PhD Researcher: Regulation and governance of patching security in organizations

We are in an age of regular news stories about vulnerabilities in IT organization being exploited, for theft of customer data or injection of malware and ransomware. The costs seem to be rising, yet organizations still do not appear to be patching their IT systems and keeping software up-to-date. 
The reality is that organizations face a painful dilemma: patch too soon and incur potential downtime and failures; patch too late and get compromised by attacks. As a result, organizations take a long time to patch even critical security vulnerabilities. The way to get out of this catch-22 is to radically change the risk governance of patching. That is the objective of the NWO-funded THESEUS project, part of the Dutch National Research Agenda, theme Cybersecurity - towards a secure and trustful digital domain.

In the THESEUS project an interdisciplinary team of over 20 scientists jointly research cybersecurity issues. The team consists of people from different disciplines, countries, and backgrounds. In this project we have partnered with real-world partner organizations, such as KLM-AirFrance, Philips, Rijkswaterstaat, City of Amsterdam, City of The Hague, KPN, CyberSprint, and the National Cyber Security Center, which offers the unique opportunity to work closely with security managers and IT management teams of these entities as well as with leading solutions providers who are developing policies and practices for organizations.

The Theseus project aims at changing the risk of patching for enterprises by developing interdisciplinary breakthroughs at three interdependent levels: 

• Systems: reducing risk of patching via new techniques in automatic vulnerability and patch triaging, as well as automatic patch generation with live update for cases where critical patches pose unacceptable availability risks.
• Enterprises: better quantifying risk of patching by assessing and aggregating the results of the patch triaging, as a way to estimate exploit likelihood in a coherent picture that accounts for different attacker models and functional impact. 
• Governance: more effectively managing risks of patching by introducing incentive mechanisms via notifications and information sharing, sector-wide benchmarks of patching speed, and potentially legal instruments. 

The PhD Researcher based at Tilburg University will be part of the third track (Governance) and investigate existing legal frameworks and governance mechanisms regulating cyber security and handling potential liability to third parties from security incidents resulting from unpatched systems and the role of cyber insurance in patching and vulnerability response, in order to decide at which level and what type(s) of regulatory intervention can be deployed to improve patching practices of companies preventing such potential third party damages (rather than regulating liability after the fact). The researcher will deliver concrete recommendations to legislators, both at the national and European level. You will work closely with researchers reviewing governance of patching practices of companies, which will culminate in an overall portfolio of governance options.  The candidate will have the opportunity to present his/her work at international conferences, to conduct research abroad and to collaborate with the world's leading researchers working towards a secure digital future.

This fulltime position contains both research and teaching activities. More specifically:

Research (0.8 fte):

• Pursue academically path-breaking research leading to an excellent PhD-dissertation;
• Actively contribute to the operationalization of the THESEUS program;
• Participate in the Tilburg Graduate Law School courses and activities; 
• Be an active member of the department TILT by participating in and organizing TILT events and activities, presenting and discussing research output within TILT, and representing TILT outside Tilburg University; 
• Be an active member of THESEUS by participating in and organizing THESEUS events and activities, presenting and discussing research output within and outside of THESEUS. 

Teaching (0.2 fte):

• Co-supervise Law & Technology master thesis students; 
• Assist in the coordination and management of courses at the undergraduate and/or LLM programs that TILT is involved in; 
• Cooperate with other TILT members in developing new or modifying existing courses.

Tilburg University believes that academic excellence is achieved through the combination of outstanding research and education, in which social impact is made by sharing knowledge. In doing so, we recognize that excellence is not only achieved through individual performance, but mostly through team effort in which each team member acts as a leader connecting people. 

Applicants must: 

• Hold a Master in Law (LLM) at the time of application; 
• Have very good academic results at Master level; 
• Show a research interest in cybersecurity, governance, technology regulation as evidenced by your master thesis and/or other activities. Work that combines two or more of these regimes is preferred; 
• Be willing to complete a PhD-project within four years, that fits within the THESEUS project area and the above-mentioned research interests; 
• Be able and willing to work in a team and undertake teaching and administrative support in parallel to the PhD-research; 
• Have excellent communication skills in English, orally and in writing. Knowledge of the Dutch language would be an asset, but is not required; 
• Be available to start working in September 2022;
• Be present at Tilburg University at least 2 days a week in line with TILT's hybrid working policy office hours and commit to integrate in the environment provided by the department TILT and Tilburg Law School. 

