<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>ORCID:</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Dependencies among Challenges for Quantum-safe</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ini Kong</string-name>
          <email>i.kong@tudelft.nl</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Marijn. Janssen</string-name>
          <email>m.f.w.h.a.janssen@tudelft.nl</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Nitesh. Bharosa</string-name>
          <email>n.bharosa@tudelft.nl</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Delft University of Technology</institution>
          ,
          <addr-line>Delft, Jaffalaan 5, 2628 BX Delf</addr-line>
          ,
          <country country="NL">The Netherlands</country>
        </aff>
      </contrib-group>
      <volume>000</volume>
      <fpage>0</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>The quantum computing-based threats call for a critical information infrastructure to modify widely used cryptographic algorithms to ones that are quantum-safe (QS). Yet, little scholarly research has been undertaken to study QS transition, and the guidance to prepare for socio-technical predicaments of the transition falls short. To address the gaps, the paper aims to determine the contextual interaction between QS transition challenges and classify these challenges into driving power and dependency power. In doing so, we use an integrated Interpretive Structural Modelling (ISM)-Matrice d'Impacts Croisés Multiplication Appliqués à un Classement (MICMAC) approach. The results of ISM-MICMAC analysis indicate that the dominant challenges that organizations need to prioritize are establishing a clear QS transition governance and collaborations in the ecosystem. The findings show that it is crucial for organizations to understand the ecosystem making up the critical information infrastructure they are operating in and collaboratively navigate the action approaches for the QS transition. This also implies that preparation for the QS transition not only includes developing QS solution standards but also requires well-defined roles and responsibilities for various actors in the ecosystem. Quantum-safe transition, Transition challenges, ISM MICMAC analysis EGOV-CeDEM-EPart2023, September 05-07, Corvinus University of Budapest, Hungary</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>We now live in a world in which nearly everything is connected to everything else [1, 2]. Information
has become the most important building block of our societies, and maintaining the secure transaction
of information has become a necessity. Likewise, critical information infrastructure for governments
plays an important role in maintaining vital public services for individuals and organizations. The secure
functioning of critical information infrastructure not only forms the backbone of a nation’s security but
also maintains public safety [3, 4].</p>
      <p>While many of these services provided by critical information infrastructure depend on today’s
widely used cryptographic algorithms, we are now entering an era where the infrastructure may no
longer be protected. The computation power of quantum computers can potentially break the entire
foundational cryptographic layers that information architectures depend on [5, 6]. Although there is no
large-scale quantum computer available at the time of writing, information that requires long-term
security can still be harvested, stored now, and decrypted later [7-9].</p>
      <p>The topic of Quantum-safe (QS) transition is relatively new in the field of Information Systems.
In order to safeguard the critical information infrastructure, current cryptographic algorithms need to
be modified with ones that are quantum-safe (QS). The National Institute for Standards and Technology
(NIST) is currently standardizing QS algorithms using Post Quantum Cryptography (PQC) [7, 10, 11].
Although the development has been ongoing since 2016, substituting these QS algorithms in the current
infrastructures with a simple drop-in approach may not be feasible [12, 13].</p>
      <p>Due to various use cases and multiple actors involved in critical information infrastructure, QS
transition remains complex, and organizations may need to consider all aspects of social-technical
predicaments [7, 14-20]. However, there is a void in the literature about the relationship between QS</p>
      <p>2023 Copyright for this paper by its authors.
transition challenges and how significant they may be to each other in realizing QS transition. To
address the gaps in the literature, a research question has been formulated:</p>
      <p>RQ. What are the relationships between challenges toward QS transition?</p>
      <p>Understanding the relationship between challenges will help us to identify which challenges should
be tackled first to transition toward QS. We use the list of QS transition challenges obtained from both
literature and expert opinions as input for an Integrated Interpretive Structural Modelling (ISM)-Matrice
d’Impacts Croisés Multiplication Appliqués à un Classement (MICMAC) approach. The paper provides
the following contribution: i) to discover contextual relationships between QS transition challenges, ii)
to develop a hierarchical structural model of QS transition challenges, iii) to identify QS transition
challenges that can be tackled first, and iv) to suggest areas for further research.</p>
      <p>The paper is structured as follows: section two provides background information on Public Key
Infrastructure (PKI) ecosystem and a list of QS transition challenges. Section three discusses the
research methodology and provides an overview of the integrated Interpretive Structural Modelling
(ISM)-Matrice d’Impacts Croisés Multiplication Appliqués à un Classement (MICMAC) approach.
