Publications | Dr. Abhishta Abhishta, MBA

2026

Analysing the affect of Control, Accountability and Transparency on the Consumer Behaviour of Software as a Service (SaaS) to Prioritise Digital Sovereignty

Siraj Anand, Tijmen Heuvelman, Jan-Willem Bullée, and 2 more authors

Mar 2026

2nd India Conference on Information Systems, InCIS 2026 : Digital Public Infrastructure for a Sustainable and Sovereign Digital Future, InCIS 2026 ; Conference date: 05-03-2026 Through 07-03-2026

Abs Bib PDF

Choice of cloud computing services are being re-evaluated amid concerns over control, accountability, and transparency. Growing reliance on cloud infrastructures for digital services is increasing the concerns over digital sovereignty. The lack of trust between consumers and Cloud Service Providers (CSPs) is pushing policymakers and organisations to develop solutions that incorporate Control, Accountability, and Transparency (CAT) mechanisms. While much has been discussed over the need for CAT measures in cloud computing, the consumer attitude towards these measures has received far less attention. In this paper, we outline an approach to systematically evaluate the influence of Control, Accountability and Transparency (CAT) mechanisms on consumer willingness to pay for Software as a Service (SaaS). We collect opinions of students from Dutch Universities using a survey measured on a 7-point Likert scale. Using this data, we test our hypotheses developed and grounded in theoretical foundations, with the Partial Least Squares Structural Equation Modelling (PLS-SEM) technique. We observe that despite the existing literature focusing on control, consumers actually place more value on transparency when it comes to their data in the cloud. Our results also indicate that while social norms have a minor impact, income levels do not significantly affect consumers’ preference for digital sovereignty. Our findings indicate that cloud providers can distinguish their services from the traditional ones with offers that allow customers to pay for digital sovereignty feature, allowing them to capture market segments that are sensitive towards their digital footprints.
@conference{anand2026affectControlAccountabilityTransparencyConsumer, title = {Analysing the affect of Control, Accountability and Transparency on the Consumer Behaviour of Software as a Service (SaaS) to Prioritise Digital Sovereignty}, keywords = {Digital Sovereignty, Cloud, Controllability, Accountability, Transparency, Consumer behaviour}, author = {Anand, Siraj and Heuvelman, Tijmen and Bull{\'e}e, Jan-Willem and Nieuwenhuis, Bart and Abhishta, Abhishta}, year = {2026}, month = mar, day = {4}, language = {English}, note = {2nd India Conference on Information Systems, InCIS 2026 : Digital Public Infrastructure for a Sustainable and Sovereign Digital Future, InCIS 2026 ; Conference date: 05-03-2026 Through 07-03-2026}, url = {https://conference.iima.ac.in/incis2026/}, }
Assessing Crime Disclosure Patterns in a Large-Scale Cybercrime Forum

Raphael Hoheisel, Tom Meurs, Jai Wientjes, and 3 more authors

Mar 2026

Abs DOI Bib

Cybercrime forums play a central role in the cybercrime ecosystem, serving as hubs for the exchange of illicit goods, services, and knowledge. Previous studies have explored the market and social structures of these forums, but less is known about the behavioral dynamics of users, particularly regarding participants’ disclosure of criminal activity. This study provides the first large-scale assessment of crime dis closure patterns in a major cybercrime forum, analysing over 3.5 million posts from nearly 300k users. Using a three-level classification scheme (benign, grey, and crime) and a scalable labelling pipeline powered by large language models (LLMs), we measure the level of crime exposure present in initial posts, analyze how participants switch between disclosure levels and assess how crime disclosure behavior relates to private communications. Our results show that crime disclosure is relatively normative: one quarter of initial posts include explicit crime-related content, and more than one third of users disclose criminal activity at least once. At the same time, most participants demonstrate restraint, with over two-thirds posting only benign or grey content and typically escalating disclosure gradually. Grey posts are particularly prominent, indicating that many users avoid overt statements and instead anchor their activity in ambiguous content. The study highlights the value of LLM-based text classification and Markov chain modelling for capturing behavioral patterns in cybercrime forums, and offers insights for law enforcement efforts aimed at distinguishing benign, grey, and criminal content in cybercrime forums.
@techreport{hoheisel2026assessingCrimeDisclosurePatternsLarge, title = {Assessing Crime Disclosure Patterns in a Large-Scale Cybercrime Forum}, keywords = {Cybercrime Forums, Underground Forums, Markov Chains, Crime Disclosure, Large Language Models}, author = {Hoheisel, Raphael and Meurs, Tom and Wientjes, Jai and Junger, Marianne and Abhishta, Abhishta and Paquet-Clouston, Masarah}, year = {2026}, month = mar, day = {2}, doi = {10.48550/arXiv.2603.01624}, language = {English}, publisher = {ArXiv.org}, type = {WorkingPaper}, institution = {ArXiv.org}, url = {https://doi.org/10.48550/arXiv.2603.01624}, }
Digital Sovereignty and the means to European digital security: Identification of the goals related to digital sovereignty from legal texts published by the European Union

Siraj Anand, Shawn Donnelly, Michel Ehrenhard, and 2 more authors

European Security, Mar 2026

Abs DOI Bib

Europe is taking the lead in positioning itself at the forefront of digital governance with the accelerating transformation of global digital markets, which is reflected in policies that have frequently addressed digital sovereignty in their communications. However, the lack of conceptual agreement on the fundamental objectives of digital sovereignty leads to diverse interpretations by different actors within the European jurisdiction, expanding its scope but narrowing the intensity with which it is enforced. This article aims to solidify the concept of sovereignty in cyberspace in response to the digital insecurity in Europe amid increasing geopolitical tensions by examining the fundamental objectives of the European Union (EU) within its notion of digital sovereignty. It uses Gioia methodology [Gioia et al., 2013. Seeking qualitative rigor in inductive research: Notes on the Gioia methodology. Organizational research methods, 16 (1), 15–31] as a theoretical approach towards qualitatively examining 79 legal documents selected via a rigorous screening process to identify six dimensions of the EU’s strategic and digital goals while discussing its relevance to digital sovereignty. By analysing these dimensions, we provide actionable insights on digital sovereignty from the EU legislation grounded in empirical evidence and highlight the gaps in its implementation.
@article{anand2026digitalSovereigntyMeansEuropeanDigital, title = {Digital Sovereignty and the means to European digital security: Identification of the goals related to digital sovereignty from legal texts published by the European Union}, keywords = {UT-Hybrid-D, Digital security, European Union, Policy, Objectives, Definition, Digital sovereignty}, author = {Anand, Siraj and Donnelly, Shawn and Ehrenhard, Michel and Nieuwenhuis, Bart and Abhishta, Abhishta}, year = {2026}, month = mar, day = {12}, doi = {10.1080/09662839.2026.2627905}, language = {English}, journal = {European Security}, issn = {0966-2839}, publisher = {Taylor \& Francis}, url = {https://doi.org/10.1080/09662839.2026.2627905}, }

2025

Dark Web Dialogues: Analyzing Communication Platform Choices of Underground Forum Users

Raphael Hoheisel, Tom Meurs, Marianne Junger, and 2 more authors

In 2024 APWG Symposium on Electronic Crime Research (eCrime), Feb 2025

Publisher Copyright: \textcopyright 2024 IEEE.; Symposium on Electronic Crime Research, eCrime 2024, eCrime 2024 ; Conference date: 24-09-2024 Through 26-09-2024

Abs DOI Bib PDF

We investigate the utilization of private communication platforms by underground forum users. We aim to bridge the knowledge gap regarding user preferences for communication platforms employed for private conversations within illicit contexts. We employ social network analysis, topic modeling and statistical analysis on over 7.5 million posts and 260 thousand messages from a popular underground forum. We identify prevalent communication platforms and investigate the relationship between the context in which users share contact details and their social networks in relation to platform preferences. Our contributions include an overview of prominent communication platforms used by forum users, highlighting Telegram’s predominant popularity. We show that in hacking related contexts users choose platforms that provide higher security and privacy levels. Lastly, findings from our statistical model indicate a significant relationship between the centrality of users in the social network and their choice of communication platform. We provide valuable insights for law enforcement agencies, helping them make strategic decisions and plan interventions combating cybercrime.
@inproceedings{hoheisel2025darkWebDialoguesAnalyzingCommunication, title = {Dark Web Dialogues: Analyzing Communication Platform Choices of Underground Forum Users}, keywords = {2025 OA procedure, Social Network Analysis (SNA), Communication channels, Messengers, Hacking forums, Choice behavior, Rational Choice Model, Topic modeling, Underground forums}, author = {Hoheisel, Raphael and Meurs, Tom and Junger, Marianne and Tews, Erik and Abhishta, Abhishta}, note = {Publisher Copyright: {\textcopyright} 2024 IEEE.; Symposium on Electronic Crime Research, eCrime 2024, eCrime 2024 ; Conference date: 24-09-2024 Through 26-09-2024}, year = {2025}, month = feb, day = {25}, doi = {10.1109/eCrime66200.2024.00020}, language = {English}, isbn = {979-8-3315-2450-0}, series = { APWG Symposium on Electronic Crime Research (eCrime)}, publisher = {IEEE}, number = {19}, pages = {187--201}, booktitle = {2024 APWG Symposium on Electronic Crime Research (eCrime)}, address = {United States}, url = {https://doi.org/10.1109/eCrime66200.2024.00020}, }
How Does AI Transform Cyber Risk Management?

Sander Zeijlemaker, {Yaphet K.} Lemiesa, {Saskia Laura} Schröer, and 2 more authors

Systems, Sep 2025

Publisher Copyright: \textcopyright 2025 by the authors.

Abs DOI Bib PDF

Digital transformation embeds smart cities, e-health, and Industry 4.0 into critical infrastructures, thereby increasing reliance on digital systems and exposure to cyber threats and boosting complexity and dependency. Research involving over 200 executives reveals that under rising complexity, only 15% of cyber risk investments are effective, leaving most organizations misaligned or vulnerable. In this context, the role of artificial intelligence (AI) in cybersecurity requires systemic scrutiny. This study analyzes how AI reshapes systemic structures in cyber risk management through a multi-method approach: literature review, expert workshops with practitioners and policymakers, and a structured kill chain analysis of the Colonial Pipeline attack. The findings reveal three new feedback loops: (1) deceptive defense structures that misdirect adversaries while protecting assets, (2) two-step success-to-success attacks that disable defenses before targeting infrastructure, and (3) autonomous proliferation when AI applications go rogue. These dynamics shift cyber risk from linear patterns to adaptive, compounding interactions. The principal conclusion is that AI both amplifies and mitigates systemic risk. The core recommendation is to institutionalize deception in security standards and address drifting AI-powered systems. Deliverables include validated systemic structures, policy options, and a foundation for creating future simulation models to support strategic cyber risk management investment.
@article{zeijlemaker2025doesAiTransformCyberRisk, title = {How Does AI Transform Cyber Risk Management?}, keywords = {artificial intelligence, cybersecurity, qualitative modeling, systemic structure change}, author = {Zeijlemaker, Sander and Lemiesa, \{Yaphet K.\} and Schr{\"o}er, \{Saskia Laura\} and Abhishta, Abhishta and Siegel, Michael}, note = {Publisher Copyright: {\textcopyright} 2025 by the authors.}, year = {2025}, month = sep, day = {23}, doi = {10.3390/systems13100835}, language = {English}, volume = {13}, journal = {Systems}, issn = {2079-8954}, publisher = {MDPI}, number = {10}, url = {https://doi.org/10.3390/systems13100835}, }
NAS ransomware: ransomware targeting NAS devices

Tom Meurs, Raphael Hoheisel, Marianne Junger, and 1 more author

Global crime, Nov 2025

Publisher Copyright: \textcopyright 2025 Informa UK Limited, trading as Taylor & Francis Group.

