The effective sharing of knowledge both within and between police organizations is arguably becoming increasingly vital for success and has driven research in a disparate range of fields. This paper therefore presents the results of an integrative systematic literature review of research into knowledge sharing within and between police organizations across Europe. The 39 papers analysed were drawn from English-language studies published between 2000 and 2013, complemented by additional searches for non-English language papers in nine European countries. Analyses showed that past research has focused on intra-organizational knowledge sharing, with a particular spotlight on criminal intelligence and technology. Barriers / enablers of knowledge sharing were grouped into knowledge management strategy/legislation, technology, culture and loss of knowledge themes. Research recommendations include exploring the role of leadership and examination of police knowledge sharing across regional, institutional and international boundaries. Practical recommendations include having procedural clarity in systems, policies for sharing knowledge and developing the relevant knowledge, skills and motivation of police personnel through appropriate training.
In response to evolving cybersecurity challenges, global spending on information security has grown steadily, and could eventually reach a level that is inefficient and unaffordable. A better understanding of new socio-technical-economic complexities around information security is urgently needed, which requires both reconsideration of traditional cybersecurity issues and investigation of new and unexplored research directions. In recent times, interdisciplinary research has elucidated the many economic and behavioural dimensions of security. This research is rooted in the field of Information Security Economics, and primarily addresses disclosure policy and specifically, data breach notification laws. Data breach notification laws require any business that suffers a data breach, or believes that it suffered a data breach, to notify customers about the incident that entails the unauthorised acquisition of unencrypted and computerised personal information. Such laws offer incentives to the party who owes the notification duty to minimise the number of triggering events and also enable the affected third parties to diminish the consequences, namely identity theft, and to make prudent choices in the future. Public policy that seeks to improve the effects of data breach notification legislation must be informed by a comprehensive understanding of the behaviour and incentives of the organisations and individuals involved in the notification flow. Thus, this dissertation poses the following research question: What are the effects of the provisions of data breach notification laws on (1) communications issued by breached organisations to their customers; (2) the timing of breach detection and reaction; (3) the number of data breaches reported; and (4) the volume of identity theft stemming from data breaches?
As we live in the era of big data, it was possible to access and utilise data on the number of breaches and the number of notifications sent. However, it was also necessary to examine further the types of breaches that occurred as well as the types of communication sent and how individuals perceived them. This analysis allows the development of specific metrics, activating critical thinking about the measurement and the underlying phenomenon. This dissertation examines these notions and answers the research question through one theoretical peer-reviewed paper and four peer-reviewed empirical studies, each addressing a separate aspect related to the implementation of notification mechanisms, specifically data breach notification laws. Chapter one studies the role of information availability in the cybersecurity landscape and describes a theoretical model for evaluating data breach notification laws as a solution to tackle information asymmetries in the digital arena. Chapter two focuses on the tangible tools needed to implement such laws, specifically the notification process itself, and analyses the extent to which each organisation has leeway to ensure compliance with the law. Drawing on the variation in time for data breach detection and notification and letter content analysis, chapter four discusses the necessity to implement superseding law in order to bring coherence to the diverse approaches used in different geographical areas. Chapter five then addresses underreporting of data breaches. Finally, chapter six explores the relationship between data breaches and identity theft. The dissertation concludes by reflecting on the shared elements across the studies. The conclusion reflects on the role of disclosure policies in the information security arena and on the implications, given the results of these studies, for European data breach notification policies.
This article investigates the relationship between data breaches and identity theft, including the impact of Data Breach Notification Laws (DBNL) on these incidents (using empirical data and Bayesian modeling). We collected incident data on breaches and identity thefts over a 13-year timespan (2005–2017) in the United States. Our analysis shows that the correlation is driven by the size of a state. Enacting a DBNL still slightly reduces rates of identity theft, while the publishing of breach notifications by Attorneys General helps the broader security community learn about them. We conclude with an in-depth discussion on what the European Union can learn from the US experience.
Current scenarios reveal new types of ever-increasing dynamic and aggressive threats, which lead to a move from traditional security management to a strategic vision for protecting citizens and assets in a more comprehensive way. In such an environment, the risk related to incidents involving the use of CBRN (Chemical, Biological, Radiological and Nuclear) agents must be considered a cause of potentially devastating consequences. Non-proliferation and disarmament operations can make an essential contribution to combating terrorism by preventing or reducing the access of non-state actors or non-authorised persons to chemical, biological and nuclear dual-use materials, but this may not be enough. Illicit proliferation of chemical weapons, clandestine production of toxins and biological agents, 'dirty bombs' and trafficking of fissile material are just some examples of the use of CBRN agents for terrorist purposes. This chapter argues that, in order to address these issues, the integration of human, instrumental, technological and financial resources should be improved and reinforced. For that purpose, an effective strategy to mitigate and reduce the risk of using CBRN materials requires a high level of coordination across national agencies. Further development of interagency CBRN defence capabilities remains a top priority for global security.