Section four presents data analysis and results of the integrated ISM-MICMAC approach, followed by
discussions in section five. The paper concludes in section six with an overview of limitations and
directions for future research.
2
2.1</p>
    </sec>
    <sec id="sec-2">
      <title>Background</title>
      <sec id="sec-2-1">
        <title>Public Key Infrastructure Ecosystem</title>
        <p>Critical information infrastructure plays an important role in providing digital transactions and
communication [3, 4]. Notably, Public Key Infrastructure (PKI) ensures the security of these services
and also supports platforms of other critical infrastructure, including yet not limited to, finance,
healthcare, defense, or national government. By managing identities of users and encryption of
information over networks, the security framework of PKI provides a secure environment for
individuals, businesses, and government agencies to access information on applications and connected
devices [21-23].</p>
        <p>Although this paper does not rush to classify the theoretical stands of the term ecosystem, we use the
definition of ecosystem proposed by Adner [24] to describe the interdependencies in the PKI. The term
is defined as “the alignment structure of the multilateral set of partners that need to interact in order
for a focal value proposition to materialize”[24]. The following definition meets the description of the
PKI ecosystem in four ways: 1. Multilateral set of actors have roles they play in the PKI 2. Actors need
to interact with each other to perform configuration of activities underlying technical interdependencies
of PKI 3. Cryptographic algorithms that are used in PKI need to maintain interoperability and backward
compatibility, and 4. The security framework of PKIs has a value proposition to deliver secure digital
transactions to its users.</p>
        <p>In the context of the Dutch government, governmental PKIs authenticate the identities of users,
secure web access and information sharing, and allow digital communications [25]. One of the largest
information communication technology (ICT) service providers for the government called SSC-ICT
ensures digital means of public services via emails, websites, and other data exchanges [25, 26]. Aside
from SSC-ICT maintaining the security of the national government across seven ministries, one of the
PKIs in the public sector known as PKIoverheid manages electronic identities of users with PKIo
certificates for data exchange systems (e.g. eHerkenning, MedMij, Digikoppeling, and Digipoort) [25].</p>
        <p>The Ministry of the Interior and Kingdom Relations (BZK) makes decisions regarding policy and
strategy for PKIoverheid, and Logius acts as Policy Authority (PA) managing the infrastructure
[2729]. The external organizations that provide PKIoverheid-related services and products are in
compliance with international and EU regulations as well as the Programme of Requirement (PoR) [28].
The standardization bodies such as the National Institute of Standards and Technology (NIST), and
European Standard Organizations (ESOs) also have an influence on PKI standards [28]. The user of
such governmental PKIs includes Tax Authority, Customs, Food, and Consumer Product Safety
Authority, the Dutch Bank, and other ministries [25].</p>
        <p>For QS transition, modifying the cryptographic primitives in governmental PKIs is complex and
may need to consider both socio-technical predicaments [15, 19]. PKI is considered as installed system
with a set of roles, security policies, encryption mechanisms and procedures [7, 30, 31, 27, 28]. From
standardization bodies, regulatory bodies, PKI users to external experts that include service providers,
software companies and hardware vendors, many levels of actors that are involved in facilitating PKI
systems and delivering PKI-managed services may need to be part of the transition [14-16, 19, 20].
While QS solutions continue to remain undecided, guidance to prepare for the transition falls short and
organizations are left with unclear steps for QS transition.