Abs DOI Bib

The present study examines the impact of ransomware against Network Attached Storage (NAS) devices. NAS devices are external harddrives which are usually easily accessible through the internet. We analyse 502 ransomware attacks reported to the Dutch Police between 2019 and 2022, of which 104 (20.7%) targeted NAS devices. These attacks targeted both companies as individuals. Furthermore, we examine the police intervention against a NAS ransomware strain in October 2022. One limitation of this sample is possible low willingness to report to the Police. We conclude that, although the financial impact of an attack on an individual is relatively low compared to an attack against an organisation, the loss of personal pictures and videos can be very painful for victims and therefore we think it is important to address NAS ransomware in the public debate.
@article{meurs2025nasRansomwareRansomwareTargetingNas, title = {NAS ransomware: ransomware targeting NAS devices}, keywords = {2026 OA procedure, network attached storage, Ransomware, routine activity theory, cybercrime}, author = {Meurs, Tom and Hoheisel, Raphael and Junger, Marianne and Abhishta, Abhishta}, note = {Publisher Copyright: {\textcopyright} 2025 Informa UK Limited, trading as Taylor \& Francis Group.}, year = {2025}, month = nov, day = {26}, doi = {10.1080/17440572.2025.2591628}, language = {English}, journal = {Global crime}, issn = {1744-0572}, publisher = {Routledge}, url = {https://doi.org/10.1080/17440572.2025.2591628}, }
Understanding Digital Sovereignty from the lens of EU legal documents

Siraj Anand, Abhishta Abhishta, Bart Nieuwenhuis, and 1 more author

2025

Abs Bib

This paper examines the European Union’s (EU) concept of digital sovereignty through an analysis of 79 legal documents selected via a rigorous screening process. By evaluating mentions of Digital Sovereignty in these documents, this study identifies four key motivations: increasing foreign digital dependencies, lack of common governance, insufficient security amid rising threats, and the growing social and economic impact of technology. Using Gioia methodology, it recognises six dimensions for EU’s strategic goals: data control, democratic digital transformation, open strategic autonomy, a digital single market, building own digital capacities, and enhancing cybersecurity & resilience. Our analysis of EU legal documents offers a systematic interpretation of the term “Digital Sovereignty” by differentiating at policy, organisational, and individual levels, providing guidance towards building resilient telecommunication systems.
@techreport{anand2025understandingDigitalSovereigntyLensEu, title = {Understanding Digital Sovereignty from the lens of EU legal documents}, keywords = {Digital Sovereignty,, European Union, Resilience, Policy}, author = {Anand, Siraj and Abhishta, Abhishta and Nieuwenhuis, Bart and Ehrenhard, Michel}, year = {2025}, language = {English}, type = {WorkingPaper}, }
Victimization in DDoS attacks: The role of popularity and industry sector

{Muhammad Yasir Muzayan} Haq, Antonia Affinito, Alessio Botta, and 4 more authors

Journal of information security and applications, Nov 2025

Publisher Copyright: \textcopyright 2025 The Authors

Abs DOI Bib

Distributed denial-of-service (DDoS) attacks may be driven not only by economic motives such as extortion, but also by social or political goals, including hacktivism and state-sponsored operations. Therefore, the monetary value of a target alone does not fully explain why some organizations are more frequently victimized. While cloud providers deploy advanced defenses — such as Anycast routing, traffic scrubbing, and filtering — they also concentrate many potential targets within a shared infrastructure, increasing their exposure to DDoS attacks. This study aims to understand what makes organizations more suitable DDoS targets by examining two key attributes: visibility and perceived value, represented by website popularity and industry sector. We also investigate how the customer portfolio of cloud and data center providers influences the DDoS threat to their infrastructure. Research Questions: • How do organizational characteristics related to value and visibility — specifically, popularity and industry sector — correlate with the threat of DDoS attacks? • How does the diversity of customer business sectors hosted by a cloud or data center provider influence the DDoS threat to its infrastructure? Methodology: We conducted a large-scale analysis of DDoS incidents inferred from network telescope data spanning five years. We estimated target visibility and value using Alexa ranks and Cisco Umbrella content categories. We also analyzed the relationship between customer sector composition and DDoS threat at the provider level. Key Findings: • Popular websites are more frequently attacked, though this pattern weakened during the COVID-19 pandemic. • Certain industry sectors face significantly higher and repeated DDoS threats. • Cloud providers serving a higher proportion of high-risk sectors are more likely to face frequent DDoS attacks.
@article{haq2025victimizationDdosAttacksRolePopularity, title = {Victimization in DDoS attacks: The role of popularity and industry sector}, keywords = {UT-Hybrid-D, Cloud provider, Customer portfolio, Distributed denial-of-service, Industry sector, Popularity, Value, Victimization, Visibility, Accumulated threat}, author = {Haq, \{Muhammad Yasir Muzayan\} and Affinito, Antonia and Botta, Alessio and Sperotto, Anna and Nieuwenhuis, \{Lambert J.M.\} and Jonker, Mattijs and Abhishta, Abhishta}, note = {Publisher Copyright: {\textcopyright} 2025 The Authors}, year = {2025}, month = nov, doi = {10.1016/j.jisa.2025.104242}, language = {English}, volume = {94}, journal = {Journal of information security and applications}, issn = {2214-2134}, publisher = {Elsevier}, url = {https://doi.org/10.1016/j.jisa.2025.104242}, }
What To Do Against Ransomware? Evaluating Law Enforcement Interventions

Tom Meurs, Raphael Hoheisel, Marianne Junger, and 2 more authors

In 2024 APWG Symposium on Electronic Crime Research (eCrime), Feb 2025

Symposium on Electronic Crime Research, eCrime 2024, eCrime 2024 ; Conference date: 24-09-2024 Through 26-09-2024

Abs DOI Bib

Ransomware poses an increasing challenge to society, yet there is a notable gap in research on the effectiveness of law enforcement interventions. A key insight from our study is that the presence of victims’ details on leak pages following double extortion ransomware attacks offers a unique opportunity to evaluate these interventions. Analyzing a dataset containing victims published by ransomware groups, we assess the impact of five specific types of interventions: arresting group members, taking down leak page server infrastructure, freezing crypto assets, releasing decryptors, and imposing sanctions. From a collected list of interventions, we categorize ransomware groups’ responses into three actions: ceasing operations, continuing operations, or rebranding under a new name. Initial results show that nearly half of the interventions led to ransomware groups ceasing operations. Additionally, our findings suggest minimal crime displacement, with fewer victims attacked post-intervention if the groups continued their activities. Observed rebranding among these groups is also limited. We discuss the implications and limitations of our research and conclude with two recommendations for law enforcement: prioritize frequent small interventions over a single large intervention and diversify the set of interventions to better counter the adaptive nature of ransomware groups.
@inproceedings{meurs2025whatDoAgainstRansomwareEvaluating, title = {What To Do Against Ransomware? Evaluating Law Enforcement Interventions}, author = {Meurs, Tom and Hoheisel, Raphael and Junger, Marianne and Abhishta, Abhishta and McCoy, Damon}, year = {2025}, month = feb, day = {25}, doi = {10.1109/eCrime66200.2024.00012}, language = {English}, isbn = {979-8-3315-2450-0}, series = {Proceedings APWG Symposium on Electronic Crime Research (eCrime)}, publisher = {IEEE}, pages = {76--93}, booktitle = {2024 APWG Symposium on Electronic Crime Research (eCrime)}, address = {United States}, note = {Symposium on Electronic Crime Research, eCrime 2024, eCrime 2024 ; Conference date: 24-09-2024 Through 26-09-2024}, url = {https://doi.org/10.1109/eCrime66200.2024.00012}, }

2024

Cloud Outsourcing Risk Management for Cloud Consumers: A Systematic Literature Review

{Muhammad Yasir Muzayan} Haq, Siraj Anand, Abhishta Abhishta, and 1 more author

ACM computing surveys, Feb 2024

Abs Bib

This systematic literature review explores the landscape of risks and risk management techniques in cloud outsourcing, with a focus on assisting enterprise cloud consumers in understanding and mitigating both technical and non-technical risks, despite having limited control over the infrastructures. From a comprehensive analysis of 55 academic articles, spanning the period from January 2013 to September 2022, we identify and characterize risks using established frameworks from ENISA and Cebula et al. [16]. Using ISO31000 and the classification proposed by Ardagna et al. [3], we also summarize and characterize 23 main strategies in risk management techniques feasible for cloud consumers, including technical and non-technical measures. We observe a significant emphasis on technical risks in the literature, while non-technical risks, including legal, organizational, and policy aspects, are relatively underrepresented. Threats to data confidentiality dominate the technical risks and mostly originate from shared infrastructure issues. However, non-technical issues, such as vendor lock-in, also pose catastrophic risks the continuity and business operations of the cloud consumers. We also observe that encryption still plays a key role in the existing techniques, next to other techniques such as auditing, risk-aware software development, and assessments of third parties.
@article{haq2024cloudOutsourcingRiskManagementCloud, title = {Cloud Outsourcing Risk Management for Cloud Consumers: A Systematic Literature Review}, keywords = {UT-Hybrid-D, Risk, Risk Management, Systematic Literature Review, Cloud Consumer, Cloud Outsourcing}, author = {Haq, \{Muhammad Yasir Muzayan\} and Anand, Siraj and Abhishta, Abhishta and Nieuwenhuis, \{Lambert J.M.\}}, year = {2024}, month = feb, day = {7}, language = {English}, journal = {ACM computing surveys}, issn = {0360-0300}, publisher = {Association for Computing Machinery}, }
Corrigendum: Picking your brains: where and how neuroscience tools can enhance marketing research(Front. Neurosci., (2020), 14, (577666), 10.3389/fnins.2020.577666)

Letizia Alvino, Luigi Pavone, Abhishta Abhishta, and 1 more author

Frontiers in Neuroscience, 2024

Publisher Copyright: Copyright \textcopyright 2024 Alvino, Pavone, Abhishta and Robben.

Abs DOI Bib

In the published article, the reference for “Vickers (2017)” was incorrectly inserted as “Vickers, N. J. (2017). Animal communication: when I’m calling you, will you answer too? Curr. Biol. 27, R713–R715. 10.1016/j.cub.2017.05.064 The correct reference should be: “Vickers, D. L. (1972). Sorcerer’s Apprentice: Head-Mounted Display and Wand (Ph.D. Thesis). The University of Utah, Salt Lake City, UT, United States.” In the published article, there was also an error in “4.5. Eye Tracking,” paragraph 2 regarding the reported equipment costs. Costs were reported to range between “€100,000 and 300,000” but this should be “€100 and 30,000.” The corrected paragraph appears below: “ET has been widely used in consumer neuroscience research to study visual behavior (e.g., fixation, gaze, pupil dilatation), customers’ visual attention mechanisms and consumers’ engagement (Zamani et al., 2016; Ungureanu et al., 2017). ET has several advantages: it is portable, non-invasive, simple to use and relatively inexpensive. ET has a cost ranging between €100 and 30,000 euros, depending on the level of the technology and whether the software to acquire and analyse data is included1. An ET experiment needs only a technician and, eventually, a data analyst. The average time needed to perform an ET experiment is about 15 min since the subject set-up is very fast. This time covers only the time needed to perform the experiment by the subject. Not all the ET has a high flexibility as some ET models might not work efficiently with glasses and contact lenses. ET is also characterized by a high level of integration with other tools due to its portability and because it is a “ready-to-use” device. To have more reliable results, ET should be used in combination with other tools.” The authors apologize for these errors and state that this does not change the scientific conclusions of the article in any way. The original article has been updated.
@article{alvino2024corrigendumPickingYourBrainsWhere, title = {Corrigendum: Picking your brains: where and how neuroscience tools can enhance marketing research(Front. Neurosci., (2020), 14, (577666), 10.3389/fnins.2020.577666)}, keywords = {consumer neuroscience, GRAIL, iMotion, marketing, neuromarketing, neurophysiological tools, physiological tools, review}, author = {Alvino, Letizia and Pavone, Luigi and Abhishta, Abhishta and Robben, Henry}, note = {Publisher Copyright: Copyright {\textcopyright} 2024 Alvino, Pavone, Abhishta and Robben.}, year = {2024}, doi = {10.3389/fnins.2024.1426471}, language = {English}, volume = {18}, journal = {Frontiers in Neuroscience}, issn = {1662-4548}, publisher = {Frontiers Media SA}, url = {https://doi.org/10.3389/fnins.2024.1426471}, }
Deception in double extortion ransomware attacks: An analysis of profitability and credibility

Tom Meurs, Edward Cartwright, Anna Cartwright, and 2 more authors

Computers and Security, Mar 2024

Publisher Copyright: \textcopyright 2023 The Author(s)

Abs DOI Bib

Ransomware attacks have evolved with criminals using double extortion schemes, where they signal data exfiltration to inflate ransom demands. This development is further complicated by information asymmetry, where victims are compelled to respond to ambiguous and often deceptive signals from attackers. This study explores the complex interactions between criminals and victims during ransomware attacks, especially focusing on how data exfiltration is communicated. We use a signaling game to understand the strategies both parties use when dealing with uncertain information. We identify five distinct equilibria, each characterized by the criminals’ varied approaches to signaling data exfiltration, influenced by the strategic parameters inherent in each attack scenario. Calibrating the game parameters with real-world like values, we identify the most probable equilibrium, offering insights into anticipated ransom amounts and corresponding payoffs for both victims and criminals. Our findings suggest criminals are likely to claim data exfiltration, true or not, highlighting a strategic advantage for intensifying attack efforts. The study underscores the need for victims’ caution towards criminals’ claims and highlights the unintended consequences of policies making false claims costlier for criminals.
@article{meurs2024deceptionDoubleExtortionRansomwareAttacks, title = {Deception in double extortion ransomware attacks: An analysis of profitability and credibility}, keywords = {UT-Hybrid-D, Data exfiltration, Game theory, Information asymmetry, Ransomware, Signaling game, Cybercrime}, author = {Meurs, Tom and Cartwright, Edward and Cartwright, Anna and Junger, Marianne and Abhishta, Abhishta}, note = {Publisher Copyright: {\textcopyright} 2023 The Author(s)}, year = {2024}, month = mar, doi = {10.1016/j.cose.2023.103670}, language = {English}, volume = {138}, journal = {Computers and Security}, issn = {0167-4048}, publisher = {Elsevier}, url = {https://doi.org/10.1016/j.cose.2023.103670}, }
Group Workshop as a “Human-Centered Approach” for Identification and Selection of Business Processes for Robotic Process Automation

