ArticlePDF Available

Maritime cybersecurity: are onboard systems ready?

Authors:

Abstract

Recent maritime cybersecurity accidents reveal that shipping is facing increased exposure to cyber threats, especially due to the fast-growing digitalisation of the sector, leaving vessels and their onboard systems vulnerable to cyberattacks. This research aims at evaluating the relationship among the critical dimensions influencing cybersecurity performance in the maritime industry. To achieve this, six critical dimensions related to cybersecurity preparedness are first identified through literature review, namely 'regulations', 'company procedures' from a managerial perspective and 'shipboard systems readiness', 'training and awareness', 'human factor' and 'compliance monitoring' at an operation level. A Likert-scale questionnaire is designed and used to collect empirical data from 133 seafarers and shore-based staff. Structural Equation Modelling (SEM) is applied to examine the causal relationships between the six dimensions and shipboard cybersecurity performance. The results show that 'regula-tions' positively influence shipping companies' cybersecurity-related 'pro-cedures', which in turn positively affects 'shipboard systems readiness', 'training and awareness', and 'monitoring'. Further, 'training and aware-ness' positively influences the cybersecurity performance of ships. The results have profound implications for the shipping industry on how to strengthen their cyber practices in order to improve their cybersecurity performance. Recommendations for future academic research related to maritime cybersecurity are also provided.
Full Terms & Conditions of access and use can be found at
https://www.tandfonline.com/action/journalInformation?journalCode=tmpm20
Maritime Policy & Management
The flagship journal of international shipping and port research
ISSN: (Print) (Online) Journal homepage: https://www.tandfonline.com/loi/tmpm20
Maritime cybersecurity: are onboard systems
ready?
Kamlesh Kanwal, Wenming Shi, Christos Kontovas, Zaili Yang & Chia-Hsun
Chang
To cite this article: Kamlesh Kanwal, Wenming Shi, Christos Kontovas, Zaili Yang & Chia-
Hsun Chang (2022): Maritime cybersecurity: are onboard systems ready?, Maritime Policy &
Management, DOI: 10.1080/03088839.2022.2124464
To link to this article: https://doi.org/10.1080/03088839.2022.2124464
© 2022 The Author(s). Published by Informa
UK Limited, trading as Taylor & Francis
Group.
Published online: 16 Sep 2022.
Submit your article to this journal
View related articles
View Crossmark data
Maritime cybersecurity: are onboard systems ready?
Kamlesh Kanwal
a
, Wenming Shi
b
, Christos Kontovas
a
, Zaili Yang
a
and Chia-
Hsun Chang
a
a
Liverpool Logistics, Offshore and Marine Research Institute (LOOM), Liverpool John Moores University, Liverpool,
UK;
b
Maritime and Logistics Management, Australian Maritime College, University of Tasmania, , Newnham, TAS
7248, Australia
ABSTRACT
Recent maritime cybersecurity accidents reveal that shipping is facing
increased exposure to cyber threats, especially due to the fast-growing
digitalisation of the sector, leaving vessels and their onboard systems
vulnerable to cyberattacks. This research aims at evaluating the relation-
ship among the critical dimensions inuencing cybersecurity performance
in the maritime industry. To achieve this, six critical dimensions related to
cybersecurity preparedness are rst identied through literature review,
namely ‘regulations’, ‘company procedures’ from a managerial perspec-
tive and ‘shipboard systems readiness’, ‘training and awareness’, ‘human
factor’ and ‘compliance monitoring’ at an operation level. A Likert-scale
questionnaire is designed and used to collect empirical data from 133
seafarers and shore-based sta. Structural Equation Modelling (SEM) is
applied to examine the causal relationships between the six dimensions
and shipboard cybersecurity performance. The results show that ‘regula-
tions’ positively inuence shipping companies’ cybersecurity-related ‘pro-
cedures’, which in turn positively aects ‘shipboard systems readiness’,
‘training and awareness’, and ‘monitoring’. Further, ‘training and aware-
ness’ positively inuences the cybersecurity performance of ships. The
results have profound implications for the shipping industry on how to
strengthen their cyber practices in order to improve their cybersecurity
performance. Recommendations for future academic research related to
maritime cybersecurity are also provided.
KEYWORDS
Cybersecurity; maritime
security; human factor;
cybersecurity compliance
monitoring; structural
equation modelling
1. Introduction
Cybercrime is recognised as one of the most significant threats any company would face in the next
decades. According to Cybersecurity Ventures (2020), the costs of global cybercrime are expected
increasing 15% per year between 2021 and 2025, and reaching USD 10.5 trillion by 2025, compared
to USD 3 trillion in 2015. The introduction of automation, integration and the drive for digitalisa-
tion of systems and processes for optimising management processes makes ships increasingly prone
to cyberattacks (Kala and Balakrishnan 2019).
A cyber incident poses a major risk to the maritime sector, which might lead to severe
consequences in terms of human casualties, economic and environmental ramifications
(Alcaide and Llave 2020). Cyberattacks are, therefore, considered important threats to the
maritime industry. Vulnerabilities in hardware, software and network systems are exploited by
cybercriminals, for example, by introducing malware into the victim’s equipment. The motive
CONTACT Chia-Hsun Chang c.chang@ljmu.ac.uk Liverpool Logistics, Offshore and Marine Research Institute (LOOM),
Liverpool John Moores University, Liverpool, James Parsons Building, Byrom Street, L3 3AF, UK.
MARITIME POLICY & MANAGEMENT
https://doi.org/10.1080/03088839.2022.2124464
© 2022 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.
0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
behind such attacks can be manifold and not limited to data theft, financial gains, disruption of
service, obtaining intelligence, gaining media attention and political vendetta (CaproCaprolu
et al. 2020; Kala and Balakrishnan 2019). Large companies (e.g. Maersk Line, BW group,
COSCO) have witnessed serious attacks in the past, resulting in data breaches and significant
commercial losses (Sakar et al. 2019). Even the global maritime regulatory body, the United
Nations’ International Maritime Organization (IMO) was cyberattacked in September 2020
(Kuhn, Bicakci, and Shaikh 2021).
Some research has been conducted on cybersecurity issues in the maritime industry focusing
mainly on hazards/threats influencing cybersecurity (e.g., Chang et al. 2019), policies and measures
(Tam and Jones 2018), and training of maritime professionals (Tam, Moara-Nkwe and Jones 2020).
However, there is a lack of sufficient analysis on the relationship between the critical factors and
cybersecurity performance in the maritime industry, and it is widely recognised that such
a relationship analysis is essential for effective risk control/management (e.g., Yang et al. 2018).
To that extent, this work aims at evaluating the relationship between the critical dimensions and
cybersecurity performance in the maritime sector. The key dimensions refer to the recognised
groups of crucial risk factors influencing ship onboard cybersecurity performance (Chang et al.
2019).
This research adopts the ‘Diffusion of innovations’ theory to explain how the novel concept of
cybersecurity is adopted by the relatively conservative maritime industry. Six critical dimensions
that influence maritime cybersecurity performance are discussed in the literature review section,
including ‘regulatory framework’, ‘company procedures’ from a managerial perspective, and
‘shipboard systems readiness’, ‘cyber training and awareness’, ‘compliance monitoring’ and
‘human factor’ at an internal operational level. A Likert-scale questionnaire is designed for
collecting empirical data from 133 seafarers and onshore shipping company staff. This research
further applies Structural Equation Modelling (SEM) to analyse the interrelationship amount the
factors and cybersecurity performance in the maritime sector. The contributions of this research
include: (1) provision of useful insights on the important factors that affect cybersecurity
performance on ships, which could be further explored in order to identify measures to enhance
maritime cybersecurity; (2) a new definition of maritime cybersecurity performance, as well as
a novel causal relationship framework for modelling maritime cybersecurity factors and perfor-
mance; (3) a number of cybersecurity policy recommendations for the interested parties.
The rest of this paper is structured as follows. Section 2 provides a literature review by identifying
the critical dimensions affecting the cybersecurity performance of ships. Section 3 describes the
research methodology and the hypotheses. The study findings and discussion are presented in
Sections 4 and 5 respectively, the conclusions are drawn in Section 6.
2. Literature review
2.1. Diusion of innovations theory
‘Diffusion of innovations’ theory, proposed by Rogers (1995), addresses how the public accepts new
innovations (e.g., technologies, concepts, products). The process of acceptance of innovation
includes the following five steps: awareness, interest, evaluation, trial and adoption. The theory
has been applied in various areas such as mobile applications (Min, So, and Jeong 2019), environ-
mental construction (Sartipi 2020), transportation (Nordhoff et al. 2021; Wang, Douglas, and
Hazen 2021), and cybersecurity (Miron and Muita 2014). Our study is in line with this theory
because the maritime industry has a long history of using established techniques as the best practice.
Compared to other main classical transport modes (e.g., aviation), it often sits back in terms of
accepting innovative technologies, especially for addressing safety and security that are often driven
by accidents in a reactive way.
2K. KANWAL ET AL.
2.2. Critical factors inuencing maritime cybersecurity
The section will elaborate on the critical factors influencing the cybersecurity of ships. Based on
a thorough survey of the relevant literature, the following six critical dimensions are identified,
reviewed, and categorised as the fundamentals affecting the cybersecurity performance of ships.
Their definitions, justification of selection and supporting references are described in detail in the
ensuing sections.
2.2.1. Regulatory framework
The International Maritime Organisation (see IMO document MSC-FAL.1/Cir. 3) provides recom-
mendations for addressing the cyber risks associated with the industry and developing and
implementing best practices through the company’s safety management system (CaproCaprolu
et al. 2020). The guidelines follow the five-step framework of the United States National Institute of
Science and Technology (NIST) i.e. identify, protect, detect, respond and recover and have become
mandatory for all ships following the company’s first annual verification of the Document of
Compliance (DOC) after January 1
st
, 2021 (Kala and Balakrishnan 2019). Its compliance will be
inspected by Port State Control officers (Wingrove 2021).
