Tobias Liebetrau

DOI: https://doi.org/10.1111/jcms.13523

2023-09-22

Journal of Common Market Studies

Abstract:This article furthers the debate between European Studies and Critical Security Studies by demonstrating how European Union (EU) single market integration functions as a security practice in the area of cybersecurity. It explores how the EU has rendered digitisation as a security concern and cybersecurity emerged as an object of EU governance by developing an analytical approach based on problematisation. Situating the problematisation approach in the genealogical tradition of Foucault, it argues that it provides us with an analytical toolbox enabling inquiry into the conditions that make contemporary security problems possible, powerful and changeable. Tracing EU security problematisations of digitisation over four decades, it shows how the single market has come to function as a security practice and stresses the political implications of it. The final part of the article re‐problematises the findings to afford insights into how they can be rethought at the intersection of European Studies and Critical Security Studies.

Kaspar Rosager Ludvigsen,Shishir Nagaraja

DOI: https://doi.org/10.48550/arXiv.2205.13196

2022-05-26

Abstract:Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act when it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as broad as possible. It is based on what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails. We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers may fail or almost fail. We do this through the following principles: Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing. To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.

Computers and Society,Cryptography and Security

Andreas Kruck,Moritz Weiss

DOI: https://doi.org/10.5771/0720-5120-2024-1-21

IF: 1.345

2024-01-01

Integration

Abstract:European security policy is still widely regarded as the realm of national and “positive” states. In contrast to this conventional view, this article argues that the European Union – and the broader European multi-level system – can be conceived as a “regulatory” state in many areas of European security policy-making. The European regulatory security state (ERSS) relies on epistemic authority (i. e. experts) to indirectly produce European security policies by means of setting and enforcing rules. The article introduces the concept of a “European regulatory security state” and illustrates how the ERSS manifests itself empirically; it discusses the extent to which Russia’s war against Ukraine and the European responses to it pose a challenge to the ERSS; and it assesses how normatively desirable – and sustainable – the ERSS is.

engineering, electrical & electronic,computer science, hardware & architecture

Silviu Cristian Paicu

DOI: https://doi.org/10.1080/08850607.2022.2032494

2022-05-10

International Journal of Intelligence and CounterIntelligence

Abstract:This article raises awareness on the value of epistemic diversity for democratic intelligence governance by highlighting the role of academia. Specifically, it argues that the expertise of critically engaged scholars can play a leading role in challenging the expert discourse of intelligence agencies in the age of Big Data and Artificial Intelligence proliferation. The article examines how the intelligence expert discourse is constructed in the post-Snowden landscape in the United Kingdom by investigating the public communication strategies of Government Communications Headquarters. Driven by a normative rhetoric centered on transparency, the agency's unprecedented steps toward public engagement are traced through an analysis of key policy documents, official statements, and a museum exhibition. In the ensuing, and novel, context of openness and widespread discursivity around controversial technologies and practices employed by intelligence agencies, critically engaged academia can bring a much-needed diversity of perspective to an increasingly complex and vital policy area in contemporary democratic societies.

Le Cheng,Jiamin Pei,Marcel Danesi

DOI: https://doi.org/10.1080/10350330.2019.1587843

2019-01-01

Social Semiotics

Abstract:Based on one specially created corpus of U.S. cybersecurity-related laws, this study employs the corpus approach to examine the referent objects and securitizing actors in U.S. cybersecurity legislative discourse, which are two critical issues in constructing security, including cybersecurity. Through corpus data analysis, it is found that unlike traditional security, cybersecurity has become more people-oriented in terms of referent objects with critical infrastructure as a key referent object. Additionally, the role of private sectors and cooperative security are highlighted in U.S. cybersecurity legislative discourse. From a sociosemiotic perspective, it is noted that the meaning-making process of U.S. cybersecurity not only is conveyed by the texts but also interacts with other sign systems, such as historical background, cyberspace as a virtual realm and social contexts, which suggests that the specific meanings of signs constructing cybersecurity and cybersecurity itself should be interpreted in specific temporal or spatial contexts. Furthermore, a sociosemiotic approach to U.S. cybersecurity legislative discourse also offers valuable insights to how signs and concepts in cybersecurity contribute to sketching a holistic landscape of cybersecurity and further security on a large scale.