Lars Berghuis, Abhishta Abhishta, Wouter Heeswijk}, and 1 more author

In Towards Digital and Sustainable Organisations - People, Platforms, and Ecosystems, May 2024

Publisher Copyright: \textcopyright The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.; 19th Annual conference of the Italian Chapter of AIS, ItAIS 2022, ItAIS 2022 ; Conference date: 14-10-2022 Through 15-10-2022

Abs DOI Bib

Robotic process automation (RPA) has been rapidly diffusing in organizations to automate monotonous business processes. Nevertheless, only about half of such projects are successful, as organizations struggle to identify simple yet impactful processes. Existing approaches for selecting business processes for RPA include process mining and individual interviews. These have been often charged to be time-consuming, unsystematic, overly complex, and dependent primarily on individual perspectives. In this empirical study, we explore the deployment of group intelligence to select business processes suitable for RPA. We investigate whether and how a group of relevant actors can jointly generate ideas, evaluate them, and select the most salient processes for RPA automation. We draw on the design science to develop a human-centered artifact that fulfills actors’ needs—a group workshop for RPA identification and selection—and to assess such artifacts. The workshop incorporates elements of the business process management lifecycle and nominal brainstorming. The workshop is designed by drawing on the recommendations of the existing relevant literature. A real-life group-based RPA identification and selection workshop experiment was conducted with a group of employees of an audit firm located in the Netherlands. A follow-up survey and interviews were carried out with the participants to evaluate the workshop, indicating an overall positive experience and suitability to effectively identify relevant processes. This study proposes a new systematic group approach for identifying and selecting business processes for RPA, which could be applied in a variety of contexts and organizations. It also puts forward a comprehensive agenda for future research and practice.
@inproceedings{berghuis2024groupWorkshopHumanCenteredApproach, title = {Group Workshop as a “Human-Centered Approach” for Identification and Selection of Business Processes for Robotic Process Automation}, keywords = {2024 OA procedure, Human-centered, Methodology, RPA, Workshop, Group}, author = {Berghuis, Lars and Abhishta, Abhishta and \{van Heeswijk\}, Wouter and Tursunbayeva, Aizhan}, note = {Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.; 19th Annual conference of the Italian Chapter of AIS, ItAIS 2022, ItAIS 2022 ; Conference date: 14-10-2022 Through 15-10-2022}, year = {2024}, month = may, day = {21}, doi = {10.1007/978-3-031-52880-4\_7}, language = {English}, isbn = {9783031528798}, series = {Lecture Notes in Information Systems and Organisation}, publisher = {Springer}, pages = {103--122}, editor = {Lazazzara, Alessandra and Reina, Rocco and Za, Stefano}, booktitle = {Towards Digital and Sustainable Organisations - People, Platforms, and Ecosystems}, address = {Germany}, url = {https://doi.org/10.1007/978-3-031-52880-4\_7}, }
Measuring Malware Detection Capability for Security Decision Making

{Muhammad Yasir Muzayan} Haq, Abhishta Abhishta, Sander Zeijlemaker, and 3 more authors

Jul 2024

9th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2024, WTMC 2024 ; Conference date: 08-07-2024 Through 08-07-2024

Abs Bib

Organizations face an urgent need to bolster their cybersecurity defenses against the rising threat of ransomware. Implementing advanced antivirus and antimalware tools is crucial for proactive identification and mitigation of malicious software. However, adversaries constantly refine malware to evade detection increasing the complexity of the threat. Hence, developing an effective strategy is nontrivial. To address this challenge, this study conducts various analyses on scan results of publicly shared malware samples. Utilizing metadata from 635K samples sourced from MalwareBazaar and scan results from VirusTotal, we assign family labels using AVClass. Additionally, we examine a 90-day longitudinal dataset alongside the main dataset. Our findings demonstrate that while over 60% of scanner engines detect 67% of samples, certain malware families consistently exhibit lower detection rates. Detection capability improves over time, particularly within the initial 30 days, but remains inadequate for specific families. Furthermore, we observe that some scanner engines demonstrate nearly flawless detection capability across all malware families, while the majority struggle with efficiently detecting certain types. Moreover, we performed Monte Carlo simulations and revealed that employing multiple scanner engines substantially enhances detection capability, with 3 to 7 scanners being optimal. Finally, simulation analysis in a case study highlights the significant impact of hard-to-detect malware on risk and performance, underscoring the importance of effective malware strategies.
@conference{haq2024malwareDetectionCapabilitySecurityDecision, title = {Measuring Malware Detection Capability for Security Decision Making}, keywords = {malware detection, defense strategy, decision-making, security investment, VirusTotal}, author = {Haq, \{Muhammad Yasir Muzayan\} and Abhishta, Abhishta and Zeijlemaker, Sander and Chau, Annette and Siegel, Michael and Nieuwenhuis, \{Lambert J.M.\}}, year = {2024}, month = jul, day = {8}, language = {English}, pages = {342--351}, note = {9th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2024, WTMC 2024 ; Conference date: 08-07-2024 Through 08-07-2024}, url = {https://wtmc.info/index.html}, }
Measuring Malware Detection Capability for Security Decision Making

{Muhammad Yasir} {Muzayan Haq}, Abhishta Abhishta, Sander Zeijlemaker, and 3 more authors

In 9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024, Jul 2024

Publisher Copyright: \textcopyright 2024 IEEE.; 9th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2024, EuroS&PW 2024 ; Conference date: 08-07-2024 Through 12-07-2024

Abs DOI Bib

Organizations face an urgent need to bolster their cybersecurity defenses against the rising threat of ransomware. Implementing advanced antivirus and anti-malware tools is crucial for proactive identification and mitigation of malicious software. However, adversaries constantly refine malware to evade detection increasing the complexity of the threat. Hence, developing an effective strategy is nontrivial. To address this challenge, this study conducts various analyses on scan results of publicly shared malware samples. Utilizing metadata from 635K samples sourced from MalwareBazaar and scan results from VirusTotal, we assign family labels using AV Class. Additionally, we examine a 90-day longitudinal dataset alongside the main dataset. Our findings demonstrate that while over 60 % of scanner engines detect 67 % of samples, certain malware families consistently exhibit lower detection rates. Detection capability improves over time, particularly within the initial 30 days, but remains inadequate for specific families. Furthermore, we observe that some scanner engines demonstrate nearly flawless detection capability across all mal ware families, while the majority struggle with efficiently detecting certain types. Moreover, we performed Monte Carlo simulations and revealed that employing multiple scanner engines substantially enhances detection capability, with 3 to 7 scanners being optimal. Finally, simulation analysis in a case study highlights the significant impact of hard-to-detect malware on risk and performance, underscoring the importance of effective malware strategies.
@inproceedings{muzayanhaq2024malwareDetectionCapabilitySecurityDecision, title = {Measuring Malware Detection Capability for Security Decision Making}, keywords = {2026 OA procedure, defense strategy, malware detection, security investment, VirusTotal, decision-making}, author = {\{Muzayan Haq\}, \{Muhammad Yasir\} and Abhishta, Abhishta and Zeijlemaker, Sander and Chau, Annette and Siegel, Michael and Nieuwenhuis, L.J.M.}, note = {Publisher Copyright: {\textcopyright} 2024 IEEE.; 9th IEEE European Symposium on Security and Privacy Workshops, EuroS\&PW 2024, EuroS\&PW 2024 ; Conference date: 08-07-2024 Through 12-07-2024}, year = {2024}, month = jul, day = {8}, doi = {10.1109/EuroSPW61312.2024.00044}, language = {English}, isbn = {979-8-3503-6732-4}, series = {Proceedings of the IEEE European Symposium on Security and Privacy Workshops}, publisher = {IEEE}, pages = {342--351}, booktitle = {9th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2024}, address = {United States}, url = {https://eurosp2024.ieee-security.org/}, }
Poster: Empirical Cybersecurity Investment Decision-Making: Bridging the Gap Between Intuition and Metric-Driven Strategy

{Nadia Lorraine} Niyonsaba, Abhishta Abhishta, Jeroen Ham}, and 1 more author

Jul 2024

8th European Symposium on Security and Privacy, Euro S&P 2024, Euro S&P 2024 ; Conference date: 03-07-2024 Through 07-07-2024

Abs DOI Bib

Organizations are under constant threat of cyberattacks. Hence, they need to have information security measures put in place. Security managers lack methods to quantify how much effort should be invested in protecting their IT assets and training people. We propose developing a metric-based method to guide cybersecurity investments, aimed at improving an organization’s security posture.
@conference{niyonsaba2024posterEmpiricalCybersecurityInvestmentDecision, title = {Poster: Empirical Cybersecurity Investment Decision-Making: Bridging the Gap Between Intuition and Metric-Driven Strategy}, author = {Niyonsaba, \{Nadia Lorraine\} and Abhishta, Abhishta and \{van der Ham\}, Jeroen and Spierdijk, Laura}, year = {2024}, month = jul, day = {4}, doi = {10.5281/zenodo.12648767}, language = {English}, pages = {20--22}, note = {8th European Symposium on Security and Privacy, Euro S\&P 2024, Euro S\&P 2024 ; Conference date: 03-07-2024 Through 07-07-2024}, url = {https://doi.org/10.5281/zenodo.12648767}, }
Ransomware Economics: A Two-Step Approach To Model Ransom Paid

Tom Meurs, Edward Cartwright, Anna Cartwright, and 4 more authors

In 2023 APWG Symposium on Electronic Crime Research (eCrime), Apr 2024

18th Symposium on Electronic Crime Research, eCrime 2023, eCrime 2023 ; Conference date: 15-11-2023 Through 17-11-2023

Abs DOI Bib

Ransomware poses a significant and pressing challenge in today’s society. Mitigation efforts aim to reduce the profitability of ransomware attacks. Nevertheless, limited research has analysed factors that influence the size of ransom and willingness of businesses to pay a ransom. This study aims to address this existing gap by conducting an empirical investigation that focuses on the ransom paid by victims. Extending on past research, we analyse 382 ransomware attacks reported to the Dutch Police and/or handled by an Incident Response (IR) company. One challenge of modeling ransom payments is the large proportion of victims who did not pay, which leads to zero-inflation. We tackled this problem by employing a hurdle model, which effectively deals with zero-inflation by capturing ransom paid as a two-step decision-making process: first, victims decide whether to comply with the ransom demands, and if they choose to do so, they then need to determine the acceptable ransom amount. The results indicate that the presence of backups and the decision to go to an IR company play a pivotal role in the decision whether to pay the ransom or not. In addition, our findings identify insurance coverage, data exfiltration, and annual revenue of the victim as key determinants affecting the ransom amounts. Specifically, having insurance results in ransoms that are 2.8 times larger, data exfiltration corresponds to a 5.5 times increase in the ransom, and each 1% increase in a victim’s yearly revenue causes a 0.12% rise in the ransom paid. In concluding our paper, we present practical policy recommendations that take into account the two crucial decision-making steps outlined in our study, focusing on data exfiltration and insurance.
@inproceedings{meurs2024ransomwareEconomicsTwoStepApproach, title = {Ransomware Economics: A Two-Step Approach To Model Ransom Paid}, author = {Meurs, Tom and Cartwright, Edward and Cartwright, Anna and Junger, Marianne and Hoheisel, Raphael and Tews, Erik and Abhishta, Abhishta}, year = {2024}, month = apr, day = {1}, doi = {10.1109/eCrime61234.2023.10485506}, language = {English}, isbn = {979-8-3503-6028-8}, series = {Proceedings APWG Symposium on Electronic Crime Research (eCrime)}, publisher = {IEEE}, booktitle = {2023 APWG Symposium on Electronic Crime Research (eCrime)}, address = {United States}, note = {18th Symposium on Electronic Crime Research, eCrime 2023, eCrime 2023 ; Conference date: 15-11-2023 Through 17-11-2023}, url = {https://doi.org/10.1109/eCrime61234.2023.10485506}, }
Understanding Digital Sovereignty: A Textual Analysis Of EU Policy Documents

Siraj Anand, Abhishta Abhishta, and {Lambert J. M.} Nieuwenhuis

In Proceedings of the 32nd European Conference on Information Systems (ECIS), 2024

32nd European Conference of Information Systems, ECIS 2024 : People First: Constructing Digital Futures Together, ECIS 2024 ; Conference date: 13-06-2024 Through 19-06-2024

