A multitude of studies have suggested potential factors that influence internet security awareness (ISA). Some, for example, used GDP and nationality to explain different ISA levels in other countries but yielded inconsistent results. This study proposed an extended knowledge-attitude-behaviour (KAB) model, which postulates an influence of the education level of society at large is a moderator to the relationship between knowledge and attitude. Using exposure to a full-time working environment as a proxy for the influence, it was hypothesized that significant differences would be found in the attitude and behaviour dimensions across groups with different conditions of exposure and that exposure to full-time work plays a moderating role in KAB. To test the hypotheses, a large-scale survey adopting the Human Aspects of Information Security Questionnaire (HAIS-Q) was conducted with three groups of participants, namely 852 Year 1–3 students, 325 final-year students (age = 18–25) and 475 full-time employees (age = 18–50) in two cities of China.

As individuals, businesses and governments increasingly rely on digital devices and IT, cyber attacks have increased in number, scale and impact and the attack surface for cyber attacks is expanding. First, this paper lists some of the characteristics of the cybersecurity and AI landscape that are relevant to policy and governance. Second, the paper reviews the ways that AI may affect cybersecurity: through vulnerabilities in AI models and by enabling cyber offence and defense. Third, it surveys current governance and policy initiatives at the level of international and multilateral institutions, nation-states, industry and the computer science and engineering communities. Finally, it explores open questions and recommendations relevant to key stakeholders including the public, computing community and policymakers. Some key issues include the extent to which international law applies to cyberspace, how AI will alter the offencedefense balance, boundaries for cyber operations, and how to incentivize vulnerability disclosure.

Cyber warfare and the advent of computer network operations have forced us to look again at the concept of the military objective. The definition set out in Article 52(2) of Additional Protocol I – that an object must by its nature, location, purpose or use, make an effective contribution to military action – is accepted as customary international law; its application in the cyber context, however, raises a number of issues which are examined in this article.

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government
agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of highlevel cybersecurity outcomes that can be used by any organization — regardless of its size,
sector, or maturity — to better understand, assess, prioritize, and communicate its
cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it
links to online resources that provide additional guidance on practices and controls that could
be used to achieve those outcomes. This document describes CSF 2.0, its components, and
some of the many ways that it can be used.

n liberal democratic countries, the role of the state in cybersecurity is a politically contested space. We investigate that role along three dimensions: the first is theoretical and we look at existing cybersecurity literature, showing that international affairs literature is almost exclusively highlighting the role of the state as a security actor. We argue that this view is too narrow and risks limiting the discussion to only a few aspects of what cybersecurity entails. The second is empirical and we analyse policy development, showing the diversity of the roles the state imagines for itself. The state occupies six different roles in cybersecurity: (1) security guarantor, (2) legislator and regulator, (3) supporter and representative of the whole of society, (4) security partner, (5) knowledge generator and distributor, and (6) threat actor. The third dimension is normative and we investigate what the role of the state should be.

The increasing demand for cybersecurity has been met by a global supply, namely, a rapidly growing market of private companies that offer their services worldwide. Cybersecurity firms develop both defensive (e.g. protection of own networks) and offensive innovations (e.g. development of zero days), whereby they provide operational capacities and expertise to overstrained states. Yet, there is hardly any systematic knowledge of these new cybersecurity warriors to date. Who are they, and how can we differentiate them? This contribution to the special issue seeks to give an initial overview of the coordination between public and private actors in cyberspace. I thus explore these new private security forces by mapping the emerging market for these goods and services. The analysis develops a generic typology from a newly generated data set of almost one hundred companies. As a result of this stock-taking exercise, I suggest how to theorize public-private coordination as network relationships in order to provide a number of preliminary insights into the rise of this ‘brave new industry’ and to point out critical implications for the future of private security forces.

This paper examines the multifaceted role of AI in cybersecurity, elucidating its applications in threat detection, vulnerability assessment, incident response, and predictive analysis.

The Russia-Ukraine war has clearly shown that critical infrastructures are prime targets for cyber operations in addition to the physical domain. In practice, in many cases, these critical infrastructures are protected by civilian cybersecurity companies in the context of a managed security service, so their defense operations must necessarily be coordinated with military defense activities. This includes among others the sharing of information classified under different classification systems (national, EU, NATO) between different actors in national cyber defense, the inclusion of appropriate civilian experts in the armed forces, and the usage of cutting-edge cybersecurity technologies (e.g. AI-enabled solutions) that are first introduced for civilian use, with military organizations only having access to them later or possibly not encountering them at all due to procurement difficulties. The main goal of this paper is to introduce the existing opportunities and obstacles to civilians’ involvement in military cyber operations in the areas of legislation, technology, and human resources from the European perspective. Moreover, the paper deals with the actual questions of cybersecurity intelligence sharing between civilian and military entities and the European Union’s actions in order to improve the overall cybersecurity posture of the region.

Civilian innovation is often said to be an important facilitator in the development of Lethal Autonomous Weapon Systems (LAWS). This claim is held up as both a reason to ban LAWS urgently, and why a ban would be impractical. But we know little about how this dynamic plays out in practice. Theoretical insights on technology transfer can help to analyse the situation. They suggest that obtaining and utilising the civilian technology is harder than often assumed. Civil-military cooperation is hindered by the stark differences between the civilian and defence industries. Business practices are out of sync, there are few social ties between the two worlds, innovative cultures do not translate, and many civilian engineers resist cooperation with the military. Additionally, defence still needs to modify civilian technologies to meet military standards and develop military-exclusive applications of autonomy. While civilian innovation thus advances what is technologically possible, this does not automatically translate into major advances or rapid diffusion of LAWS.

This paper investigates the role of general cybersecurity and cybersecurity policy awareness in enhancing supply chain cyber resilience reactive capabilities. Theorizing from the Protection Motivation Theory, 200 Small and Medium Enterprises (SMEs) were contacted to understand their perception of cybersecurity and policy awareness in affecting their overall cybersecurity hygiene. Data collection was carried out using a questionnaire survey and analysed via Partial Least Squares-based Structural Equation Modelling to validate the research framework.