Postdoc Understanding Practices and Stakeholder Experiences of Patching Security in Organizations

Job description

We are looking for a motivated researcher interested in collecting and analyzing various types of data from within partner organizations—such as interviews, surveys, ticketing systems, and incident logs—to understand the organizational and technical practices around patching security in organizations.

We are in an age of regular news stories about vulnerabilities in organization IT being exploited, for theft of customer data or injection of malware and ransomware. The costs seem to be rising, yet organizations still do not appear to be patching their IT systems and keeping software up-to-date.

The reality is that organizations face a painful dilemma: patch too soon and incur potential downtime and failures; patch too late and get compromised by attacks. As a result, organizations take a long time to patch even critical security vulnerabilities. The way to get out of this catch-22 is to radically change the risk governance of patching. That is the objective of the NWO-funded THESEUS project.

In this project, we work with real-world partner organizations, such as KLM-AirFrance, Rijkswaterstaat, City of Amsterdam, City of The Hague, KPN, and the National Cyber Security Center. We engage with risk management and patch management professionals to understand the challenges they face. We also engage with organizational decision-makers and the wider workforce to rationalize their perspective on the benefits and disruptions of keeping systems patched in a timely manner. This work complements efforts at partner universities to explore automatic vulnerability and patch triaging, risk profiling, and legal instruments such as incentive mechanisms.

Your PhD, degree(s) and experiences could be from social science or an interdisciplinary program, but also from information systems, telecommunications or computer science. You could have a background in social and organizational research and be willing to learn about the technical factors at play. Or vice versa: you could be a technically trained person with an interest in the social aspects. You would work in close collaboration with researchers from computer science and social science disciplines.

The researcher will be part of an interdisciplinary team of over 20 scientists who jointly research cybersecurity issues. The team consists of people from different disciplines, countries, and backgrounds. The project also offers the opportunity to collaborate with real-world companies in government, healthcare, and various other sectors, working closely with security managers and IT management teams. We also work with government organizations and leading solutions providers who are developing policies and practices for organizations. The candidate will have the opportunity to present their work at international conferences, to conduct research abroad and to collaborate with leading researchers working towards a secure digital future.

Job requirements

• In possession of a PhD or equivalent in a social science / behavioural science / organisational science, or in a field investigating the human aspects of information security (which can include some areas of information systems or computer science).
• English language skills.
• Dutch is a plus because interviews will be conducted with employees of Dutch organizations.
• Good academic writing skills and excellent communication skills.
• Being able to organize your work independently.
• Curious and critical mind.
• Can work together in an interdisciplinary team.

TU Delft (Delft University of Technology)

TU Delft is a top international university combining science, engineering and design. It delivers world-class results in education, research and innovation to address challenges in the areas of energy, climate, mobility, health and digital society.

Faculty Technology, Policy and Management

The Faculty of TPM contributes to solving complex technical-social issues, such as energy transition, mobility, digitalisation, water management and (cyber) security. TPM combines insights from engineering, social sciences and the humanities, is internationally oriented and has an extensive network of knowledge institutions, companies, social organisations and governments.

Conditions of employment

• Duration of contract is until 31 March 2026. Temporary.
• Salary and benefits are in accordance with the Collective Labour Agreement for Dutch Universities.
• An excellent pension scheme via the ABP.
• The possibility to compile an individual employment package every year.
• Discount with health insurers on supplemental packages.
• Flexible working week.
• Every year, 232 leave hours (at 38 hours). You can also sell or buy additional leave hours via the individual choice budget.
• Plenty of opportunities for education, training and courses.
• Partially paid parental leave.
• Attention for working healthy and energetically with the vitality program.
• If relocation to the Netherlands is needed, TU Delft offers support to help make the move as smooth as possible, including information and events to help you settle in Delft and expand your social network.
• A Dual Career Programme is available to support an accompanying partner with their job search in the Netherlands.

As part of knowledge security, TU Delft conducts a risk assessment during the recruitment of personnel. This is done, among other things, to prevent the unwanted transfer of sensitive knowledge and technology. The assessment is based on information provided by candidates themselves, such as their motivation letter and CV, and takes place at the final stages of the selection process. When the outcome of the assessment is negative, the candidate will be informed. The processing of personal data in the context of the risk assessment is carried out on the legal basis of the GDPR: performing a public task in the public interest.