Abs Bib PDF

The rapid growth of digital transformations globally has compelled European policymakers to discuss the possibility of a “Digitally Sovereign” model of the Internet. However, both policymakers and researchers have yet to solidify the concept behind such an ecosystem. While recent policies on digital issues often center around "Digital Sovereignty," there remains a lack of clear distinction between this term and similar concepts such as "Data Sovereignty" and "Technological Sovereignty". This extended abstract proposes a thorough textual analysis of EU policy documents to grasp the values and principles behind Digital Sovereignty.
@inproceedings{anand2024understandingDigitalSovereigntyTextualEu, title = {Understanding Digital Sovereignty: A Textual Analysis Of EU Policy Documents}, author = {Anand, Siraj and Abhishta, Abhishta and Nieuwenhuis, \{Lambert J. M.\}}, year = {2024}, language = {English}, series = {ECIS 2024 TREOS}, booktitle = {Proceedings of the 32nd European Conference on Information Systems (ECIS)}, note = {32nd European Conference of Information Systems, ECIS 2024 : People First: Constructing Digital Futures Together, ECIS 2024 ; Conference date: 13-06-2024 Through 19-06-2024}, url = {https://ecis2024.eu/}, }
Victimization in DDoS Attacks: The Role of Popularity and Industry Sector

{Muhammad Yasir Muzayan} Haq, Antonia Affinito, Alessio Botta, and 4 more authors

Sep 2024

Abs DOI Bib

DDoS attacks could have an economic motive such as extortion, but also social and political such as hacktivism and state-sponsored warfare. Hence, the monetary value of the targets does not always explain the victimization. To counter DDoS threats, cloud providers utilize more robust, distributed networks and implement DDoS evasion techniques such as Anycast. However, by hosting many targets under a single infrastructure, they also accumulate threats, which together might exceed the ability of the infrastructure. We approach the victimization problem by using VIVA (value, inertia, visibility, and access) attributes of the DDoS victims to understand what makes them a suitable target for DDoS attacks. We conduct a large-scale analysis of DDoS attack incidents inferred from traffic data recorded by a network telescope over a five-year period. Using Alexa rank and content category of the domain names associated with the targeted IP addresses, we infer the targets’ popularity and industry sector to estimate their VIVA attributes, especially, visibility and value. We reveal that more popular domain names suffer more DDoS attacks but during the COVID-19 pandemic, we observe more attacks targeting domain names regardless of their popularity. Our analysis of the top 100K most popular domain names shows that certain industry sectors have significantly higher threats of DDoS attacks and even repeat victimization. We also investigate the accumulated threats among cloud/data center providers and find that the proportion of customers from specific industry sectors statistically increases the threat of DDoS attacks for these providers significantly.
@techreport{haq2024victimizationDdosAttacksRolePopularity, title = {Victimization in DDoS Attacks: The Role of Popularity and Industry Sector}, keywords = {Victimization, VIVA, Popularity, Industry sector, Accumulated threat, Cloud provider, Customer portfolio, DDoS}, author = {Haq, \{Muhammad Yasir Muzayan\} and Affinito, Antonia and Botta, Alessio and Sperotto, Anna and Nieuwenhuis, \{Lambert J.M.\} and Jonker, Mattijs and Abhishta, Abhishta}, year = {2024}, month = sep, day = {30}, doi = {10.2139/ssrn.4970423}, language = {English}, publisher = {Social Science Research Network (SSRN)}, type = {WorkingPaper}, institution = {Social Science Research Network (SSRN)}, url = {https://doi.org/10.2139/ssrn.4970423}, }

2023

Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict

{Muhammad Yasir Muzayan} Haq, Abhishta Abhishta, Raffaele Sommese, and 2 more authors

2023

8th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2023, WTMC 2023 ; Conference date: 07-07-2023 Through 07-07-2023

Abs Bib PDF

We conduct longitudinal and temporal analyses on active DNS measurement data to investigate how the Russia-Ukraine conflict impacted the network infrastructures supporting domain names under ICANN’s CZDS new gTLDs. Our findings revealed changes in the physical locations of network infrastructures, utilization of managed DNS services, infrastructure redundancy, and distribution, which started right after the first reported Russian military movements in February 2022. We also found that domains from different countries had varying location preferences when moving their hosting infrastructure. These observed changes suggest that network operators took proactive measures in anticipation of an armed conflict to promote resilience and protect the sovereignty of their networks in response to the conflict.
@conference{haq2023assessingNetworkOperatorActionsEnhanceConference, title = {Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict}, keywords = {Network resilience, Digital sovereignty, Russia-Ukraine conflict, DNS measurement}, author = {Haq, \{Muhammad Yasir Muzayan\} and Abhishta, Abhishta and Sommese, Raffaele and Jonker, Mattijs and Nieuwenhuis, \{Lambert J.M.\}}, year = {2023}, language = {English}, note = {8th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2023, WTMC 2023 ; Conference date: 07-07-2023 Through 07-07-2023}, }
Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict

{Muhammad Yasir Muzayan} Haq, Abhishta Abhishta, Raffaele Sommese, and 2 more authors

In 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), Jul 2023

8th IEEE European Symposium on Security and Privacy Workshops, EuroS&PW 2023, EuroS&PW 2023 ; Conference date: 03-07-2023 Through 07-07-2023

Abs DOI Bib PDF

We conduct longitudinal and temporal analyses on active DNS measurement data to investigate how the Russia-Ukraine conflict impacted the network infrastructures supporting domain names under ICANN’s CZDS new gTLDs. Our findings revealed changes in the physical locations of network infrastructures, utilization of managed DNS services, infrastructure redundancy, and distribution, which started right after the first reported Russian military movements in February 2022. We also found that domains from different countries had varying location preferences when moving their hosting infrastructure. These observed changes suggest that network operators took proactive measures in anticipation of an armed conflict to promote resilience and protect the sovereignty of their networks in response to the conflict.
@inproceedings{haq2023assessingNetworkOperatorActionsEnhanceConference2, title = {Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict}, keywords = {Industries, Redundancy, Time measurement, Censorship, Internet, Domain Name System, Resilience, 2024 OA procedure}, author = {Haq, \{Muhammad Yasir Muzayan\} and Abhishta, Abhishta and Sommese, Raffaele and Jonker, Mattijs and Nieuwenhuis, \{Lambert J.M.\}}, year = {2023}, month = jul, day = {31}, doi = {10.1109/EuroSPW59978.2023.00060}, language = {English}, isbn = {979-8-3503-2721-2}, pages = {487--494}, booktitle = {2023 IEEE European Symposium on Security and Privacy Workshops (EuroS\&PW)}, publisher = {IEEE}, address = {United States}, note = {8th IEEE European Symposium on Security and Privacy Workshops, EuroS\&PW 2023, EuroS\&PW 2023 ; Conference date: 03-07-2023 Through 07-07-2023}, url = {https://doi.org/10.1109/EuroSPW59978.2023.00060}, }
Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict

{Muhammad Yasir Muzayan} Haq, Abhishta Abhishta, Raffaele Sommese, and 2 more authors

May 2023

Abs DOI Bib PDF

We conduct longitudinal and temporal analyses on active DNS measurement data to investigate how the Russia-Ukraine conflict impacted the network infrastructures supporting domain names under ICANN’s CZDS new gTLDs. Our findings revealed changes in the physical locations of network infrastructures, utilization of managed DNS services, infrastructure redundancy, and distribution, which started right after the first reported Russian military movements in February 2022. We also found that domains from different countries had varying location preferences when moving their hosting infrastructure. These observed changes suggest that network operators took proactive measures in anticipation of an armed conflict to promote resilience and protect the sovereignty of their networks in response to the conflict.
@techreport{haq2023assessingNetworkOperatorActionsEnhanceReport, title = {Assessing Network Operator Actions to Enhance Digital Sovereignty and Strengthen Network Resilience: A Longitudinal Analysis during the Russia-Ukraine Conflict}, keywords = {cs.NI, cs.CR}, author = {Haq, \{Muhammad Yasir Muzayan\} and Abhishta, Abhishta and Sommese, Raffaele and Jonker, Mattijs and Nieuwenhuis, \{Lambert J. M.\}}, year = {2023}, month = may, day = {28}, doi = {10.48550/arXiv.2305.17666}, language = {English}, publisher = {ArXiv.org}, type = {WorkingPaper}, institution = {ArXiv.org}, url = {https://doi.org/10.48550/arXiv.2305.17666}, }
Industry 4.0 and healthcare: Context, applications, benefits and challenges

Konstantinos Kotzias, {Faiza A.} Bukhsh, {Jeewanie Jayasinghe} Arachchige, and 2 more authors

IET software, Jun 2023

Publisher Copyright: \textcopyright 2022 The Authors. IET Software published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology. Financial transaction number: 2500030781

Abs DOI Bib

Industry 4.0 refers to the digital transformation in the manufacturing domain through new technology. Currently, it expands well beyond manufacturing, affecting many areas of life and posing implications for all types of business. This paper focuses on the relationships between Industry 4.0 and Healthcare which transitions to increased interconnectivity, automation and smart decision making. The integration context of Industry 4.0 into Healthcare is only partly understood. Little was done until now to consolidate what is known on the integration benefits and the challenges. This article reports results of a systematic mapping study that analysed 69 papers to extract knowledge about the concepts of Industry 4.0 and the emerging Healthcare 4.0., and the relationships between them. We found 10 different perspectives of Healthcare 4.0, ranging from strategic to tactical and operational levels. Next, our results show: (i) nine applications of Industry 4.0 in the Healthcare domain: Augmented Reality and Simulation, Autonomous Robotics, Cybersecurity, Big Data Analytics, Internet of Things, Cloud Computing, Additive Manufacturing and Systems Integration; and (ii) 10 benefits and nine challenges in Healthcare 4.0. The most frequently mentioned benefits are patients’ diagnosis, monitoring, treatment, and financial benefits. The most researched challenges are data fragmentation, heterogeneity, complexity, and privacy.
@article{kotzias2023industryHealthcareContextApplicationsBenefits, title = {Industry 4.0 and healthcare: Context, applications, benefits and challenges}, keywords = {Big data, Cloud computing, Fourth industrial revolution, Healthcare 4.0, Industry 4.0, Internet of Things (IoT), Mapping Study, Smart industry}, author = {Kotzias, Konstantinos and Bukhsh, \{Faiza A.\} and Arachchige, \{Jeewanie Jayasinghe\} and Daneva, Maya and Abhishta, Abhishta}, note = {Publisher Copyright: {\textcopyright} 2022 The Authors. IET Software published by John Wiley \& Sons Ltd on behalf of The Institution of Engineering and Technology. Financial transaction number: 2500030781 }, year = {2023}, month = jun, doi = {10.1049/sfw2.12074}, language = {English}, volume = {17}, pages = {195--248}, journal = {IET software}, issn = {1751-8806}, publisher = {Wiley}, number = {3}, url = {https://doi.org/10.1049/sfw2.12074}, }
Methodology for Evaluating the Appropriateness of a Business Process for Robotic Process Automation

Abhishta Abhishta, Lars Berghuis, Wouter Heeswijk}, and 1 more author

Jan 2023

Publisher Copyright: \textcopyright 2024 selection and editorial matter, Francesco Paolo Appio, Davide La Torre, Francesca Lazzeri, Hatem Masri, Francesco Schiavone; individual chapters, the contributors.