2.2</p>
      </sec>
      <sec id="sec-2-2">
        <title>List of QS Transition Challenges</title>
        <p>The QS Transition Challenges are categorized into three different contexts: Technological,
Organizational, and Ecosystem Context [32, 33]. Although Technology-Organization-Environment
(TOE) framework has been initially used to cluster the QS transition challenges, the term environment
has been revised with the term ecosystem to better address challenges that may arise in the context of
QS transition. Error! Reference source not found. provides an overview of QS transition challenges that
have been used as input for ISM-MICMAC approach.
3
3.1</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>Research Methodology</title>
      <sec id="sec-3-1">
        <title>ISM-MICMAC</title>
        <p>In order to examine the contextual relationships among QS transition challenges, we chose an integrated
Interpretive Structural Modelling (ISM)-Matrice d’Impacts Croisés Multiplication Appliqués à un
Classement (MICMAC) approach. The ISM is a methodology of systemic structuring modelling
introduced by Warfield [34], which can be applied when identifying relationships among factors [34].
A set of factors in complex issues are structured into a comprehensive systemic hierarchical model [35,
36]. The MICMAC analysis validates the results obtained from ISM and is introduced by Godet [37] to
illustrate the relationship between the factors according to their driving power and dependence power
using four categories: autonomous, dependent, linkage, and independent [38, 39, 37, 35]. While ISM
can analyze the interrelationships between the factors that influence the system, the MICMAC classifies
factors based on driving power and dependence power.
3.2</p>
      </sec>
      <sec id="sec-3-2">
        <title>Expert Opinion</title>
        <p>Semi-structured Interviews: The aim of the interviews was to refine the list of QS transition
challenges that were previously identified in the literature, Challenges in the Transition towards a
Quantum-safe Government [15]. The interviews were conducted in the form of semi-structured
interviews with experts from industry and government. The selected experts were contacted via emails,
and all experts had relevant work experience with PKI systems and had prior knowledge of
organizational and/or technical challenges on QS transition. After 12 expert interviews, the list of 15
QS transition challenges was derived as an input for ISM-MICMAC approach. Table 1 shows the list
of experts that participated in the interviews.</p>
        <p>Workshop: In order to collect the data for Structural Self-Interaction Matrix (SSIM), a workshop was
organized in January 2023. Since the workshop provides an opportunity for practitioners to examine
the context of the study and share their insights, we invited an expert who maintains the security of
critical information infrastructure across Dutch ministries. The selected expert has a prior technical
background and holds relevant knowledge and experience from both industry and government. The
expert is also familiar with the topic of QS transition and the challenges regarding security strategy,
policy, and regulations. Due to the decentralized nature of IT infrastructure in the Dutch government,
we saw that inviting expert who is affiliated with the government PKIs among ministries would help us
understand the QS transition challenges among ministries.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Data Analysis and Results of ISM-MICMAC</title>
      <p>This section explains the detailed process of data analysis and the results of the ISM-MICMAC
approach.
4.1</p>
      <sec id="sec-4-1">
        <title>Data Analysis of ISM-MICMAC</title>
        <p>The steps used in the data analysis of ISM-MICMAC are described below in relation to the topic of this
paper.</p>
        <p>Step 1: Identify and finalize the list of factors that will be used as input for the ISM-MICMAC
approach. The list of QS transition challenges generated by the literature review and expert interviews
is shown in Appendix 1.</p>
        <p>Step 2: Develop Structural Self-Interaction Matrix (SSIM) to collect data on contextual relationships
between the list of QS transition challenges.</p>
        <p>Step 3: Examine the contextual relationship between any two factors (i and j) and fill out the SSIM.
Start from a yellow box (C1, C2) and indicate one of the four symbols below to represent the
relationship between factors.</p>
        <p>V: Challenge i will influence Challenge j
A: Challenge j will influence Challenge i
X: Challenge i and Challenge j will influence each other
O: Challenge i and Challenge j are not related</p>
        <p>Step 4: Establish Initial Reachability Matrix (IRM) from the SSIM matrix. IRM is a binary matrix
with 0’s and 1’s that is derived in accordance to four symbols following the rules for the substitution.
