As digitalization advances, cybersecurity departments are increasingly overwhelmed by alerts and potential threats, leading to decision fatigue among security analysts. In response, many are adopting Artificial Intelligence (AI) to automate routine tasks, prioritize alerts, and accelerate incident response. However, the pace of AI adoption in cybersecurity lags behind that of threat actors, revealing underlying challenges. This thesis explores these challenges through a case study of a large European bank's cybersecurity department, using a sociotechnical systems (STS) approach. Semi-structured interviews with security analysts, data scientists, and leadership revealed four key themes: (1) mixed perceptions of AI, (2) the influence of organizational factors on AI adoption, (3) the importance of interdisciplinary collaboration, and (4) the critical role of trust in AI systems. While AI offers potential benefits like improved threat detection and reduced decision fatigue, challenges such as data quality issues and lack of transparency persist. Organizational readiness, leadership support, and effective change management are crucial for successful AI integration. Building trust through transparency and active user involvement is essential for adoption. The thesis proposes a conceptual model that addresses these challenges by integrating technical and social factors, offering practical recommendations for enhancing AI adoption in cybersecurity. Future research should expand on these findings through diverse case studies, human-centered AI frameworks, and longitudinal studies to better understand AI’s impact on trust and collaboration in cybersecurity.

Organisations are becoming more conscious and deploying more and more security tools to ensure they are adequately protected against cyber-attacks. That means two things: (i) those extra tools inherently augment companies’ attack surface, and (ii) the Security Operations Centre (SOC) gets overwhelmed with the number of false positives those tools generate – leading to attack fatigue. In many cases, the SOC team cannot get through all alerts properly, allowing potential attacks to go unnoticed or be caught much later. Moreover, within a typical CISO organisation, the analysis of “attack” and “defence” data is done somewhat in silos. That means vulnerability data, red-team exercises, and the several available defence tooling data are not looked at as one.

Our work proposes an innovative way to bridge the gap between vulnerability data (CVEs) and security alert data originating from multiple security tools that protect servers using MITRE ATT&CK tactics. That would provide more context to the alerts which would be useful in their classification as attacks or false positives. We use DeBERTa (Decoding-enhanced BERT with Disentangled Attention), a deeplearning state-of-the-art model, to map CVE descriptions to MITRE ATT&CK tactics. Then, we map security alerts to MITRE ATT&CK tactics, which will be used as input to a context-enriched machinelearning model (by CVEs and tactics). That machine-learning model is used to classify security alerts as malicious or benign. We tested our approach using over 5.5 million security alert data combined with red-team exercise attacks and incident response labelling from the company, a large international organization with over 60,000 employees. Our CVE+tactic model (without hyperparameter tuning) detects 64% more true positives than the machine-learning model without that information. In addition, the SOC needs to investigate less than 1400 alerts to catch the red-team attacks in our test set, compared to more than 5500 generated by the model without CVE and tactics. Moreover, assuming a standard response time of 8 minutes per alert, this improved model would save the SOC team up to 550 person hours. That yields a model that catches red-team attacks without overwhelming the SOC with too many false positives.

In the modern digital age, software vulnerabilities pose significant threats to security and privacy. These vulnerabilities are weaknesses in software products that can be exploited for malicious purposes. To manage and coordinate information about these vulnerabilities, the Common Vulnerabilities and Exposures (CVE) system is widely used. Although a lot of research has been done on coordinated CVEs, there is less focus on vulnerabilities that did not receive a CVE number. This research aims to estimate the number of vulnerabilities in open-source projects that do not receive CVE identification numbers and are consequently overlooked by the community. The focus of the research is on quantifying the prevalence of security issues in the issue tracker of GitHub projects, examining these security issues to find hidden CVEs and determining their severity based on the CVSS 3.1 scoring methodology. The methods used for the research are data extraction and analysis, transformer-based models for the classification of security issues, and expert validation for CVE identification and severity scoring. The findings of the research reveal crucial insights into the scale and nature of security threats in open-source software. The DeBERTaV3 model fine-tuned on the Chromium dataset demonstrated good performance metrics for the task of classifying security issues, achieving an f1 score of 0.9 with threshold modification. The case-study application of the model on the gRPC project demonstrated that in the issue tracker, 2.4\% of issues have been predicted as being security issues, out of which 52 were validated as CVEs with an average severity score CVSS 3.1 score of 5.3, compared to 11 CVEs attributed to the gRPC project on NVD. These findings suggest a need for revising current practices in vulnerability reporting and management in open-source projects, potentially influencing future security protocols and policies. The results of the study serve as information for the decision-making process of improving the coordinated vulnerability disclosure process in open-source software. An initial intervention suggestion is provided to induce behavior change and incentivize discoverers to disclose sensitive vulnerability information in private communication channels. Future work on understanding the motivations of discoverers to post such sensitive information in public trackers is required to create well-informed and effective policies for coordinated vulnerability disclosure.

