Independent thesis Advanced level (degree of Master (Two Years)), 10 credits / 15 HE credits
Critical infrastructure systems, including energy, healthcare, water, and transportation, are becoming increasingly reliant on interconnected digital technologies, making them highly vulnerable to cyber threats. Among these, zero-day vulnerabilities represent a particularly hazardous category, as they are exploited before developers become aware of them, often leading to severe disruptions, financial losses, and risks to public safety. This thesis explores how regulatory frameworks influence the mitigation of zero-day vulnerabilities in critical infrastructure, assessing existing cybersecurity policies and identifying regulatory gaps that allow such threats to persist.
Using a qualitative methodology, the research combines regulatory analysis with case studies of major zero-day incidents such as Stuxnet, WannaCry, and SolarWinds. Key data sources include threat intelligence platforms such as MITRE ATT&CK and CVE databases, as well as national and international cybersecurity standards such as NIST, GDPR, ISO/IEC 27001, and CISA. The study evaluates the effectiveness of regulatory responses before and after these incidents and investigates whether policy interventions have led to measurable reductions in vulnerability exposure.
Findings suggest that while regulatory frameworks provide foundational security guidance, they often lack specificity, agility, and enforcement mechanisms needed to counter rapidly evolving zero-day threats. The thesis culminates in the development of a structured set of policy recommendations aimed at enhancing cybersecurity governance, promoting proactive threat intelligence sharing, and supporting coordinated response strategies across public and private sectors. These recommendations are intended to support policymakers, regulators, and infrastructure operators in strengthening resilience against emerging cyber risks.
2025. , p. 31