Email communication is a crucial part of the daily processes of enterprises. Organizations can opt for traditional infrastructure on-premise or use cloud-based email services provided by (foreign) cloud service providers. In Europe in particular, organizations from crucial sectors have been adopting cloudbasedemail services. The level of cloud adoption can vary strongly within these sectors. Nevertheless, this trend towards the use of cloud-based email services brings societal implications for the sovereignty of European data. Email services hosted with foreign cloud service providers can be susceptible to surveillance by foreign governments and intelligence agencies, which violates privacy of European individuals. The attack space further includes invasion with political and monetary incentives that may also impact security, as data is hosted with cloud service providers who might have weak security protocols. We measured the level of cloud adoption for seven crucial sectors in Europe: executive governments, healthcare, SME’s, higher educational institutes, NGO’s and financial services. We have conducted a DNS analysis on MX records from a Farsight (SIE) dataset to measure the prevalence of cloud service providers. The results revealed the prevalence of extremely dominant cloud service providers, Microsoft and Google in Europe. The dominant position obtained by these providers means that two aspects in governance of this socio-technical system in Europe must be attended to if Europe wants to regain control over their data and infrastructures: (1) European regulation focus needs to shift and (2) awareness must be raised at managerial level in enterprises.

Malware presents a growing problem in a world that is increasingly connected to, and reliant on, the internet. The growing, devastating potential of cyber attacks such as DDoS attacks on society and economy is largely the result of a new class of devices, the Internet of Things (IoT), whose characteristic vulnerabilities make them easy targets to be compromised and controlled by malicious actors. This study employs a mixed-method research design to examine end-users' perceptions of the security of internet connected devices, their motivations for (non-)adoption of centralized DNS-based malware mitigation measures, and the efficacy of such services in mitigating malicious activity in a real-life environment. The results indicate that centralized DNS-based malware mitigation have significant potential in reducing end-user vulnerability to malware threats, but their adoption is hindered by lacking ability to assess threats and the value and efficacy of security measures.

Ultra-Wideband (UWB) technology became unregulated within the EU in 2007. Most recently, it was integrated into mobile phones in 2019, notably Apply and Samsung adding it to all their newer models. While UWB is characterised as a radio technology with any signal above 500 MHz, it operates within the 6-9 GHz
range in mobile phones. This allows for fast data rate, low power secure
communication, multipath facilities and accurate localization. While the integration of UWB is mostly advantageous to users and innovators, its ability of accurate localisation may lead to severe privacy concerns

The aim of the thesis is to understand the privacy concerns of UWB’s integration into mobile phones by answering the main research question: how do experts and users perceive privacy concerns of UWB usage in mobile phones; and how can they be mitigated? It was subsequently broken down into three sub-research
questions: 1. What are the possible applications of UWB in mobile phones? Phones have other incumbent radio technology embedded such as Bluetooth (BLE) and Wi-Fi, however it seems like UWB is being integrated to serve additional purposes. The answer to this question seeks to understand from gray and research literature how UWB can be used in mobile phones and what advantage it gives over incumbent technology. Research shows UWB gives phones the ability for indoor navigation, gesture-based control, foot traffic analysis for smart retail, teleconference systems, proximity-based localization, key-less entry among others.

This leads to research question 2. What are the potential privacy concerns associated with UWB? The incorporation of new technology capable of accurate localization leads to privacy concerns. All privacy issues were categorised on the basis of three paradigms: social, surveillance and institutional mentioned in Gurses and Diaz, 2013. This was initially done by interviewing experts from the three groups of privacy experts, policy regulators and technology experts. Analysis of their answers showed that UWB privacy concerns seem relatively similar to BLE and Wi-Fi localization, albeit with higher granularity. UWB allows mobile phones companies, third parties and governments track people accurately indoors, push advertisements depending on location, obtain relative relationships between people based on distance leaving people with no place to hide. Subsequently, user interviews were carried out to see if they could identify the same concerns of UWB. Results showed that that from the data of users interviewed, all of them believed that accurate data
localization of people is crossing a line that users cannot push back on. A majority of them saw most of the same privacy issues as the experts showing that, as people get more adept with technology they understand
how it can affect their privacy. A common question that was asked across all the interviews was how can we protect our privacy in the face of such penetrating innovation as time lapses.

Which is the final sub-research question: 3. What are technical and societal approaches to address privacy concerns? Experts provided solutions that were more industry oriented which included decoupling UWBfrom other location-based services, provision of opt-out settings on a more prominent basis, reworking license agreements, industry wide discussion and self-regulation in terms of privacy. However, users gave answers that were more user-centric and gave more control to the common public. This included users neggotiating their own privacy agreements, compensation models for loss of privacy, a more holistic regulation process and finally, trying to break the control of big tech companies. This shows that users and experts have very similar understanding of privacy issues but very different views on how privacy should be protected. Perhaps, it may be time for regulators to pay heed to user suggestions. These suggestions were then compared with privacy mitigation strategies mentioned in literature. Notably, the most overarching concept that needs to be incorporated is the concept of Privacy-by-design which can then be broken down into technical and societal strategies. Technical approaches included concepts such as obfuscation, k-anonymiser, differential privacy, dummy localization and access control mechanisms. All the technical strategies seemingly had the same issue of requiring third-party applications to function. Sophisticated security measures and privacy statements would then be needed to ensure these companies do not choose monetary gain over user privacy. Societal approaches included concepts of data-for-all, technical regulatory bodies and finally, breaking up of big tech companies. As time passes and innovations become more pervasive, it may be too late to incorporate privacy protection actively. The time to protect privacy is now.

