
Selected Online Reading on Cybersecurity

Find a list of selected books, electronic books and articles, online databases, newswires and training sessions to enhance your knowledge from home.

Selected e-articles

  • Cybersecurity Risk. Florackis, Chris ; Louca, Christodoulos ; Michaely, Roni ; Weber, Michael; Goldstein, Itay. The Review of financial studies, 2023, Vol.36 (1), p.351-407

Abstract: Based on textual analysis and a comparison of cybersecurity risk disclosures of firms that were hacked to others that were not, we propose a novel firm-level measure of cybersecurity risk for all U.S.-listed firms. We then examine whether cybersecurity risk is priced in the cross-section of stock returns. Portfolios of firms with high exposure to cybersecurity risk outperform other firms. Yet, high-exposure firms perform poorly in periods of high cybersecurity risk. Reassuringly, the measure is higher in information-technology industries, correlates with characteristics linked to firms hit by cyberattacks, and predicts future cyberattacks. The authors have furnished an Internet Appendix, which is available on the Oxford University Press Web site next to the link to the final published paper online.

Abstract: Despite promises by European Union (EU) policymakers to “fundamentally change” cybersecurity certification, they have recently created a regime that is strikingly similar to already existing certification arrangements. How can we explain this puzzle? Through a process-tracing analysis based on 41 documents and 18 interviews, this article traces the development of the EU cybersecurity certification regime over the past two decades. It deconstructs certification into standardisation, accreditation, certification, and evaluation; analyses how each regime component changed over time; and discusses to what extent causal mechanisms that are derived from classic theories of EU integration explain the limited nature of policy change. The observed dynamics uncover a “Europeanization on Demand” model that allows national authorities to completely control the extent of integration. This study challenges the dichotomous understanding portrayed by EU integration literature, of mutually exclusive dynamics of market or core state powers integration, highlighting intriguing political dynamics in EU cybersecurity policymaking.

Abstract: Cybersecurity in the financial sector is a dynamic and evolving policy field with unique challenges and specific characteristics. While it has recently received a lot of attention from disciplines like Economics and Politics, legal literature on this topic, especially with regard to EU law, still lags behind. This is surprising, given that cybersecurity in the EU is characterized by complex governance structures, a variety of legal sources, and a wide range of different rule makers and involved actors, and given that only a clear legal framework with efficient institutions at both EU and Member State level can provide for a safe digital environment. The purpose of this Article, therefore, is twofold: On the one hand, it aims to introduce the legal aspects of cybersecurity in the financial sector while taking stock of existing cybersecurity schemes, including their strengths and weaknesses from a legal perspective. On the other hand, it will set out key elements that cybersecurity regulation in the financial sector must respect in order to be effective and come up with reform proposals to make the EU financial sector more cybersecure.

Abstract: The cybersecurity of critical infrastructures is an essential topic within national and international security, as 16 critical infrastructure sectors touch various aspects of American society. Because the failure to provide adequate cybersecurity controls within the critical infrastructure sectors renders the country open to an attack that could have a debilitating effect on security, national public health, safety, and economic security, the matter is so vital that Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience, advances a national policy to strengthen and maintain secure, functioning and resilient critical infrastructure. An organization identified as the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS) has the mission to be the risk advisor for the United States (US). Other organizations, such as the National Security Agency (NSA), have approved a specific Knowledge Unit (KU) to address cybersecurity for critical infrastructures associated with doctoral-level granting programs. To address this challenge, it is necessary to identify threats better and defend against them while mitigating risks to an acceptable level. Only then can a nation build a more secure and resilient infrastructure for the future while defending against present-day bad actors, as cyberwarfare, cyber espionage, and cybersecurity attacks are the modern-day threats that need to be addressed in planning, design, implementation, and maintenance. Therefore, the researchers developed a case study reviewing threats against the different sectors defined in the PPD.

Abstract: Cybersecurity is a patient safety concern. Recent cyberattacks on healthcare institutions around the world have shown the risks to patients: from delayed treatment as hospitals and clinics are shut down, to the threat of harm from the theft of personal data, to patient death. The recent Covid-19 pandemic has further increased cyberattacks on health organisations. In low- and middle-income countries (LMICs) digital health, including the use of health informatics systems and electronic health records, is an increasing part of the health agenda as national governments move to scale up healthcare on the path to achieving Universal Health Coverage. Frontline healthcare workers are often warned of the dangers of data mismanagement and are advised to take precautions to ensure data is safe. However, as many workers are already overstretched with conflicting administrative priorities, cybersecurity risks are going unnoticed.

Abstract: In this article, I investigate why international law and norms have failed to keep cyberspace peaceful. The problem comes mainly from their failure to address what non-state actors, such as individual hackers and technology firms, do in cyberspace. Created by the extensive input of government officials decades ago with heavy focus on states as primary actors of international politics, international law is incoherent with the dominance of non-state actors as de facto operators of cyberspace. The critical problem shared by international law and institutions of having no “teeth” to penalize non-state violence extends to cyberspace. As a result, noncompliance with international law has become practical, and it has even bolstered the private sector, especially major technology firms, to assert themselves in the legal void, leverage their digital products to reshape norms, and become norm entrepreneurs in the business of digital defense. However, the multiplication of norm entrepreneurs has accelerated in an uncoordinated manner, and the way they built their interests does not neatly align with those of the states. While some norms of cyberspace behavior have been accepted, many others remain contested. In the meantime, norm discourse in diplomatic venues, including in multilateral debates at the United Nations, has become highly undemocratic, dominated by a small mix of great powers and active middle powers that are also split over what norms should guide state and nonstate behaviors.