Generative AI is expected to have a significant impact on how business is done, especially for knowledge-intensive domains. Professional usage amongst knowledge workers is already widespread and many of them believe that LLM use for work will make them more efficient, help them generate ideas, and improve the quality of their work. Yet, the technology comes with numerous potential risks, including job displacement, threats to data privacy, unreliability, cybersecurity risks, and non-compliance with new AI regulation. The decision to adopt LLMs for knowledge work is thus a significant one as organisations must carefully weigh up the benefits and drawbacks that these models present.

Using a qualitative research approach, this study was aimed at exploring employee and organisational perceptions on the benefits and risks of LLM adoption within the Dutch financial sector. This study was conducted in partnership with a global Professional Services Firm and used their existing network of people and clients to conduct interviews with experts who act as advisors to top management in the decision-making process of new technology adoption such as LLMs. 18 semi-structured interviews were done to collect qualitative data. The research question to be answered is:

- How do employees’ and organisations’ perceived benefits and risks of Large Language Models (LLMs) influence financial organisations’ LLM adoption plans?

Exactly half of participants (9/18) said that they use LLMs in their own work while the other half stated that they do not due to a lack of perceived benefits. Microsoft was found to be a significant player in the current adoption of LLMs at Dutch financial institutions with 57% of all LLMs used by participants being owned by the software vendor. The most common LLM use cases were literary and creative in nature and included preparing presentation slides (16%), text generation (12%), email composition (12%), and structuring documents (12%).

The targeted capabilities that organisations would like to achieve with their future adoption plans include helping programmers write better code, analysing help desk conversations, assisting employees via LLM chatbots, and analysing emails to predict customer questions. Employees were most excited about the potential efficiency and productivity gains that LLMs offer for their work (19%), how LLM usage could free up more time for focused, interesting, and fun work (11%), repetitive tasks becoming automated by LLM (8%), the new opportunities that LLMs present (8%) such as new business models, and improvements to customer service (5%). General overlap can be seen between the targeted capabilities of future LLMs to be adopted and employee expectations.

Instead of restricting LLM usage, it is recommended that organisations find ways to incorporate them into their employee workflows by providing clear policies and guidelines. It was found that this approach will be most beneficial to creative and literary workflows like improving writing/grammar/translation, information search, structuring documents, and text generation. To achieve this integration, organisations should write and implement clear usage policies. This will ensure that the benefits of allowing LLM usage at work are enjoyed while mitigating the most important risks.

The increasing dependence on technology has made society vulnerable to cyber threats, with ransomware becoming a major concern. The complex nature of the Ransomware-as-a-Service (RaaS) model makes identifying the attackers challenging. Traditional methods often rely on direct indicators, but these may not be readily available or reliable. This research explores the potential of utilizing indirect indicators to improve correlating ransomware attacks to specific threat actors. This results in the formulation of the following research question:

"If and to what extent can the analysis of indirect indicator be utilized to improve correlating ransomware attacks with cyber-threat actors?"

The research employs a mixed research approach. A literature review examines the techniques, indicators, and taxonomies used for attributing cyber-threat actors in general. Additionally, expert interviews explore differences in the attribution of ransomware threat actors compared to general cyber-threat actors. Furthermore, it highlights the need to use indirect indicators in the attribution process of ransomware threat actors. Therefore, a cybersecurity company's 2023 ransomware incident reports are analysed to understand how the ransomware attacks are investigated and how the conclusions are drawn.