Many other entities such as classification societies, associations and unions have developed
individual guidelines for the protection of ships, ports and connected organisations from cyber-
crimes. For instance, BIMCO proposes a guideline for shipboard Information Technology (IT) and
Operational Technology (OT) systems for the identification of threats and vulnerabilities, their
assessment, development of mitigation and contingency measures, and responding and recovering
from such threats (BIMCO, CLIA, ICS, Intercargo, Intermanager, Intertanko, IUMI, OCIMF and
World Shipping Council 2020). American Bureau of Shipping (American Bureau of Shipping
(2016)) presents guidelines for marine and offshore operations on cybersecurity, best practices,
criteria for assessment of systems/assets and certification, concepts of data integrity, software
systems verification and quality management. Lloyd’s Register (2016) provides guidelines for
stakeholders on the design, installation, integration and operation of digitally enabled systems
onboard ships and marine platforms to understand the implications of technology in digital
systems. DNV-GL (2016) also provides guidance on the application of standards such as ISO/IEC
27001 and ISA-99/IEC-62443 (standard for OT security of industrial control systems such as Global
Positioning System (GPS)).
2.2.2. Cyber security-related company procedures
In compliance with the IMO (2017) guidelines, plans and procedures will need to be devised, taking
into consideration the relevant standards, and guidelines to ensure the safety of ships/crew and the
protection of the marine environment.
An effective company cybersecurity strategy would involve designing a policy in cooperation
with the organisation and the stakeholders, and addressing key areas such as risk management,
resource management, strategic alignment with the organisation, performance measurement, value
delivery and integration with security. This will encompass the identification of key systems with
respect to safety, operations and environmental protection and the level of acceptable risk for these
(Kala and Balakrishnan 2019). The requirements as per the IMO’s International Safety
Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code should
now be matched with companies’ plans and procedures for cyber risk management.
2.2.3. Ship’s systems readiness
IT and OT systems onboard ships have been integrated through network connectivity and the
internet for improving performance, making them prone to cyberattacks. Attackers could hack the
cyber-enabled systems through loosely secured network connections and bypass firewalls to disrupt
services in order to steal data for selling or ask for ransom, to facilitate the illegal movement of
MARITIME POLICY & MANAGEMENT 3
cargo, to gather intelligence and knowledge of critical systems/infrastructure, for political gains, and
many more, including even the use of the vessel as a weapon to attack other potential targets
(CaproCaprolu et al. 2020).
It is also possible to undertake an attack on essential navigation equipment such as Automatic
Identification System (AIS), Electronic Chart Display and Information System (ECDIS), GPS,
Voyage data recorder (VDR) through jamming and. The disruption of these systems can result in
severe consequences (e.g., collision or grounding) and may lead to human losses and/or pose
a danger to the environment. IHS Fairplay (2016) conducts a survey and finds that several onboard
systems including shipboard systems including GPS, ECDIS and Engine Control are very vulner-
able to attacks.
Outdated software systems also pose a tangible cybersecurity risk and lack of timely application
of patches/updates can also render the current systems vulnerable (Jones, Tam, and Papadaki 2016).
Tam and Jones (2019) conduct a survey and disclose that 79% of the participants feel that shipboard
computers and their internet activity are the weakest links. Sakar et al. (2019) study 14 Tukey-based
shipping companies using semi-structured interviews to gain some understanding of their pre-
paredness both ashore and onboard ships for dealing with cyber risks. They reveal that the ship-
board IT systems are not fully protected against cyber threats and required investments for
improvement.
2.2.4. Cyber training and awareness
Recent cyber incidents in the maritime industry have revealed that many employees are not trained
to respond appropriately to cyber threats, potentially leading to behaviour that does not contribute
much to minimising risks and managing the issue (DNV-GL 2016). Previous studies have stated
that cyber training raises awareness which in turn enhances cybersecurity (Bolat and Kayisoglu
2019; El-Bably 2021). Through comprehensive and regular training, sea crews would have aware-
ness of what activities may cause cyberattacks and sufficient knowledge to mitigate the impact of
being cyberattacked.
IMO doc. MSC-FAL.1/Circ.3 stated that there is an urgent need to raise awareness to have
effective maritime cyber management. Tam and Jones (2019) analysed the factors affecting
security and individual training levels, and find that most of the respondents consider the
standards of crew training as the biggest issue. Svilicic et al. (2019) also found that the likelihood
of lack of training and awareness to seafarers is the highest among their identified cyber threats.
To avoid cyber assaults and to prepare both the crew and on-shore personnel to deal with such
threats, training and awareness in cybersecurity-related matters is required (Chang et al. 2019).
Training can be imparted to the company IT professionals for raising the defence skills, and the
ship’s crew who lack the expertise and the background but play a crucial role in emergency and
crisis management (Tam, Moara-Nkwe, and Jones 2020). Overall, crew awareness and readiness
can constitute the primary barrier against any kind of cyberattack guided on ships (Alcaide and
Llave 2020).
2.2.5. Compliance monitoring
To comply with the IMO’s cyber regulations, organisations need to determine their cybersecurity
priorities by conducting a risk assessment to identify risks and weaknesses specific to their ships
and, then, adopt effective cyber control measures and industry best practices to mitigate them
(Whitterker 2016). Enforcement of the IMO’s Guidelines will be verified by Port State Control
officers in a way that the ships do not only need to carry the required certificates and documents but
also to prove through their procedures a good understanding of cyber risks. Failure to appropriately
address cyber risks as per the Guidelines would result in non-compliance, fines and other actions
that could follow based on the identified deficiencies (Wingrove 2021).
4K. KANWAL ET AL.
Regular internal and external audits can assist in re-evaluating the cybersecurity measures in
place and provide an early indication of loopholes and weaknesses in the system. Any pitfalls could
be bridged timely to maintain efficient and sound security practices.
2.2.6. Human factor
Around 80% to 90% of maritime accidents are attributed to human factors (Macrae 2009; Heij and
Knapp 2018; Chang et al. 2021). Humans are seen as the weakest link in the management of
cybersecurity and lack of knowledge and awareness on their part can result in human errors (Boyce
et al. 2011; El-Bably 2021). According to an IBM report, 95% of cyber security breaches are caused by
human error and may result in unauthorised access through a secure door or barrier, the so-called
‘tailgating’ (IBM 2014). Such breaches may cause data loss, disruption of service or even using ships as
a potential weapon and can therefore result in economic losses and/or environmental damages.
The modern-day sophisticated systems onboard vessels are operated by a staff who are rotated
on a variety of ships with different systems thereby making them unfamiliar and prone to errors in
the management of security breaches (Hopcraft and Martin 2018). A number of cybersecurity-
related human errors can be linked to any of the following activities such as accessing suspicious
websites or links or disabling firewalls due to carelessness or for a specific purpose, using personal
devices on shipboard systems, etc.
2.3. Cybersecurity performance
The term ‘cybersecurity performance’ is in general described as the security performance of an
entity from a cyber perspective. It has been used in the academic literature. For instance, Lee (2021)
proposed a new framework for cyber risk management that includes four layers: cyber ecosystem,
cyber infrastructure, cyber risk assessment and cyber performance, which includes three activities
(i.e., implementation, monitoring and controlling, and continuous improvement). Garcia-Perez,
Sallos, and Tiwasing (2021) defined four indicators for cybersecurity performance, including Focus
(provision of foundational cybersecurity element), Capability, Resilience and Prep (cybersecurity
training and preparation efforts). However, there is no universally accepted definition of cyberse-
curity performance. Through the description of cybersecurity performance from the existing
research, we propose the following definition of maritime cybersecurity performance: the eective-
ness and eciency of a range of actions taken to prevent or mitigate the impact of cyberattacks on OT/
IT systems of ships, as well as the financial performance and reputation of companies.
We have identified five main ship systems, which need protection against cybercrimes, namely,
navigation systems, plant and machinery, communication systems, OT, and IT systems. Loss or
compromise of any of these systems can impact the operational capability and efficiency and
jeopardise the safety of their ship and staff (Boyes and Isbell 2017). Cybercrimes affect the safety
of navigation by exploiting the vulnerabilities of some of the essential navigation equipment such as
AIS, GPS, ECDIS, VDR, and communication systems. These systems can be hacked, jammed,
spoofed and servicse can be disrupted, which can lead to disastrous consequences such as collisions
and groundings etc. Such incidents would not only lead to severe economic losses but also result in
environmental pollution, which can in turn damage habitats and ecosystems. Other cases may
involve the breach of systems to manipulate data such as cargo manifests in order to carry out a theft
of cargo or obtain the client’s confidential information. Such devastating effects of cybercrimes can
damage the reputation of shipping companies and result in further business disruption.
Considering the growing threat of cybercrimes on ships and their devasting consequences on the
reputation and the financial performance of shipping companies, an indepth study is needed to
enhance the cybersecurity performance of ships by focusing on efficient cybersecurity practices. To
address it, new research hypotheses are proposed in Section 2.4.
MARITIME POLICY & MANAGEMENT 5
2.4. Research hypotheses
To examine how the above six dimensions affect the overall cybersecurity performance of ships,
nine hypotheses are proposed in this paper.
Adoption of a cyber regulatory framework and guidelines can ensure that organisations develop
a robust cybersecurity management system to address cyber threats using proven risk management
principles to prioritize security activities and performance within the organisation (Belmont 2014).