Suzanne Vergnolle

2023-05-03

Abstract:While underlying the many ways to build strong cooperation settings between regulators and CSOs, this report focuses on making concrete recommendations for the design of an efficient and influential expert group with the European Commission. The creation of an expert group finds its roots in article 64 and recital 137 of the DSA which require the Commission to develop Union expertise and capabilities. Once established, the experts of this group will be able to bring evidence-based information directly to the Commission and specific expertise on the protection of fundamental rights and the safety of users online. By instituting an expert group, the Commission will not only benefit from valuable expert knowledge but will also demonstrate its willingness to put in place an efficient enforcement system based on collective intelligence. Aside from the establishment of an expert group, other cumulative mechanisms will also help the DSA's enforcement to thrive. Civil society organisations should, for instance, consider organising regular crowdsourcing events to deep-dive and analyse the data published by entities covered by the transparency obligations. As it has done in the past, the Commission can sponsor these events and be a direct beneficiary of their results. Another way for civil society organisations to bring information to the Regulator is by legal action, including by making complaints to the regulators.

Computers and Society

Sara Ricci,Simon Parker,Jan Jerabek,Yianna Danidou,Argyro Chatzopoulou,Remi Badonnel,Imre Lendak,Vladimir Janout

DOI: https://doi.org/10.1109/te.2023.3340868

2024-01-01

IEEE Transactions on Education

Abstract:Demand for cybersecurity professionals from industry and institutions is high, driven by an increasing digitization of society and the growing range of potential targets for cyber attacks. However, despite this pressing need a significant shortfall in the number of cybersecurity experts remains and a discrepancy has emerged between the skills introduced through education and those required in professional settings. In this article, a political, economic, social, technological, legal, and environmental (PESTLE) analysis was utilized to explore the factors impacting cybersecurity education in Europe. The PESTLE analysis enabled the categorization of factors affecting cybersecurty education and skills and allowed for cybersecurity professionals to assess the relevance of the factors at a national-level and European-level. Utilizing the concept of modularity from social network analysis, the interconnectivity of factors was also considered. Finally, a European-level stakeholder survey was conducted to verify the findings. As a result of the above process, a lack of societal awareness of cybersecurity was identified as a major challenge to education, along with a lack of EU-level certification. It should be noted that significant differences between factors perceived as impacting cybersecurity education were found between countries suggesting a need for local solutions to the problem.

engineering, electrical & electronic,education, scientific disciplines

Elaine M. Sedenberg,James X. Dempsey

DOI: https://doi.org/10.48550/arXiv.1805.12266

2018-05-31

Abstract:In recent years the cybersecurity policy debate in Washington has been dominated by calls for greater information sharing within the private sector, and between the private sector and the federal government. The passage of the Cybersecurity Information Sharing Act (CISA) (signed into law under the Cybersecurity Act of 2015) underscored federal efforts to collect information from the private sector, and assuaged some concerns regarding private sector liability in sharing activities. However, the law lacked specificity on how continued federal efforts would work with existing information sharing networks, and failed to address other challenges associated with sharing including trust building, privacy and propriety interests, reciprocation, and quality control. This paper aims to bring granularity to implementations of information sharing initiatives by creating a taxonomy of the governance and policy models within each of these organizations. The research shows how this diverse ecosystem of sharing models work together and separately, and the impact governance and policy have on key components critical to sharing infrastructure.