This study identifies differences in attributing ransomware and general cyber-threat actors. While indirect indicators are crucial for attributing general cyber-threat actors, ransomware attackers often directly identify themselves through ransomware notes. These notes often provide access to communication channels and leak sites, offering substantial evidence for attribution.
The study also finds that Tactics, Techniques, and Procedures (TTPs) tend to be generic in ransomware attacks, offering limited value for differentiating between different actors. However, based on the interviews, there is a need for a central database of observed indirect indicators to facilitate future research and attribution efforts. Consequently, the research finds some promising results for using indirect indicators in ransomware threat actor attribution. The first finding is that the TTPs are less generic as initially thought as 32\% of the techniques and 47\% of the sub-techniques were unique. In addition, analysing the specific tools and techniques used by different actors, such as Blackcat's use of "nltest" for domain trust discovery, can help identify and differentiate them. Furthermore, threat actors observed only once in ransomware attacks of 2023 often used unique techniques, potentially allowing for differentiation based on this factor.

In conclusion, this study demonstrates that analysing indirect indicators can be a valuable tool in correlating ransomware attacks to specific threat actors. While certain limitations exist, continued research and development of this approach have the potential to significantly improve our ability to identify and track ransomware attackers.

The internet's infrastructure relies heavily on Autonomous System Numbers (ASNs) for efficient and reliable data routing across complex networks. This thesis investigates the policies governing the allocation and management of ASNs across the five Regional Internet Registries by employing a mixed-method approach, including content analysis, surveys, and interviews. The study examines the potential impacts of recent policy changes, particularly the introduction of maintenance fees at RIPE NCC and APNIC as these fees could disproportionately affect smaller stakeholders.

The research highlights regional differences in ASN policies and the effects on stakeholders. It also explores the broader consequences of these policies for the global internet infrastructure. Based on the findings, several recommendations are proposed to harmonize policies, improve transparency, and ensure that the governance of ASNs remains responsive to the evolving needs of the Internet. The study concludes by addressing the critical balance between financial sustainability for RIRs and the accessibility of resources for diverse stakeholders.

Intrusion detection systems (IDSs) are essential for protecting computer systems and networks from malicious attacks. However, IDSs face challenges in dealing with dynamic and imbalanced data, as well as limited label availability. In this thesis, we propose a novel elastic gradient boosting decision tree algorithm, namely Elastic CatBoost Uncertainty (eCBU), that adapts to concept drifts and copes with label scarcity by using a novel sequential uncertainty estimation method. We compare our method with state-of-the-art techniques on synthetic and real-world datasets and show that it achieves comparable accuracy and higher robustness to limited label availability in intrusion detection tasks.

Increasing digitalization of systems bring about the grand challenge of keeping these systems secure from malicious prying eyes, and thus highlighting the need for increased Cybersecurity practices. Ransomware is among the most prevalent cybersecurity threats in our current digital era. The attacks are mainly done by advanced persistent threats (ATPs) to increase the impact done to organizations worldwide. Ransomware encrypt data using advanced cryptographic measures and lock users out of their systems to ask for a ransom that is typically paid through bitcoins. ATPs also exfiltrate sensitive data and utilize double and triple extortion methods where they either blackmail the organization with the public release or selling of their data, or they go to the customers to blackmail them, so they pressure the organization into paying the ransom. Defense against Ransomware is possible but in many cases, by the time, ransomware is detected the malicious actors already have strong access into the systems and data. All is not lost however as organizations can bring back their systems and data if there are backup & recovery policies that have been established prior. This thesis systematically explores the ransomware topic scoped on backups & recovery to identify how ransomware attack backups, what are the best practices for backups & recovery, and the corresponding challenges for organizations to produce policy recommendations. To this end, three methods are used. The methods are: semi-systematic literature review, qualitative content analysis, and semi-structured interviews. A triangulation of these methods over cybersecurity frameworks, expert knowledge and backup software provider reports establish essential insights. The main recommendations made are that organizations must ensure that they regularly must create redundant, airgapped, offline, and offsite backups that are stored in multiple storage media. Furthermore organizations must establish proper cyber hygiene practices in order to protect their backups. Lastly, organizations must ensure that they can test and maintain resilient backup & recovery policies through establishing responsibility and accountability of different stakeholders, streamlining their IT environments, and having a cybersecurity-enabling approach to organizational IT governance. The research is a rigorous and comprehensive overview of the backup & recovery topic against ransomware and is academically relevant as it fills research gaps on: how ransomware attacks target backups & recovery specifically, what the best practices offered by the most credible cybersecurity frameworks are, and why organizations still fail in setting up proper backup & recovery practices. The EPA relevance is characterized through navigating a branch of the grand challenge of cybersecurity, namely ransomware. This is a grand challenge as there are a plethora of stakeholders on an organizational level who have different opinions and views on the topic at hand where organizations are comprised of teams in different countries, subject to different regulations, etc. Therefore it is essential in this complex environment to see what could be made as policy recommendations for organizations of all levels against the treat of ransomware with respect to backup & recovery practices.