Hence, the following hypothesis is proposed:
H1—Regulatory framework positively impacts company procedures
Effective company cyber procedures may improve cybersecurity through several internal opera-
tional factors. Shipping companies can utilise specific security procedures and policies for the
management of digital/technology enabled systems and networks to enhance the resilience and
robustness of the systems (BIMCO, CLIA, ICS, Intercargo, Intermanager, Intertanko, IUMI,
OCIMF and World Shipping Council 2020). Moreover, effective policies and procedures can also
enhance the cybersecurity awareness of staff by addressing training requirements based on their
roles (Bolat and Kayisoglu 2019). Procedures can impact company training plans and further
enhance staff cybersecurity awareness. In addition, a proper cybersecurity procedure can provide
a clear guideline for the requirement of cybersecurity monitoring. Monitoring, reviewing and
auditing requirements of cyber critical ship systems and processes are defined by the organisational
procedures and plans (Boyes and Isbell 2017; DNV-GL 2016). This includes verification of controls
and identification of gaps for ensuring enhanced protection against such crimes. Besides, straight-
forward cybersecurity procedures can reduce human errors and prevent their negative impacts
(Chang et al. 2019). Hence, the following hypotheses are proposed:
H2—Cyber procedures have a positive effect on the resilience and robustness of ship’s systems
H3—Cyber procedures have a positive impact on cyber training and awareness
H4—Cyber procedures have a positive impact on compliance monitoring
H5—Cyber procedures have a negative impact on the occurrence of human factor
On the other side, proper implementation of internal operations can lead to better cybersecurity
performance. The resilience of shipboard systems is closely linked to the vessel’s safety and
operational capability (Boyes and Isbell 2017). Systems with up-to-date firewalls and antivirus
software to deal with cyberattacks can largely improve cybersecurity performance and further
enhance the company’s competitiveness (Chang et al. 2019). Moreover, with the growing use of
technology in shipboard functions, a lack of cyber-related training and staff/seafarers’ cybersecurity
awareness becomes detrimental. Training can help respond to cyber risks more proactively and
enhance safety and security (Chang et al. 2019; Tam, Moara-Nkwe, and Jones 2020). In addition,
regular monitoring and inspections of network components can help organisations to analyse their
cybersecurity measures and further mitigate the impact of cybersecurity risk (Pandey et al. 2020). In
addition, information security breaches related to human factors can result in serious consequences
such as losses of revenue, productivity, reputation and competitive advantage (Chang et al. 2019).
This leads us to the following hypotheses:
H6—Resilience of onboard systems has a positive impact on ship’s cybersecurity performance.
H7—Cyber training and awareness has a positive impact on ship’s cybersecurity performance.
6K. KANWAL ET AL.
H8—Cyber compliance monitoring has a positive impact on ship’s cybersecurity performance
H9—Human factor has a negative impact on ship’s cybersecurity performance
A conceptual model to illustrate the relationship of the above nine hypotheses is shown in
Figure 1.
3. Methodology
3.1. Data collection
To ensure collecting adequate representation for the research, a non-probability convenience
sampling combined with a snowball sampling technique is used. The target sample for the study
is seafarers and shipping company staff, who are directly responsible for implementing and
monitoring cybersecurity measures on ships. A five-point Likert scale (1: Strongly Disagree, 2:
Disagree, 3: Neutral, 4: Agree, 5: Strongly Agree) questionnaire has been utilised through an online
survey tool and a total of 150 questionnaires are sent out to ensure an unbiased response and an
adequate representation in May 2021. The academic literature that inspired the question item
design is listed in Appendix A. The main reasons for using an online survey are its advantages of
easiness of administration and analysis, and to capture more respondents (including seafarers who
have busy and irregular schedules, and are spread all across the world).
3.2. Analysis method
First, we conduct a descriptive analysis using SPSS 27 to derive the respondents’ perception towards
the cybersecurity readiness of ships. Reliability and validity tests are performed using the Composite
Reliability (CR) and Average Variance Extracted (AVE) metrics. CR and AVE values are calculated
using Equations (1–2) respectively (Chang et al., 2021):
C:R:¼Pn
1λ
2
Pn
1λ
2þPn
11λ2
(1)
AVE ¼Pn
1λ2
Pn
1λ2þPn
11λ2
(2)
where λ is factor loading and n is the number of items under each dimension.
Figure 1. Conceptual research framework.
MARITIME POLICY & MANAGEMENT 7
Confirmatory Factor analysis (CFA) has also been performed for finding a direct and indirect
correlation between the factors. Thereafter a Structural Equation Modelling (SEM) analysis is
employed to test the specified hypotheses. SEM is a multivariate analysis for simultaneously
investigating complex causal relationships among observable variables and latent variables, as
well as between latent variables; see Kline (2016) for more on SEM. The observable variables are
the question items, whereas the latent variables are the seven identified dimensions. Each dimension
has several relevant questions. Compared to normal regression that can also analyse causal relation-
ships, the advantage of SEM is the ability to simultaneously investigate the whole model with both
measurement and structural considerations (Kao, Stewart, and Lee 2009). SEM has been widely
applied in the maritime research domain; see for example Lu, Shang, and Lin (2016), Lu et al.
(2020)), Lin and Chang (2021).
Through this SEM analysis, the nine proposed hypotheses will be tested, and we can understand
whether the managerial factors would influence internal operational ones, which further affect
maritime cybersecurity performance. A number of fit indices are used to test the fitness of the
model; see Table 4. We utilise the SEM and perform the analysis using the AMOS 27 statistical
package.
4. Research ndings
4.1. Respondent prole
A total of valid 133 replies are collected. Most of the respondents are seafarers (84.2%), while the
remaining 15.8% are onshore personnel working for various shipping companies. Regarding their
work experience, around half of the participants have a considerable experience (more than
16 years) in the maritime industry (50.4%), followed by 11 to 15 years (22.6%), 6 to 10 years
(21%) and less than 5 years (6%). These indicate that the respondents can provide valuable opinions
on this topic as they have adequate and relevant experience.
4.2. Results of descriptive analysis
The results of the descriptive analysis are shown in Table 1. Overall, the identified six cybersecurity-
related dimensions have a neutral to high agreement response with the overall cybersecurity
readiness (mean between 3 and 4). The highest factor is ‘Procedures’ (mean: 3.94), followed by
‘Systems’ (mean: 3.90), ‘Monitoring’ (mean: 3.85), ‘Training and awareness’ (mean: 3.79),
‘Regulations’ (mean: 3.58), and ‘Human factor’ (mean: 3.36). Apart from the six dimensions, the
overall cybersecurity performance of ships is currently high (mean: 4.26), which indicates that most
of the respondents agree that shipping companies could have better performance through the above
cybersecurity implementations. Among the identified items, four have mean values higher than 4,
see items Pro3, Tra4, Sys2, and Sys3 in Table 1.
4.3. Results of CFA
CFA is conducted to verify the proposed structure, the results of which are presented in Figure 2.
Several statistical tests are used to determine how well the model fits the data; see Table 2 for the
metrics used and the fitness criteria. All metrics meet the recommended criteria.
4.4. Reliability and validity tests
Table 3 shows the results of the reliability and validity tests for the proposed model. The factor
loadings λð Þfor the variables are in the range between 0.56 and 0.9, more than the recommended value
of 0.5, indicating a good relationship between the latent construct and the observed variables. It also
8K. KANWAL ET AL.
confirms that the variance of the variables is sufficient for extraction by each dimension. The CR and
AVE values are well above the recommended thresholds of 0.7 and 0.5 respectively (see Fornell and
Larcker (1981) for more), implying that the model meets the reliability and validity tests.
4.5. Results of SEM
The SEM model with the standardised estimate results is shown in Figure 3. The results of the
model fitness parameters are presented in Table 4. Overall, the model meets the recommended
criteria indicating a good fit.
Table 5 shows the results of SEM. Based on a threshold p-value of 0.1, the results show that
‘Regulations’ has a positive and significant impact on company ‘Procedures’ (supporting H1);
‘Procedures’ also has a significant and positive impact on ‘Systems Readiness’, ‘Training and
awareness’ and ‘Monitoring’ (supporting H2, H3 and H4, respectively). However, ‘Procedures’
Table 1. Respondents’ perceptions of the critical dimensions and performance.
Question Items Code Mean S.D.
Regulation 3.58 0.66
The current regulations for maritime cybersecurity are easy to understand and have clarity. Reg1 3.72 0.70
The requirements for maritime cybersecurity are specific and detailed i.e. cover the necessary areas. Reg2 3.62 0.81
The requirements are easy to apply to existing navigation/transaction operations. Reg3 3.41 0.89
Procedures 3.94 0.78
Our company procedures are specific and detailed and cover all aspects of cybersecurity in accordance
with the required regulations.
Pro1 3.89 0.83
Third-party access to systems has been properly and appropriately addressed by our company
procedures.
Pro2 3.86 0.94
Our company policy on the use of personal devices on the systems is clear and appropriate. Pro3 4.08 0.91
The procedures are reviewed and updated by our company at regular intervals for addressing new
vulnerabilities.
Pro4 3.93 1.02
Systems 3.90 0.80
The IT and OT systems/equipment are designed and maintained to provide maximum protection i.e. are
difficult to breach
Sys1 3.59 0.97
The latest firewall and antivirus are used for the systems. Sys2 4.02 0.89
The software for the systems is kept up to date at all times. Sys3 4.02 1.03
Patches to the systems are applied timely. Sys4 3.97 0.93
Training and awareness 3.79 0.88
Our company regularly holds maritime cybersecurity training. Tra1 3.73 1.07
Cybersecurity training that is carried out by our company covers all critical aspects of shipboard/shore
security.
Tra2 3.70 1.07
I have received appropriate training in cybersecurity. Tra3 3.65 1.07
I am aware of the various cyber risks on ships. Tra4 4.03 0.86
I am aware of the procedures to follow in case of a cyberattack. Tra5 3.85 0.98
Human factor 3.36 0.84
It is possible that the staff bypass firewalls for specific purposes or due to a lack of awareness. Her1 3.19 1.16
It is possible that the staff access suspicious websites and links due to careless operations or for a specific
purpose.
Her2 3.40 1.04
The awareness of not using personal devices on systems is low. Her3 3.33 0.94
Third-party removable media is not always scanned before inserting in shipboard/shore systems. Her4 3.47 1.07
It is possible that shipboard/shore sensitive information is shared via social media. Her5 3.42 1.01
Monitoring 3.85 0.76
Cyber compliance with the statutory and company procedures is regularly monitored by a responsible
officer on our ships/ashore.