Abs DOI Bib

Robotic process automation (RPA) is often used by organisations to automate standard and repetitive business processes with the aim of improving firm performance. In some firms, processes such as invoice processing, onboarding and payment reminder notification are no longer required to be performed by humans. A successful implementation of RPA results in benefits such as FTE savings and increased employee satisfaction. However, when the wrong processes are chosen to be automated, the RPA implementation process becomes tedious and non-rewarding. Organisations often tend to select processes that are too complex or that require tasks necessitating human interventions. A miss-assessment in selection of a business process for automation leads to overly long development time and maintenance-intensive digital robots. Currently used process selection methods - such as interviews and process mining - might help with the identification of suitable processes, but are time consuming, complex, unsystematic and dependent on the individual. This book chapter discusses the different process selection methods covered in literature and suggests a workshop design that can be utilised to select business processes suitable for RPA implementation. The proposed workshop-based process selection method takes into consideration the recommendations of multiple stakeholders of a business process, evaluating the complexity of a business process to RPA fit and providing insights on expected benefits of RPA implementation.
@inbook{abhishta2023methodologyEvaluatingAppropriatenessBusinessProcess, title = {Methodology for Evaluating the Appropriateness of a Business Process for Robotic Process Automation}, keywords = {NLA}, author = {Abhishta, Abhishta and Berghuis, Lars and \{van Heeswijk\}, Wouter and Tursunbayeva, Aizhan}, note = {Publisher Copyright: {\textcopyright} 2024 selection and editorial matter, Francesco Paolo Appio, Davide La Torre, Francesca Lazzeri, Hatem Masri, Francesco Schiavone; individual chapters, the contributors.}, year = {2023}, month = jan, day = {1}, doi = {10.4324/9781003304616-8}, language = {English}, isbn = {9781032303413}, pages = {105--133}, booktitle = {Impact of Artificial Intelligence in Business and Society}, publisher = {Taylor \& Francis}, address = {United Kingdom}, url = {https://doi.org/10.4324/9781003304616-8}, }

Preface

Jos Hillegersberg}, Jörg Osterrieder, Fethi Rabhi, and 3 more authors

In Enterprise Applications, Markets and Services in the Finance Industry, Apr 2023

Funding Information: This year, the conference was also supported by the European Union under the COST (Cooperation in Science and Technology) scheme, the longest-running European intergovernmental framework for cooperation in science and technology. The COST Action CA19130 Fintech and Artificial Intelligence is a research network connecting 270+ researchers from 49 countries globally.; 11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022

DOI Bib

@inproceedings{vanhillegersberg2023preface,
  title = {Preface},
  author = {\{van Hillegersberg\}, Jos and Osterrieder, J{\"o}rg and Rabhi, Fethi and Abhishta, Abhishta and Marisetty, Vijay and Huang, Xiaohong},
  note = {Funding Information: This year, the conference was also supported by the European Union under the COST (Cooperation in Science and Technology) scheme, the longest-running European intergovernmental framework for cooperation in science and technology. The COST Action CA19130 Fintech and Artificial Intelligence is a research network connecting 270+ researchers from 49 countries globally.; 11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022},
  year = {2023},
  month = apr,
  day = {30},
  doi = {10.1007/978-3-031-31671-5},
  language = {English},
  isbn = {978-3-031-31670-8},
  series = {Lecture notes in business information processing},
  publisher = {Springer},
  pages = {vii--viii},
  booktitle = {Enterprise Applications, Markets and Services in the Finance Industry},
  url = {http://financecom2022.nl},
}

Role of Culture in Customer Acceptance of Neobanks

Koen Meijer, Abhishta Abhishta, and Reinoud Joosten

In Enterprise Applications, Markets and Services in the Finance Industry, Apr 2023

Publisher Copyright: \textcopyright 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022

Abs DOI Bib PDF

We examine customer acceptance of neobanks across national cultures using the technology acceptance model (TAM) extended with an additional construct, i.e. trust, accounting for scepticism surrouding digital innovations. We incorporate dimensions developed by Hofstede to evaluate national cultural effects on the modified TAM. For this, we collect primary quantitative data through questionnaires obtaining a sample including many nationalities. We assess our variant of the TAM using partial least squares structural equation modelling to quantify the complex relationships with reflective constructs. We find that national cultural dimensions may not have a significant effect on the customer acceptance. Moreover, the original two independent constructs of the TAM, perceived ease of use and perceived usefulness, have a significant positive weak direct effect on acceptance. However, perceived ease of use has a significant positive strong effect on perceived usefulness and trust. Finally, the theorised trust dimension has a significant positive weak effect on both the perceived usefulness of, and the behavioural intention to use neobanks.
@inproceedings{meijer2023roleCultureCustomerAcceptanceNeobanks, title = {Role of Culture in Customer Acceptance of Neobanks}, keywords = {Culture, Digital banking, Digital transformation, Neobanks, 2023 OA procedure}, author = {Meijer, Koen and Abhishta, Abhishta and Joosten, Reinoud}, note = {Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022}, year = {2023}, month = apr, day = {30}, doi = {10.1007/978-3-031-31671-5\_7}, language = {English}, isbn = {978-3-031-31670-8}, series = {Lecture Notes in Business Information Processing}, publisher = {Springer}, pages = {97--116}, editor = {\{van Hillegersberg\}, Jos and Osterrieder, J{\"o}rg and Rabhi, Fethi and Abhishta, Abhishta and Marisetty, Vijay and Huang, Xiaohong}, booktitle = {Enterprise Applications, Markets and Services in the Finance Industry}, address = {Germany}, url = {http://financecom2022.nl}, }

Towards a Digitally Sovereign Internet: An Architectural Proposal for a Secure-by-Design System

Siraj Anand, Abhishta Abhishta, Michel Ehrenhard, and 1 more author

2023

Bib

@book{anand2023digitallySovereignInternetArchitecturalProposal,
  title = {Towards a Digitally Sovereign Internet: An Architectural Proposal for a Secure-by-Design System},
  author = {Anand, Siraj and Abhishta, Abhishta and Ehrenhard, Michel and Nieuwenhuis, Bart},
  year = {2023},
  language = {English},
}

2022

COORDINATE: A model to analyse the benefits and costs of coordinating cybercrime

Tom Meurs, Marianne Junger, Abhishta Abhishta, and 2 more authors

Journal of internet services and information security, Nov 2022

Abs DOI Bib PDF

Recent leaks (such as Conti) have provided greater insights on the working of cybercriminal organisations. Just like any other business, these malicious actors strategically manage their processes in order to maximise their revenues. Coordinating different types of cybercrimes as part of a single attack campaign provides another opportunity to these criminal groups to improve the efficiency of their attacks. To investigate the promise of this “coordination” between cybercrimes in improving the financial gains realised by cybercriminals, we take a two-step approach. First, we perform a bibliometric analysis of past scientific literature discussing the concept of “coordination” w.r.t to cybercrime. Second, as a case study, analysing the attack chains of DDoS, phishing and ransomware attacks, we identify vantage points for potential coordination from an attacker’s perspective. Based on our findings, we propose a model (COORDINATE) to identify the types of potential cybercrime “coordinations”. COORDINATE considers three relevant types of coordination: direct collaborated coordination, indirect collaborated coordination, and opportunistic coordination. Given the advantages of coordinated attacks, our results suggest that one crime may provide opportunities for the next one. Coordinated attacks will become more prevalent, and that we may witness the development of a dynamic that leads to more online crime.
@article{meurs2022coordinateModelAnalyseBenefitsCosts, title = {COORDINATE: A model to analyse the benefits and costs of coordinating cybercrime}, author = {Meurs, Tom and Junger, Marianne and Abhishta, Abhishta and Tews, Erik and Ratia, Emma}, year = {2022}, month = nov, day = {1}, doi = {10.58346/JISIS.2022.I4.001}, language = {English}, volume = {12}, journal = {Journal of internet services and information security}, issn = {2182-2069}, publisher = {Innovative Information Science and Technology Research Group}, number = {4}, url = {https://doi.org/10.58346/JISIS.2022.I4.001}, }

Enterprise Applications, Markets and Services in the Finance Industry: 11th International Workshop, FinanceCom 2022, Twente, The Netherlands, August 23–24, 2022, Revised Selected Papers

Jos Hillegersberg}, Jörg Osterrieder, Fethi Rabhi, and 3 more authors

2022

11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022

DOI Bib

@book{vanhillegersberg2022enterpriseApplicationsMarketsServicesFinance,
  title = {Enterprise Applications, Markets and Services in the Finance Industry: 11th International Workshop, FinanceCom 2022, Twente, The Netherlands, August 23–24, 2022, Revised Selected Papers},
  author = {\{van Hillegersberg\}, Jos and Osterrieder, J{\"o}rg and Rabhi, Fethi and Abhishta, Abhishta and Marisetty, Vijayabhaskar and Huang, Xiaohong},
  year = {2022},
  doi = {10.1007/978-3-031-31671-5},
  language = {English},
  isbn = {978-3-031-31670-8},
  series = {Lecture Notes in Business Information Processing},
  publisher = {Springer},
  address = {Germany},
  note = {11th International Workshop on Enterprise Applications, Markets and Services in the Finance Industry, FinanceCom 2022, FinanceCom 2022 ; Conference date: 22-08-2022 Through 24-08-2022},
  url = {http://financecom2022.nl},
}

How Attackers Determine the Ransom in Ransomware Attacks

Tom Meurs, Marianne Junger, Abhishta Abhishta, and 1 more author

In 7th IEEE European Symposium on Security and Privacy (Euro S&P 2022), Jun 2022

7th IEEE European Symposium on Security and Privacy 2022 ; Conference date: 06-06-2022 Through 10-06-2022

Abs DOI Bib PDF

Ransomware may lead to massive economic damage to victims [13]. However, it is still unclear how attackers determine the amount of ransom. In this poster we empirically study the ransom requested by attackers in ransomware attacks. We analysed 371 ransomware attacks reported to the Dutch Police between 2019 and 2021. Our results indicate that attacker’s effort and opportunity are important predictors for the ransom requested. The goal of the poster is to invite other researchers for collaboration.
@inproceedings{meurs2022attackersDetermineRansomRansomwareAttacks, title = {How Attackers Determine the Ransom in Ransomware Attacks}, author = {Meurs, Tom and Junger, Marianne and Abhishta, Abhishta and Tews, Erik}, year = {2022}, month = jun, day = {4}, doi = {10.13140/RG.2.2.34435.58400}, language = {English}, booktitle = {7th IEEE European Symposium on Security and Privacy (Euro S\&P 2022)}, publisher = {ResearchGate}, note = {7th IEEE European Symposium on Security and Privacy 2022 ; Conference date: 06-06-2022 Through 10-06-2022}, url = {https://doi.org/10.13140/RG.2.2.34435.58400}, }
NAS-ransomware: Hoe ransomware-aanvallen tegen NAS-apparaten verschillen van reguliere ransomware-aanvallen

Tom Meurs, Marianne Junger, Erik Tews, and 1 more author

Tijdschrift voor veiligheid, Dec 2022

Abs DOI Bib

Een specifiek type ransomware-aanval richt zich op NAS-apparaten. In deze studie onderzoeken we het verschil tussen deze NAS-ransomware en reguliere ransomware. Uit de resultaten blijkt dat er bij NAS-ransomware andere ransomware-varianten bij de aanval worden gebruikt, dat slachtoffers vaker particulieren zijn en dat het gevraagde losgeld en de financiële schade lager zijn dan bij reguliere ransomware-aanvallen. Daarnaast vonden we een temporeel verband tussen NAS-ransomware-campagnes en de bekendmaking van nieuwe kwetsbaarheden. We sluiten het artikel af met een aantal aanbevelingen om het risico op slachtofferschap van NAS-ransomware te verkleinen, waarbij bewustwording centraal staat.
@article{meurs2022nasRansomwareHoeRansomwareAanvallen, title = {NAS-ransomware: Hoe ransomware-aanvallen tegen NAS-apparaten verschillen van reguliere ransomware-aanvallen}, keywords = {2023 OA procedure}, author = {Meurs, Tom and Junger, Marianne and Tews, Erik and Abhishta, Abhishta}, year = {2022}, month = dec, doi = {10.5553/TvV/.000044}, language = {Dutch}, volume = {21}, pages = {69--88}, journal = {Tijdschrift voor veiligheid}, issn = {1872-7948}, publisher = {Boom Criminologie}, number = {3-4}, url = {https://doi.org/10.5553/TvV/.000044}, }
No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers

{Muhammad Yasir Muzayan} Haq, Mattijs Jonker, Roland Rijswijk-Deij}, and 3 more authors

May 2022

Abs DOI Bib

We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains – industry sector and popularity – and post-attack strategies. Specifically, owners of more popular domains were more likely to re-act to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to re-act than domains categorized as Internet Services. Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.
@techreport{haq2022noTimeDowntimeUnderstandingPostReport, title = {No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers}, keywords = {cs.NI, managed DNS, availability, DDoS mitigation, network management}, author = {Haq, \{Muhammad Yasir Muzayan\} and Jonker, Mattijs and \{van Rijswijk-Deij\}, Roland and Claffy, KC and Nieuwenhuis, \{Lambert J.M.\} and Abhishta, Abhishta}, year = {2022}, month = may, day = {25}, doi = {10.48550/arXiv.2205.12765}, language = {English}, publisher = {ArXiv.org}, type = {WorkingPaper}, institution = {ArXiv.org}, url = {https://doi.org/10.48550/arXiv.2205.12765}, }
No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers

{Muhammad Yasir Muzayan} Haq, Mattijs Jonker, {Roland Martijn} Rijswijk - Deij}, and 3 more authors

Jun 2022

Funding Information: This work is part of the NWO: MASCOT project, which is funded by the Netherlands Organization for Scientific Research (CS.014). This material is based on research sponsored by the National Science Foundation (NSF) grant OAC-1724853 and OAC-2131987. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF. Publisher Copyright: \textcopyright 2022 IEEE.; 7th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2022, WTMC’22 ; Conference date: 06-06-2022 Through 06-06-2022