The EU Artificial Intelligence Act (AI Act) proposed by the European Commission is a significant legislative effort to regulate AI systems. It is the first legal framework that specifically addresses the risks associated with AI systems, aiming to ensure their trustworthiness and alignment with the values enshrined in the Charter of the Fundamental Rights of the EU and the Union values. Thus, the draft of the AI Act emphasizes the importance of fundamental rights in Europe's AI approach.

The AI Act covers various AI applications, including machine learning, logical, statistical, and knowledge-based approaches. It provides a classification framework based on the purpose and risks posed by AI applications: Prohibited/Unacceptable risk, High-Risk, Limited-Risk, and Minimal/No risk. However, there are concerns about the clarity of the classification criteria mentioned in the AI Act. Some AI systems may fall into multiple classifications, leading to ambiguity. For example, a social robot used in patient treatment could be classified as High-Risk or Limited-Risk. This ambiguity is also observed in classifying AI systems in enterprise functions, where 40{\%} of the classifications remain unclear.

Therefore, these challenges provide an opportunity to improve the classification process of AI systems under the AI Act, facilitating the classification process and accommodating emerging AI technologies. The main research question addressed in this thesis is: \textbf{"To what extent can the process of AI systems classification under the AI Act be improved?"}

The research focuses specifically on AI systems classification. It explores specific provisions of the AI Act, including Prohibited Risk, Classification Rules for High-Risk AI systems, Transparency Obligations, and Annexes II and III.

To achieve the objective of improving the classification accuracy of AI systems based on the AI Act, the study adopts the Design Science Methodology. This methodology involves systematically studying existing AI systems classifications and challenges, extracting themes to develop a framework, and evaluating the framework through feedback from AI experts.

A decision tree is designed as the proposed framework. It is evaluated on 16 respondents from two different backgrounds: legal and non-legal. In order to obtain comprehensive insights, the evaluation is designed to incorporate an experiment where respondents are tasked to classify AI systems to the risk level with the AI Act only. Then in the second experiment, they have to classify AI systems using the proposed decision tree framework. It is important to note that the study acknowledges the possibility of overestimating or underestimating respondents' ability to classify AI systems due to their diverse backgrounds and levels of understanding of the AI Act. Furthermore, a semi-structured interview is conducted to strengthen the analysis.

Based on the evaluation, the decision tree's performance revealed higher accuracy than the classification approach without the decision tree. However, the overall accuracy remained low, indicating room for improvement. Challenges identified include the need for additional context and understanding of terms, definitions, and examples in the decision tree and the potential for misclassification due to vague definitions and assumptions. Respondents also expressed the need for more detailed information about AI system use cases to improve classification accuracy.

The decision tree's performance varied between obvious and non-obvious use cases, with non-obvious cases presenting challenges in accurate classification. The accuracy for obvious cases was higher, highlighting the difficulty of distinguishing between High-Risk and Unacceptable Risk categories. Lack of clarity in terms and definitions and limited contextual information contributed to the challenges faced in classifying non-obvious cases.

Legal experts demonstrated higher accuracy than non-legal respondents, indicating familiarity with legal terminology and the AI Act. However, legal and non-legal respondents encountered difficulties classifying non-obvious cases, emphasizing the need for clearer frameworks and tools to enhance clarity and streamline the classification process. Greater clarity in the AI Act and an interdisciplinary approach were recommended to address these challenges and facilitate understanding of the risks associated with AI systems.

Based on the analysis, several areas for improving AI systems classification under the AI Act have been identified. The current classification process faces challenges related to ambiguities in definitions, lack of contextual information, and difficulties in distinguishing between different risk levels.

To address these challenges and enhance the classification process, it is recommended to introduce clearer guidelines and refine the decision tree used for classification. The decision tree should incorporate additional criteria and features that provide more clarity and context. It is important to consider biases, subjective interpretations, clarity, and the dynamic nature of AI technologies in these improvements.

