Leiden University: Welcome to the world of cybersecurity governance

Dikes and locks, Schiphol, the port of Rotterdam, hospitals, the road traffic network, the power grid – in the Netherlands, a lot of critical infrastructure has been connected to the internet. It is certainly convenient and efficient to be able to open and close locks and tunnels remotely, but it comes with the risk of malicious intent. ‘It raises a plethora of security questions regarding both technological vulnerabilities and human behaviour,’ says Bibi van den Berg, professor of Cybersecurity Governance at Leiden University. ‘Cybersecurity governance is about the control measures, regulations, and management of human behaviour that can help in keeping things secure.’

Old methods don’t apply
‘Cybersecurity is an emerging topic that, so far has mainly been addressed from a technical frame of reference, in combination with some very “classical” legal questions,’ Van den Berg says. ‘The fields of public administration and organisational studies have long stayed quiet.’ The various disciplines often resorted to applying old methods to cybersecurity– with risk management a prime example as it had proven its effectiveness in aerospace manufacturing, the automotive industry, health care, and many other fields. ‘The problem is that these methods turn out to be much less effective because of the complexity and unpredictability of cyberspace – with human actors playing a large role in the latter.’

Based on values
Within her research group, Van den Berg develops concepts, models and theories that are specifically tailored to cyberspace. ‘We are active on every scale of governance; from companies to local authorities to national governments and the international stage.’ Last year the group took on a project for Statistics Netherlands (CBS). Rather than applying a classical risk management paradigm, they decided to base their approach on values. ‘It is a great alternative for mapping vulnerabilities,’ she says. ‘It means letting go of quantifiability – this number exceeds that number; therefore, this has our priority – but it allows you to have a conversation about what you stand for as an organisation. It guides the discussion towards what we find worthy of protection.’

‘We have an abundance of disciplines, each with a unique perspective on digital safety.’

Humanities, exact sciences and social sciences
The research group of Van den Berg consists of people with degrees in psychology, political science, public administration, law, philosophy, sociology – an abundance of disciplines, each with a unique perspective on digital safety. She also greatly values her collaborations with technical experts. ‘To do sound research, you need to consider the state-of-the-art in technology.’ She therefore often collaborates with the faculty of Technology, Policy and Management and the faculty of Electrical Engineering, Mathematics & Computer Science of TU Delft, and with computer scientists of the Leiden Institute of Advanced Computer Science (LIACS).

Cybersecurity-by-design
Recently, her group joined forces with LIACS and The Hague University of Applied Sciences in a large project financed by the Dutch Research Council (NWO) and aimed at an integrated approach towards Security-by-design. ‘The core idea is that, so far, security-by-design has mainly addressed technical issues in cyber security,’ Van den Berg says. ‘To make new products and services even more secure, however, we should take the ethical, legal, organisational, and political perspective into consideration all the way from the design stage.’

Increasing resilience
The biggest challenges in cybersecurity may be to not scare people unnecessarily and to protect their privacy. ‘It makes no sense to constantly conjure up the image of some kind of cyber-Tsjernobyl,’ Van den Berg says. ‘But cybersecurity is an urgent issue. We are vulnerable and need to be better protected against cyber incidents.’ There is also a growing awareness that such incidents are unavoidable – resulting from an outside attack, a natural disaster, human error, wear and tear, or programming errors. ‘There is no such thing as 100% security,’ Van den Berg says. ‘We, therefore, see a shift from prevention only to incident response. We can increase our resilience by ensuring that sufficient manpower and resources are available for incident resolution.’

‘We want our students to take the lead, should their organisations suffer a cyber incident.’

Leiden ⇌ Delft ⇌ Erasmus
According to Van den Berg, there are ample specialisms within the three LDE universities ensuring excellent education and research in the field of cybersecurity. ‘We bring technology, behaviour, legislation and ethics close together. We are intensifying existing research collaborations and setting up new ones. On top of our existing joint educational programmes, we are planning a new LDE-bachelor on cybersecurity and cybercrime.’ This bachelor will focus on governance and criminology, but the students will also be taught a basic understanding of the internet – its security risks and the technological means to address these. ‘We want our graduates to take the lead should their organisation suffer a cyber incident,’ Van den Berg says. ‘They need to assemble the troops when all hell break loose.’