The institutionalization of cybersecurity management at the EU-Level : 2013-2016

Backman, Sarah

January 2016

International cybersecurity is arguably one of the most serious, complex and recent security-issues of our time. The connectivity between EU member states regarding cybersecurity due to the borderless nature of cyber, together with increasing threat-levels, has made the need for a common response widely acknowledged in the EU for several years. Even so, a common EU cybersecurity response involves problems such as reluctance of member states to share information, that cybersecurity management is linked to national security and therefore touches upon sovereignty, and different levels of cybersecurity development between member states. Despite this, the Network and Information Security Directive was adopted by the European Council in May 2016, involving EU-wide binding rules on cybersecurity. This thesis examines and explains, through a neo-functionalistic approach, how and why this development towards supranational management of cybersecurity in the EU has happened. The author finds that cybersecurity management seems to have institutionalized from a nascent phase during 2013, moving towards an ascendant phase during the end of 2013 and 2014, to end up between an ascendant and a mature phase during 2015 and 2016 – which makes the adoption of the NIS-directive logical. The neo-functionalistic explanation to the development of supranational cybersecurity management in the EU highlights the role of the Commission as a ‘policy entrepreneur’ and the publication of the EU cybersecurity strategy, accompanied by the proposal for the NISdirective in 2013. These regulatory outputs sparked further institutionalization by providing many opportunities and venues for member states to interact and build networks on cybersecurity issues, by initiatives with normative impact to foster an EU ‘cybersecurity community’, by the continuous strengthening of supranational cybersecurity actors such as ENISA, and by supranational cybersecurity cooperation platforms, such as the NIS-platform and the European Private Public Partnership on cybersecurity. Between 2013 and 2016, 21 EU Member States published national cybersecurity strategies, almost all referring clearly to their commitment to EU cybersecurity initiatives. This provides an indicator of a high level of legitimacy of supranational cybersecurity management. However, the thesis also finds that the strongest supporters of EU cybersecurity management are not the most powerful member states but rather the smaller ones. While not expressing a strong commitment to EU initiatives in cyber policy documents, the most powerful member states still agreed to the NIS-directive. This supports the neo-functionalist notion about the “stickiness” of an institutionalization-process, and the possibility that powerful states might have double paths, committing to EU regulation and institutionalization while still continuing their own way.

EU cybersecurity management

EU

cybersecurity

institutionalization

neofunctionalism

the NIS-Directive

Developing a modified total interpretive structural model (M-TISM) for organizational strategic cybersecurity management

Rajan, R., Rana, Nripendra P., Parameswar, N., Dhir, S., Sushil, Dwivedi, Y.K.

06 May 2021

yes / Cybersecurity is a serious issue that many organizations face these days. Therefore, cybersecurity management is very important for any organization. Organizations should learn to deal with these cyber threats through effective management across all business functions. The main purpose of this study is to identify the factors that affect cybersecurity within an organization and analyze relationships among these factors. The modified total interpretive structural modeling (M-TISM) technique is used to build a hierarchical model and define the common interactions between the factors. This study presents the impact of collaboration, training, resources and capabilities, information flow, technology awareness, and technological infrastructure on effective cybersecurity management. In addition, the study also explains the interrelationships among the identified factors in the M-TISM model.

Cybersecurity

Strategy

M-TISM

Organizations

Strategic cybersecurity management

Cybersecurity Management System: Defense and Response

Huang, Chenxiang

19 January 2023

Cybersecurity attacks such as phishing, malware, and ransomware have become a major concern in recent years, with many individuals and organizations suffering financial losses as a result. Most people are unaware of the different types of cybersecurity attacks and have not seen examples of them. To address this problem, we developed the Cybersecurity Management System: Defense and Response (CMSDR) cloud software application. It provides both the "Defense" and "Response" to cybersecurity attacks, with educational materials and examples to help users learn about different types of cybersecurity attacks, and a computer-aided reporting and notification system to help organizations respond to ongoing incidents. CMSDR is a universal application that can be used on any platform with a web browser. Any company or organization can effectively run CMSDR on their own server computer for cybersecurity defense and response. / Master of Science / Cybersecurity has become a major concern in recent years as many individuals and organizations have suffered financially from cybersecurity attacks like phishing, malware, and ransomware. This thesis seeks to provide a solution to the emerging number of cybersecurity breaches by introducing Cybersecurity Management System: Defense and Response (CMSDR) cloud software application that features "Defense" and "Response" to cybersecurity attacks. For "Defense", it aims to guide the users of the common types of cybersecurity attacks following the pedagogy "Learning by Examples" by providing cybersecurity examples to support the learning. For "Response", it aims to provide a system that features computer-aided reporting and notification of cybersecurity breaches in a company or organization. The software application is universally usable on any platform with a web browser. With the help of CMSDR, users receive proper education of the types of cybersecurity attacks to raise awareness. Organizations can report and notify ongoing cybersecurity breach incidents to their members easily and effectively.

Cloud software engineering

cybersecurity breach response

cybersecurity defense

cybersecurity education

cybersecurity management

MANAGERS’ PERCEIVED UNDERSTANDING AND INFLUENCE ON CYBERSECURITY READINESS : Identifying Barriers, Associated Risks, and Strategies

Egelrud, Andrea, Selberg, Jonas

January 2023

Organizations need to protect themselves from cyber threats and a variety of methods exist to mitigate these risks. Factors such as rapid digitalization, expedited by Covid-19, have only made cybersecurity threats a growing concern. Most research within the IS field has focused on technical methods to mitigate risk, leaving non-technical methods less explored. The aim of this study was to develop a deeper understanding of managers’, at different levels, perceived understanding, and influence to achieve cybersecurity readiness in order to identify barriers. Further, an objective was to develop possible strategies to mitigate identified risks associated with these barriers. To fulfill this aim, a case study was conducted at a municipality-owned organization who have taken the initiative to raise cybersecurity awareness. Six interviews were conducted with managers from both senior- and middle management, and cybersecurity governance documents were collected. In our findings, we identified three main themes with associated barriers to achieving cybersecurity readiness. These include barriers associated with (1) organizational and managerial factors, (2) pitfalls in communication, and (3) policy and instructions. The study contributes to an understanding of different barriers that managers at different levels might perceive and suggests possible strategies for mitigating the risks associated with said barriers.

Cybersecurity readiness

Cybersecurity threats

Cybersecurity governance

Cybersecurity management

Policy and Instructions

Information Systems, Social aspects