Abs DOI Bib

We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains – industry sector and popularity – and post-attack strategies. Specifically, owners of more popular domains were more likely to re-act to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to re-act than domains categorized as Internet Services. Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.
@inbook{haq2022noTimeDowntimeUnderstandingPostInbook, title = {No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers}, keywords = {Managed DNS, Availability, DDoS attack mitigation, Network management}, author = {Haq, \{Muhammad Yasir Muzayan\} and Jonker, Mattijs and \{van Rijswijk - Deij\}, \{Roland Martijn\} and kc Claffy and Nieuwenhuis, \{Lambert J.M.\} and Abhishta, Abhishta}, note = {Funding Information: This work is part of the NWO: MASCOT project, which is funded by the Netherlands Organization for Scientific Research (CS.014). This material is based on research sponsored by the National Science Foundation (NSF) grant OAC-1724853 and OAC-2131987. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NSF. Publisher Copyright: {\textcopyright} 2022 IEEE.; 7th International Workshop on Traffic Measurements for Cybersecurity, WTMC 2022, WTMC'22 ; Conference date: 06-06-2022 Through 06-06-2022}, year = {2022}, month = jun, day = {27}, doi = {10.1109/EuroSPW55150.2022.00039}, language = {English}, isbn = {978-1-6654-9561-5}, pages = {322--331}, booktitle = {Proceedings of the 2022 Workshop on Traffic Measurements for Cybersecurity}, publisher = {IEEE}, address = {United States}, url = {https://wtmc.info/index.html}, }
Ransomware: How attacker’s effort, victim characteristics and context influence ransom requested, payment and financial loss

Tom Meurs, Marianne Junger, Erik Tews, and 1 more author

In Symposium on Electronic Crime Research, eCrime 2022, Dec 2022

Symposium on Electronic Crime Research, eCrime 2022, eCrime 2022 ; Conference date: 30-11-2022 Through 02-12-2022

Abs DOI Bib PDF

In recent years, ransomware attacks have led to disastrous consequences for victims, not just due to the payment ransom amount but also due to the recovery costs associated with these attacks. So far only a few empirical studies have analysed the financial impact of ransomware attacks. This study aims to understand the expected financial gains for attackers and financial losses of victims after a ransomware attack. To do so, we build a dataset based on 453 ransomware attack investigation reports in the Netherlands reported to the Dutch Police between 2019 and 2022. Using rational choice model of crime (RCM) and crime scripting we hypothesise that the effort of an attacker, victim characteristics and context variables influence not only the ransom requested by an attacker but also the financial losses reported by victims. We use generalised linear models to evaluate and quantify this influence. Our results show that attacker’s efforts such as using Ransomware-as-a-Service (RaaS) and victim characteristics such as industry sector, contribute to the ransom requested by attackers and financial losses reported by victims. We also show that the availability of recoverable backups explains the likelihood of victims paying the ransom. A limitation of the present study is the interpretation of the results due to selection bias of victims willing to report to the police. Despite this limitation, we argue that our methodology and results lay the groundwork for future large-scale empirical studies and add to our understanding of attacker and victim behaviour.
@inproceedings{meurs2022ransomwareAttackerEffortVictimContext, title = {Ransomware: How attacker's effort, victim characteristics and context influence ransom requested, payment and financial loss}, keywords = {2022 OA procedure}, author = {Meurs, Tom and Junger, Marianne and Tews, Erik and Abhishta, Abhishta}, year = {2022}, month = dec, day = {1}, doi = {10.1109/eCrime57793.2022.10142138}, language = {English}, booktitle = {Symposium on Electronic Crime Research, eCrime 2022}, note = {Symposium on Electronic Crime Research, eCrime 2022, eCrime 2022 ; Conference date: 30-11-2022 Through 02-12-2022}, url = {https://doi.org/10.1109/eCrime57793.2022.10142138}, }

2021

A message from the program chairs of TAURIN 2021

R. Holz and A. Abhishta

In TAURIN 2021 - Proceedings of the 2021 ACM SIGCOMM Workshop on Technologies, Applications, and Uses of a Responsible Internet, 2021

ACM SIGCOMM Workshop on Technologies, Applications, and Uses of a Responsible Internet, TAURIN 2021, TAURIN 2021 ; Conference date: 23-08-2021 Through 23-08-2021

Bib PDF

@inproceedings{holz2021messageProgramChairsTaurin2021,
  title = {A message from the program chairs of TAURIN 2021},
  author = {Holz, R. and Abhishta, A.},
  year = {2021},
  language = {English},
  booktitle = {TAURIN 2021 - Proceedings of the 2021 ACM SIGCOMM Workshop on Technologies, Applications, and Uses of a Responsible Internet},
  note = {ACM SIGCOMM Workshop on Technologies, Applications, and Uses of a Responsible Internet, TAURIN 2021, TAURIN 2021 ; Conference date: 23-08-2021 Through 23-08-2021},
}

Crime chain: het verband tussen DDoS-aanvallen en Phishing

Marianne Junger, Abhishta Abhishta, and Bart Nieuwenhuis

Jun 2021

Abs Bib

In dit specialistische onderzoek is gezocht naar het bestaan van online misdaadketens ofwel ‘crime chains’. Misdaadketens zijn omschreven als reeksen van verschillende type delicten die samen of in een bepaalde volgorde voorkomen en met elkaar verband houden om een gecoördineerde reeks acties uit te voeren. De huidige studie onderzoekt of er een statistisch verband bestaat tussen de tijdstippen van een DDoS-aanval en het gemiddeld aantal phishing e-mails rondom de DDoS periode. Het onderzoek analyseert een set van 1.908.794 e-mails die zijn verzameld door de APWG en 23 DDoS aanvallen in dezelfde periode en waarover is gerapporteerd in de media. De conclusie is dat bij ruim de helft van de bestudeerde 23 DDoS aanvallen DDoS meer phishing e-mails worden verzonden rondom de DDoS aanval. De onderzoekers stellen dat er soms coördinatie of afstemming plaatsvindt of dat een aanvaller gebruik maakt van de omstandigheden, zoals een DDoS aanval om een phishing campagne te lanceren. Samenwerking en/of coördinatie van aanvallen is gemakkelijker geworden dankzij het internet en allerlei vormen van samenwerking, zoals ‘crime-as-a-Service’ online zijn ontstaan. De huidige studie biedt statistische ondersteuning aan deze vaststelling. Op basis van de huidige studie kan niet worden vastgesteld of het om bewuste coördinatie gaat van een of meerdere daders of dat verschillende daders reageren op wat zij online zien gebeuren. Natuurlijk kunnen beiden het geval zijn op verschillende momenten. Het onderzoek laat zien dat er statistische relaties in de tijd bestaan tussen phishing en DDoS. Maar een statistische samenhang betekent niet noodzakelijk causaliteit. Meer gedetailleerd onderzoek is nodig om te kunnen reconstrueren wat door wie en wanneer is gedaan. De resultaten van dit onderzoek kunnen de opsporing versterken door de setting en de sequentie van delicten en gerelateerde gebeurtenissen beter te beschrijven en te begrijpen. Daardoor kan de focus van opsporing worden verscherpt. Daarnaast zou er meer aandacht kunnen zijn voor het feit dat de ene aanval de ander kan inluiden. Dankzij een beter begrip van de misdaadketens en gerelateerde gebeurtenissen kunnen barrièremodellen worden ontwikkeld ten behoeve van de bestrijding van phishing en DDoS aanvallen. Dit gebeurt ook door de Nederlandse politie en initiatieven zoals de nationale anti-DDoS-coalitie.
@book{junger2021crimeChainHetVerbandTussen, title = {Crime chain: het verband tussen DDoS-aanvallen en Phishing}, keywords = {Phishing, DDoS attacks, Crime chains, cyber crime, cyber security, Cyber threat intelligence}, author = {Junger, Marianne and Abhishta, Abhishta and Nieuwenhuis, Bart}, year = {2021}, month = jun, language = {Dutch}, publisher = {Politie \& Wetenschap}, }
The Effect of Consumer Portfolio on the Risk Profile of Cloud Provider

{Muhammad Yasir Muzayan} Haq, Abhishta Abhishta, and {Lambert J.M.} Nieuwenhuis

In SIGCOMM ’21, Aug 2021

Funding Information: This work is funded by the Nederlandse Organisatie voor Weten-schappelijk Onderzoek (NWO) MeAsuring Security in Cloud OuTsourcing (MASCOT) project. Publisher Copyright: \textcopyright 2021 Owner/Author.; ACM SIGCOMM Conference 2021, SIGCOMM 2021 ; Conference date: 23-08-2021 Through 27-08-2021

Abs DOI Bib

The economies-of-scale model of Cloud services has brought many financial and technical benefits for organizations. However, recent events like the attack on Dyn and GitHub have shown that successful attacks on big Cloud providers can cause a massive impact on a major portion of the Internet ecosystem. In this project, we will study how the consumer portfolio of a Cloud provider may affect its risk profile. We will use the result to develop a recommender system for choosing a Cloud provider based on consumer security and business requirements. Insights from our research can be used to simulate an alternative more secure market structure for the Cloud ecosystem. We invite fellow researchers to further discuss this idea and possible collaboration.
@inproceedings{haq2021effectConsumerPortfolioRiskProfile, title = {The Effect of Consumer Portfolio on the Risk Profile of Cloud Provider}, keywords = {2022 OA procedure, Cyber attacks, Decision support system, Oligopoly, Security, Cloud}, author = {Haq, \{Muhammad Yasir Muzayan\} and Abhishta, Abhishta and Nieuwenhuis, \{Lambert J.M.\}}, note = {Funding Information: This work is funded by the Nederlandse Organisatie voor Weten-schappelijk Onderzoek (NWO) MeAsuring Security in Cloud OuTsourcing (MASCOT) project. Publisher Copyright: {\textcopyright} 2021 Owner/Author.; ACM SIGCOMM Conference 2021, SIGCOMM 2021 ; Conference date: 23-08-2021 Through 27-08-2021}, year = {2021}, month = aug, day = {23}, doi = {10.1145/3472716.3472851}, language = {English}, isbn = {978-1-4503-8629-6}, pages = {18–20}, booktitle = {SIGCOMM '21}, publisher = {Association for Computing Machinery}, address = {United States}, url = {https://doi.org/10.1145/3472716.3472851}, }

2020

A Note on Analysing the Attacker Aims Behind DDoS Attacks

Abhishta Abhishta, Marianne Junger, Reinoud Joosten, and 1 more author

In Intelligent Distributed Computing XIII, IDC 2019, Jan 2020

13th International Symposium on Intelligent Distributed Computing, IDC 2019, IDC 2019 ; Conference date: 07-10-2019 Through 10-10-2019

Abs DOI Bib

Distributed denial of service (DDoS) attacks pose a serious threat to the availability of online resources. In this paper, we analyse the attacker aims for the use of DDoS attacks. We propose a model that can be used to evaluate news articles for determining probable aims of attackers. Thereafter, we apply this model to evaluate 27 distinct attack events from 2016. We make use of a DDoS specific longitudinal news database to select these attack events. We find the proposed model useful in analysing attack aims. We also find that in some cases attackers might target a web infrastructure just because it is virtually invincible.

@inproceedings{abhishta2020noteAttackerAimsBehindDdos,
  title = {A Note on Analysing the Attacker Aims Behind DDoS Attacks},
  keywords = {DDoS attacks, Routine Activity Theory, SPEC, Attacker Aims, Cybersecurity},
  author = {Abhishta, Abhishta and Junger, Marianne and Joosten, Reinoud and Nieuwenhuis, \{Lambert J.M.\}},
  year = {2020},
  month = jan,
  day = {1},
  doi = {10.1007/978-3-030-32258-8\_30},
  language = {English},
  isbn = {978-3-030-32257-1},
  series = {Studies in Computational Intelligence},
  publisher = {Springer},
  pages = {255--265},
  editor = {Kotenko, Igor and Badica, Costin and Desnitsky, Vasily and \{El Baz\}, Didier and Ivanovic, Mirjana},
  booktitle = {Intelligent Distributed Computing XIII, IDC 2019},
  address = {Germany},
  note = {13th International Symposium on Intelligent Distributed Computing, IDC 2019, IDC 2019 ; Conference date: 07-10-2019 Through 10-10-2019},
  url = {https://doi.org/10.1007/978-3-030-32258-8\_30},
}

A simulation-based procedure to estimate base rates from Covid-19 antibody test results I: Deterministic test reliabilities

Reinoud Joosten and Abhishta Abhishta

Apr 2020

Abs Bib

We design a procedure (the complete Python code may be obtained at https://github.com/abhishta91/antibody_montecarlo) using Monte Carlo (MC) simulation to establish the point estimators described below and confidence intervals for the base rate of occurence of an attribute (e.g., antibodies against Covid-19) in an aggregate population (e.g., medical care workers) based on a test. The requirements for the procedure are the test’s sample size (N) and total number of positives (X), and the data on test’s reliability. The modus generates the largest frequency of observations in the MC simulation with precisely the number of test positives (maximum- likelihood estimator). The median is the upper bound of the set of priors accounting for half of the total relevant observations in the MC simulation with numbers of positives identical to the test’s number of positives. Our rather preliminary findings are: • The median and the confidence intervals suffice universally. • The estimator X/N may be outside of the two-sided 95% confidence interval. • Conditions such that the modus, the median and another promising estimator which takes the reliability of the test into account, are quite close. • Conditions such that the modus and the latter estimator must be regarded as logically inconsistent. • Conditions inducing rankings among various estimators relevant for issues concerning over- or underestimation.
@techreport{joosten2020simulationProcedureEstimateBaseRates, title = {A simulation-based procedure to estimate base rates from Covid-19 antibody test results I: Deterministic test reliabilities}, keywords = {base rates, Monte Carlo simulation, Covid-19, tests}, author = {Joosten, Reinoud and Abhishta, Abhishta}, year = {2020}, month = apr, day = {21}, language = {English}, type = {WorkingPaper}, }
Picking Your Brains: Where and How Neuroscience Tools Can Enhance Marketing Research