The study has certain limitations. The small sample size of respondents may impact the generalizability of the findings. The number of participants might not be representative of the entire population. Additionally, the limited number of use cases utilized in the research may limit the comprehensiveness of the classification framework. The study is based on the latest amendment of a policy proposal, and there is a potential for changes in the regulation's details, which may affect the effectiveness of the results. Finally, potential biases may exist in the development of the research, such as in making the decision tree and selecting the use cases.

Future research should explore the continuity of the decision tree's performance over time and its evaluation. There should be more research on non-obvious cases in specific domains or industries. It is crucial to focus on potential issues in classifying certain risk levels in the AI Act that hinder classification accuracy. Understanding the differences between legal and non-legal perspectives on the AI Act is also important to establish standardized understanding among stakeholders. Additionally, conducting quantitative research with larger and more diverse respondents from industrial backgrounds can further evaluate the proposed framework.

Phishing attacks are a growing cause of cybersecurity incidents such as data breaches. With these attacks, malicious actors try to gain access to systems by exploiting the vulnerability of employees. Particularly, intruders use different tricks to create convincing phishing emails to force people to behave less securely. Unfortunately, technological applications are insufficient in detecting all possible phishing attempts. As the consequences of a successful breach can be disastrous for a company, especially in the banking sector, pressure is put on employees to recognise and report potential phishing emails. To aid them in this task, phishing training is provided by employers. Employees are taught what phishing emails look like and which actions they should take if an email appears malicious. However, the effectiveness of these training sessions is difficult to evaluate.

To understand the interaction of employees with phishing emails without influencing their behaviour, we study the emails employees report as suspicious to characterise the security culture at a bank. A better understanding of the behaviour provides grounds for recommendations to improve anti-phishing training and create a safer environment. The newfound metrics can provide an alternative to current methods.

This research uses Exploratory Data Analysis (EDA) to evaluate the email reporting behaviour of employees at a bank to answer the Research Question How can email reporting patterns in a large organisation measure the relationship between phishing training, reported emails and employee behaviour? With this case study, we apply EDA to a large dataset containing bank employees' reported emails over 16 months. We analysed the reported emails and related them to the provided phishing training events. Moreover, we did a text analysis of the emails' content using the Term Frequency - Inverse Document Frequency (TF-IDF) method. Additionally, we extract the dominant topics of the emails using topic modelling. Lastly, with the help of interviews, the results are tied to employees' experiences to understand their behaviour.

The major findings of the research are, firstly, the new metrics we identified to measure the security culture of a company. These metrics were found from both the analysis of employee behaviour over time, as well as the analysis of the email content. From the analysis of the reporting behaviour over time, new metrics include the unique reporters in relation to the total reported emails over time. Besides the unique reporters, unique reported emails can uncover the presence of campaigns. For example, a single email can explain the increase from 50 to 350 daily benign reports. The difference between the total reports and unique reports uncovered this. Secondly, topic analysis and content comparison show similarities between benign and malicious reported emails, indicating an increased vigilance of employees on these attributes.

A second finding originates from the analysis of the email components. One of the components was used in all simulation emails, while it was not present in all the benign and malicious reported emails. This shows that the simulation emails can be extended to include different scenarios. Therefore, we recommend the company to extend the phishing simulation emails to contain varied phishing tactics to expose employees to other types of attacks and incorporate all aspects taught during the E-learning.

Lastly, the analysis shows no concrete relation between the number of reported emails and the timing of the simulation wave. Although the reported p-value of benign emails after the simulation is 0.03, this significance can also be explained by external factors.

With these results, we can measure employees' security culture and awareness in real-world circumstances without influencing the employees' behaviour, providing a new approach to investigating phishing behaviour. Adding to the research of Steves et al. (2020),, the click rates can be explained by more than solely the employees' awareness levels, and new explanations come forward to handle phishing threats. Moreover, the absence of a required test environment for the analysis created a solution for existing gaps. For example, as seen in (Hillman et al., 2023).

A limitation of exploratory data analysis is that results are often ambiguous and mainly provide possible directions for future research. Furthermore, external factors influencing the behaviour could provide alternative reasons for the discussed interactions.

To conclude, by using the reported emails to measure security behaviour related to phishing, we found new metrics which do not influence the employees in their daily behaviour while still providing insights to improve the tactics of a company in combating phishing attacks. Reporting behaviour can be used to analyse the current anti-phishing tactics of a company and provide suggestions for improvements.