Computers and Society,Cryptography and Security

Cormac Callanan

DOI: https://doi.org/10.1007/978-3-319-16447-2_2

2015-01-01

Abstract:This chapter examines the practical evolution of Internet self- and co-regulation and reflects on the current approaches in the fields of cybercrime, cybersecurity and national security. First, it provides insights into the development of self- and co-regulatory approaches to cybercrime and cybersecurity in the multi-stakeholder environment from the beginning of the Internet service provider industry. Second, it highlights the differences concerning the ecosystem of stakeholders involved in each area. Detailed analysis focuses on existing forms of collaboration, highlighting the differences and difficulties in leveraging the forms of cooperation and successful approaches from one area to another. The last part analyses the problems of multi-stakeholder approaches. It will also examine the drawbacks of the existing forms of public–private collaboration, which can be attributed to a specific area (cybercrime, cybersecurity and national security). Ultimately, this chapter provides some suggestions with regard to the way forward in self- and co-regulation in securing cyberspace. It offers unique insights into the role of Internet industry in combatting cybercrime, improving cybersecurity and supporting national security. It identifies the current practical and economic limits on cooperation between industry and state agencies and describes the balance between human rights/data privacy and crime investigation. It concludes with the challenge of state over-reaching their mandate—when national security becomes political interference in human rights.

Ingvild Bode,Hendrik Huelss

DOI: https://doi.org/10.1080/13501763.2023.2174169

IF: 4.366

2023-02-14

Journal of European Public Policy

Abstract:ABSTRACT The regulation of military applications of artificial intelligence (AI) is a growing concern. The article investigates how the EU as a multi-level system aims at regulating military AI based on epistemic authority. It suggests that the EU acts as a rule-maker and a rule-taker of military AI predicated on constructing private, corporate actors as experts. As a rule-maker, the EU has set up expert panels such as the Global Tech Panel to inform its initiatives, thereby inviting corporate actors to become part of its decision-making process through the front-door. But the EU is also a rule-taker in that its approach to regulating on military AI is shaped through the backdoor by how corporate actors design AI technologies. These observations signal an emerging hybrid regulatory security state based on ‘liquid’ forms of epistemic authority that empowers corporate actors but also denotes a complex mix of formal political and informal expert authority.

Law,Computer Science,Political Science

Stef Schinagl,Svetlana Khapova,Abbas Shahim

DOI: https://doi.org/10.1007/978-3-030-78120-0_28

2021-01-01

Abstract:Today’s organizations are exposed to high risk because the established digital technologies are vulnerable to security attacks. The increased impact of security on business demands a strategic approach to information security, commonly referred to as digital security governance. While there is a growing understanding that digital security is one of the leading risks and challenges of today’s organizations, organizations still find it difficult to implement security governance as part of their regular organizing change activities. This study focuses on providing more empirical insight into “tensions that are present during the implementation of digital security governance”.We conducted an inductive study and interviewed 42 CISOs and CIOs of large organizations in the Netherlands. The study reveals the tensions that hinder the implementation of digital security governance. We draw from management theories to provide a fresh understanding of and guidance for how to unravel the tensions.

Stef Schinagl,Abbas Shahim,Svetlana Khapova

DOI: https://doi.org/10.1016/j.cose.2022.102903

2022-11-01

Abstract:Due to increasing numbers of cyberattacks, security is one of the leading challenges to contemporary organizations. As contradictory demands (e.g., tensions in digital organizations) intensify, organizations increasingly find it difficult to implement digital security governance (DSG) as part of their regular organizational change activities. Based on data from forty-two interviews with Dutch CISOs and CIOs of large organizations that are active in various sectors, we identify three key paradoxical tensions that affect DSG implementation. We found that in a digital context, paradoxical tensions are pressurized and become out of balance. Disbalance among tensions exposes friction that hinders the implementation of DSG mechanisms. Finally, we present a conceptual model that sets direction for ambidextrous digital security. Understanding how to engage with tensions in an ambidextrous way determines the success of DSG implementations in today's complex digital environments.

computer science, information systems

Yang Hoong,Davar Rezania

DOI: https://doi.org/10.1016/j.cose.2024.103852

IF: 5.105

2024-04-23

Computers & Security

Abstract:This study examines cybersecurity discourses of small and medium size businesses in Canada. The findings culminated in a novel conceptual framework, which captures the intricate interplay between the discourse of agency, prevailing conditions, and the resultant discourse of strategy. Central to this model is the discourse of agency, framing cybersecurity as either a high agency mechanism actively contributing to business objectives, or a low agency mechanism perceived as a passive burden. The conditions under which businesses operate, characterized by external pressures and internal motivations, alongside the degree of environmental support, further shape their cybersecurity narratives. These dynamics significantly influence the resultant discourse of strategy, leading to four distinct strategic narratives: Synergistic Asset, Operational Pragmatism, Ambivalent Prospect, and Impractical Liability. For instance, a discourse of Synergistic Asset reflects a perception of an environment positively influenced by robust governmental cybersecurity initiatives, setting benchmarks in cybersecurity practices. Conversely, a discourse of Impractical Liability reflects pronounced levels of risk, influenced by societal narratives and economic apprehensions. We offer a comprehensive model for understanding cybersecurity discourses, bridging empirical findings with theoretical underpinnings, and providing valuable insights for both academia and industry.