Mon1 3.84 0.87
Internal cyber audits are regularly conducted by our company representative to verify any loopholes. Mon2 3.82 0.93
Our company ships/offices are frequently inspected by parties such as Port State Control officers/oil
major companies/third parties for cybersecurity preparedness.
Mon3 3.90 0.94
Cybersecurity Performance 4.26 0.69
Cybersecurity implementation can largely improve the safety/security of ships/ shipping companies and
prevent cybercrimes.
Per1 4.29 0.74
Cybersecurity implementation can help ships/shipping companies have a better reputation. Per2 4.21 0.79
Cybersecurity implementation can help ships/shipping companies have a better financial performance. Per3 4.29 0.85
MARITIME POLICY & MANAGEMENT 9
Figure 2. CFA with standardised estimates.
Table 2. Results of CFA.
Metric Value Criteria
Chi-square/degrees of freedom (CMIN/df) 1.51 < 3.0
Comparative Fit Index (CFI) 0.93 > 0.9
Goodness of Fit (GFI) 0.81 > 0.8
Tucker-Lewis Index (TLI) 0.92 > 0.9
Incremental Fit Index (IFI) 0.93 > 0.9
Root Mean Square Residual (RMR) 0.06 < 0.1
Root means square of approximation (RMSEA) 0.06 < 0.08
10 K. KANWAL ET AL.
does not have a significant and negative impact on the occurrence of ‘Human factor’ (H5 is not
supported). Besides, ‘Training and awareness’ has a significant positive impact on ‘Performance’
(supporting H7). However, the results do not show a significant impact of ‘Monitoring’, ‘Systems’
and ‘Human factor’ on ‘Performance’ (not supporting H6, H8 and H9).
5. Discussion
5.1. Current level of cyber preparedness in the maritime industry
Due to the growing widespread concern about cyber-crimes, in 2017, the IMO adopted Resolution
MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’ and issued
‘Guidelines on Maritime Cyber Risk Management’ (see IMO doc. MSC-FAL.1/Circ.3), to provide
guidance on how to contact an assessment of cyber risk through the shipping company’s safety
management system (CaproCaprolu et al. 2020). A company safety management system needs to
appropriately address the cyber risks by taking into consideration the relevant standards and guide-
lines to ensure the safety of ships/crew and the protection of the marine environment (BIMCO, CLIA,
ICS, Intercargo, Intermanager, Intertanko, IUMI, OCIMF and World Shipping Council 2020).
Despite this general guidance, there is a lack of a clear description on how to develop such a safety
Table 3. Reliability and validity test results.
Research Item
Factor
Loadings λð Þ Error
Composite
Reliability (CR)
Average Variance
extracted (AVE)
Regulation 0.83 0.53
Reg1 0.79 0.19
Reg2 0.76 0.27
Reg3 0.62 0.48
Procedures 0.89 0.63
Pro1 0.75 0.30
Pro2 0.83 0.28
Pro3 0.82 0.26
Pro4 0.77 0.42
Systems 0.88 0.63
Sys1 0.63 0.56
Sys2 0.83 0.24
Sys3 0.86 0.27
Sys4 0.83 0.26
Training and
Awareness
0.91 0.68
Tra1 0.76 0.47
Tra2 0.83 0.35
Tra3 0.83 0.35
Tra4 0.86 0.20
Tra5 0.83 0.29
Human factor 0.85 0.58
Her1 0.56 0.91
Her2 0.91 0.18
Her3 0.80 0.32
Her4 0.62 0.70
Her5 0.85 0.28
Monitoring 0.82 0.57
Mon1 0.76 0.32
Mon2 0.83 0.26
Mon3 0.66 0.50
Cybersecurity
Performance
0.89 0.65
Per1 0.78 0.21
Per2 0.94 0.08
Per3 0.68 0.39
MARITIME POLICY & MANAGEMENT 11
Figure 3. SEM results with standardised estimates.
Table 4. Results of fitness tests.
Metric Value Threshold
Chi-square/degrees of freedom (CMIN/df) 1.47 < 3.0
Comparative Fit Index (CFI) 0.93 > 0.9
Goodness of Fit (GFI) 0.81 0.8–0.9
Normed Fit Index (NFI) 0.82 0.8–0.9
Tucker-Lewis Index (TLI) 0.93 > 0.9
Incremental Fit Index (IFI) 0.94 > 0.9
Root Mean Square Residual (RMR) 0.05 < 0.1
Root means square of approximation (RMSEA) 0.06 < 0.08
12 K. KANWAL ET AL.
management system in shipping companies for cybersecurity, in part because the causal relationship
between key influential dimensions/factors and cybersecurity performance remains unclear. Shipping
companies have therefore complied with the IMO cyber risk management requirements based on the
best practice in the field, devised and implemented company-specific cyber procedures and policies for
their ships. However, the issues on whether these procedures can adequately address the cybersecurity
of onboard systems, maintenance of cyber-related equipment, training of their staff and compliance
monitoring requirements still remain unclear. In addition, the procedures should be clear and easy to
understand for the seafarers and staff, e.g., using flowcharts with concise descriptions to present the
necessary activities to enhance maritime cybersecurity performance.
Shipboard systems with up-to-date anti-cyberattack designs are vital. For the mitigation of
cyberattacks, onboard systems should be equipped with cybersecurity functions such as intelligent
isolation and fast recovery, and also be regularly updated (Jones, Tam, and Papadaki 2016). For
example, equipment such as ECDIS requires regular updates to ensure safe operation. These
updates can be applied online or through a USB stick, both methods are prone to viruses.
Cybersecurity training is another key factor that affects cybersecurity performance. To enhance
the cyber awareness and skills for mitigating cyber threats and thus enhancing the cybersecurity
readiness, shipping companies need to conduct regular and up-to-date training in conjunction with
sound cybersecurity solutions such as the use of antivirus software, spam filters, firewalls, enforce-
ment of complex passwords, etc. Besides, behaviour-based training needs to be implemented for the
staff to prevent intentional errors. To change the behaviour of both offshore staff and onboard crew,
shipping companies need to do much more than annual training. A solution could be to foster
a cybersecurity culture that includes an effective engagement with sound and robust cybersecurity
best practices. A refresher training should also be carried out at regular intervals by shipping
companies to cater for the dynamic environment, change in requirements, new personnel etc.
(DNV-GL 2016).
Monitoring is also crucial to enhance ship’s cybersecurity performance. There is a need to put in
place stringent monitoring requirements to ensure that industry recommendations, company
policies and best practices are being adhered to at all times.
Meanwhile, some gaps in cybersecurity in the form of human factor still exist. Certain unsafe
practices such as using personal devices and accessing suspicious websites are still prevalent in the
industry; these can be exploited and infringed by criminals. This is in line with the findings reported
in Alcaide and Llave (2020). Respondents accepted the possibility of indulging in unsafe activities
such as accessing suspicious websites/links, using personal devices on shipboard systems and
sharing sensitive information via social media. Third-party removable media are also being used
on shipboard systems without scanning them first, thereby, putting the ship’s systems at risk.
5.2. Impact of the cyber critical factors on cybersecurity performance
Regulations have a significant positive impact on procedures. Hence, shipping companies must
strictly adhere to the regulatory framework for developing efficient cybersecurity policies,
Table 5. Results of SEM.
Estimate S.E. C.R. P Results
Procedure <– Regulation 0.741 0.147 5.055 *** Supports H1
Systems <– Procedure 0.994 0.144 6.883 *** Supports H2
Training and awareness <– Procedure 1.246 0.154 8.088 *** Supports H3
Monitoring <– Procedure 0.892 0.134 6.666 *** Supports H4
Human factor <– Procedure −0.189 0.115 −1.639 0.101 Not Support H5
Performance <– Systems 0.081 0.083 0.982 0.326 Not Support H6
Performance <– Training and awareness 0.45 0.129 3.494 *** Supports H7
Performance <– Monitoring −0.314 0.195 −1.614 0.106 Not Support H8
Performance <– Human factor 0.1 0.067 1.505 0.132 Not Support H9
MARITIME POLICY & MANAGEMENT 13
procedures and plans. Many regulations have been proposed by various organisations (see
Section 2.2.1). Cyber security-related procedures have a significant positive effect on the resilience
of onboard systems, training and awareness, and monitoring. Shipping should set stringent
cybersecurity procedures, which provide guidelines for seafarers on shipboard systems operations
and for the requirements of shipboard systems in cyber protection such as applying web and email
content filtering.
Training and awareness have a significant positive impact on cybersecurity performance.
Therefore, organisations must identify and address specific cyber training requirements for their
staff and ensure that this is performed timely and upgraded at regular intervals. The training should
also be provided regularly (e.g., every year or every half year) to staff and seafarers. Shipping
companies could provide industrial case studies and best practices and collaborate with maritime
universities, which in turn could provide high-standard cyber training courses to students, new
seafarers and shipping company staff, and thus raise higher cybersecurity awareness related, for
example, to phishing emails and websites, and encourage using strong passwords and changing
them regularly. Government or maritime related associations could also recommend, mandate or
provide cybersecurity training courses with recognised certificates to motivate more seafarers and
staff to take the training.
5.3. Implications
The implications of this research are discussed from three aspects: managerial, academic and policy
recommendations.
For managerial implications, this research addresses how shipping companies and seafarers can
benefit in a more cost-effective way since the most influencing factors have been identified to guide
and prioritise the measures to improve cybersecurity performance. Given that shipping companies
often have limited budgets to address safety and cybersecurity concerns, this is especially the case
also for small enterprises, our findings are insightful for them as they can guide these companies on
how to obtain a satisfactory cybersecurity performance in a cost-effective manner. By ranking the
crucial factors, companies can understand which factors are important and more efficient to
improve their cybersecurity performance.
