020) reported that of the 2907 breaches that occurred worldwide, 25% could be attributed to phishing attacks, making it the top attack method for successfully breaching an organization, closely followed by the use of stolen credentials.

2.4.1 Phishing & Spear-Phishing

Phishing is an attack method of cybercriminals that attempts to get a human to click on a malicious link or open a malicious attachment (Jagatic, Johnson, Jakobsson, & Menczer, 2007). A phishing attack consists of a container, which is often an email, text message or instant message, and a payload, such as a malicious URL or an attachment containing malicious files. A spear-phishing attack is a more sophisticated and less common type of phishing. Figure 3 visualizes the container and payload.

2.4.2 Phishing as a container

Figure 3: Phishing container and payload

The term phishing comes from the notion that an attacker 'lures' their victim with seemingly interesting, but often fake information that 'baits' someone into clicking on a link, leading him or her to a malicious website, or into opening an attachment containing viruses and malware. Phishing can also be seen as a form of social engineering, which is the act of manipulating humans in such a way that they do tasks that they would not have done under normal circumstances.

For example, a cybercriminal sends out more than 1000 emails (n > 1000) to a list of people, claiming to be their bank, with the message that suspicious transactions have been made on their accounts. The people are urged to click a link and confirm their identity by logging in to their account. If they click on the link and fill in their account details, they have essentially given away their login information to a criminal. Nowadays, most people in highly digitized societies have learned to recognize these messages as fake and will not act on those kinds of mails (Verizon, 2020). However, there is still a significant portion of people who are susceptible to phishing attacks for a multitude of reasons. Dhamija, Tygar, and Hearst (2006) found that the most common reason for people to fall for phishing emails is that they are unable to recognize the digital message as a phishing attack.

2.4.3 Spear-phishing as a container

Spear-phishing is, in contrast to the regular type of phishing, an email attack that is tailor-made for the recipient(s) of the digital message. The term comes from the notion of using a 'spear' to hunt for a specific 'fish', instead of using a more general 'fishing rod' in combination with general 'bait', which is not used to catch a particular 'fish'. Spear-phishing attacks are highly targeted and often take local context into account, which results in a seemingly more realistic message (Wang, Herath, Chen, Vishwanath, & Rao, 2012). Wang et al. (2012) found that a seemingly more realistic message decreases people's ability to recognize it as phishing, which in turn leads to a higher phishing-susceptibility rate.

2.4.4 Common Payloads

The payloads are inside the container of a phishing attack and are often a URL or an attachment. The risk of clicking a URL or opening an attachment depends on what happens when someone performs that action. For example, a click on a URL could lead a user to a fake website that is designed to look like a Gmail login screen and that attempts to steal the user's account credentials.

Common and relatively non-dangerous payloads are included in most phishing attacks, which makes them less effective at disrupting the target.

2.4.5 0-day threats as a Payload

Most antivirus software is signature-based, which puts it at risk when dealing with 0-day threats. A 0-day threat is entirely new and has not yet been observed by cybersecurity researchers, which means that antivirus software will not identify it as harmful through its digital signature. Because 0-day threats are by definition impossible to detect through signatures, they are relatively more dangerous than common payloads. 0-day threats can exploit vulnerabilities of a system while remaining undetected by traditional signature-based antivirus software. The downside for a criminal is that 0-day vulnerabilities are rare and if

2.4.6 Mitigating (Spear-)Phishing Attacks

Regular phishing attacks can be partly mitigated by technical measures such as firewalls, virus/malware scanners and spam filters, because these kinds of attacks are often performed en masse and are therefore widely reported and documented. This allows cyber researchers to identify the digital signature or behaviour patterns of malicious files. The digital signatures can then be shared with other cyber research institutes and vendors, such as Microsoft or McAfee, so they can update their antivirus software with the latest cyber-threat information and these threats can be automatically identified and blocked.

In general, the more an attack is reused on a large scale, the more this incentivizes cyber researchers to come up with a way to mitigate the risk, which ultimately leads to a less effective attack. This is one of the reasons that cyber research institutes and industry best practices recommend keeping operating systems, software and virus signature databases up to date.

2.5 Measuring Alpha Factors of Cyber Resilience

Because they protect the organization's priority assets, the control set in a cyber-resilient system must be thoroughly and consistently inspected and tested. The controls that make up that system are real-world entities, which are subject to failure and irrelevance. Therefore, the general process for ensuring their reliability is a continuous assurance function, which is capable of characterizing the explicit level of performance of the current control architecture against the organization's assurance goals. The aim of that process is to be able to say with reasonable certainty that the aggregate control set for any given cyber-resilient protection scheme is effective, given the strategic aims of the organization. (Shoemaker et al., 2018)

Common methods to measure cyber resilience and cybersecurity posture are conducting audits and having (automated) software tools test for predefined indicators (such as firewalls, virus scanners, attempted privileged access, and configuration change scanning). These common methods are effective at measuring hard beta factors, but they are less able to measure the current level of cybersecurity awareness within organizations.

Awareness of cybersecurity can improve knowledge, attitude and behaviour of employees, which is therefore an effective way of strengthening defensive measures against human-centered cyberattacks such as phishing (Parsons et al., 2017a).

For many organizations, the awareness of users is difficult to quantify and therefore also difficult to measure. For this reason, many organizations focus their cybersecurity measuring efforts on the hard beta factors. Many organizations acknowledge that the human factor influences cyber resilience, and most of the organizations that work on improving their cybersecurity have some form of cybersecurity awareness program in place. These programs are focused on improving the knowledge, attitude and behaviour of the people within the organization with regard to cybersecurity. However, most organizations that have an awareness program in place seem unable to answer the question of how aware their employees are at a certain point in time. Multiple scientific tools have been developed that aim to measure the cyber resilience of organizations or underlying information systems. However, little research has been done on measuring the human aspects of cyber resilience, even though many researchers agree that the human factor plays a significant role within cyber resilience. Parsons, McCormac, Butavicius, Pattinson, and Jerram (2014) developed the Human Aspects of Information Security Questionnaire (HAIS-Q), which is currently the only scientific, peer-reviewed method available to measure the human aspects within cyber security (Parsons et al., 2017a). The HAIS-Q has been quantitatively validated by people involved in the creation of the HAIS-Q, which can be scientifically valid. However, the scientific community interested in the HAIS-Q may benefit from research that further validates or invalidates it. Because the HAIS-Q has only been validated quantitatively in Australia, knowledge about the HAIS-Q currently lacks validation on the qualitative side and on what the HAIS-Q can bring to countries outside Australia.

2.6 Integrating all information thus far

Current literature on the Adaptive Cycle of Resilience, cybersecurity, cyber resilience and the human factor of cybersecurity was analyzed and integrated, which serves as a working foundation for this research going forward.

Cyber resilience seems to fit within the framework of the Adaptive Cycle of Resilience. Both topics can be integrated with each other and can make use of each other's strengths. For example, the ACoR can be adjusted to take the implications of cyber resilience (such as the importance of measuring alpha and beta factors) into account. And cyber resilience can learn from and adjust to the fundamental idea of the ACoR, in the sense that resilience is not only continuous, but should also be adapted to what an organization wants and what it can do. What both topics have in common is that the human element is essential. Although the human element is essential for both, measuring the human aspects within these frameworks is not yet fully understood. There is limited to no scientific consensus when it comes to measuring the human aspects of resilience.

The fact that measuring the human aspects of cyber resilience within the Adaptive Cycle of Resilience is not yet fully understood, while those aspects are at the same time important enough to significantly affect cyber resilience, is reason to explore this topic further. The following chapter studies cases that deepen the understanding of the currently existing knowledge gap with regard to measuring the human aspects of cyber resilience within ACoR.

3 Case analysis

3.1 Chapter expectations

As shown in chapter 2, current literature suggests that humans play a role in cyber resilience, while simultaneously being hard to measure. To investigate this further, three well-known and well-documented cases are analyzed to show how the human factor might play a role in this. Each case is described, after which the extent to which the human factor played a role in the cyber disruption is discussed.

3.2 Ukraine power grid disruption

The cyberattack on the Ukrainian power grid is an example of a society-disrupting event, where a country suddenly finds itself in a crisis. To understand how the country came to be in this situation, it is important to understand how the cyberattack was executed. Lee et al. (2016) found that the attack consisted of 5 key points:

1. Prior compromise of corporate networks using spear-phishing emails with BlackEnergy malware;

2. Seizing SCADA under control, remotely switching substations off;

3. Disabling/destroying IT infrastructure components (uninterruptible power supplies, modems, RTUs, commutators);

4. Destruction of files stored on servers and workstations with the KillDisk malware;

5. Denial-of-service attack on the call-center to deny consumers up-to-date information on the blackout.

Although all points contributed to the disruption of the power grid, point 1 was the reason the attackers gained initial access to the systems of Kyivoblenergo. It is therefore critical to understand how the initial access was gained.

The corporate networks of Kyivoblenergo were compromised through a spear-phishing attack, which is a more sophisticated and less common type of phishing attack. The combination of a spear-phishing container with a 0-day payload was enough to breach the security measures they took. Both the human-factor (recognizing the spear-phishing container) and the automated technical tools (identifying and blocking the 0-day payload) failed in stopping the attack, which paved the way for the attackers to advance within the organization. If either the container was recognized by a human as a spear-phishing attack, or if the payload was identified and blocked by an automated tool, Kyivoblenergo would not have been breached in this specific way.

3.2.1 The human element

This further emphasizes the idea to take the human element into account when an organization is setting up their cybersecurity. However, although taking the human factor into account within cybersecurity research is nothing new within the scientific community, there is no scientific consensus or an industry best practice on measuring the human element within cyber resilience.

This raises the question: Could the hack have been prevented through measuring and reinforcing the human aspect of cybersecurity? This question is further explored by analyzing additional well documented cyber disruptions.

3.3 Disruption of Universiteit Maastricht

Another example of a cyberattack that disrupted a public organization is the case of the Universiteit Maastricht (Inspectie van het Onderwijs, 2020). During the period from 15 October 2019 to 30 December 2019, Maastricht University had to deal with a ransomware attack on its infrastructure. This attack resulted in the encryption of systems critical to UM's business operations, which impacted around 4500 employees and 18,000 students. These systems include the e-mail servers, file servers containing research and business operations data, and a number of backup servers (Dijkstra & Dantzig, 2020).

To understand how the University of Maastricht came to be in this situation, it is important to understand how the cyberattack was executed. Dijkstra and Dantzig (2020) and Inspectie van het Onderwijs (2020) found that the attack consisted of 4 key points:

1. Prior compromise of university networks using phishing emails containing links to SDBBot malware;

2. Additional reconnaissance and distribution within the network;

3. Attacker acquires domain admin rights;

4. Preparation and rollout of Clop-ransomware.

3.3.1 Initial compromise

In the period mid-October 2019, malicious parties sent a phishing email to an email address of Maastricht University. This legitimate-looking mail contained a link to an Excel document with macro functionality, which was opened by a Maastricht University employee. The macro functionality then ensured that SDBBot malware was retrieved and executed on the workstation (Dijkstra & Dantzig, 2020).

One day later (after the first phishing attack was successful) five other e-mail addresses connected to the university received a phishing e-mail. These mails again contained a link to an Excel document with macro functionality, which retrieved the same SDBBot malware, and the malware was executed on an additional workstation.

In the following months, until December 23rd, information was collected about the internal application and network architecture and, due to missing security updates, limited segmentation within the network and failure to follow up various alarm signals, the attackers were given room to gain control over the main server (domain server). This server was eventually used to disable the antivirus software on all servers and workstations and to roll out the so-called Clop-ransomware. The Clop-ransomware encrypted critical servers containing research and business files, making it impossible to use or read the files.

After running the Clop-ransomware, the attackers left behind an instruction in which they demanded a certain amount of money if the university wanted to have access to its files again.

Backup servers were also encrypted, which meant that the university had no way to restore files. The university decided to pay the attackers for the decryptor of the Clop-ransomware, which made it possible to decrypt the files.

3.3.2 The human factor

Similar to the cyber disruption in Ukraine, the attacker managed to gain initial access to the university's systems through a phishing attack specifically targeting humans. However, the technical measures also contained gaps, as found by Dijkstra and Dantzig (2020), and could possibly have stopped the attack if they had been in better order. This does not alter the fact, however, that humans had been successfully compromised at an earlier stage, which is the source of the attack. In line with risk-management theory, it is generally favourable to mitigate risks at the source, instead of in the later stages that follow the cause of a certain risk.

Again, the question can therefore be asked whether the hack could have been prevented by measuring and improving the human factor of cybersecurity.


3.4 Twitter hack

On Wednesday 15 July 2020, it became clear that access to 130 Twitter accounts had been gained by malicious parties (Twitter, 2020b). On these accounts (with millions of followers) Tweets were then posted stating that people could temporarily double their money (in Bitcoin) if they transferred an amount to a certain address, belonging to the fraudsters. The attackers used Twitter accounts of famous people such as Elon Musk (37 million followers), Barack Obama (120 million followers) and Bill Gates (51 million followers) to share these fraudulent messages. Millions of people saw the messages and some of them also transferred Bitcoins. A total of 400 transactions were made with a total value of over 100,000 euros. Twitter share prices dropped 1% on the following day, and many people started doubting whether the platform was still secure (Menn, Paul, & Hosenball, 2020).

The attack proceeded in the following steps:

1. Hacker met a Twitter employee and used social engineering to get him to sell his Twitter account login credentials to him;

2. Hacker then had access to a Twitter employee-only tool that was used to replace the e-mail addresses belonging to high-profile accounts, and to remove 2-factor authentication;

3. The forgot-password functionality was then used on high-profile accounts, which sent an email to the mail address associated with the account, which the hacker had just changed to an address of their own choosing;

4. The accounts were then under the control of the hackers, and were used to Tweet a message claiming it was possible to double one's money by sending bitcoin to a specific address.
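One way a defender could detect the sequence in steps 2 and 3 in a support-tool audit trail, as an added example that is not part of the original thesis: it correlates e-mail changes, 2FA removals and password resets per account, and separately flags one operator touching many accounts in quick succession. The log format, action names, actor names and time windows are assumptions; the sample log is constructed, not real Twitter data.

```python
"""Correlate admin-tool audit events into the account-takeover chain:
email_change -> mfa_disable (same operator) -> password_reset, per account."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample audit log. Format "<ISO timestamp> <actor> <action> <account>"
# is an assumption, not the format of any real support tool. Password resets are
# logged under the actor "system" because they are triggered from the public
# "forgot password" flow, not from the internal tool.
SAMPLE_LOG = [
    "2020-07-15T20:01:10Z support01 email_change acct_a",
    "2020-07-15T20:01:40Z support01 mfa_disable acct_a",
    "2020-07-15T20:03:05Z system password_reset acct_a",
    "2020-07-15T20:05:12Z support01 email_change acct_b",
    "2020-07-15T20:05:30Z support01 mfa_disable acct_b",
    "2020-07-15T20:06:50Z system password_reset acct_b",
    "2020-07-15T20:09:00Z support01 email_change acct_c",
    "2020-07-15T20:09:20Z support01 mfa_disable acct_c",
    "2020-07-15T20:10:40Z system password_reset acct_c",
    # Benign: a single email change, 2FA left intact, reset hours later.
    "2020-07-14T09:12:00Z support02 email_change acct_d",
    "2020-07-14T13:40:00Z system password_reset acct_d",
]


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    account: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse the constructed log lines into Events sorted by timestamp."""
    events = []
    for line in lines:
        ts, actor, action, account = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, actor, action, account))
    return sorted(events, key=lambda e: e.ts)


def detect_takeover_chain(events: List[Event], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag accounts where one operator changed the contact e-mail and removed 2FA,
    followed by a password reset, all within `window` of the e-mail change."""
    by_account: Dict[str, List[Event]] = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            if first.action != "email_change":
                continue
            later = [e for e in evs[i + 1:] if e.ts - first.ts <= window]
            mfa = next((e for e in later if e.action == "mfa_disable" and e.actor == first.actor), None)
            if mfa is None:
                continue
            reset = next((e for e in later if e.action == "password_reset" and e.ts > mfa.ts), None)
            if reset is None:
                continue
            alerts.append({"account": account, "actor": first.actor, "start": first.ts, "end": reset.ts})
            break  # one alert per account is enough
    return alerts


def detect_bulk_operator(events: List[Event], threshold: int = 3,
                         window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Flag an operator who edits the security settings (e-mail or 2FA) of
    `threshold` or more distinct accounts within `window`; legitimate support
    work rarely looks like that."""
    by_actor: Dict[str, List[Event]] = {}
    for e in events:
        if e.action in ("email_change", "mfa_disable"):
            by_actor.setdefault(e.actor, []).append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            touched = {e.account for e in evs[i:] if e.ts - start.ts <= window}
            if len(touched) >= threshold:
                alerts.append({"actor": actor, "accounts": sorted(touched), "start": start.ts})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_takeover_chain(evs):
        print("takeover chain:", a["account"], "by", a["actor"], a["start"], "->", a["end"])
    for a in detect_bulk_operator(evs):
        print("bulk operator:", a["actor"], a["accounts"])
```

Both detectors are after-the-fact correlations; the stronger control is to require a second approver for e-mail or 2FA changes on high-profile accounts so that a single compromised employee login is not enough.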

The hack on Twitter was not a complex case relative to the Ukraine and Universiteit Maastricht cases, but it was effective, unprecedented and a major disruption. There were no months of preparation and once initial access was gained, no additional reconnaissance was performed. The hackers did not look for a maximum amount of money, but instead looked for a fast way to make money.

Twitter is becoming more and more critical to the world’s infrastructure, since it is a platform used by world leaders, politicians, corporations and other people, consisting of about 166 million active users per day (Twitter, 2020a). Twitter’s growing importance is recognized by many, which is for some people reason to declare Social Media and Twitter to be Critical Infrastructure. Cybersecurity experts predicted that the impact of the hack could have been worse, by spreading fake news to influence the upcoming U.S. Presidential Elections, or by spreading misinformation about the Covid-19 crisis, or by sharing private conversations between powerful people (McMillan & Volz, 2020).

3.4.1 The human factor

Although in this case more general social engineering methods and no specific phishing methods were used to gain initial access to Twitter's internal systems, the attack was still focused on the human factor of Twitter's cybersecurity measures. Similar to the cases of Ukraine and Universiteit Maastricht, mistakes were made on both the human and the technical side of cyber resilience. This further strengthens the idea that both human and technical aspects of cybersecurity are essential to cyber resilience. The foundation of the question whether measuring and improving the human factor of cybersecurity could have prevented this disruption has been solidified and seems relevant enough to explore further.

3.5 General summary of the case analysis

The real-life cases analyzed in this chapter show that the human factor before a disruption occurs can be part of the cause. The analysis of the cases shows the impact of the human aspects on (cyber) resilience, but also shows the need to have more control over it. The literature review provides a theoretical framework for this research and the analysis of the cases gives a practical need for a better understanding of the human aspects of cyber resilience.


4 Methodology

4.1 General approach

As shown in chapter 2, the ACoR can be regarded as a flexible framework that allows organisations to look at resilience through different contexts, such as the context of cyber resilience. Furthermore, the literature has shown that the HAIS-Q is the only quantitatively validated tool designed to measure the human aspects of cyber resilience. Although already quantitatively validated, the HAIS-Q is not yet qualitatively validated. Chapter 3 has shown that there is a practical need for measuring the human aspects of cyber resilience.

The research methodology consists of a number of steps. Literature research has been conducted in an effort to review, combine and connect state-of-the-art literature on the different fields and topics. Case-study analysis has been done to gain a deeper understanding about how the human aspects play a role before and during a cyber disruption in practice. Given that the HAIS-Q has already been partially validated quantitatively by Parsons et al. (2017b), a qualitative analysis will be done through semi-structured interviews in an attempt to validate the HAIS-Q qualitatively and gain novel and deeper insights into measuring the human aspects of cyber resilience through the HAIS-Q or similar tools. The resulting data will be analysed by processing and encoding the results. Finally, a conclusion is drawn, which will be discussed.

4.2 Semi-structured interviews with domain experts

Recent research by Fujs, Mihelič, and Vrhovec (2019) on the topic of qualitative research methods in cybersecurity found, by analyzing 160 papers, that several research methods are in use. The three most common methods found are interviews, case studies and observation. Conducting an interview is by far the most popular method among cybersecurity researchers. The researchers further noted that "A well-prepared interview with interviewees that can provide meaningful insights may [...] be more beneficial by providing deeper insight than sampling that resembles random sampling in quantitative methods." (Fujs et al., 2019).

A total of 7 semi-structured expert interviews need to be conducted in order to have sufficient input, and to ensure that a sufficiently wide range of specialists has been involved. The selection of interviewees is based on their current role, experience, and the industry they are active in. Care was taken to avoid similar candidates, to prevent skewed or biased results from a certain industry or role. A list of candidates, their role and the industry they are active in can be found in appendix A in table 2. The final interview protocol, containing the questions that were asked during the interviews and the process all interviews followed, can be found in appendix B. The first interview is seen as a pilot, through which possible inaccuracies can be corrected or process improvements can be made. The interview protocol was revised once after the pilot interview in order to shorten the introduction, put the questions in more colloquial language and correct some typing errors within the questionnaire.

The interview protocol was designed according to the principles as described by the Harvard strategies for qualitative interviews. Interviews started with an introduction to the topic, where the research is explained and the necessary information is given to conduct the interview.

The interviews start with an introduction in which the reason for and the purpose of the research are explained. It also covers what will happen during the interview and what the expert can expect. After the introduction it is clear to the interviewee what the subject is, and he or she can decide not to participate in the research; participation is confirmed during the consent questions. If the consent questions are answered positively, general questions are asked before the questionnaire. One of the purposes of this part of the research is to gauge the current experience of the interviewee with respect to cyber resilience, so that any insights given by the interviewees can be seen in that context. After the general question section, the HAIS-Q is filled in by the interviewee. This is the original HAIS-Q, as intended for an end user, but the order of the questions is not randomized, so that evaluation of specific questions is easier.

Immediately after filling in the HAIS-Q the open question "What do you think of the HAIS-Q?" is asked, which is a deliberately unstructured question. By asking this question before the more specific, structured evaluation questions, there is an opportunity for the interviewee to give an unbiased opinion that has not yet been influenced by unintentionally steering questions from the interviewer. This question can lead to new insights that might remain hidden behind the structured nature of structured questions. The semi-structured questions are about evaluating the HAIS-Q as a 'good' measure. Shoemaker states that a measure such as, for example, the HAIS-Q has to possess 5 characteristics in order to be seen as a good measure. The interviewee answers 5 questions about these characteristics. During the evaluation, the expert is also asked whether the HAIS-Q can contribute to increased information security awareness, because the literature sometimes shows that starting to measure values within an organization can in itself increase awareness.

In addition, the HAIS-Q is evaluated by asking what the expert thought was good and less good about it. Finally, the expert has the opportunity to ask questions, share comments or give further insights. After the results have been collected, they will be coded and analyzed using the Atlas.ti tool.

5 Results

5.1 General summary of the results

A total of seven Dutch experts were interviewed. Five of the seven interviews took place via Skype or Microsoft Teams, because the coronavirus did not allow for some interviews to be conducted in-person. The interviews were transcribed, after which they were coded and analyzed using the atlas.ti tool. This chapter contains the interviewees’ insights regarding cyber resilience and the qualitative assessment of a good meter according to Shoemaker in the context of the HAIS-Q.

5.2 General open questions before filling in the HAIS-Q

Answers to the open questions regarding the initial compromise caused by a human or technical factor:

• An interviewee noted that he felt that it is not always possible or even fair to conclude that the initial compromise of a digital disruption can be attributed solely to a human factor or solely to a technical factor. Instead, he proposed, in real-life situations it is often a combination of both human and technical factors resulting in the initial compromise which leads to a digital disruption. He further noted that even technical factors can be further attributed to human design flaws, since the technical solutions are designed by humans.

Answers to the open question of how an interviewee can make the human side of cyber resilience better measurable provided the following insights:

• Measuring the human factor of cyber resilience is difficult, because you also try to measure the way you work, which is part of the organization’s work culture. Work culture is something that is difficult to measure, because it differs from person to person, for example, but also because it can vary from moment to moment, which makes it impossible to look at specific cases, which makes it an elusive thing. Work climate, however, can be measured, because it is a snapshot and therefore you can measure what the current situation is with a ’thermometer’. Looking at cyber resilience it is easier to measure the indirect cause, for example awareness, than to measure the direct cause such as culture.

• The difficult thing about measuring the human factor of cyber resilience is that there is a difference between what people say (the socially desirable answer to a survey) and what people actually do (something that contradicts what people say).

5.3 Open evaluation of the HAIS-Q

Feedback was given about the HAIS-Q before asking structured questions about it:

• The 5-point Likert scale forces a person to make a choice between strongly agree and somewhat agree, which is experienced as a big difference. This may not represent reality. A 7-point scale or a Likert scale with different wording might be more appropriate.


• The questions of the HAIS-Q are relevant to the topic of making the human factor of cyber resilience measurable.

• The sometimes steering character of the questions made the 'correct' answer seem clear, inviting socially desirable answers instead of honest ones. This does not seem to be related to the knowledge and experience of a user, which means that even a layman can give socially desirable answers. This underpins the notion that the HAIS-Q is more suited towards measuring what people know, rather than what people do.

5.4 Shoemaker's characteristics of a good meter

Shoemaker’s 5 characteristics of a good meter were used to qualitatively assess the HAIS-Q. Insights and feedback from interviewees are categorized per characteristic:

• Simple - Definition and use of the metric is simple.

– All interviewees agreed that the questions were simple. The level was such that the questions could be answered by a layman.

– Some of the interviewees thought the questions were too simple, which made it abundantly clear to them what the right socially desirable answer was. The way in which some questions had been asked seemed to seek confirmation, instead of taking a more objective standpoint. One interviewer mentioned as an example: 'you are not allowed to walk through the red traffic light, are you?'

• Objective - Different people will give same value.

– Almost all interviewees agreed that different people are likely to give the same answer to the same question. However, different reasons were given for this:

∗ The 5-point Likert scale makes too big a distinction in the steps used for the different answers, so people are likely to give a less ’extreme’ answer and therefore tend to answer around a center point.

∗ The questions sometimes seem to point to the desired correct answer, which means that the same outcome is achieved for those questions.

– Two interviewees found it likely that the uniqueness of a human being will cause them to look at questions differently, which will result in different results compared to another human being. However, the interviewees did agree that if a person would answer the questions again at a later time, there would be sufficient objectivity assuming that the persons would all answer the questions honestly.

• Easily collected - The cost and effort are reasonable.

– Opinions were divided on how easy the data can be collected. About half (4 out of 7) of the interviewees found the effort and cost required to collect the data acceptable, the other 3 found this unacceptable.

– Reasons given for finding the effort required to collect the data acceptable:

∗ The questionnaire is online and the questions are relatively simple to answer.

∗ The questionnaire is modular, and depending on the needs of an organization only certain modules can be incorporated, without making the questionnaire less effective.

∗ The full questionnaire only takes about 30 minutes to complete. If this is to be done periodically, but not too often, the balance between effort and benefit to the organization is acceptable.

– Reasons given for finding the effort required to collect the data unacceptable:

∗ Organizations that set up their processes lean have to justify every minute. The persons who work in a lean organisation therefore try to remove all actions which do not directly contribute to the primary process. Completing a periodic questionnaire of about 30 minutes is considered too heavy for this kind of organization. After all, if a questionnaire has to be filled out for the cyber resilience theme, this may also have to be done for other themes, which makes the process increasingly heavy. This choice must therefore be made at board level.

• Robust - Metric is insensitive to irrelevant changes.

– Three interviewees indicated that it was difficult for them to answer this question, because after only filling in the questionnaire once, they could not properly assess whether the answers to the questionnaire could be influenced by unintentional changes.

– The other interviewees estimate that the questions are robust enough not to be affected by irrelevant changes, because the questions are specifically focused on sub-themes within cyber resilience.

• Valid - Metric measures what it is supposed to.

– In general, the HAIS-Q does indeed measure what it should measure, namely the human factor within information security. However, 3 interviewees found that there was a limitation, in that the HAIS-Q especially measures the indirect aspects of the human factor. Indirect factors here mean what people know; a direct factor would be what people actually do. The purpose of the HAIS-Q should therefore be clear beforehand. Does the organization want to measure knowledge and awareness, or does the organization want to measure actual human actions? For the first scenario the HAIS-Q is, according to all interviewees, at least suitable; for the second scenario there are differing opinions.

– There is also doubt as to whether the results of the HAIS-Q represent the company as a whole, or only the persons measured within the company. The question is therefore whether the results can be generalized across the entire organization.

5.5 Concluding open evaluation questions

• What was good about the HAIS-Q?

– It can be used to make the often difficult to measure human factor within cyber resilience more measurable, but not conclusively measurable.

– The HAIS-Q increases cyber security awareness due to the fact that there is attention for the subject from the organization. The questions make you think about cyber resilience and its sub-themes, which contributes to the overall awareness. This is similar to the phenomenon that people often behave differently when they know they are being recorded.

• What could be better about the HAIS-Q?

– What do the results actually say to the organization? Suppose I score above or below an industry average, what should I do?

– Trying to quantify the human factor gives a wrong picture of reality, because the results from the HAIS-Q or similar questionnaires are only indicative. Making the human factor, including a person's feelings and opinions, measurable is not an exact science. The results from the HAIS-Q should therefore not be seen as absolute truth, but should be interpreted with nuance and will have to be used in combination with other, more fact-based meters.

6 Conclusion

The goal of this research was to increase the understanding of measuring the human element of cyber resilience within the context of the ACoR framework. Therefore, the following research question was defined: To what extent is (cyber-)resilience within the framework of ACoR measurable through HAIS-Q? To answer this question, an exploratory, qualitative and inductive study with experts that had multiple years of professional experience in cybersecurity related projects was conducted.


This research confirms through qualitative analysis that the HAIS-Q can benefit cyber resilience of organizations as a whole, which is in line with the quantitative validation studies done by Parsons et al. (2017b). However, through the qualitative analysis it was found that there are limits and constraints that should be taken into consideration when using the HAIS-Q or similar tools to measure the human factor of cyber resilience. In addition to this, this research found that the ACoR can also be used in the context of cyber resilience. This underpins the notion that the ACoR can be seen as an adaptive framework that is multidisciplinary in nature.

Even though the human element is important within cyber resilience, it is only one piece of the puzzle. There are some cases where the human element may be critical in being cyber resilient (such as spear-phishing attacks) and there are cases where the human element may be almost irrelevant (such as DDoS attacks). An organization should understand the goal it is trying to achieve when incorporating the HAIS-Q in its cyber resilience strategy, and keep in mind that measuring human aspects is merely indicative due to its non-exact nature.

Furthermore, this research found that when measuring humans through the HAIS-Q or similar tools it is critical for the measurement to be in balance with the work culture of an organization. To see general trends in the numbers that the HAIS-Q produces, it is important that the questions are answered as truthfully as possible, but also often enough for the data to be meaningful. If this impacts the primary production processes of organizations too much in terms of the time that needs to be invested into the HAIS-Q, the risk grows that the questions are not answered truthfully or accurately due to time constraints, which again underpins the notion that results of the HAIS-Q should be seen as indicative.

The goal of measuring the human factor of cyber security through means such as the HAIS-Q should not be to measure the direct human factors that influence cyber resilience, since that may be an impossible goal to achieve. Instead the goal should be to measure the indirect human factors such as awareness, which is more focused on what people know rather than what people do.

7 Discussion

7.1 Theoretical and practical contribution

This research attempted to fill the gap that exists with regard to understanding and measuring the human factors within cyber resilience. This research partly contributes to the outstanding research question of the Dutch NCSC research agenda paragraph 1.2 of 2019-2022 with regard to making cyber resilience measurable.

In addition, this research contributes to improving understanding of systems thinking in the field of cyber resilience. It has also been demonstrated that the ACoR is suitable as an overarching framework in which cyber resilience can be placed.

Finally, this research has demonstrated through qualitative validation that the HAIS-Q is suitable for measuring the human factor within cyber resilience, although there are important conditions and limits to this. In addition to the qualitative validation of the HAIS-Q, feedback from domain experts has been provided and included in this research.

7.2 Limitations

Systems should be designed according to the Saltzer and Schroeder principles, which take the usability aspects of cyber security into account. For instance, it is unreasonable to expect a person who receives 100 to 200 emails per day to scrutinize each and every mail for signs of phishing attacks. Human nature cannot be ignored when thinking about designing systems that are cybersecure. Most humans see cybersecurity as a rule they have to adhere to, rather than a primary task. For example, when a user wants to send a message to a colleague, their primary task is to write an email; cybersecurity is their secondary priority. Most humans will seek the way of least resistance when trying to accomplish a task, which in essence means that a human will try to circumvent cybersecurity measures if applying them significantly hinders their main task. Another psychological idea is that of alarm fatigue, which can happen when humans are unnecessarily faced with alarms, notifications and other means to get a person's attention (Sasse & Rashid, 2019). If alarms are false, or too plentiful, people have the tendency to ignore them, which for example collides with the idea of a phishing warning next to each email one receives. Complex passwords seem secure in the sense that they are hard to guess if they are above a certain length and use sufficient combinations of character classes (such as upper-case, lower-case, special characters and numbers); however, remembering complex, random and constantly changing passwords is a task that humans by nature are not efficient at, which leads to people writing passwords down, re-using passwords, or creating algorithmic systems for them and thereby making them no longer random.

Should humans adapt to systems or should systems adapt to humans? With the rapidly changing and ever more digitizing world, it seems foolish to think systems should only adapt to humans, after all, according to Darwin it is not the strongest who survive, but the ones most able to adapt who survive. People who are willing and able to adapt to dealing with the challenges cybersecurity threats bring, will be more likely to survive in this VUCA and digitizing world. The Adaptive Cycle of Resilience supports this thinking, and therefore assumes that organizations need adaptability to be truly resilient. So should humans adapt to systems? Why not both? A best of both worlds situation may be best. An organization that has both people who are able to adapt to systems, and systems that are made to take human nature into account may be the organization that is able to reduce risks the most. A well balanced cybersecurity management system does not push the ’burden’ of cybersecurity onto the users, but instead acknowledges both sides of the puzzle and uses the best of both worlds. On the one side well designed systems that take human nature into account and on the other side humans who are adaptable to the systems.

7.3 Future research

In the article "Users are not the enemy!" Adams and Sasse (1999) argued more than 20 years ago that security needs user-centered design in order to be effective. The world shifting more and more to digital information should have made it clearer to system designers to take this idea seriously; however, the growing number of successful cybersecurity attacks seems to indicate that cybersecurity is still not fully understood by many. More research into user-centered cybersecurity design is needed to avoid placing the 'burden' of cybersecurity onto its users. Furthermore, systems thinking within cyber resilience as a whole currently still happens infrequently, but may benefit it greatly, simply because systems thinking is a proven concept. Looking at the automotive industry for example, the most successful cars are the ones that take the aspects of the complete system into consideration. There should be a balance between safety, comfort, efficiency, structural integrity, ease of use, etc. When systems thinking is applied correctly and all these aspects are integrated well with each other, the world has a better car for it. Instead of keeping the different topics of cyber resilience separate, it is sensible to integrate the topics more with each other. It is recommended that when a new version of the HAIS-Q is developed, the feedback from the domain experts that participated in this research is considered.

Acknowledgments

I would like to thank Toon Abcouwer and Emőke Takács for introducing me to the ACoR and deepening my understanding of resilience. My research would have been impossible without the help and support of you both. I am grateful for the supervision you offered me during the thesis project.

I would like to thank my interviewees for your time and valuable insights. It was because of you this research has theoretical and practical value.

I would also like to thank the University of Amsterdam for giving me the opportunity to develop myself, by offering the right knowledge and possibilities.


References

Abcouwer, T., & Parson, B. (2010). Veerkracht: Het managen van veranderende evenwichten. Amsterdam: Universiteit van Amsterdam.

Abcouwer, T., & Parson, B. (2011). Sustainable Assertiveness: The Adaptive Cycle of Resilience. Amsterdam. Retrieved from http://www.adaptivecycle.nl/images/SUSTAINABLE_ASSERTIVENESS_THE_ADAPTIVE_CYCLE_OF_RESILIENCE.pdf

Abcouwer, T., & Smit, B. (2015). Business IT Alignment: A Never-ending Story. Amsterdam. Retrieved from https://hdl.handle.net/11245/1.480432

Abcouwer, T., Takács, E., & Banga, O.-P. (2020a). The Adaptive Cycle of Resilience. IT Executive, 3. Retrieved from https://itexecutive.nl/wp-content/uploads/2020/03/The-ACoR-NL.pdf

Abcouwer, T., Takács, E., & Banga, O.-P. (2020b). Adaptive Information Management (1st ed.). Amsterdam: A.A.A. & O.

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40–46. doi: 10.1145/322796.322806

Bennis, W., & Nanus, B. (1985). Leaders: The Strategies for Taking Charge. Harper & Row. Retrieved from https://books.google.nl/books?id=poq3AAAAIAAJ

Berlyne, D. E. (1954). A Theory of Human Curiosity. British Journal of Psychology. General Section, 45(3), 180–191. doi: 10.1111/j.2044-8295.1954.tb01243.x

Dhamija, R., Tygar, J., & Hearst, M. (2006). Why phishing works. In Conference on Human Factors in Computing Systems - Proceedings (Vol. 1, pp. 581–590).

Dijkstra, M., & Dantzig, M. v. (2020). Reactie Universiteit Maastricht op rapport FOX-IT (Tech. Rep.). Maastricht: FOX-IT. Retrieved from https://www.maastrichtuniversity.nl/um-cyber-attack-symposium-–-lessons-learnt

Dunn Cavelty, M. (2013). From Cyber-Bombs to Political Fallout: Threat Representations with an Impact in the Cyber-Security Discourse. International Studies Review, 15(1), 105–122. doi: 10.1111/misr.12023

Evans, M., Maglaras, L. A., He, Y., & Janicke, H. (2016). Human behaviour as an aspect of cybersecurity assurance. Security and Communication Networks, 9(17), 4667–4679. doi: 10.1002/sec.1657

Fujs, D., Mihelič, A., & Vrhovec, S. L. R. (2019). The Power of Interpretation: Qualitative Methods in Cybersecurity Research. In Proceedings of the 14th International Conference on Availability, Reliability and Security. New York, NY, USA: Association for Computing Machinery. doi: 10.1145/3339252.3341479

Gunderson, L. H. (2000). Ecological Resilience—In Theory and Application. Annual Review of Ecology and Systematics, 31(1), 425–439. doi: 10.1146/annurev.ecolsys.31.1.425

Hadlington, L. (2017). Human factors in cybersecurity; examining the link between Internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours. Heliyon, 3(7), e00346. doi: 10.1016/j.heliyon.2017.e00346

Heene, A., Vanhaverbeke, J., & Vermeylen, S. (2012). Praktijkboek strategie: routeplan voor het ontwikkelen van een werkbare bedrijfsstrategie. Lannoo Campus.

Holling, C. S. (1973). Resilience and Stability of Ecological Systems. Annual Review of Ecology and Systematics, 4(1), 1–23. doi: 10.1146/annurev.es.04.110173.000245

Inspectie van het Onderwijs. (2020). Cyberaanval Universiteit Maastricht (Tech. Rep.). Utrecht: Ministerie van Onderwijs, Cultuur en Wetenschap. Retrieved from https://www.rijksoverheid.nl/documenten/kamerstukken/2020/06/12/definitief-rapport-cyberaanval-universiteit-maastricht-21pj-docx

Jagatic, T., Johnson, N., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94–100.

Kobayashi, K., Ravaioli, S., Baranès, A., Woodford, M., & Gottlieb, J. (2019). Diverse motives for human curiosity. Nature Human Behaviour, 3(6), 587–595. doi: 10.1038/s41562-019-0589-3

Lee, R. M., Assante, M. J., & Conway, T. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid Defense Use Case (Tech. Rep.). Washington: SANS. Retrieved from https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Lewis, J. (2018). Economic Impact of Cybercrime – No Slowing Down (Tech. Rep.). Center for Strategic and International Studies. Retrieved from https://www.csis.org/analysis/economic-impact-cybercrime

Linkov, I., Bridges, T., Creutzig, F., Decker, J., Fox-Lent, C., Kröger, W., . . . Thiel-Clemen, T. (2014). Changing the resilience paradigm. Nature Climate Change, 4(6), 407–409. doi: 10.1038/nclimate2227

Lois, J. E. (2015). It Can Happen to You: Know the Anatomy of A Cyber Intrusion. Retrieved from https://www.navy.mil/submit/display.asp?story_id=91603


Security. Retrieved from https://www.wsj.com/articles/fbi-investigates-twitter-hack-amid-broader-concerns-about-platforms-security-11594922537?mod=itp_wsj&yptr=yahoo

Menn, J., Paul, K., & Hosenball, M. (2020). Twitter stepped up search to fill top security job ahead of hack. Retrieved from https://www.reuters.com/article/us-twitter-cyber/twitter-hack-raises-concern-in-washington-shares-fall-idUSKCN24H2DG

NCTV, & NCSC. (2019). Cybersecuritybeeld Nederland (Tech. Rep.). Den Haag: Nationaal Coördinator Terrorismebestrijding en Veiligheid. Retrieved from https://www.thehaguesecuritydelta.com/media/com_hsd/report/237/document/CSBN2019-online-tcm31-392768.pdf

NCTV, & NCSC. (2020). Cybersecuritybeeld Nederland (Tech. Rep.). Den Haag: Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV). Retrieved from https://www.thehaguesecuritydelta.com/media/com_hsd/report/237/document/CSBN2019-online-tcm31-392768.pdf

Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017a). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers and Security, 66, 40–51.

Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., & Zwaans, T. (2017b). The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Computers and Security, 66, 40–51. doi: 10.1016/j.cose.2017.01.004

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers and Security, 42, 165–176. doi: 10.1016/j.cose.2013.12.003

Proctor, R. W., & Chen, J. (2015). The Role of Human Factors/Ergonomics in the Science of Security: Decision Making and Action Selection in Cyberspace. Human Factors, 57(5), 721–727.

Ramdin, A., & Blackwell, A. (2015). Report on Cybersecurity and Critical Infrastructure in the Americas (Tech. Rep.). Trend Micro Incorporated. Retrieved from https://www.sites.oas.org/cyber/Documents/2015 - OAS Trend Micro Report on Cybersecurity and CIP in the Americas.pdf

Rege, A. (2016). Incorporating the human element in anticipatory and dynamic cyber defense. In 2016 IEEE International Conference on Cybercrime and Computer Forensic (ICCCF 2016). Vancouver, BC, Canada: IEEE.

Sasse, M. A., & Rashid, A. (2019). Human Factors. In A. Rashid (Ed.), The Cyber Security Body of Knowledge (pp. 145–167). University of Bristol. Retrieved from https://www.cybok.org/

Shoemaker, D., Kohnke, A., & Sigler, K. (2018). How to Build a Cyber-Resilient Organization (1st ed.). Boca Raton, FL: Auerbach Publications. doi: 10.1201/9780429400339

Siddiqui, F., Hagan, M., & Sezer, S. (2019). Establishing Cyber Resilience in Embedded Systems for Securing Next-Generation Critical Infrastructure. International System on Chip Conference, 2019-Septe, 218–223.

Sigholm, J. (2013). Non-State Actors in Cyberspace Operations. Journal of Military Studies, 4(1), 1–37. doi: 10.1515/jms-2016-0184

Thompson, J. D. (1967). Organizations in Action. New York: McGraw-Hill.

Twitter. (2020a). Selected Company Metrics and Financials (Vol. Q1; Tech. Rep. No. 1). Twitter. Retrieved from https://s22.q4cdn.com/826641620/files/doc_financials/2020/q1/Q1-2020-Selected-Financials-and-Metrics.pdf

Twitter. (2020b). An update on our security incident. Retrieved from https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html

Verizon. (2020). 2020 Data Breach Investigations Report (Tech. Rep.). Verizon.

Wang, J., Herath, T., Chen, R., Vishwanath, A., & Rao, H. R. (2012). Research article phishing susceptibility: An investigation into the processing of a targeted spear phishing email. IEEE Transactions on Professional Communication, 55(4), 345–362.

Zoller, T. (2012). Attacker Classes and Pyramid (Version 3). Retrieved from https://blog.zoller.lu/2011/10/attacker-classes-and-pyramid-version-1.html
