TUCCR researches the socio-economic context of security problems and solutions, focussing on three main challenges:
We model and analyze cybersecurity attacks and vulnerabilities in enterprise systems to support enterprise risk management and continuity planning. The main challenge is to design new methods for evaluating enterprise security and to integrate them with existing enterprise architecture and business process modelling approaches. Security-enhanced modelling methods should allow the specification of security goals and requirements on both assets and users, of the control measures that are (or are to be) implemented in the enterprise, and of the threats to the satisfaction of those goals and requirements. New analysis methods are needed that take such security-enhanced enterprise architecture models as input and produce a vulnerability and risk assessment of the enterprise as output. It should also be possible to analyze the impact of enterprise architecture changes on enterprise security, and of security changes on the enterprise architecture. Quantitative model-based analysis of risks, vulnerabilities, and threats should be possible using measurement data connected to the enterprise model. With these analyses and appropriate tooling, risk management can be supported and measures for prevention and recovery can be designed.
We research approaches and methods to measure the true economic impact of security attacks on businesses. Current methods often rely on victim surveys and expert opinions, which lack empirical grounding and therefore make inaccurate inputs for budgetary and investment decisions on cybersecurity. One major challenge addressed by this research is to develop a conceptual framework that describes the phenomena of security attacks on businesses, including the social context of an attack, such as the aims of the attackers and the routines of the victims. Another challenge is to identify operationalizable constructs within the framework, as well as methods for measuring them, so that economic impact can be established reliably. We believe that collecting empirical data with these methods and interpreting it within the framework will give a clearer view of how cyberattacks damage the current and future revenues of a business organisation, and of the need for investment in cybersecurity.
We investigate how to improve our understanding of human factors in cybersecurity and how to design better preventive and mitigating interventions based on that understanding. Knowledge of human behaviour, of both attackers and victims, is needed to explain vulnerability to cyberattacks and the (non-)compliance of victims with security rules. Complicating factors are the continuous adaptation of attack methods to security measures and the availability of inexpensive tools for disseminating false information and propaganda. Reproducible experiments are needed to obtain and validate insights into human behaviour. An important challenge is to develop such experiments, together with scientific theories that are supported by the experimental data. These theories then serve as tools in design practice for developing better policies and effective interventions.