Letizia Alvino, Luigi Pavone, Abhishta Abhishta, and 1 more author

Frontiers in Neuroscience, Dec 2020

Abs DOI Bib

The use of neuroscience tools to study consumer behavior and the decision making process in marketing has improved our understanding of cognitive, neuronal, and emotional mechanisms related to marketing-relevant behavior. However, knowledge about neuroscience tools that are used in consumer neuroscience research is scattered. In this article, we present the results of a literature review that aims to provide an overview of the available consumer neuroscience tools and classifies them according to their characteristics. We analyse a total of 219 full-texts in the area of consumer neuroscience. Our findings suggest that there are seven tools that are currently used in consumer neuroscience research. In particular, electroencephalography (EEG) and eye tracking (ET) are the most commonly used tools in the field. We also find that consumer neuroscience tools are used to study consumer preferences and behaviors in different marketing domains such as advertising, branding, online experience, pricing, product development and product experience. Finally, we identify two ready-to-use platforms, namely iMotions and GRAIL that can help in integrating the measurements of different consumer neuroscience tools simultaneously. Measuring brain activity and physiological responses on a common platform could help by (1) reducing time and costs for experiments and (2) linking cognitive and emotional aspects with neuronal processes. Overall, this article provides relevant input in setting directions for future research and for business applications in consumer neuroscience. We hope that this study will provide help to researchers and practitioners in identifying available, non-invasive and useful tools to study consumer behavior.
@article{alvino2020pickingYourBrainsWhereNeuroscience, title = {Picking Your Brains: Where and How Neuroscience Tools Can Enhance Marketing Research}, keywords = {Neuromarketing, Consumer neuroscience, Review, iMotion, GRAIL, Marketing, Neurophysiological tools, Physiological tools}, author = {Alvino, Letizia and Pavone, Luigi and Abhishta, Abhishta and Robben, Henry}, year = {2020}, month = dec, day = {3}, doi = {10.3389/fnins.2020.577666}, language = {English}, volume = {14}, journal = {Frontiers in Neuroscience}, issn = {1662-4548}, publisher = {Frontiers Media SA}, url = {https://doi.org/10.3389/fnins.2020.577666}, }
Why would we get attacked? An analysis of attacker’s aims behind DDoS attacks

Abhishta Abhishta, Wouter Heeswijk}, Marianne Junger, and 2 more authors

Journal of wireless mobile networks, ubiquitous computing, and dependable applications, Jun 2020

Abs DOI Bib PDF

Reliable availability to the internet and internet-based services is crucial in today’s world. DDoS attacks pose a severe threat to the availability of such online resources – especially owing to booters – virtually everyone can execute them nowadays. In order to appropriately protect oneself against such attacks, it is essential to have a good insight into the threats that exist. This paper proposes a novel hybrid model that combines postulates from various models on crime opportunity, analyzing the targeted victim and the targeted infrastructure in conjunction. We apply this model to analyze 27 distinct attack events that occurred in 2016. To construct this dataset, we utilize a longitudinal news database specific to DDoS-related events, aiding to select relevant attack events. We outline the procedure to replicate the dataset construction process. Looking at DDoS attacks solely as a technical issue is not enough, news articles can be an important resource in providing contextual relevance to this problem. Our analysis reveals several motives underlying DDoS attacks; economic reasons are but one of the possible aims. For this reason, we advise companies to also monitor the socio-cultural and political environment. In terms of infrastructure, visibility and accessibility are the main instigators for an attack. A holistic perspective is imperative to accurately map the threats that companies face and to take appropriate protective measures.
@article{abhishta2020whyWouldWeGetAttacked, title = {Why would we get attacked? An analysis of attacker's aims behind DDoS attacks}, keywords = {DDoS attacks, Routine Activity Theory, Aims, Cyber Attacks, Cyber Crime, Cybersecurity, Motivation/goal setting}, author = {Abhishta, Abhishta and \{van Heeswijk\}, Wouter and Junger, Marianne and Nieuwenhuis, \{Lambert J. M.\} and Joosten, Reinoud}, year = {2020}, month = jun, day = {30}, doi = {10.22667/JOWUA.2020.06.30.003}, language = {English}, volume = {11}, pages = {3--22}, journal = {Journal of wireless mobile networks, ubiquitous computing, and dependable applications}, issn = {2093-5374}, publisher = {Innovative Information Science and Technology Research Group}, number = {2}, url = {https://doi.org/10.22667/JOWUA.2020.06.30.003}, }

2019

Collecting Contextual Information About a DDoS Attack Event Using Google Alerts

Abhishta Abhishta, Reinoud Joosten, Mattijs Jonker, and 2 more authors

May 2019

40th IEEE Symposium on Security and Privacy 2019 ; Conference date: 20-05-2019 Through 22-05-2019

Abs Bib

Distributed Denial of Service (DDoS) attacks may lead to massive economic damages to victims. In most cases, the damage caused is dictated by the circumstances surrounding the attack (i.e. context). One of the ways of collecting information on the context of an attack can be by using the online articles written about the attack. In this poster, we introduce a dataset collected using Google Alerts that provides contextual information related DDoS attacks. The goal of the poster is to invite other researchers for collaboration
@conference{abhishta2019collectingContextualInformationAboutDdos, title = {Collecting Contextual Information About a DDoS Attack Event Using Google Alerts}, author = {Abhishta, Abhishta and Joosten, Reinoud and Jonker, Mattijs and Kamerman, Wim and Nieuwenhuis, \{Lambert J.M.\}}, year = {2019}, month = may, day = {20}, language = {English}, note = {40th IEEE Symposium on Security and Privacy 2019 ; Conference date: 20-05-2019 Through 22-05-2019}, url = {https://www.ieee-security.org/TC/SP2019/}, }
Impact of Successful DDoS Attacks on a Major Crypto-Currency Exchange

Abhishta Abhishta, {Reinoud A.M.G.} Joosten, Sergey Dragomiretskiy, and 1 more author

In 2019 27th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP), Mar 2019

27th Euromicro International Conference on Parallel, Distributed and Network-Based Processing 2019, PDP 2019 ; Conference date: 13-02-2019 Through 15-02-2019

Abs DOI Bib

Distributed Denial of Service (DDoS) attacks provide an easy option for these criminals to disrupt the business of these online platforms. We analyse the economic impact of DDoS attacks on a crypto-currency exchange using event analysis. Our contributions are fourfold: Firstly, we develop an estimation model utilising ideas from behavioural finance to predict volume of crypto-currency traded on the basis of changes in price. Secondly, we perform an event analysis to evaluate whether there is an impact of a DDoS attack on the volume traded on the exchange in 17 different cases. Thirdly, we find that in 13 cases the negative impact due to a DDoS attack is recovered within the same day by the exchange. Finally, we evaluate hourly trade data to show why in most cases the volume traded recovers within a single day.
@inproceedings{abhishta2019impactDdosAttacksMajorCrypto, title = {Impact of Successful DDoS Attacks on a Major Crypto-Currency Exchange}, keywords = {Bitfinex, Crypto-currency, DDoS Attacks, Economic Impact, Event Study}, author = {Abhishta, Abhishta and Joosten, \{Reinoud A.M.G.\} and Dragomiretskiy, Sergey and Nieuwenhuis, \{Lambertus Johannes Maria\}}, year = {2019}, month = mar, day = {19}, doi = {10.1109/EMPDP.2019.8671642}, language = {English}, isbn = {978-1-7281-1644-0}, pages = {379--384}, booktitle = {2019 27th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP)}, publisher = {IEEE}, address = {United States}, note = {27th Euromicro International Conference on Parallel, Distributed and Network-Based Processing 2019, PDP 2019 ; Conference date: 13-02-2019 Through 15-02-2019}, url = {https://www.pdp2019.eu/index.html}, }
The Blind Man and The Elephant: Measuring Economic Impacts of DDoS Attacks

Abhishta Abhishta

Dec 2019

Abs DOI Bib PDF

Internet has become an important part of our everyday life. We use services like Netflix, Skype, online banking and Scopus etc. daily. We even use Internet for filing our tax returns and communicating with municipalities. This dependency on network-based technologies provides an opportunity to malicious actors in our society to remotely attack IT infrastructure. One type of cyberattack that may lead to unavailability of network resources is known as distributed denial of service (DDoS) attack. A DDoS attack leverages many computers to launch a coordinated Denial of Service attack against one or more targets. These attacks cause damages to victim businesses. According to reports published by several consultancies and security companies these attacks lead to millions of dollars in losses every year. One might ponder: are the damages caused by temporary unavailability of network services really this large? One of the points of criticism for these reports has been that they often base their findings on victim surveys and expert opinions. Now, as cost accounting/book keeping methods are not focused on measuring the impact of cyber security incidents, it is highly likely that surveys are unable to capture the true impact of an attack. A troubling fact is that most C-level managers make budgetary decisions for security based on the losses reported in these surveys. Several inputs for security investment decision models such as return on security investment (ROSI) also depend on these figures. This makes the situation very similar to the parable of the blind men and the elephant, in which several blind men try to conceptualise how the elephant looks like by touching it. Hence, it is important to develop methodologies that capture the true impact of DDoS attacks. In this thesis, we study the economic impact of DDoS attacks on public/private organisations by using an empirical approach. In Chapter 1 we explain the motivation for our work and illustrate the problems associated with measuring the economic impacts of DDoS attacks. We then formulate our main research question and break it down into sub-questions that we investigate in later chapters. We state our main research question as follows: What are the economic impacts of DDoS attacks on public/private organisations? Our first contribution is identifying the main stakeholders in a DDoS attack. In Chapter 2, we discuss the evolution of DDoS attacks in the last decade and briefly describe the strategies adopted by attackers and defenders. By studying the business model of a botnet, we also analyse how DDoS attacks can be used by attackers for monetary gains. Our second contribution is to develop methodologies to capture the direct impact of DDoS attacks. In Chapters 3 and 4 we measure the direct consequences of DDoS attacks on large managed domain name service (DNS) providers and a cryptocurrency exchange respectively. We find that a successful DDoS attack on a managed DNS service provider, changes the security behaviour of its customers. In the case of cryptocurrency exchange we find that the losses are recovered very quickly, on most instances even within a single day. We show how longitudinal datasets can be used to asses the impacts. The third contribution of this thesis is to develop methodologies to measure the indirect consequences of DDoS attacks. In Chapter 5, we propose a more robust event study approach and use it to analyse the impact of DDoS attack announcements on victims’ stock prices. We find that in most cases this impact is short lived (5-10 days). In Chapter 6, we introduce a dataset based on web articles on DDoS attacks which captures the social context of an attack. We show how machine learning algorithms can be used to filter news articles that are reporting a DDoS attack from the dataset. We recognise that it is not possible to measure the true impact of DDoS attacks on the victim without learning about the aims of attackers. In Chapter 7, we propose a model based on Routine Activity Theory (RAT) to study attacker’s aims by using the information about the attack reported in the news articles. Later in Chapter 8, we show how postulates of RAT may be used to explain DDoS attack trends on educational institutions. Our results show that DDoS attacks are not a random phenomenon and attackers are instigated by the circumstances surrounding them. We observe that measuring the true economic impact of these attacks is complex and requires us to consider the context of an attack. Some of the consequences of short duration IT unavailability are temporary and they are recovered rather quickly. Hence, to take this work forward we propose to give economic meaning to the empirical data that is presently available and collect more data at employee level to measure the resilience of firms towards IT unavailability.
@phdthesis{abhishta2019blindManElephantEconomicImpacts, title = {The Blind Man and The Elephant: Measuring Economic Impacts of DDoS Attacks}, keywords = {Cybersecurity}, author = {Abhishta, Abhishta}, year = {2019}, month = dec, day = {5}, doi = {10.3990/1.9789036549127}, language = {English}, isbn = {978-90-365-4912-7}, publisher = {University of Twente}, address = {Netherlands}, type = {PhD Thesis - Research UT, graduation UT}, school = {University of Twente}, url = {https://doi.org/10.3990/1.9789036549127}, }
Victim routine influences the number of DDoS attacks: Evidence from Dutch educational network

Abhishta Abhishta, Marianne Junger, Reinoud Joosten, and 1 more author

In 2019 IEEE Security and Privacy Workshops, SPW 2019, Sep 2019

IEEE Security and Privacy Workshops, SPW 2019, SPW 2019 ; Conference date: 23-05-2019 Through 23-05-2019