Tilburg University offers excellent terms of employment. We believe flexibility, development, and good employee benefits are very important. We make clear agreements on career paths and offer all kinds of facilities and schemes to maintain an optimum balance between work and private life. Tilburg University also fosters diversity & inclusion; that is why we pursue an active policy for inclusive teams where diverse talents can flourish. 
The starting gross salary is € 2,443 - per month (for a full-time appointment) and will raise every 12 months to a maximum of € 3,122 based on the PhD salary scale of the Collective Labour Agreement Universities (vsnu.nl). Employees recruited from abroad may be eligible for the 30% tax facility – this means that 30% of your salary will be paid as a tax-free reimbursement.

The total duration of the PhD trajectory is four years (48 months) and 1.0 FTE. You will initially be appointed for a fixed period of 16 months. After 12 months, an evaluation will take place. If the performance evaluation is positive, your employment contract will be extended for the remaining period of 32 months. 

You are entitled to a holiday allowance amounting to 8% and a year-end bonus of 8.3% of your gross yearly income. If you work 40 hours per week, you receive 41 days of paid recreational leave per year.

Please visit Working at Tilburg University for more information on our employment conditions. 

Under the motto of ‘Understanding society’, Tilburg University’s more than 1,500 employees develop knowledge, transfer it to others, and bring people from various disciplines and organizations together. In this way, we want to contribute to solving complex social issues. Our focus areas are economics, business and entrepreneurship, social and behavioral sciences, law and public administration, the humanities and digital sciences, and theology. Tilburg University is internationally known for its high standards in education and scientific research, as well as its good support facilities. The Tilburg University campus offers both quietness and connectivity as it is located in a wooded park, ten minutes away from the city center, main highways, and railways. A mid-sized city of 200,000 inhabitants in the South of the Netherlands, and in proximity to cities like Amsterdam, Brussels, Paris, and London, Tilburg is situated at the very heart of Western Europe. 

Tilburg Law School offers highly ranked national and international education and research in law and public administration. Currently, almost 4,000 students are enrolled at Tilburg Law School. Students in Tilburg can choose from five Bachelor's programs, one of which is taught in English (Bachelor Global Law) and ten Master's programs, eight of which are taught in English. The international orientation of Tilburg Law School is reflected in these Bachelor's and Master's programs. The research conducted within Tilburg Law School is aimed at social relevance and provides students with the tools and skills to study and deal with current issues at an academic level. The research within Tilburg Law School is organized into five cross-departmental research programs: 1) Global Law and Governance; 2) New Modes of Lawmaking and Governance in a Multilayered Order; 3) Law and Security; 4) Connecting Organizations: Private, Fiscal and Technology-Driven Legal Relations in a Sustainable Society; and 5) Law and Technology.

TILT is one of the leading research groups in Europe at the intersection of law, technology, and society. It is premised on the multidisciplinary study of socio-technical change, aiming at understanding the interaction of technology and social and normative practices, in order to clarify how regulatory challenges of socio-technical change can be addressed. TilT also cooperates with TILEC in the area of energy regulation and energy economics.TILEC, a Center of Excellence at Tilburg University and a global leader in the study of economic governance and economic regulation, including electricity regulation, consists of some 40 committed members working on economic law and regulation as well as institutional, behavioural and experimental economics. In addition, Tilburg University is a social science specialized institution, hosting various research groups on topics covering multiple aspects of transnational, comparative and global law from a theoretical and empirical viewpoint.

Please apply for this position online before May 2, 2022. Address your letter of interest to prof.dr.  E.M.L. (Lokke) Moerel, and add a resume, LLM grade transcript, and a short description of a PhD research topic (max. 750 words). A copy of the Master thesis is not necessary but would be highly appreciated.

First selection interviews take place on May 9, 2022 and second interviews within a week. 
The selection committee consists of:

•    Chair: Prof. dr. S.A.C.M. (Saskia) Lavrijssen (Full Professor & Head of Department)
•    Member: Prof. dr. E.M.L. (Lokke) Moerel, (Full Professor)
•    Member: dr. R.E. (Rosamunde) van Brakel (Associate Professor)  

Ideally, the preferred candidate can start on September 1, 2022.