Cybercrimeology
Wake up Calling: Impacting businesses by communicating cybersecurity risk
Episode Summary
How can we encourage businesses to tackle cybersecurity? In this episode, we speak with Dr. Susanne van ’t Hoff-de Goede, Associate Professor at the Centre of Expertise Cyber Security in The Hague University of Applied Sciences. Susanne’s work focuses on the human factor in cybercrime—whether examining online victims, offenders, or the law enforcement response. Here, she introduces an innovative “low-threshold” cybersecurity intervention experiment that scanned company websites and sent tailored risk reports through traditional mail. We explore what worked, what didn’t, and how she plans to refine the approach to get more businesses proactively engaged in their cybersecurity.
Episode Notes
- SMEs struggle with cybersecurity due to time, cost, and lack of expertise, despite recognizing its importance.
- An automated cybersecurity scan was developed to assess SME websites and email security without requiring them to opt in.
- Physical reports were mailed instead of emailed to avoid phishing concerns and increase credibility.
- Reports included security ratings on ten key areas and recommendations for improvement.
- Businesses were encouraged to consult their existing IT providers for fixes rather than relying on external services.
- Different risk communication strategies were tested to encourage SMEs to act on the findings.
- “Anticipated Regret” messaging (“Fix it now or regret it later”) led to the highest cybersecurity improvements.
- All groups, including the control group, showed some improvement, suggesting broader awareness of cybersecurity issues.
- Engagement was low, with only a small number of businesses reaching out after receiving the report.
- Legal concerns about scanning businesses without consent were addressed—publicly available cybersecurity data can be legally assessed.
- Ethical approval confirmed the project was non-commercial and aimed solely at helping businesses improve security.
- A follow-up version of the project will introduce an opt-out option before scanning businesses.
- Industry associations may partner with the project to increase credibility and adoption.
- The intervention will be scaled up, with more businesses included and a longer time frame for assessing impact.
- Future plans include adapting the intervention internationally, using lessons learned to assist SMEs in other regions.
About Our Guest
Dr. Susanne van ’t Hoff-de Goede
https://www.linkedin.com/in/susanne-van-t-hoff-de-goede/
https://www.thuas.com/research/centre-expertise/team-cyber-security
Resources and Research Mentioned
Examining Ransomware Payment Decision-making Among SMEs
Matthijsse, S. R., Moneva, A., van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R.
European Journal of Criminology.
Explaining Cybercrime Victimization Using a Longitudinal Population-based Survey Experiment
van ’t Hoff-de Goede, M. S., van de Weijer, S., & Leukfeldt, R.
Journal of Crime and Justice, 47(4), 472-491 (2024).
How Safely Do We Behave Online? An Explanatory Study into the Cybersecurity Behaviors of Dutch Citizens
van der Kleij, R., van ’t Hoff-de Goede, S., van de Weijer, S., & Leukfeldt, R.
In: International Conference on Applied Human Factors and Ergonomics (2021), pp. 238-246.
The Online Behaviour and Victimization Study
van ’t Hoff-de Goede, M. S., Leukfeldt, E. R., van der Kleij, R., …
In: Cybercrime in Context: The human factor in victimization, offending, and … (2021).
Other
Dutch Government Cybersecurity Resource
https://english.ncsc.nl
(English-language site for the Netherlands’ National Cyber Security Centre)
Secure Internetting (in Dutch)
https://veiliginternetten.nl/