Future research should explore the differences in applying the method in other companies and across sectors. Overlap and differences can create an understanding of the diversity in security culture and the effect of external factors. Combining these results with a comprehensive understanding of a company's operations can expose directions for improvement in the security approach. Additionally, the effect of the recommendations can be analysed using the metrics we proposed. This can be done with a follow-up analysis of the behaviour to see whether the desired effect can be observed.

With the ever-increasing digitalisation of society and the explosion of internet-enabled devices with the Internet of Things (IoT), keeping services and devices secure is becoming more important. Logs play a critical role in sustaining system reliability. Manual analysis of logs has become increasingly difficult, accelerating the development of automated methods for log-anomaly detection. Despite significant progress in automating log analysis, current state-of-the-art methods face challenges dealing with unstable log data, which means that the content of log messages evolves over time.

We show that LogBERT, a state-of-the-art technique based on Bidirectional Encoder Representations from Transformers (BERT), cannot deal with unstable log data. On the three most prevalent publicly available log datasets, Mathew's Correlation Coefficient (MCC) score (which measures the correlation between a model's output and the correct labels) of LogBERT dropped by 90% after increasing log data instability from 1% to over 80% normal sequences containing logkeys in the test set. Log data instability was increased by only reassigning samples between the train and test set. Furthermore, we show that the high performance of LogBERT reported in the original paper was achieved because the model relied on a simple heuristic that only worked under specific conditions.
To address this issue, we propose a novel sequence anomaly detection technique based on BERT: Vocabulary-Free BERT (VoBERT). VoBERT uses a novel pre-training task we designed specifically for anomaly detection: Vocabulary-Free Masked Language Modeling (VF-MLM). We adapted traditional MLM and removed the fixed vocabulary constraint, which allows VF-MLM to classify out-of-vocabulary logkeys correctly.
We highlight that VoBERT is more stable than LogBERT and outperforms the latter in certain situations where log data is very unstable. For the public datasets, the MCC score of the specific train-test split used in the LogBERT paper dropped by 90% after reassigning the train-test split, increasing log data instability. In addition to sequence-level anomaly predictions, we evaluated all approaches on element level, providing a more granular performance assessment.
To assess the generalisation of the experimental results to real-world scenarios, we conducted a case study evaluating the anomaly detection models on real-world security event data collected at a large bank (50,000+ employees). We found that the simple heuristic did not work for this real-world data, having a negative correlation with the correct results. VoBERT showed performance on par with LogBERT on this real-world security event dataset.
We urge future researchers to evaluate their methods on real-world data, as we showed that the commonly used public datasets do not represent real-world scenarios. Furthermore, it is important to assess how difficult it is to detect anomalies in datasets used for evaluation. When a simple heuristic can perform well, such datasets might not be well suited to evaluate a complex anomaly detection model.
This thesis is a proof of concept for the novel pre-training task VF-MLM and paves the way for future work to refine this technique further, as well as to develop additional robust and adaptable solutions for log and security event anomaly detection.

In today's business landscape, software has become an integral part of operations for all companies, with a growing reliance on third-party components. This increasing complexity in software supply chains has led to a significant reduction in transparency and visibility, posing challenges for effective management and security. Software Bill of Materials (SBOMs) emerges as a promising concept to address this issue by providing detailed information about software components and their supply chain relationships, ultimately enhancing transparency within these supply chains. However, despite its potential benefits, SBOM adoption remains limited in practice.

This research examines the perspectives of four key business stakeholders involved in the software supply chain to understand their incentives and disincentives surrounding SBOM adoption. Through a series of in-depth interviews with representatives from each stakeholder group, we aimed to identify stakeholder-specific risks, benefits, concerns, and incentives related to SBOM adoption. The analysis reveals that SBOM adoption potential is notably higher among system integrators and software vendors. These stakeholders perceive the benefits of enhanced transparency and supply chain risk mitigation, which align with their strategic objectives. On the contrary, B2B customers and Individual Developers exhibit the least motivation for SBOM adoption. Their limited interest stems from a perception that SBOMs may impose additional complexities without commensurate benefits. Given that B2B customers and individual developers are the primary consumers and suppliers of SBOMs, respectively, the findings suggest that the overall adoption potential of this technology remains restricted.