Regarding academic implications, SEM has been applied in many fields but there are limited
applications related to cybersecurity. It shifts a new paradigm on the analysis of critical factors and
performance in different maritime domains and even in a wider range of applied contexts such as
those suffering high level of cybersecurity risks (e.g., finance and military). Further, the SEM based
study presented in this paper also paves the way for further studies on the rational development of
cybersecurity risk control measures. Future research can be extended in two directions: a) model-
ling of the relationships between risk factors/dimensions and the joint impact of multiple factors on
cybersecurity performance; and b) modelling of cybersecurity risk-based decision making by
incorporating our findings with economic information of the identified cybersecurity measures.
This paper also provides some policy recommendations to enhance the cybersecurity perfor-
mance of the industry and to help more seafarers and staff understand the importance of cyberse-
curity as well as the skills required for dealing with cyberattacks. Through the collaboration among
industry, government and academics, maritime cybersecurity performance can be significantly and
efficiently enhanced.
6. Conclusions
This paper evaluates the interrelationship between six cybersecurity dimensions and the cyberse-
curity performance of ships. The results suggest that the shipping sector has had a positive outlook
on the cyber regulatory framework and shipping companies have developed and implemented
specific cyber procedures through their safety management system. These policies adequately cover
14 K. KANWAL ET AL.
critical areas of shipboard cybersecurity such as systems readiness, training and monitoring
requirements. The results also show that cyber regulations positively impact the organisational
procedures, which further positively and significantly impact the systems, training and awareness,
and monitoring requirements. In addition, training and awareness is also found to have a positive
impact on the overall cybersecurity performance of ships. Hence, to address cyber threats and the
weak links in current cybersecurity practices, the maritime industry needs to improve cyber risk
awareness among both onboard and shore-based staff by conducting regular and up-to-date
training.
Unlike previous research, which mainly focused on identifying cyber weaknesses in the maritime
industry, this research focuses on assessing the cybersecurity preparedness of ships and explaining
the link of critical dimensions of cybersecurity to the overall preparedness and performance of
ships. To our knowledge, this is among the first papers addressing these aspects of maritime
cybersecurity and, thus, provides new research directions for academic research.
This paper has some research limitations which can be the focus of future research. First, the
research framework is based on a literature review. Future research could further streamline the
questionnaire and the theoretical framework, while incorporating other aspects such as user
behaviour based on the so-called ‘protection motivation theory’, the ‘technology acceptance
model’ and the ‘diffusion of innovations theory’. Secondly, future work can focus on collecting
a larger sample from multinational seafarers to get a more representative opinion of the industry
and potentially to focus on cultural behaviour differences. In addition, an analysis of the respon-
dents’ opinions based on their background (e.g., experience, position, company size) can enhance
our understanding of the respondents’ professional experience, e.g., related to the size of the
technology on board the ships and the role of training the personnel involved in the operational
processes. Finally, apart from the factors discussed in this work, there are various variables that can
also affect the overall cybersecurity performance such as education, position, leadership, culture,
and some human factors-related aspects such as fatigue, mental health issues, frustration, cognitive
workload (for more details see Paul and Dykstra 2017; Zăgan et al. 2018; Tam et al. 2021; Telschow
and Neider 2021). Future research could include these variables into the structure in order to obtain
a more comprehensive picture.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Funding
TThis work was partially supported by grants from the UK Economic and Social Research Council (ESRC) (ESRC-
MOST UK-Taiwan Network Grant 2021) and the European Commission (H2020 European Research Council (ERC)
Consolidator Grant TRUST, Grant agreement ID: 864724)
ORCID
Wenming Shi http://orcid.org/0000-0001-6551-0499
Christos Kontovas http://orcid.org/0000-0001-9461-6436
Zaili Yang http://orcid.org/0000-0003-1385-493X
Chia-Hsun Chang http://orcid.org/0000-0002-7351-8471
References
Alcaide, J. I., and R. G. Llave. 2020. “Critical Infrastructures Cybersecurity and the Maritime Sector.” Transportation
Research Procedia 45: 547–554. doi:10.1016/j.trpro.2020.03.058.
MARITIME POLICY & MANAGEMENT 15
American Bureau of Shipping. 2016. “The Application of Cybersecurity Principles to Marine and Offshore
Operations”. Accessed 10th November 2021. https://ww2.eagle.org/content/dam/eagle/rules-and-guides/cur
rent/other/250_cybersafetyV1/CyberSafety_V1_Cybersecurity_GN_e.pdf
Belmont, K. 2014. “Maritime Cybersecurity: A Growing Threat Goes Unanswered.” Accessed 10 May 2021 http://
cybersecuritylawwatch.com/
BIMCO, CLIA, ICS, Intercargo, Intermanager, Intertanko, IUMI, OCIMF and World Shipping Council. 2020. “The
Guidelines on Cyber Security Onboard Ships (Version 4)”. Accessed 04 May 2021 https://www.bimco.org/about-
us-and-our-members/publications/the-guidelines-on-cyber-security-onboard-ships
Bolat, P., and G. Kayisoglu. 2019. “Antecedents and Consequences of Cybersecurity Awareness: A Case Study for
Turkish Maritime Sector.” Journal of ETA Maritime Science 7 (4): 344–360. doi:10.5505/jems.2019.85057.
Boyce, M. W., K. M. Duma, L. J. Hettinger, T. B. Malone, D. P. Wilson, and J. Lockett-Reynolds. 2011. “Human
Performance in Cybersecurity: A Research Agenda.” Proceedings of the Human Factors and Ergonomics Society
Annual Meeting. 55 (1): 1115–1119. Sage CA: Los Angeles, CA: SAGE Publications. 10.1177/
1071181311551233.
Boyes, H., and R. Isbell. 2017. Code of Practice, Cyber Security for Ships. London: Institution of Engineering and
Technology.
Caprolu, M., R. Di Pietro, S. Raponi, S. Sciancalepore, and P. Tedeschi. 2020. “Vessels Cybersecurity: Issues,
Challenges, and the Road Ahead.” IEEE Communications Magazine 58 (6): 90–96. doi:10.1109/MCOM.001.
1900632.
Chang, C. H., C. Kontovas, Q. Yu, and Z. Yang. 2021. “Risk Assessment of the Operations of Maritime Autonomous
Surface Ships.” Reliability Engineering & System Safety 207: 107324. doi:10.1016/j.ress.2020.107324.
Chang, C. H., C. S. Lu, and P. L. Lai. 2021. “Examining the Drivers of Competitive Advantage of the International
Logistics Industry.” International Journal of Logistics Research and Applications 1–19. doi:10.1080/13675567.2021.
1915263.
Chang, C. H., W. Shi, W. Zhang, C. Park, and C. Kontovas 2019. “Evaluating Cybersecurity Risks in the Maritime
Industry: A Literature Review.” Paper presented at the International Association of Maritime Universities (IAMU)
Conference, Tokyo, October - 01st November 29th October - 01st.
Chang, C. H., W. Zhang, W. Shi, and C. Park 2020. “Evaluating Cybersecurity in the Maritime Industry.” Paper
presented at the 10th Asian Logistics Round Table (ALRT) 2020 Conference, Tasmania, 19-20 November.
Cybersecurity Ventures. 2020. “Cybercrime to Cost the World $10.5 Trillion Annually by 2025.” Accessed 03 May
2021 https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
DNV-GL. 2016. “Cyber Security Resilience Management for Ships and Mobile Offshore Units in Operation”,
DNVGL-RP-0496.” Accessed 21 May 2021 https://www.gard.no/Content/21865536/DNVGL-RP-0496.pdf
El-Bably, A. Y. 2021. “Overview of the Impact of Human Error on Cybersecurity Based on ISO/IEC 27001
Information Security Management.” Journal of Information Security and Cybercrimes Research 4 (1): 95–102.
doi:10.26735/WLPW6121.
Fornell, C., and D. F. Larcker. 1981. “Evaluating Structural Equation Models with Unobservable Variables and
Measurement Error.” Journal of Marketing Research 18 (1): 39–50. doi:10.1177/002224378101800104.
Garcia-Perez, A., M. P. Sallos, and P. Tiwasing. 2021. “Dimensions of Cybersecurity Performance and Crisis
Response in Critical Infrastructure Organisations: An Intellectual Capital Perspective.” Journal of Intellectual
Capital. doi:10.1108/JIC-06-2021-0166.
Heij, C., and S. Knapp. 2018. “Predictive Power of Inspection Outcomes for Future Shipping accidents–an Empirical
Appraisal with Special Attention for Human Factor Aspects.” Maritime Policy & Management 45 (5): 604–621.
doi:10.1080/03088839.2018.1440441.
Hopcraft, R., and K. M. Martin. 2018. “Effective Maritime Cybersecurity regulation–the Case for a Cyber Code.”
Journal of the Indian Ocean Region 14 (3): 354–366. doi:10.1080/19480881.2018.1519056.
IBM. 2014. “IBM Security Services 2014 Cyber Security Intelligence Index.” Accessed 25 October 2021. https://i.crn.
com/sites/default/files/ckfinderimages/userfiles/images/crn/custom/IBMSecurityServices2014.PDF
IHS Fairplay. 2016. “Cyber security survey in association with BIMCO.” Accessed May 15 May 2021. https://cybersail.
org/wp-content/uploads/2017/02/IHS-BIMCO-Survey-Findings.pdf
IMO. 2017. “Maritime Cyber Risk Management in Safety Management Systems.” Accessed 28 October 2021. https://
wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf
Jones, K. D., K. Tam, and M. Papadaki. 2016. “Threats and Impacts in Maritime Cyber Security.” Engineering and
Technology Reference 1 (5): 1–13. doi:10.1049/etr.2015.0123.
Kala, N., and M. Balakrishnan. 2019. “Cyber Preparedness in Maritime Industry.” International Journal of Scientific
and Technical Advancements 5: 19–28.
16 K. KANWAL ET AL.
Kao, L. H., M. Stewart, and K. H. Lee. 2009. “Using Structural Equation Modeling to Predict Cabin Safety Outcomes
among Taiwanese Airlines.” Transportation Research Part E: Logistics and Transportation Review 45 (2): 357–365.
doi:10.1016/j.tre.2008.09.007.