computer science, information systems

Guri Rosén,Kolja Raube

DOI: https://doi.org/10.1177/1369148117747105

2018-01-22

The British Journal of Politics and International Relations

Abstract:The European Union’s foreign and security policy is commonly described as an intergovernmental affair. Despite limited formal powers, several studies suggest that the European Parliament has increased its influence on the Union’s foreign and security policy. This article argues that, to gauge the significance of parliamentary participation, it is necessary to look beyond the notion of formal parliamentary rights and to take into account informal influence. The analysis shows how informal avenues of influence are crucial at certain stages of the decision-making process, and points to factors that constrain and enable parliamentary impact. Furthermore, it emphasises the important role that parliaments play in scrutinising security policy, which is a crucial component of democratic governance. In this particular field where there is little legislation, the establishment of solid procedures and practices for oversight and control can also be a significant indicator of parliamentary influence.

Marta F. Arroyabe,Carlos F. A. Arranz,Ignacio Fernandez De Arroyabe,Juan Carlos Fernandez de Arroyabe

DOI: https://doi.org/10.1080/08874417.2024.2394440

2024-08-29

Journal of Computer Information Systems

Abstract:This study investigates cybersecurity governance dynamics within organizations, investigating the influence of supply chains, environmental factors, and stakeholder engagement. Utilizing the UK's Cyber Security Longitudinal Survey and employing artificial neural networks and k-means cluster analysis, we explore how organizational practices and external pressures shape cybersecurity strategies. Our findings show the managerial and political dimensions of improving organizational cybersecurity, highlighting the critical role of environmental influences alongside incident perception and self-efficacy. The research shows the necessity for organizations to remain receptive to external influences and identifies supply chains as critical factor in shaping cybersecurity practices, advocating for comprehensive security protocols. We demonstrate that guidance from governing bodies is essential for aligning with industry standards. The findings suggest a range of strategies, from implementing standards to encouraging board-level integration of cybersecurity, facilitated by a combination of coercive, normative, and mimetic pressures exerted by various agents, including governments, stakeholders, and the supply chain.

computer science, information systems

Tina Vuko,Sergeja Slapničar,Marko Čular,Matej Drašček

DOI: https://doi.org/10.1111/ijau.12365

2024-07-23

International Journal of Auditing

Abstract:The aim of this paper is to analyse which factors explain the effectiveness of internal audit in providing assurance about cybersecurity risk management. On the basis of neo‐institutional theory, we hypothesize that coercive (cybersecurity regulation), normative (professionalization of internal auditors and Boards) and mimetic forces (outsourcing of cyber security assurance services) positively contribute to cybersecurity audit (CSA) effectiveness. As these forces do not come about in an interest free model, we study the role of and the interaction with other actors who shape the CSA practices—Boards and security experts. We hypothesize that Board's support to CSA and the level of internal auditors' cooperation with the first and the second line of defence positively affect CSA effectiveness. To test our hypothesis, we conducted a survey involving IT auditors and Chief Audit Executives from various industries, organizations of different sizes and countries. We examined the hypothesized relationships in a series of regression analyses. We find that normative forces (professionalization of the internal auditors and Boards' competences), Board's support to CSA and cooperation between the internal audit function (IAF) and the first two line of defence significantly explain the CSA effectiveness. We find no support for the effect of regulation as a coercive force and outsourcing as a mimetic force. We discuss potential reasons for our findings and their implications. The paper is an original analysis that advances our understanding of key drivers of CSA effectiveness and their relationships.

business, finance

Ian Walden,Johan David Michels

DOI: https://doi.org/10.48550/arXiv.2203.04887

2022-03-10

Abstract:In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EU's digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation ('GDPR') and the Network and Information Systems Directive ('NISD') apply to cloud providers. We also consider the proposed revision of the NISD and look at newly developed voluntary assurance mechanisms for cloud providers, including codes of conduct and certification schemes. We conclude that, since cloud providers are typically subject to both NISD and GDPR and to the jurisdiction of multiple regulators, they face divergent regulatory approaches, which can lead to unintended outcomes and high compliance costs.