Abs DOI Bib

We study the influence of daily routines of Dutch academic institutions on the number of DDoS attacks targeting their infrastructures. We hypothesise that the attacks are motivated and harness the postulates of Routine Activity Theory (RAT) from criminology to analyse the data. We define routine periods in order to group days with similar activities and use 2.5 years of NetFlow alerts data measured by SURFnet to compare the number of alerts generated during each of these periods. Our analysis shows clear correlation between academic schedules and attack patterns on academic institutions. This leads us to believe that most of these attacks are not random and are initiated by someone who might benefit by disrupting scheduled educational activities.
@inproceedings{abhishta2019victimRoutineInfluencesNumberDdos, title = {Victim routine influences the number of DDoS attacks: Evidence from Dutch educational network}, keywords = {Aims, DDoS attacks, NetFlow analysis, Routine activity theory, 2023 OA procedure}, author = {Abhishta, Abhishta and Junger, Marianne and Joosten, Reinoud and Nieuwenhuis, \{Lambert J.M.\}}, year = {2019}, month = sep, day = {19}, doi = {10.1109/SPW.2019.00052}, language = {English}, pages = {242--247}, booktitle = {2019 IEEE Security and Privacy Workshops, SPW 2019}, publisher = {IEEE}, address = {United States}, note = {IEEE Security and Privacy Workshops, SPW 2019, SPW 2019 ; Conference date: 23-05-2019 Through 23-05-2019}, url = {https://doi.org/10.1109/SPW.2019.00052}, }

2018

Analysing The Impact Of A DDoS Attack Announcement On Victim Stock Prices

Abhishta, Reinoud Joosten, and L.J.M. Nieuwenhuis

May 2018

Abs DOI Bib PDF

DDoS attacks are increasingly used by ‘hackers’ and ‘hacktivists’ for various purposes. A number of on-line tools are available to launch an attack of significant intensity. These attacks lead to a variety of losses at the victim’s end. We analyse the impact of Distributed Denial-of-Service (DDoS) attack announcements over a period of 5 years on the stock prices of the victim firms. We propose a method for event studies that does not assume the cumulative abnormal returns to be normally distributed, instead we use the empirical distribution for testing purposes. In most cases we find no significant impact on the stock returns but in cases where a DDoS attack creates an interruption in the services provided to the customer, we find a significant negative impact.
@techreport{abhishta2018impactDdosAttackAnnouncementVictim, title = {Analysing The Impact Of A DDoS Attack Announcement On Victim Stock Prices}, keywords = {cs.CE, cs.CR, Abnormal Returns, Event Study, Cyber Security, DDoS Attacks}, author = {Abhishta and Joosten, Reinoud and Nieuwenhuis, L.J.M.}, year = {2018}, month = may, day = {2}, doi = {10.48550/arXiv.1805.00749}, language = {English}, publisher = {ArXiv.org}, type = {WorkingPaper}, institution = {ArXiv.org}, url = {https://doi.org/10.48550/arXiv.1805.00749}, }
Business Model of a Botnet

C.G.J. Putman, Abhishta, and L.J.M. Nieuwenhuis

In 2018 26th Euromicro International conference on Parallel, Distributed, and Network-Based Processing (PDP), Jun 2018

26th Euromicro International Conference on Parallel, Distributed and Network-based Processing 2018, PDP 2018 ; Conference date: 21-03-2018 Through 23-03-2018

Abs DOI Bib

Botnets continue to be an active threat against firms or companies and individuals worldwide. Previous research regarding botnets has unveiled information on how the system and their stakeholders operate, but an insight on the economic structure that supports these stakeholders is lacking. The objective of this research is to analyse the business model and determine the revenue stream of a botnet owner. We also study the botnet life-cycle and determine the costs associated with it on the basis of four case studies. We conclude that building a full scale cyber army from scratch is very expensive where as acquiring a previously developed botnet requires a little cost. We find that initial setup and monthly costs were minimal compared to total revenue.
@inproceedings{putman2018businessModelBotnet, title = {Business Model of a Botnet}, author = {Putman, C.G.J. and Abhishta and Nieuwenhuis, L.J.M.}, year = {2018}, month = jun, day = {7}, doi = {10.1109/PDP2018.2018.00077}, language = {English}, isbn = {978-1-5386-4976-3}, pages = {441 -- 445}, editor = {Kotenko, Igor and Merelli, Ivan and Lio, Pietro}, booktitle = {2018 26th Euromicro International conference on Parallel, Distributed, and Network-Based Processing (PDP)}, publisher = {IEEE}, address = {United States}, note = {26th Euromicro International Conference on Parallel, Distributed and Network-based Processing 2018, PDP 2018 ; Conference date: 21-03-2018 Through 23-03-2018}, url = {http://www.pdp2018.org/}, }
Comparing Alternatives to Measure the Impact of DDoS Attack Announcements on Target Stock Prices

Abhishta, Reinoud Joosten, and {Lambert J.M.} Nieuwenhuis

May 2018

The final version of this paper has been published in Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Volume 8, Number 4.

Abs Bib

The attack intensity of distributed denial of service (DDoS) attacks is increasing every year. Botnets based on internet of things (IOT) devices are now being used to conduct DDoS attacks. The estimation of direct and indirect economic damages caused by these attacks is a complex problem. One of the indirect damage of a DDoS attack can be on the market value of the victim firm. In this article we analyze the impact of 45 different DDoS attack announcements on victim’s stock prices. We find that previous studies have a mixed conclusion on the impact of DDoS attack announcements on the victim’s stock price. Hence, in this article we evaluate this impact using three different approaches and compare the results. In the first approach, we use the assume the cumulative abnormal returns to be normally distributed and test the hypothesis that a DDoS attack announcement has no impact on the victim’s stock price. In the latter two methods, we do not assume a distribution and use the empirical distribution of cumulative abnormal returns to test the hypothesis. We find that the assumption of cumulative abnormal returns being normally distributed leads to overestimation/underestimation of the impact. Finally, we analyze the impact of DDoS attack announcement on victim’s stock price in each of the 45 cases and present our results.
@techreport{abhishta2018alternativesImpactDdosAttackAnnouncements, title = {Comparing Alternatives to Measure the Impact of DDoS Attack Announcements on Target Stock Prices}, keywords = {q-fin.ST, eess.SP}, author = {Abhishta and Joosten, Reinoud and Nieuwenhuis, \{Lambert J.M.\}}, note = {The final version of this paper has been published in Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Volume 8, Number 4.}, year = {2018}, month = may, day = {30}, language = {English}, publisher = {ArXiv.org}, type = {WorkingPaper}, institution = {ArXiv.org}, }
Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers

Abhishta Abhishta, Roland {Van Rijswijk-Deij}, and {Lambert J.M.} Nieuwenhuis

Computer communication review, Oct 2018

Abs DOI Bib PDF

Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds? In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service’s customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.
@article{abhishta2018impactDdosAttackCustomerBehaviourArticle, title = {Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers}, keywords = {Customer Behaviour, DDoS Attacks, Domain Name System, Dyn, Economic Impact, NS1, 22/3 OA procedure}, author = {Abhishta, Abhishta and \{Van Rijswijk-Deij\}, Roland and Nieuwenhuis, \{Lambert J.M.\}}, year = {2018}, month = oct, doi = {10.1145/3310165.3310175}, language = {English}, volume = {48}, pages = {70--76}, journal = {Computer communication review}, issn = {0146-4833}, publisher = {Association for Computing Machinery}, number = {5}, url = {https://doi.org/10.1145/3310165.3310175}, }
Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers

Abhishta, Roland Rijswijk-Deij}, and L.J.M. Nieuwenhuis

In WTMC ’18, 2018

ACM SIGCOMM Workshop on Traffic Measurements for Cybersecurity, WTMC 2018, WTMC 2018 ; Conference date: 20-08-2018 Through 23-08-2018

Abs DOI Bib PDF

Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds? In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service’s customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.
@inproceedings{abhishta2018impactDdosAttackCustomerBehaviourConference, title = {Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers}, keywords = {Customer behaviour, DDoS attacks, Domain Name System, Dyn, Economic Impact, NS1, 2023 OA procedure}, author = {Abhishta and \{van Rijswijk-Deij\}, Roland and Nieuwenhuis, L.J.M.}, year = {2018}, doi = {10.1145/3229598.3229599}, language = {English}, pages = {1--7}, booktitle = {WTMC '18}, publisher = {ACM Press}, note = {ACM SIGCOMM Workshop on Traffic Measurements for Cybersecurity, WTMC 2018, WTMC 2018 ; Conference date: 20-08-2018 Through 23-08-2018}, url = {https://conferences.sigcomm.org/sigcomm/2018/}, }

2017

Analysing the Impact of a DDoS Attack Announcement on Victim Stock Prices

Abhishta, Reinoud Joosten, and L.J.M. Nieuwenhuis

In 2017 25th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP), Apr 2017

25th Euromicro International Conference on Parallel, Distributed and Network-based Processing, PDP 2017, PDP ; Conference date: 06-03-2017 Through 08-03-2017

Abs DOI Bib PDF

DDoS attacks are increasingly used by ’hackers’ and ’hacktivists’ for various purposes. A number of on-line tools are available to launch an attack of significant intensity. These attacks lead to a variety of losses at the victim’s end. We analyse the impact of Distributed Denial-of-Service (DDoS) attack announcements over a period of 5 years on the stock prices of the victim firms. We propose a method for event studies that does not assume the cumulative abnormal returns to be normally distributed, instead we use the empirical distribution for testing purposes. In most cases we find no significant impact on the stock returns but in cases where a DDoS attack creates an interruption in the services provided to the customer, we find a significant negative impact
@inproceedings{abhishta2017impactDdosAttackAnnouncementVictim, title = {Analysing the Impact of a DDoS Attack Announcement on Victim Stock Prices}, keywords = {Abnormal returns, Event study, Cyber security, DDoS attacks, 2023 OA procedure}, author = {Abhishta and Joosten, Reinoud and Nieuwenhuis, L.J.M.}, year = {2017}, month = apr, day = {27}, doi = {10.1109/PDP.2017.82}, language = {English}, isbn = {978-1-5090-6059-7}, pages = {354--362}, booktitle = {2017 25th Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP)}, publisher = {IEEE}, address = {United States}, note = {25th Euromicro International Conference on Parallel, Distributed and Network-based Processing, PDP 2017, PDP ; Conference date: 06-03-2017 Through 08-03-2017}, url = {https://doi.org/10.1109/PDP.2017.82}, }

Characteristics of DDoS attacks: An analysis of the most reported attack events of 2016

Abhishta Abhishta, {Lambertus Johannes Maria} Nieuwenhuis, Marianne Junger, and 1 more author

2017

Bib

@techreport{abhishta2017ddosAttacksMostReportedAttack,
  title = {Characteristics of DDoS attacks: An analysis of the most reported attack events of 2016 },
  author = {Abhishta, Abhishta and Nieuwenhuis, \{Lambertus Johannes Maria\} and Junger, Marianne and Joosten, \{Reinoud A.M.G.\}},
  year = {2017},
  language = {English},
  type = {WorkingPaper},
}

Comparing Alternatives to Measure the Impact of DDoS Attack Announcements on Target Stock Prices

Abhishta Abhishta, Reinoud Joosten, and {Lambert J.M.} Nieuwenhuis

Journal of wireless mobile networks, ubiquitous computing, and dependable applications, Dec 2017

Abs DOI Bib

Distributed denial of service (DDoS) attacks are responsible for creating unavailability of online resources. Botnets based on internet of things (IOT) devices are now being used to conduct DDoS attacks. The estimation of direct and indirect economic damages caused by these attacks is a complex problem. In this article we analyze the impact of 45 different DDoS attack announcements on victim firm’s stock prices using three different approaches and compare the results. We show that the assumption of cumulative abnormal returns being normally distributed leads to overestimation/underestimation of the impact. We solve this problem by using an empirical distribution of cumulative abnormal returns for hypothesis testing. Finally, we demonstrate the impact of DDoS attack announcements in each of the cases.
@article{abhishta2017alternativesImpactDdosAttackAnnouncements, title = {Comparing Alternatives to Measure the Impact of DDoS Attack Announcements on Target Stock Prices}, keywords = { DDoS attacks, Stock market, Event study}, author = {Abhishta, Abhishta and Joosten, Reinoud and Nieuwenhuis, \{Lambert J.M.\}}, year = {2017}, month = dec, day = {31}, doi = {10.22667/JOWUA.2017.12.31.001}, language = {English}, volume = {8}, pages = {1--18}, journal = {Journal of wireless mobile networks, ubiquitous computing, and dependable applications}, issn = {2093-5374}, publisher = {Innovative Information Science and Technology Research Group}, number = {4}, url = {https://doi.org/10.22667/JOWUA.2017.12.31.001}, }