Kline, R. B. 2016. Principles and Practice of Structural Equation Modeling. 4th. New York: The Guilford Press.
Kuhn, K., S. Bicakci, and S. A. Shaikh. 2021. “COVID-19 Digitization in Maritime: Understanding Cyber Risks.”
WMU Journal of Maritime Aairs 20 (2): 193–214. doi:10.1007/s13437-021-00235-1.
Lee, I. 2021. “Cybersecurity: Risk Management Framework and Investment Cost Analysis.” Business Horizons 64 (5):
659–671. doi:10.1016/j.bushor.2021.02.022.
Lin, C. C., and C. H. Chang. 2021. “Evaluating Employee’s Perception toward the Promotion of Safety Marketing at
Ports.” International Journal of Shipping and Transport Logistics 13 (3–4): 275–299. doi:10.1504/IJSTL.2021.
113985.
Lloyd’s Register. 2016. “LR Issues Technical Guidance for Ship Design in a Digital Age.” Accessed 20 May 2021
https://www.lr.org/en/latest-news/cyber-shipping-lr-issues-technical-guidance-for-ship-design-in-a-digital-age/
Lu, C. S., K. C. Shang, and C. C. Lin. 2016. “Examining Sustainability Performance at Ports: Port Managers’
Perspectives on Developing Sustainable Supply Chains.” Maritime Policy & Management 43 (8): 909–927.
doi:10.1080/03088839.2016.1199918.
Lu, C. S., H. K. Weng, S. Y. Chen, C. W. Chiu, H. Y. Ma, K. W. Mak, and T. C. Yeung. 2020. “How Port Aesthetics
Affect Destination Image, Tourist Satisfaction and Tourist Loyalty?” Maritime Business Review 5 (2): 211–228.
doi:10.1108/MABR-12-2019-0056.
Macrae, C. 2009. “Human Factors at Sea: Common Patterns of Error in Groundings and Collisions.” Maritime Policy
& Management 36 (1): 21–38. doi:10.1080/03088830802652262.
Min, S., K. K. F. So, and M. Jeong. 2019. “Consumer Adoption of the Uber Mobile Application: Insights from
Diffusion of Innovation Theory and Technology Acceptance Model.” Journal of Travel & Tourism Marketing
36 (7): 770–783. doi:10.1080/10548408.2018.1507866.
Miron, W., and K. Muita. 2014. “Cybersecurity Capability Maturity Models for Providers of Critical Infrastructure.”
Technology Innovation Management Review 4 (10): 33–39. doi:10.22215/timreview/837.
Nordhoff, S., V. Malmsten, B. van Arem, P. Liu, and R. Happee. 2021. “A Structural Equation Modeling Approach for
the Acceptance of Driverless Automated Shuttles Based on Constructs from the Unified Theory of Acceptance and
Use of Technology and the Diffusion of Innovation Theory.” Transportation Research Part F: Trac Psychology
and Behaviour 78: 58–73. doi:10.1016/j.trf.2021.01.001.
Pandey, S., R. K. Singh, A. Gunasekaran, and A. Kaushik. 2020. “Cyber Security Risks in Globalized Supply Chains:
Conceptual Framework.” Journal of Global Operations and Strategic Sourcing 13 (1): 103–128. doi:10.1108/JGOSS-
05-2019-0042.
Paul, C. L., and J. Dykstra. 2017. “Understanding Operator Fatigue, Frustration, and Cognitive Workload in Tactical
Cybersecurity Operations.” Journal of Information Warfare 16 (2): 1–11.
Rogers, E. M. 1995. Diusion of Innovations. 4th ed. New York: Free Press.
Sakar, C., B. Koseoglu, M. Buber, and A. C. Toz 2019. “Are the Ships Fully Secured against the cyber-attacks?” In
Global Conference on Innovation in Marine Technology and the Future of Maritime Transportation 18th-19th of
April 2019 İzmir, 276–288.
Sartipi, F. 2020. “Diffusion of Innovation Theory in the Realm of Environmental Construction.” Journal of
Construction Materials 1 (4): 2–4. doi:10.36756/JCM.v1.3.2.
Svilicic, B., J. Kamahara, M. Rooks, and Y. Yano. 2019. “Maritime Cyber Risk Management: An Experimental Ship
Assessment.” The Journal of Navigation 72 (5): 1108–1120. doi:10.1017/S0373463318001157.
Tam, K., R. Hopcraft, T. Crichton, and K. Jones. 2021. “The Potential Mental Health Effects of Remote Control in an
Autonomous Maritime World.” Journal of International Maritime Safety, Environmental Aairs, and Shipping
5 (2): 40–55. doi:10.1080/25725084.2021.1922148.
Tam, K., and K. D. Jones. 2018. “Maritime Cybersecurity Policy: The Scope and Impact of Evolving Technology on
International Shipping.” Journal of Cyber Policy 3 (2): 147–164. doi:10.1080/23738871.2018.1513053.
Tam, K., and K. Jones. 2019. “Situational Awareness: Examining Factors that Affect cyber-risks in the Maritime
Sector.” International Journal on Cyber Situational Awareness 4 (1): 1–29. doi:10.22619/IJCSA.2019.100125.
Tam, K., K. Moara-Nkwe, and K. Jones. 2020. “The Use of Cyber Ranges in the Maritime Context: Assessing
maritime-cyber Risks, Raising Awareness, and Providing Training.” Maritime Technology and Research 3 (1):
16–30. doi:10.33175/mtr.2021.241410.
Telschow, G., and M. Neider. 2021. “Cybersecurity and Fatigue: Does Fatigue from Visual Contrast Impact Our
Ability to Correctly Classify Emails?” Journal of Vision 21 (9): 2111. doi:10.1167/jov.21.9.2111.
MARITIME POLICY & MANAGEMENT 17
Wang, Y., M. Douglas, and B. Hazen. 2021. “Diffusion of Public Bicycle Systems: Investigating Influences of Users’
Perceived Risk and Switching Intention.” Transportation Research Part A: Policy and Practice 143: 1–13. doi:10.
1016/j.tra.2020.11.002.
Whitteker, W. (2016). Leading Effective Cybersecurity with the Critical Security Controls. Retrieved from: https://
www.sans.org/readingroom/whitepapers/critical/leading-effective-cybersecurity-critical-securitycontrols-36797
Wingrove, M. 2021. “Going beyond Compliance for Effective Cyber Security.” Accessed 03 June 2021 https://www.
rivieramm.com/news-content-hub/news-content-hub/shipping-should-look-beyond-compliance-for-effective-
cyber-security-64394 []
Yang, Z., Z. Yang, J. Yin, and Z. Qu. 2018. “A risk-based Game Model for Rational Inspections in Port State Control.”
Transportation Research Part E: Logistics and Transportation Review 118: 477–495. doi:10.1016/j.tre.2018.08.001.
Zăgan, R., G. Raicu, R. Hanzu-Pazara, and S. Enache. 2018. “Realities in Maritime Domain regarding Cyber Security
Concept.” Advanced Engineering Forum 27: 221–228. Trans Tech Publications Ltd. https://doi.org/10.4028/www.
scientific.net/AEF.27.221.
18 K. KANWAL ET AL.
Appendix A
Question Items References
Regulation
The current regulations for maritime cybersecurity are easy to
understand and have clarity.
IMO (2017); Hopcraft and Martin (2018); Caprolu et al.
(2020)
The requirements for maritime cybersecurity are specific and detailed
i.e. cover the necessary areas.
The requirements are easy to apply to existing navigation/transaction
operations.
Procedures
Our company procedures are specific and detailed and cover all
aspects of cybersecurity in accordance with the required
regulations.
IMO (2017); Chang et al. (2019);
Third-party access to systems has been properly and appropriately
addressed by our company procedures.
Our company policy on the use of personal devices on the systems is
clear and appropriate.
The procedures are reviewed and updated by our company at regular
intervals for addressing new vulnerabilities.
Systems
The IT and OT systems/equipment are designed and maintained to
provide maximum protection i.e. are difficult to breach
Jones, Tam, and Papadaki (2016); Chang et al. (2019);
Sakar et al. (2019); Tam and Jones (2019)
The latest firewall and antivirus are used for the systems.
The software for the systems is kept up to date at all times.
Patches to the systems are applied timely.
Training and awareness
Our company regularly holds maritime cybersecurity training. Bolat and Kayisoglu (2019); Chang et al. (2019); Tam,
Moara-Nkwe, and Jones (2020)Cybersecurity training that is carried out by our company covers all
critical aspects of shipboard/shore security.
I have received appropriate training in cybersecurity.
I am aware of the various cyber risks on ships.
I am aware of the procedures to follow in case of a cyberattack.
Human factor
It is possible that the staff bypass firewalls for specific purposes or due
to a lack of awareness.
Hopcraft and Martin (2018); Tam and Jones (2019);
Chang et al. (2020)
It is possible that the staff access suspicious websites and links due to
careless operations or for a specific purpose.
The awareness of not using personal devices on systems is low.
Third-party removable media is not always scanned before inserting in
shipboard/shore systems.
It is possible that shipboard/shore sensitive information is shared via
social media.
Monitoring
Cyber compliance with the statutory and company procedures is
regularly monitored by a responsible officer on our ships/ashore.
Whitterker (2016); Wingrove (2021)
Internal cyber audits are regularly conducted by our company
representative to verify any loopholes.
Our company ships/offices are frequently inspected by parties such as
Port State Control officers/oil major companies/third parties for
cybersecurity preparedness.
Cybersecurity Performance
Cybersecurity implementation can largely improve the safety/security
of ships/ shipping companies and prevent cybercrimes.
Peng and Lu (2018); Chang et al. (2019); Tam, Moara-
Nkwe, and Jones (2020)
Cybersecurity implementation can help ships/shipping companies
have a better reputation.
Cybersecurity implementation can help ships/shipping companies
have a better financial performance.