If the (i,j) in the SSIM is V, then (i,j) in the reachability matrix becomes 1 and the (j,i) becomes 0
If the (i,j) in the SSIM is A, then (i,j) in the reachability matrix becomes 0 and the (j,i) becomes 1
If the (i,j) in the SSIM is X, then (i,j) in the reachability matrix becomes 1 and the (j,i) becomes 1
If the (i,j) in the SSIM is O, then (i,j) in the reachability matrix becomes 0 and the (j,i) becomes 0</p>
        <p>Step 5: Test the IRM for transitivity and derive the Final Reachability Matrix (FRM). The transitivity
is incorporated to fill the gap and 1* entries are indicated to show the changed relationships for the final
reachability matrix. Table 2 shows the FRM that is revised from the IRM in accordance with the
transitivity. The changes are highlighted in grey boxes and are indicated with 1* entries
Concept of Transitivity: If factor A influences factor B, and factor B influences factor C, then factor A also influences factor
C. If there was no initial relationship between factor A and factor C in IRM, then the concept of transitivity is achieved between
factor A and factor C, and 1* entry is indicated in the FRM.</p>
        <p>Step 7: Obtain a reachability matrix with reachability set and antecedent set from the entries in rows
and columns in FRM. E.g. In the reachability set, factors in the row that are affected by factor C1 are
identified. In the antecedent set, factors in the column that are affecting factor C1 are identified. After
the reachability set and antecedent set are determined, the intersection set is derived from the list of
factors from the intersection of these sets.</p>
        <p>Step 8: Once the reachability matrix is determined in Step 7, Step 8 is taken to determine the level
of each QS transition challenge. Partition the reachability matrix and classify the FRM into various
levels. The top-level factors (L1) include those factors that will be led by other factors in the lower level
(L2, L3.. etc.). Once the top-level factor is identified, it is removed from consideration. Then, the same
process is repeated to find out the factors in the next level. This process continues until the level of each
factor is found. Table 3 shows different levels for QS transition challenges.</p>
        <p>Step 9: Organize the ISM-based hierarchy factors using different levels of a partition obtained in
Step 7. Develop a visual representation of the ISM-based hierarchy model. The result of the ISM-based
hierarchy for QS transition is shown in Figure 2.</p>
        <p>Step 10: Analyze the FRM obtained in Step 5 and calculate the summation of rows and columns
based on their driving and dependence power. Table 4 shows the summation of driving power and
dependence power of QS transition challenges.</p>
        <p>Step 11: Classify the factors in a driving and dependence power diagram in accordance with the
summation of driving power and dependence power obtained in Step 9. Find out which of the four
quadrants each factor belongs to. There are four quadrants in the driving and dependence power
diagram:
Autonomous: Factors that have weak drive power and weak dependence power.</p>
        <p>Dependent: Factors that have weak drive power but strong dependence power.</p>
        <p>Linkage: Factors that have strong drive power as well as strong dependence power.</p>
        <p>Independent: Factors that have strong drive power but weak dependence power.</p>
        <p>The result of the MICMAC analysis for QS transition is shown in the driving and dependence power diagram in
Figure 1.
4.2</p>
      </sec>
      <sec id="sec-4-2">
        <title>Driving and Dependence Power Diagram for QS Transition</title>
        <p>After obtaining the driving power and dependence power of each QS transition challenge, the challenge
is placed in one of the four quadrants in the power diagram (autonomous, dependent, linkage, and
independent). Figure 1 shows the categorization of QS transition challenges in four quadrants based on
the MICMAC approach, and the results are discussed below.</p>
        <p>Autonomous: A set of challenges in this quadrant has weak driving power and weak dependence
power, which signals that the challenges are relatively disconnected from the context. For the QS
transition, no transition challenges were placed in an autonomous quadrant. Having no challenge
belonging to the autonomous set indicates that all 15 QS transition challenges have a significant
influence on the QS transition.</p>
        <p>Dependent: A set of challenges in this quadrant has weak driving power and strong dependence power.
