This dataset contains expert assessments of the cybersecurity skills required for six job profiles in Europe, as determined via surveys answered by cybersecurity experts from academia and industry. The data can be used to identify educational needs in the cybersecurity sector and to compare against other frameworks. The six cybersecurity-oriented job profiles used in the surveys are: General cybersec auditor; Technical cybersec auditor; Threat modelling engineer; Security engineer; Enterprise cybersecurity practitioner; Cybersecurity analyst.
The assumption that a cyberattacker will potentially exploit all present vulnerabilities drives most modern cyber risk management practices and the corresponding security investments. We propose a new attacker model, based on dynamic optimization, where we demonstrate that large, initial, fixed costs of exploit development induce attackers to delay implementation and deployment of exploits of vulnerabilities. The theoretical model predicts that mass attackers will preferably (i) exploit only one vulnerability per software version, (ii) largely include only vulnerabilities requiring low attack complexity, and (iii) be slow at trying to weaponize new vulnerabilities.
We study interdependent risks in security, and shed light on the economic and policy implications of increasing security interdependence in the presence of reactive attackers. We investigate the impact of potential public policy arrangements on the security of a group of interdependent organizations, namely, airports. Focusing on security expenditures and costs to society, as assessed by a social planner, to individual airports and to attackers, we first develop a game-theoretic framework, and derive explicit Nash equilibrium and socially optimal solutions in the airports network.
Cybersecurity is one of the biggest challenges in the Internet of Things (IoT) domain, as well as one of its most embarrassing failures. As a matter of fact, nowadays IoT devices still exhibit various shortcomings. For example, they lack secure default configurations and sufficient security configurability.
Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g.
We analyze the issue of agency costs in aviation security by combining results from a quantitative economic model with a qualitative study based on semi-structured interviews. Our model extends previous principal-agent models by combining the traditional fixed and varying monetary responses to physical and cognitive effort with nonmonetary welfare and potentially transferable value of employees' own human capital. To provide empirical evidence for the tradeoffs identified in the quantitative model, we have undertaken an extensive interview process with regulators, airport managers, security personnel, and those tasked with training security personnel from an airport operating in a relatively high-risk state, Turkey.