Abstract: In this report we present the results from interviews and document analyses of current and planned information and communication technology (ICT) projects with police forces from 10 European countries and from interviews with technology vendors in the field of ICT for policing. Based on a cross-country, cross-organisational analysis, we present the following themes that describe major trends in ICT for European policing: • the integration of intelligence data systems • the adoption of mobile computing • the use of video surveillance technologi...
Introduction A decade has passed since the enactment of data breach notification laws (DBNLs) in numerous U.S. states. These laws mandate companies that have suffered a data breach to inform the customers whose data might have been exposed. The intent of DBNLs can perhaps be best summed up in the phrase: “sunlight is the best disinfectant”. Whether the goal of incentivizing better security practices has been realized is the subject of an ongoing debate (e.g., Romanosky et al. 2011, Bisogni 2016). What is clear, however, is that they have offered more visibility into the state of data breach events in the United States.
This paper describes an approach for assessing potential casualties due to events that adversely impact critical infrastructure sectors. The approach employs the consequence calculation model (CMM) to integrate quantitative data and qualitative information in evaluating the socioeconomic impacts of sector failures. This is important because a critical event that affects social and economic activities may also cause injuries and fatalities. Upon engaging a structured method for gathering information about potential casualties, the consequence calculation model may be applied to failure trees constructed using various approaches. The analysis of failure trees enables decision makers to implement effective strategies for reducing casualties due to critical events.
van den Born, Ad van den Oord, Arjen van Witteloostuijn, and Michal Vit. The contributions to the cross-country comparison of Melody Barlage and Saraï Sapulete are particularly appreciated. The final editing of the full report was done by Arjan van den Born and Arjen van Witteloostuijn.
Factors influencing cross-border knowledge sharing by police organisations: An integration of ten European case studies.
Towards a new update of the Digital Agenda and creation of the Digital Single Market: challenges and opportunities for Local and Regional Authorities in the European Union
While the discussion about a federal law on data breach notification is ongoing and a rash of large, costly data breaches has galvanized public interest in the issue, this paper investigates the phenomenon of data breach notification letters. In the case of any data breach, a company faces a number of dilemmas on how to inform its customers. The choices that a company makes on the content of the letter are decisive in prompting a timely reaction by customers against identity theft and eventually in shaping the relations between customers and the organization itself. Starting from the various regulations in place in the US, the analysis has been performed focusing on the content of over 210 letters sent in the US in the first semester of 2014. In particular, letters are classified based on elements that can be isolated and analysed, e.g. the level of transparency used in communicating the event causing the breach or the time span between data breach identification and its notification to customers....
EP3R 2010-2013 - Four Years of Pan-European Public Private Cooperation
The EP3R (European Public-Private Partnership for Resilience) was established in 2009 and was the very first attempt at Pan-European level to use a Public-Private Partnership (PPP) to address cross-border Security and Resilience concerns in the Telecom Sector. The EP3R participants initiated many discussions, saw a lot of commitment, and produced interesting conclusions. It also revealed some further needs in the security and resilience field and also some gaps to be filled in order to reach a higher maturity level of the Telecom Sector. The EP3R closed down in April 2013, after 4 years of existence and practically 3 years of operations. The impact of the very first European Public-Private Partnership for Resilience had to be assessed and lessons had to be drawn for future similar initiatives and other funded actions for improving European resilience.
This paper aims to analyse the cybersecurity issue, taking into account the investment behaviour of operators managing ICT infrastructures and providing ICT services, and trying to investigate which kinds of actions must be implemented to increase their security level. The main finding is that information availability plays a key role in the cyber-risk assessment for ICT operators and is also critical for improving the cybersecurity behaviour of other ICT stakeholders. From the ICT operator's perspective, lack of information affects the real perception of cyber-threat occurrence, the vulnerability of the operator's system and the potential loss in case of cyber-attack. As ICT systems have to be regarded as a network of different actor categories, regulation efforts at the European level should focus on spreading information among all ICT stakeholders in order to reduce failures of the cybersecurity market. Virtuous behaviour of other ICT stakeholders may increase the level of cybersecurity also by...
Economic impacts of cyber attacks. A quantification methodology
The information society is today comparable to a virtual square in which a large part of daily activities is carried out by the digital citizen. Spreading awareness of the risks, and raising security for all those who browse, interact, work and live online and on social media, therefore becomes a fundamental step, without forgetting national security issues and the evolution of international scenarios. Hence the need for a text that guides the reader in discovering this cyberworld, exploring the central themes of key sectors such as economics, technology and law. An interdisciplinary study of the problem of hacking, covering profiling and dark networks through to cyber law, and including interesting focused analyses of vertical topics, in the style of a white paper.
eSignature - Study on the supply side of EU e-signature market - Final Study Report by Formit
The objective of the “Study on the supply-side of EU e-signature market” is to collect and analyse information on the e-signature market in the EU, with particular attention to the supply-side. The main objectives of the study are the following: - To identify the main characteristics of the EU e-signature market actors; - To define the characteristics of products and services on the EU e-signature market; - To provide an overview of the e-signature demand-side; - To provide recommendations to different types of stakeholders, in order to have a clear picture of the e-signature market opportunities in Europe.
Papers by Fabio Bisogni