In the past several years, financial applications of the blockchain technology experienced significant growth, development and adoption among the public and institutional investors. With the rise of stablecoins and major events such as the announcement of Facebook’s own cryptocurency Libra in 2019, the EU regulators felt the urgent need to address the digital currencies that may pose financial and security risks if left unsupervised. In 2020, the European Commission introduced the Markets in Crypto-Assets (MiCA) framework to regulate the crypto-asset issuers and service providers located in the EU or serving EU clients from abroad. One of the regulation’s objectives is to address the risks of the crypto-markets while leveraging its benefits, yet there has been no evaluation of the proposed regulation besides the Commission’s own impact assessment.

Thus, this research offers an evaluation of the MiCA framework by adopting World Economic Forum’s DeFi white paper risk framework and interviews with the industry experts to generate both qualitative and quantitative data that is used to construct policy considerations for future amendments. By conducting interviews with 8 legal experts, the study provides insights into the strengths and weaknesses of the MiCA framework, while the interviews with 2 respondents from crypto-asset issuer entities, 6 from crypto-asset service providers entities and 3 from institutional investors entities provided further insights into the perceptions of the industry participants on the EU crypto regulation. Moreover, the study presents the risk perceptions of each respondent groups as during the interview rounds the participants were presented 18 risks of DeFi and were asked to select the most 5 critical risks perceived by them. This information is used to reveal what risks are perceived by each group. Lastly, the study presents a content analysis to assess the extent to which the 18 risks ranked by the interviewees are addressed in the MiCA framework. In summary, the results of the study suggest many points of improvement to the MiCA framework with respect to definitions, scoping, classifications and the regulatory approach. Moreover, the results suggest that the policy makers should focus on the unaddressed risks in the future amendments and policies, most importantly on technical and operational risks that have been left out from the framework.

Applications on Android phones which block spam calls could be argued a necessity for people unfortunate enough to have their number on spam lists. Third-party applications provide exten- sive, up-to-date blocklists to screen incoming calls. This paper analyses and describes how these types of applications store and access their data. First we analyse which applications keep their data offline on disk, then we take a look at applications which use the internet to query an in- coming phone call. We found four applications use a combination of both, two applications using exclusively online resources and four applications using offline resources only.

The aim of this research is to provide a structured approach for dynamically analysing Android applications, focusing on applications that block or flag suspected spam caller IDs. This paper discusses ways to determine how an application stores the data regarding the phone numbers, and what APIs it utilizes. In order to develop a methodology of what to search for while performing dynamic analysis, the research in this paper focuses on analysing one such Android application, using it as a template. Additionally, it provides insights and limitations on this analysed application, and potential improvements both on the techniques and tools used.

Spam calls are becoming an increasing problem, with people receiving multiple spam calls per month on average. Multiple Android applications exist that are able to detect spam calls and display a warning or block such calls. Little is known however on how these applications work and what numbers they block.
In this research, the following question is investigated: Can we do a brute force dynamic analysis on Android spam call blocking apps, to extract caller ID information from apps that cannot be or is not extracted through static analysis? A tool is created that is capable of doing such a dynamic analysis, by installing such an app on an emulator, sending emulated phone calls to the emulator, and using screenshot comparison techniques to determine whether the call is classified as allowed or blocked by the respective app. The tool developed in this research can, fully automated, test caller IDs on 8 different Android apps. Apart from a number of initial setup steps to install and configure the apps in the emulator, the tool takes about 1.5 seconds on average to analyze 1 caller IDs on one app.

In order to combat increasing spam calls, many applications are developed and downloaded to block those calls. Some studies about performance of the applications were previously conducted, however, the actual processes the applications go through to intercept and block the spam calls are not well studied. This research presents a method to systematically explore Android APIs that are responsible for intercepting and blocking the spam calls.

Spam calls are a widespread problem as people receive about 14 spam calls per month on average. In response, tens of applications are available in Google’s Play Store that aim to block these calls. While these apps have hundreds of millions of installations, there’s a lack of research into these applications. Research has been done on the user experience of these apps, but the inner workings of the apps have not been explored. Analyzing the inner workings can provide useful insights to combat spam calls more effectively. In this paper, we analyze the elements of the AndroidManifest.xml file of a set of 10 spam call blocking applications to identify aspects that are related to the blocking of spam calls and to find commonalities among the apps. Occurrences of specific elements and their attributes are summarized in this paper. Permissions related to managing phone calls and accessing the internet were found to be common, and services were identified that screen and manage phone calls. 2 apps were found to allow other apps to use their phone number information database, but this analysis did not identify usages by other apps. A complete analysis of all available spam call blocking apps could show the general usage of these and other components.