The challenges with strong dependence power would require all other QS transition challenges to
address the QS transition. For the QS transition, no transition challenges were placed in a dependent
quadrant. This indicates that no QS transition challenges have weak driving power and strong
dependence power.</p>
        <p>Linkage: A set of challenges in this quadrant has strong driving power and strong dependence power.
Having both strong driving power and dependence power signals that addressing change regarding the
challenge will impact other challenges and have impact on themselves. For the QS transition, all 15 QS
transition challenges were placed in the linkage quadrant. This indicates that all the QS transition
challenges are interrelated and they impact each other.</p>
        <p>Independent: A set of challenges in this quadrant has strong driving power and weak dependence
power. These factors are also known as key factors falling into the quadrant of independent or linkage.
The challenges with strong driving power can impact other challenges, which should be given priority.
For QS transition, no transition challenges were placed in an independent quadrant and this indicates
that key factors for QS may still need to be identified.
The result of ISM-based hierarchy for QS transition shows that there are four levels of hierarchy. While
the top level (Level 1) consists of challenges that have weak driving power, the lower level of the
hierarchy consists of challenges that have stronger driving power. Thus, challenges in the lowest level
(Level 4) have the strongest driving power among the QS transition challenges. Figure 2 shows the
ISM-based hierarchical model of QS transition challenges.</p>
        <p>In Level 4, there are two challenges which include: Unclear QS Governance in the Ecosystem (C12)
and a Lack of Collaboration in the Ecosystem (C13). In Level 3, there are eight challenges which
include: No Availability of QS Standardization (C2), No QS Standards &amp; Selection (C3), No Reliable
&amp; Secure QS Solutions (C4), No Availability of QS Hardware &amp; Software (C5), No Business Case for
Organizations (C8), Lack of Urgency in the Ecosystem (C11), Lack of Policy &amp; Regulations for QS
Solutions (C14) and Complex Technological Interdependency in the Ecosystem (C15). In Level 2, there
are three challenges which include: Knowledge Needs within Organizations (C6), Lack of Urgency
within Organizations (C7), and Lack of Technical Skills &amp; Qualified Personnel (C9). In Level 1, there
are two challenges which include: Legacy System Constraints (C1) and Unclear QS Governance within
Organizations (C10).</p>
        <p>The result of QS transition challenges in the ISM-based hierarchy concludes that two challenges in
the organizational context such as Legacy System Constraints (C1) and Unclear QS Governance within
Organizations (C10) have the weak driving power and are influenced a whole range of other challenges
in the lower hierarchy (Level 2-4). At first glance, making changes in the legacy systems and
establishing the QS governance within organizations do not seem complex due to the scope of change
being within organizations. However, the results show that addressing the QS transition within
organizations is much more complicated. Since QS transition challenges are interdependent, challenges
that exist at the lower hierarchy may first need to be addressed before the challenges at the top hierarchy
are addressed.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Discussion</title>
      <p>This section provides discussions on data analysis and results of the ISM-MICMAC approach. The
Driving and Dependence Power Diagram in Figure 1 shows that all QS transition challenges were
placed in the linkage quadrant. While QS transition challenges are interrelated, it also indicates that the
QS transition is complex and not stable in nature. If there is a delay in one challenge, it can result in
delays in other challenges. This implies that the QS transition is still at an early stage, and organizations
may need to navigate the transition through a constantly changing environment. Also, there is a
nonoccurrence of autonomous, dependent, and independent challenges. While this indicates that the list of
challenges used in the workshop is all relevant to the topic of QS transition, having no independent
challenges with strong driving power and weak dependence power also signals that there is no single
challenge that can act as a key factor for the QS transition.</p>
      <p>Moreover, the ISM-based hierarchy in Figure 2 provides an overview of QS transition challenges.