MARITIME POLICY & MANAGEMENT 19
... TPR suggests that perceived risk can influence consumers' decisions and partially mediate the relationship between perceived quality and perceived value along SCs (Wang et al., 2013). In our theoretical model, the perceived risk is the cyber threat, and perceptions are related to the specific dimensions of cyber risk consequences (Yang et al., 2020) and the effectiveness of cyber resilience strategies (Kanwal et al., 2022). These perceptions are exposed to subjective evaluations, which in turn influence decision-making processes. ...
... Accordingly, we formulated the following hypotheses to investigate the link between the perception of the two typologies of cyber risk consequence (i.e. potential business interruption awareness PBIA and potential reputation demage awareness PRDA) (Ogbanufe et al., 2021) and the commitment to adopting cyber risk governance strategies and policies (CRGSP) (Kanwal et al., 2022;Ram and Zhang, 2020): ...
... From a DC perspective, Easterby-Smith and Prieto (2008) addressed the different configurations of ad-hoc capabilities related to knowledge management and training programmes, according to different learning perspectives that characterised each organisation. Therefore, training programmes should be customised and run regularly to upskill the organisation's employees to identify, avoid, and respond to all the criticalities of cyber risks (Bulgurcu et al., 2010;Kanwal et al., 2022;Singh et al., 2014). This led to the following hypotheses: ...
Article
Purpose This empirical study investigates the direct and indirect effects on managers’ perceptions of cyber risks, the implementation of cyber resilience strategies and the perceived effectiveness of these strategies for supply chains. Cyber risks pose significant threats to organisations and supply chains. Yet they remain insufficiently addressed and managed. Design/methodology/approach Primary data were collected from a sample of Italian organisations using a survey. The structural equation modelling methodology was employed to empirically investigate cyber resilience strategies in supply chains. Findings Results indicate that effective cyber resilience is linked to awareness of the negative impacts of cyber risks, particularly supply chain disruptions. This awareness leads to the adoption of various cyber resilience strategies. According to managers' perceptions, several strategies are identified in the study as the most effective in enhancing the cyber resilience supply chains. The findings offer insights for managers regarding the relationship between cyber risk perceptions, supply chain cyber resilience strategies and their effectiveness. These relationships are studied using the theory of perceived risk and the dynamic capabilities theory. Originality/value This study advances knowledge for academics and practitioners in the fields of supply chain resilience and supply chain risk management. It contributes to the development of a risk-based thinking model in organisations and supply chains by drawing upon a dual theoretical perspective.
... In recent decades, as globalization and competitiveness have intensified, it has become crucial for maritime industry stakeholders to implement Industry 4.0 technology. The objective of this transition toward greater digitization and automation is to reduce waiting times and increase efficiency, particularly in complex operations such as ship navigation and cargo management [3,4]. Nevertheless, this digital transformation introduces various new risks, specifically cyber-attacks, which have emerged as a significant concern for MSCN agents [5][6][7]. ...
Article
Full-text available
The maritime industry is constantly evolving and posing new challenges, especially with increasing digitalization, which has raised concerns about cyber-attacks on maritime supply chain agents. Although scholars have proposed various methods and classification models to counter these cyber threats, a comprehensive cyber-attack taxonomy for maritime supply chain actors based on a systematic literature review is still lacking. This review aims to provide a clear picture of common cyber-attacks and develop a taxonomy for their categorization. In addition, it outlines best practices derived from academic research in maritime cybersecurity using PRISMA principles for a systematic literature review, which identified 110 relevant journal papers. This study highlights that distributed denial of service (DDoS) attacks and malware are top concerns for all maritime supply chain stakeholders. In particular, shipping companies are urged to prioritize defenses against hijacking, spoofing, and jamming. The report identifies 18 practices to combat cyber-attacks, categorized into information security management solutions, information security policies, and cybersecurity awareness and training. Finally, this paper explores how emerging technologies can address cyber-attacks in the maritime supply chain network (MSCN). While Industry 4.0 technologies are highlighted as significant trends in the literature, this study aims to equip MSCN stakeholders with the knowledge to effectively leverage a broader range of emerging technologies. In doing so, it provides forward-looking solutions to prevent and mitigate cyber-attacks, emphasizing that Industry 4.0 is part of a larger landscape of technological innovation.
... Discussed ethical considerations in maritime cybersecurity research, emphasizing ethical challenges in this domain and cybersecurity awareness in the Turkish maritime sector, examining antecedents and consequences. Papers [23][24][25][26][27][28] addressed building maritime cybersecurity capacity against ransomware attacks, presented in an international conference, evaluated hazardous cargo transportation, likely analyzing associated risks during maritime transport and assessed the impact of piracy and sea robbery on Nigerian port throughput performance, focusing on cargo operations. Proposed a Bayesian Network-driven FMEA approach for maritime cybersecurity risk assessment, developments and research directions, analyzing the evolving landscape and investigated the readiness of onboard systems for maritime cybersecurity challenges. ...
Chapter
The increasing automation and integration of new information technologies have brought about heightened vulnerabilities and security risks within the maritime industry. This article discusses the importance of maritime cargo cybersecurity and highlights some of the challenges posed by the potential threats posed by cyberattacks and hacker intrusions on ship and port systems. It explores a range of cyber threats, while assessing their potential impacts on the security of sea-borne cargo transportation. The article suggests practical approaches, solutions, and countermeasures to ensure the cybersecurity of maritime cargo transportation. It underscores the imperative of formulating and implementing cybersecurity strategies on the levels of vessels, ports, and logistic chains. The study examines various techniques and technologies like network perimeter defense, intrusion detection systems (IDS), data encryption, and multi-factor authentication. Additionally, it underscores the significance of providing comprehensive training for both onshore staff and ship crews to establish a security-conscious culture among all participants in maritime cargo transportation. The article concludes by underscoring the value of collaboration among shipowners, cargo proprietors, port authorities, governmental agencies, and other stakeholders in crafting and executing effective cybersecurity strategies across the maritime domain and stresses the necessity of ongoing surveillance and updates of security systems to adeptly address the ever-evolving cyber threats and challenges.
... In response to these identified gaps, they introduced the concept of "cyber-seaworthiness" as a proposed solution. Kanwal et al. (2022) conducted an evaluation examining the interplay between the cybersecurity performance of ships and six distinct cybersecurity dimensions. These dimensions encompassed aspects such as "regulations," "company procedures," "shipboard system readiness," "training and awareness," "human factor," and "compliance monitoring". ...
Article
Full-text available
The distinctive features of maritime infrastructures present significant challenges in terms of security. Disruptions to the normal functioning of any part of maritime transportation can have wide-ranging consequences at both national and international levels, making it an attractive target for malicious attacks. Within this context, the integration of digitalization and technological advancements in seaports, vessels and other maritime elements exposes them to cyber threats. In response to this critical challenge, this paper aims to formulate a novel cybersecurity risk analysis method for ensuring maritime security. This approach is based on a data-driven Bayesian network, utilizing recorded cyber incidents spanning the past two decades. The findings contribute to the identification of highly significant contributing factors, a meticulous examination of their nature, the revelation of their interdependencies, and the estimation of their probabilities of occurrence. Rigorous validation of the developed model ensures its robustness for both diagnostic and prognostic purposes. The implications drawn from this study offer valuable insights for stakeholders and governmental bodies, enhancing their understanding of how to address cyber threats affecting the maritime industry. This knowledge aids in the implementation of necessary preventive measures.
... The maritime industry is undergoing a significant transformation driven by the rapid digitization of ship systems and the widespread adoption of information and operational technologies. These advancements have enabled more efficient control of critical systems such as navigation, communications, sensors, and power management, which are essential for the safe and effective operation of modern ships (Kanwal et al., 2024). However, this increased reliance on digital technologies has also introduced new vulnerabilities, particularly in the realm of cyber security. ...
Article
The efficient operation of ship systems that control navigation, communications, sensors, and power and machinery is dependent on the increasing digitization of the maritime sector and the intense use of information and operational technologies. The goal of issuing and enforcing global regulations and standards is to lessen the impact of potential dangers that could jeopardize on-board systems, network and data integrity, and operation, functionality and safety. At this point, "Cyber Resilience of Ships" (UR E26) is recently released by the International Association of Classification Societies (IACS) to address the need to improve ships' cyber resilience. This regulation will be applicable to new ships built on and after 1 July 2024. This study aims to create a check list for ship cyber security based on IACS UR E26 standard. With a focus on clean seas and safe ships, the IACS provides technical assistance, verifies compliance, and conducts research and development to enhance maritime safety, security and regulation. This study provides practical tool to ships for ship cyber security management under the safety management system besides IACS standard benefits. Creating a checklist in accordance with the IACS UR E26 standard also allows ship owners and operators to comply with the standards and facilitate inspection processes. This reduces the effort spent to comply with international regulations. It helps to proactively manage cyber risks by providing a systematic approach to ship cyber security management. Key Words: Maritime cyber security, Ship cyber security check list, Ship cyber resilience, IACS UR E26
Chapter
The logistics industry is rapidly transforming, driven by emerging technologies and evolving cybersecurity threats. These threats have also affected the industries financially on one side but also fined some of the most reputed industries due to poor quality supplied to the customers. Many cybersecurity threats have also been reported. However, due to the usage of cloud services, many more threats have been opened to this industry. Therefore, this study explores the complex relationship between logistics and cybersecurity, highlighting the industry's challenges and opportunities. The adoption of technologies like the Internet of Things (IoT), cloud computing, and artificial intelligence offers new possibilities for efficiency and visibility, but also introduces cybersecurity vulnerabilities that must be addressed. From securing supply chains to implementing advanced encryption and access control, logistics companies are navigating a dynamic landscape that demands proactive cybersecurity measures. Furthermore, this study underscores the importance of staying informed about emerging threats and trends while adopting innovative solutions to protect data, operations, and customer trust in an interconnected world.