This study aims to make recommendations about how the Internet can be more thoroughly cleaned of Child Sexual Abuse Material (CSAM), focusing on the Dutch government policies. In the past years, several organizations, including the European Commission, called out the Netherlands for the role Dutch companies have in the hosting of CSAM. According to INHOPE, the CSAM hotline umbrella organization, the Netherlands is responsible for 20\% of the hosted CSAM worldwide and 79\% within the EU. For this study, a mixed-methods approach is chosen. A mixed-methods approach combines a qualitative and a quantitative method. The qualitative analysis is used to reveal relevant stakeholders, their positions, how they participate in the policymaking process, how they evaluate the government policies, and what they believe are the most significant improvements to the system. The quantitative results map information flows and processing times of the Dutch CSAM NTD mechanism. Combining the qualitative and quantitative research has revealed several pitfalls. Firstly, much CSAM remains unfound. Secondly, hotlines have a very important but also insecure position in the government policies. Further, are direct incentives for the sector more than moral duty are missing and the organizational degree of the sector is low. Also, the set norms and policies of the government and self-regulation are not accounting for the high diversity of the sector. There is a lack of financial resources. Finally, several stakeholders question the adequacy of law enforcement in regard to CSAM. Consequently, recommendations in three areas are made: (1) expanding and strengthen the current policies, (2) enhancing the collaboration between the stakeholders and their own position and (3) introducing new policy initiatives.

More effective and efficient risk communication in the cybersecurity field needs to be designed to improve risk awareness among people and to increase resiliency. The field of cyber risk communication is relatively new, which limits the current knowledge on how to design risk communication. In this study the risk perception of eleven laypeople and eight experts is researched using a mental model approach and semi-structured interviews combined with a three part scenario-based drawing task. The data is analyzed using the grounded theory method and a substantive theory is formed on the similarities and differences between the mental models of experts and laypeople of VPN in a professional services firm in the Netherlands. The accuracy of the perceptions in the theory are evaluated by a comparison with a real-world representation of VPN organization. Further research can use the results of this study to determine the completeness of the mental models described. Additionally, the study design can be repeated in other settings to determine the generalizability of the identified beliefs. Furthermore, the prevalence of the identified beliefs among similar or different populations can be researched. And finally, the mental models can already be used to design risk communication in a more effective and efficient manner by considering the identified beliefs.

Research ProblemIn today’s competitive and fast-paced nature of conducting business in the semiconductor industry, the discipline of revenue management (RM) is often mentioned. Through a dynamic pricing capability, RM enables firms to maximize profits by capitalizing on missed revenues. Moreover, RM enables customers to receive products on short notice, by allowing them to place orders with a(n) (earlier) delivery wish date, wish price and volume. Since the semiconductor industry is characterized by volatile market demand, long production times and high capital investment (Ehm & Ponsignon, 2012), the semiconductor industry is a model representation of the manufacturing industry. Despite the benefits of RM, the manufacturing industry has not yet witnessed a widely-adopted revenue management system.In order to apply revenue management in the manufacturing industry, it is primarily important to understand that the data involved from the parties participating in the revenue management process is confidential. For manufacturers, the confidential data includes the daily unallocated available-to-promise data, which is available to commit to customers for orders on short notice. On the other hand, for customers, the maximum price that they are willing to pay for such products with a shorter delivery time is confidential. Hence, due to the confidentiality involved, as well as the need for enabling a more equal collaboration model between buyers and sellers, a secure technology that involves inputs from multiple parties is required in order to facilitate the implementation of revenue management in the manufacturing industry.Multi-party computation is a promising cryptography technology which has been theoretically studied by researchers but has not yet been practically applied. This technology is a value-added tool in the use case of revenue management because it deals with multiple parties’ confidential data and performs a computation with them securely. The outcome of the algorithm presents a revised price (based on the desired price adder range provided by the manufacturer, as well as the price wishes of the customer), a volume and a delivery date. This will allow manufacturers to secure their unallocated available-to-promise data, and customers to share the confidential maximum price they are willing to pay to receive products earlier. Multi-party computation has been proposed to be applied to revenue management by the EU H2020 SafeDEED project. We further build on this concept (SafeDEED, 2018).As a consequence of multi-party computation being an up-and-coming technology, as well as revenue management being new to the business-to-business field, it is challenging to imagine what a possible implementation of their integration is...

In recent years, many countries and administrative domains exploit control over their communication infrastructures to censor online materials. The concrete reasons behind the Internet censorship remain poorly understood due to the opaque nature of the systems. Generally, Internet censorship is to disrupt the free flow of information. It involves a series of steps to stop the dissemination of information, or prevent the access to information, for example, disrupt the link between the users and providers. These technologies bring significant inconvenience for legitimate users. The goal of the thesis is to undertake a recent study to measure the behaviour of the Great Firewall of China (GFW). Based on that, this work designs a Peer-to-Peer (P2P) circumvention system called MultiProxy which exploits the blockchain-based economical model in order to create a balanced environment for resources providing and consuming. The system also uses multi-hop messaging to protect the privacy of the request initiators. The evaluation results show that MultiProxy can evade censorship while protecting users privacy.

The frequency of online banking fraud incidents has increased over the last years. A method used by different cybercriminals is the injection of malicious code into the targeted web pages. For example, attackers might inject an additional piece code into the webpage of a targeted bank asking users to enter extra personal information (e.g., the PIN of the card). By comparing attack instances of web injected code attacks from different malware families an answer will given on how cyber criminals evolve the code of financial malware that is been used in injected code attacks against financial institutions. The contribution of this thesis is to verify the current literature of the existence of code re-use among different code instances using different code similarity tools and to explore how and why the code is evolved.