Computers and Society,Cryptography and Security

R Andrew Paskauskas

DOI: https://doi.org/10.12688/openreseurope.15219.3

2023-05-24

Abstract:Abstract -The literature on 5G design and architecture numbers in the hundreds of thousands, which makes analyzing this vast corpus of technical knowledge impossible within the scope of a single article. A rigorous literature scan has revealed investigations of various specific 5G components, or specific aspects of 5G design, architecture, or security, but none that are comprehensive in scope, encompassing all of the aforementioned categories, or that take into account the associated vulnerabilities, threats and risks to the basic 5G infrastructure. In this sense the 5G framework advocated by The European Union Agency for Cybersecurity (ENISA) in its comprehensive report is singular in relation to the extensive literature associated with the 5G domain and the fragmented character of scientific reporting related to 5G technology. It is the purpose of this article to go beyond the existing literature and examine in depth the details of the ENISA 5G Threat Landscape Report and reveal ENISA's painstaking efforts to stand out among other leading-edge players in the 5G arena and achieve its strategic aims of integrating cybersecurity considerations with threats, risks, and vulnerabilities into an architecture of 5G right from the start of the design and development process. In formulating such a framework, ENISA has set the stage for standardization of cybersecurity considerations in relation to 5G design and architecture that may be considered a first approximation towards best practice in the field. ENISA's role in the European Union as a leader in setting the pace of development of 5G networks is acknowledged in EU's legislation and its directives. Significantly, its strategic direction targets future implementations of 5G networks by vendors, operators, and practitioners. This should equip EU with the necessary resilience to withstand hybrid threat onslaughts on its Pan-European network, a topic to be dealt with in full in a follow-on paper.

Dimitri Kusnezov,Wendell B. Jones

DOI: https://doi.org/10.48550/arXiv.1707.06668

2017-07-20

Physics and Society

Abstract:Regulatory frameworks are a common tool in governance to incent and coerce behaviors supporting national or strategic stability. This includes domestic regulations and international agreements. Though regulation is always a challenge, the domain of fast evolving threats, like cyber, are proving much more difficult to control. Many discussions are underway searching for approaches that can provide national security in these domains. We use game theoretic learning models to explore the question of strategic stability with respect to the democratization of certain technologies (such as cyber). We suggest that such many-player games could inherently be chaotic with no corresponding (Nash) equilibria. In the absence of such equilibria, traditional approaches, as measures to achieve levels of overall security, may not be suitable approaches to support strategic stability in these domains. Altogether new paradigms may be needed for these issues. At the very least, regulatory regimes that fail to address the basic nature of the technology domains should not be pursued as a default solution, regardless of success in other domains. In addition, the very chaotic nature of these domains may hold the promise of novel approaches to regulation.

Annika Andreasson,Henrik Artman,Joel Brynielsson,Ulrik Franke

DOI: https://doi.org/10.1007/s10111-024-00779-1

2024-09-28

Cognition Technology & Work

Abstract:In recent years, the Swedish public sector has undergone rapid digitalization, while cybersecurity efforts have not kept even steps. This study investigates conditions for cybersecurity work at Swedish administrative authorities by examining organizational conditions at the authorities, what cybersecurity staff do to acquire the cyber situation awareness required for their role, as well as what experience cybersecurity staff have with incidents. In this study, 17 semi-structured interviews were held with respondents from Swedish administrative authorities. The results showed the diverse conditions for cybersecurity work that exist at the authorities and that a variety of roles are involved in that work. It was found that national-level support for cybersecurity was perceived as somewhat lacking. There were also challenges in getting access to information elements required for sufficient cyber situation awareness.

engineering, industrial,ergonomics