Abstract: Are cyber-enabled information warfare (IW) campaigns uniquely threatening when compared with traditional influence operations undertaken by state actors? Or is the recent “hacking” of Western democracies simply old wine in new (but fundamentally similar) bottles? This article draws on classical theories of democratic functionality from the political science and communications studies fields to deconstruct the aims and effects of cyber-enabled IW. I describe democracies as information systems wherein the moderating functions of democratic discourse and policy deliberation rely on robust mechanisms for asserting the credibility, origination, and quality of information. Whereas the institutions of democracy are often compromised in ways that force failures of the system’s moderating dynamics, influence operations in the digital age act to subvert the traditional mechanisms of democratic functionality in new ways. Sophisticated digital age information operations create a multifaceted attribution challenge to the target state that amounts to unprecedented uncertainty about the nature and scope of the threat. However, the promise of cyber-enabled IW capabilities emerges more from the rewiring of modern democratic information environments around new media platforms than it does from the cyber conflict faculties of state actors. Rather, cyber operations act as an adjunct modifier of IW abilities that allow belligerent governments to secure new sources of private information, to divert attention from other pillars of IW campaigns, to compromise the capabilities of domestic counterintelligence assets and to tacitly coerce important members of society.

Abstract: Today, social engineering techniques are the most common way of committing cybercrimes through the intrusion and infection of computer systems. Cybersecurity experts use the term “social engineering” to highlight the “human factor” in digitized systems, as social engineering attacks aim at manipulating people to reveal sensitive information. In this paper, we explore how discursive framings of individual versus collective security by cybersecurity experts redefine roles and responsibilities at the digitalized workplace. We will first show how the rhetorical figure of the deficient user is constructed vis-à-vis notions of (in)security in social engineering discourses. Second, we will investigate the normative tensions that these practices create. To do so, we link work in science and technology studies on the politics of deficit construction to recent work in critical security studies on securitization and resilience. Empirically, our analysis builds on a multi-sited conference ethnography during three cybersecurity conferences as well as an extensive document analysis. Our findings suggest a redistribution of institutional responsibility to the individual user through three distinct social engineering story lines: “the oblivious employee,” “speaking code and social,” and “fixing human flaws.” Finally, we propose to open up the discourse on social engineering and its inscribed politics of deficit construction and securitization and advocate for companies and policy makers to establish and foster a culture of collective cyber in/security and corporate responsibility.

Abstract: There have already been several studies focusing on cybersecurity and international trade, but the intersection between the two is multifaceted and can be approached from several viewpoints. This article focuses on cybersecurity and international trade from the specific perspective of technological neutrality. Although technological neutrality is recognized with different degrees of intensity both under World Trade Organization Covered Agreements and free trade agreements in a diverse range of fields (such as trade in services, technical barriers to trade, or intellectual property), its status in international trade law is unclear. In this uncertain context, it is argued here, technological neutrality has the potential of expanding the scope of trade obligations unpredictably. As a result, in the face of pressing cybersecurity concerns, technology-related trade measures risk constantly violating trade obligations, making the trade-cybersecurity relationship even more complicated. The possibility to clarify the status of technological neutrality and the scope of technology-neutral provisions is chief among the solutions proposed in this article. Additionally, this article suggests that States either be compensated when a trade-restrictive cybersecurity measure affects them, or consider adopting a waiver in the field of technology, similar to what has been carried out in other areas.

Abstract: Accusations of bad state behaviour in cyberspace are proliferating, yet this increase in naming has not obviously produced much shame. Accused states uniformly deny the accusation or decline to comment, without changing behaviour. For international lawyers, the problem is compounded by the absence of international law in these charges. States are not invoking international law when they complain of other states' behaviour, suggesting the law is weak, or worse, irrelevant, in holding states accountable for their cyber operations. In lieu of "naming and shaming", we introduce and examine the broader concept of "accusation" as a social, political and legal practice with diverse uses in cyberspace and beyond. Accusers must make strategic choices about how they frame their accusations, and we unpack various elements accusers may manipulate to their advantage. Accusations also have many purposes. They may seek to "name and shame" an accused into conforming to certain behavioural expectations, but they may also aim at defensive or deterrent effects on both the accused and, crucially, on third parties. Particularly important, accusations may play a constitutive role, constructing new norms, including customary international law, within the international community. In short, accusations offer states and other stakeholders a menu of strategic options beyond those identified by the extant literature on naming and shaming.

Abstract: As technology has evolved, cities have become increasingly smart. Smart mobility is a crucial element in smart cities, and autonomous vehicles are an essential part of smart mobility. However, vulnerabilities in autonomous vehicles can be damaging to quality of life and human safety. For this reason, many security researchers have studied attacks and defenses for autonomous vehicles. However, there has not been systematic research on attacks and defenses for autonomous vehicles. In this survey, we analyzed previously conducted attack and defense studies described in 151 papers from 2008 to 2019 for a systematic and comprehensive investigation of autonomous vehicles. We classified attacks on autonomous vehicles into the three categories of autonomous control system, autonomous driving system components, and vehicle-to-everything communications. Defenses against such attacks were classified into security architecture, intrusion detection, and anomaly detection. Due to the development of big data and communication technologies, techniques for detecting abnormalities using artificial intelligence and machine learning are gradually being developed. Lastly, based on our systematic survey, we draw the implication that future research on autonomous vehicle attacks and defenses will be closely combined with artificial intelligence and with the major components of smart cities.

Further sources

If you are unable to access the article you need, please contact us and we will get it for you as soon as possible.