Article
The emergence of Industry 4.0, within the historical context of industrial revolutions shaped by human needs, signifies a rapid integration of technology into society. Despite societal concerns about technology displacing human labor, cybersecurity is a significant challenge associated with Industry 4.0. This study aims to create a "5-point Likert Scale" to assess the conceptual awareness of cybersecurity among maritime transportation sector employees. The "Cybersecurity Awareness Scale" consists of 43 queries and is subjected to rigorous validity and reliability analyses. Administered to 200 individuals in Istanbul, Türkiye, the scale revealed varying awareness levels, with information technology personnel showing high awareness and others exhibiting comparatively lower awareness, both organizationally and regarding individual security vulnerabilities. This scale contributes significantly to evaluating companies' cybersecurity awareness, aiding them in identifying strengths and weaknesses and implementing necessary measures. Future research can deepen theoretical discussions by utilizing the scale to uncover regional and sectoral differences in cybersecurity awareness. Recommendations include larger sample sizes for subsequent studies, enabling comprehensive comparisons and enriching the literature on this subject.
Chapter
Advances in science and technology play a key role in the development of merchant shipping, influencing both the size and speed of modern ships and their technical characteristics. The gradual increase in the cargo capacity of ships is accompanied by a reduction in the number of crew due to the automation of work processes, including the introduction of IT technologies and modern ship management systems. Despite calls by international maritime organizations for increased protection against cyber-attacks at sea, problems in this area remain unresolved. Owners remain silent about attempts or incidents of cyber-attacks for fear of commercial losses and possible negative consequences, such as loss of reputation, claims from customers and insurance companies, and possible investigations by independent international and state authorities. The issues of cybersecurity in the sphere of ship management in the modern world are becoming more and more important, as the existing threats affect not only the security of technical systems and equipment, but also aspects of environmental and public safety at sea. This article analyzes the application of cyber risk management recommendations in the maritime industry within the framework of security management systems to ensure reliable operation of computer-controlled ship systems.
Article
Full-text available
Information security is the practice of protecting information by mitigating the risk of cyber-attack, and typically includes preventing or reducing the possibility of unauthorized/inappropriate access to data, unlawful use, disclosure, disruption. This concept of information security covers as well various procedures aiming at minimizing the negative effects of such incidents and threats. These threats might be originated from the human behavior which may lead to a wide damage of the organization data assets. Thus, the primary focus of information security is on the balanced protection of confidentiality, integrity and availability of data while maintaining an effective use of the organizations' systems. International standards related to information security such as ISO/IEC 27001 emphasis on effective implementation of the information security policies and applications without hampering the productivity of the organization. This research seeks to draw a set of practical rules to be established within an organization to preserve cybersecurity objectives and protect dada specifically from human errors incidents. The drawn rules are based on ISO/IEC 27001 and its application within organizations will rise the employee’s awareness about their behavior to reduce the impact of such incidents on the organization' systems and data.
Article
Full-text available
Digitization is reshaping the maritime industry which is under increasing pressure to transform. Technology is more common as it offers improvements and carves out early adapters as more competitive. COVID-19 hastens digitization and creates new digital opportunity structures which increase cyber risks. Cyber attacks, which can cripple critical systems and services at significant cost, motivate stakeholders to engage with these risks. This paper reviews current events and introduces an exercise where participants at a NATO Centre of Excellency were shown scenarios involving maritime cyber incidents and evaluated on cyber risk perception. Our findings lend insight on how to assess group cyber risk perception—and how this impacts response. They highlight the need to plan for cyberspace operations and ground cyber risks as a intricate governing factor in maritime.
Article
Full-text available
Many maritime activities, such as loading, unloading and transporting cargoes, consist primarily of long periods of low-stress, with some moments of high stress during complex manoeuvres or unanticipated, dangerous, incidences. The increase in autonomy provided by machines and AI is beginning to take over certain tasks in the maritime sector, to reduce costs and mitigate human error. However, with the current levels of autonomous technology available, legislation, and public trust in the technology, such solutions are only able to remove majority of tasks associated with low-stress periods. In fact, many current remote control solutions still suggest relying on human operators to deal with the complex situations AI struggle with. Such a human–automation relationship could endanger the human element. The concern is that, if the human user is spending a disproportionate part of their time dealing with multiple, unconnected, high-stress tasks, without periods to de-stress, this could increasingly put workers at risk. This paper seeks to highlight potential technical, social, and mental, issues that may arise as the sector begins implementing semi-autonomous and fully autonomous maritime operations.
Article
Full-text available
Enhancing the competitive advantage of the international logistics industry is vital for a country. While most literature addresses the competitive advantage of individual organisations from the resource-based view, relatively few studies assess various governmental influences on providing a competitive advantage to the logistics industry. Drawing on the institutional theory and resource-based view, this study empirically identifies the critical drivers that affect competitive advantage in the international logistics industry. From the initial findings and a review of the relevant literature, this study identifies infrastructure, technology, integration, and regulation as the main drivers. Empirical data were collected from 149 international logistics firms or service providers in Taiwan. The study results show that the logistics industry in Taiwan is satisfied with technology and infrastructure. Using structural equation modelling (SEM), this study finds that regulation and integration have a positive impact on the competitive advantage of the international logistics industry, whereas technology has a positive impact on integration. In addition, based on the results of bootstrapping analysis, integration has a mediating effect on the relationship between technology and competitive advantage of the international logistics industry. Theoretical, managerial, and policy implications are discussed to reinforce the competitive advantage of the international logistics industry.
Article
Full-text available
The present study investigated the attitudes and acceptance of automated shuttles in public transport among 340 individuals physically experiencing the automated shuttle ‘Emily’ from Easymile in a mixed traffic environment on the semi-public EUREF (Europäisches Energieforum) campus in Berlin. Automated vehicle acceptance was modelled as a function of the Unified Theory of Acceptance and Use of Technology (UTAUT) constructs performance expectancy, effort expectancy, social influence, and facilitating conditions, the Diffusion of Innovation Theory (DIT) constructs compatibility and trialability, as well as trust and automated shuttle sharing. The results show that after adding the DIT constructs, automated shuttle sharing, and trust to the model, the effect of performance expectancy on behavioural intention was no longer significant. Instead, compatibility with current travel was the strongest predictor of behavioural intention to use automated shuttles. It was further found that individuals who are willing to share rides in an automated shuttle with fellow travelers (i.e., automated shuttle sharing) and who trust automated shuttles (i.e., trust) are more likely to intend to use automated shuttles (i.e., behavioural intention). The highest mean rating was obtained for believing that automated shuttles are easy to use, while the lowest mean rating was obtained for feeling safe inside the automated shuttle without any type of supervision. The analysis revealed a preference for the supervision of the automated shuttle via an external control room to the supervision by a human steward onboard. We recommend future research to investigate the hypothesis that compatibility could serve as an even stronger predictor of the behavioural intention to use automated shuttles in public transport than performance expectancy.
Article
Full-text available
Public bicycles have been touted as a convenient, environmentally friendly, and sustainable travel mode. Public bicycles have also been viewed as one part of a holistic solution to reducing negative transportation externalities. However, government and private entities need a better understanding of factors influencing user adoption of public bicycle systems. In this survey study, 470 prospective public bicycle users from Beijing, China completed face-to-face and web-based surveys , providing their perceptions of public bicycle system attributes, perceived risk associated with public bicycle use, and their intention to switch to public bicycles as a new mode of transportation. Our findings suggest that switching intention is directly influenced by user perceptions of the risk of public bicycle use, as well as user perceptions of the system's relative advantage over other modes of transportation and perceived compatibility of public bicycles with the user's current travel habits. Moreover, perceptions of risk are found to mediate the relationship between system attributes (complexity and observability) and switching intention. That is, user perceptions that public bicycles are difficult to access and use increases perceived risk and reduces the likelihood they will switch to public bicycles as a mode of transportation. Moreover, when prospective users can observe others using the system, their perceptions of risk decrease, which increases the likelihood they will adopt public bicycles as a new mode of transportation. This research contributes to theory-building in public bicycle adoption and informs business and government leaders on how to promote public bicycle adoption through an increased focus on important public bicycle system attributes.
Article
Purpose This research addresses the relationships between the current, dynamic organisational cyber risk climate, organisational cybersecurity performance and changes in cybersecurity investments, with an aim to address the hostile epistemic climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon. Design/methodology/approach Expanding on the views of digital security and resilience as a knowledge problem, the research looks at cybersecurity as a critical capability within organisations, particularly relevant in critical infrastructure sectors. The problem is studied from the perspective of 400 C-level executives from critical infrastructure sectors across the UK. Data collected at the peak of the coronavirus disease 2019 (COVID-19) pandemic, a time when critical infrastructure organisations have been under a significant strain due to an increase in cybersecurity incidents, were analysed using partial least square structural equation modelling. Findings The research found a significant correlation between the board's perception of a change in their cybersecurity risk climate and patterns of both the development of cybersecurity management capabilities and cybersecurity investments. The authors also found that a positive correlation exists between the efforts placed by critical infrastructure organisations in cybersecurity training and the changes in investment in their cybersecurity, particularly in relation to their intellectual capital development efforts. Originality/value To the best of the authors’ knowledge, this is the first paper that explores the board's perception of cybersecurity in critical infrastructure organisations both from the intellectual capital perspective and in the dynamic cyber risk climate derived from the COVID-19 crisis. The authors’ findings expand on the growing perception of cybersecurity as a knowledge problem, and thus inform future research and practice in the domain of intellectual capital management and its role in supporting the cybersecurity and digital resilience of business and society.
Article
As organizations accelerate digital transformation with mobile devices, cloud services, social media, and the Internet of Things (IoT) services, cybersecurity has become a key priority in enterprise risk management. While improving cybersecurity leads to higher levels of customer trust and increased revenue opportunities, rapidly evolving data protection and privacy regulations have complicated cybersecurity management. Against the backdrop of rapidly rising cyber breaches and the emergence of novel cybersecurity technologies such as machine learning and artificial intelligence, this paper introduces a cyber risk management framework and discusses a cyber risk assessment process. This paper illustrates a continuous improvement of cybersecurity performance and cyber investment cost analysis with a real-world cybersecurity example.