Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Structural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effective (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disappears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business’ characteristics. Based on these findings, we will discuss security professionals’ prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.
What you don’t know can’t hurt you: this seems to be the current approach for responding to disinformation by public regulators across the world. Nobody is able to say with any degree of certainty what is actually going on. This is in no small part because, at present, public regulators don’t have the slightest idea how disinformation actually works in practice. We believe that there are very good reasons for the current state of affairs, which stem from a lack of verifiable data available to public institutions. If an election board or a media regulator wants to know what types of digital content are being shared in their jurisdiction, they have no effective mechanisms for finding this data or ensuring its veracity. While there are many other reasons why governments would want access to this kind of data, the phenomenon of disinformation provides a particularly salient example of the consequences of a lack of access to this data for ensuring free and fair elections and informed democratic participation. This chapter will provide an overview of the main aspects of the problems associated with basing public regulatory decisions on unverified data, before sketching out some ideas of what a solution might look like. In order to do this, the chapter develops the concept of auditing intermediaries. After discussing which problems the concept of auditing intermediaries is designed to solve, it then discusses some of the main challenges associated with access to data, potential misuse of intermediaries, and the general lack of standards for the provision of data by large online platforms. In conclusion, the chapter suggests that there is an urgent need for an auditing mechanism to ensure the accuracy of transparency data provided by large online platform providers about the content on their services. Transparency data that have been audited would be considered verified data in this context. 
Without such a transparency verification mechanism, existing public debate is based merely on a whim, and digital dominance is likely to only become more pronounced.
During the coronavirus pandemic, the use of eHealth tools became increasingly demanded by patients and encouraged by the Dutch government. Yet, HBO health professionals demand clarity on what they can do, must do, and cannot do with the patients’ data when using digital healthcare provision and support. They often perceive the EU GDPR and its national application as obstacles to the use of eHealth due to strict health data processing requirements. They highlight the difficulty of keeping up with the changing rules and understanding how to apply them. Dutch initiatives to clarify the eHealth rules include the 2021 proposal of the wet Elektronische Gegevensuitwisseling in de Zorg and the establishment of eHealth information and communication platforms for healthcare practitioners. The research explores whether these initiatives serve the needs of HBO health professionals. The following questions will be explored:
- Do the currently applicable rules and the proposed wet Elektronische Gegevensuitwisseling in de Zorg clarify what HBO health practitioners can do, must do, and cannot do with patients’ data?
- Does the proposed wet Elektronische Gegevensuitwisseling in de Zorg provide better clarity on the stakeholders who may access patients’ data? Does it ensure appropriate safeguards against the unauthorized use of such data?
- Does the proposed wet Elektronische Gegevensuitwisseling in de Zorg clarify the EU GDPR requirements for HBO health professionals?
- Do the eHealth information and communication platforms set up for healthcare professionals provide the information that HBO professionals need on data protection and privacy requirements stemming from the EU GDPR and from national law? How could such platforms be better adjusted to the HBO professionals’ information and communication needs?
Methodology: Practice-oriented legal research, semi-structured interviews and focus group discussions will be conducted.
Results will be translated to solutions for HBO health professionals.
This project addresses the fundamental societal problem that encryption as a technique has been available for decades but has never been widely adopted, mostly because it is too difficult or cumbersome to use for the public at large. PGP illustrates this point well: it is difficult to set up and use, mainly because of challenges in cryptographic key management. At the same time, the need for encryption has only been growing over the years, and has become an urgent problem with stringent requirements – for instance for electronic communication between doctors and patients – in the General Data Protection Regulation (GDPR) and with systematic mass surveillance activities of internationally operating intelligence agencies. The interdisciplinary project "Encryption for all" addresses this fundamental problem via a combination of cryptographic design and user experience design. On the cryptographic side it develops identity-based and attribute-based encryption on top of the attribute-based infrastructure provided by the existing IRMA-identity platform. Identity-based encryption (IBE) is a scientifically well-established technique, which addresses the key management problem in an elegant manner, but IBE has found limited application so far. In this project it will be developed to a practically usable level, exploiting the existing IRMA platform for identification and retrieval of private keys. Attribute-based encryption (ABE) has not yet reached the same level of maturity as IBE, and will be a topic of further research in this project, since it opens up attractive new applications, such as a teacher encrypting for her students only, or a company encrypting for all employees with a certain role in the company. On the user experience design side, efforts will be focused on making these encryption techniques really usable (i.e., easy to use, effective, efficient, error resistant) for everyone (e.g., also for people with disabilities or limited digital skills).
To do so, an iterative, human-centred and inclusive design approach will be adopted. On a fundamental level, scientific questions will be addressed, such as how to promote the use of security and privacy-enhancing technologies through design, and whether and how usability and accessibility affect the acceptance and use of encryption tools. Here, theories of nudging and boosting and the unified theory of technology acceptance and use (known as UTAUT) will serve as a theoretical basis. On a more applied level, standards like ISO 9241-11 on usability and ISO 9241-220 on the human-centred design process will serve as a guideline. Amongst others, interface designs will be developed and focus groups, participatory design sessions, expert reviews and usability evaluations with potential users of various ages and backgrounds will be conducted, in a user experience and observation laboratory available at HAN University of Applied Sciences. In addition to meeting usability goals, ensuring that the developed encryption techniques also meet national and international accessibility standards will be a particular point of focus. With respect to usability and accessibility, the project will build on the (limited) usability design experiences with the mobile IRMA application.
A huge amount of data is being generated, collected, analysed and distributed at a fast pace in our daily life. This data growth requires efficient techniques for analysing and processing high volumes of data, for which preserving privacy effectively is a crucial challenge and even a key necessity, considering the privacy laws that have recently come into effect (e.g., the EU General Data Protection Regulation, GDPR). Companies and organisations in their real-world applications need scalable and usable privacy preserving techniques to support them in protecting personal data. This research focuses on efficient and usable privacy preserving techniques in data processing. The research will be conducted in different directions:
- Exploring state of the art techniques.
- Designing and applying experiments on existing tool-sets.
- Evaluating the results of the experiments based on real-life case studies.
- Improving the techniques and/or the tool to meet the requirements of the companies.
The proposal will provide results for:
- Education: like offering courses, lectures, student projects, solutions for privacy preservation challenges within the educational institutes.
- Companies: like providing tool evaluation insights based on case studies and giving proposals for enhancing current challenges.
- Research centre (i.e., Creating 010): like expanding its expertise on privacy protection technologies and publishing technical reports and papers.
This research will be sustained by actively pursuing follow-up projects.