Since establishing QS governance and collaboration in the ecosystem have the highest driving power
among the QS transition challenges, addressing these challenges can influence other challenges in the
higher hierarchy (e.g. Levels 1-3). This highlights that the QS transition cannot be single-handled by
one organization and require multiple actors in the PKI ecosystem to be part of the transition. However,
there is a clear institutional void for the QS transition, and many actors in the decentralized nature of
Dutch government PKIs require well-defined roles and responsibilities for the QS transition. Thus,
achieving collective action in the PKI ecosystem is viewed as a priority, and establishing QS
governance. There are various actors in the PKI ecosystem, and public sector is viewed very
decentralized. Thus, addressing collaboration may further crystalize uncertainties in both technological
and ecosystem context.</p>
      <p>In addition, there are many challenges positioned in Level 3, and these include challenges that
require external decisions. While four of these challenges are from the technological context (e.g. QS
standardization, QS standards &amp; selection, secure QS solutions, and QS hardware &amp; software), the other
three challenges are from the ecosystem context (e.g. urgency, policy &amp; regulations for QS solutions
and complex technological interdependencies). Only one challenge belongs to an organizational context
(e.g. having QS transition business cases). This indicates that an external influence is needed across
ministries to proceed with the transition and having business case in organizations may need to align
with the PKI ecosystem they are in. Also, multiple challenges may need to be addressed synchronously
in this level. If everyone is just waiting for each other, delays in one challenge can eventually create a
Catch-22 loop scenario which may lead to a deadlock for the QS transition.</p>
      <p>Furthermore, the challenges in Level 2 and Level 1 relate to the organizational context. Having
urgency within organizations can address knowledge needs and getting technical skills &amp; qualified
personnel within organizations. Although the organizations require external pressures from the lower
hierarchy (e.g. Level 3-4), if organizations already know their cryptographic assets and the impact of
quantum threats in their inventories, it may be possible to raise the level of urgency within
organizations. In Level 1, establishing QS governance within organizations and making changes to
legacy system constraints will only be addressed once many of the technological uncertainties are
discussed and decisions are made in the PKI ecosystem. This also highlights that multiple actors in the
PKI ecosystem may be involved in the different timelines of the QS transition. While some actors may
be involved in making external decisions in the ecosystem, other actors may wait for those decisions
and follow the lead.
6</p>
    </sec>
    <sec id="sec-6">
      <title>Conclusion</title>
      <p>The PKI not only provides digital communication and information sharing but also supports the security
of other critical infrastructures across the national government. With ever-increasing dependency on
PKIs and the possible obsolescence of such infrastructure against quantum threats raises the need to
become quantum-safe. This paper takes a closer look at the QS transition challenges in governmental
PKIs and provides more in-depth understanding of QS transition. While this paper is the first to present
the views of QS transition across governmental PKIs, it is also the first to use a systemic approach to
examine the contextual relationship between QS transition challenges.</p>
      <p>The findings of the paper suggest that QS transition challenges in the ecosystem context and
technological context must be addressed synchronously. Surprisingly, the analyses show that all the QS
transition challenges are interrelated and will impact each other. Nonetheless, QS transition for the
government PKIs cannot be addressed by a single organization and requires decisions to be discussed
across ministries. By prioritizing the QS governance and collaboration in the ecosystem, other important
actors in the ecosystem may be included, and it would set the scene for discussions that is necessary for
the QS transition. While the nature of the QS transition challenges is volatile, if uncertainties
surrounding the technological context and ecosystem context are not addressed in time, it would be
much more challenging for organizations to navigate the transition.</p>
      <p>Although the results of ISM-based hierarchy and MICMAC analysis provide a directional structure
for the QS transition, the analysis also shows that it is a complex problem in which QS transition
challenges are heavily related to one another and actors in the governmental PKIs are interdependent.
While the results indicate that the QS transition is still at its early stage, it shows that there is no single
solution that can address the QS transition, and it is crucial to address both socio-technical
predicaments. Going forth, since legacy system constraints and QS governance within organizations
can be influenced by challenges in the lower hierarchy (Level 2-4), other actions may be needed for
organizations that are looking to become frontrunners for the QS transition.</p>
      <p>Moreover, the paper also found that there are still many more QS transition research opportunities
left to be conducted. While this paper provides the starting point to understand the QS transition and
the dynamics between QS transition challenges, it would also be important to validate the findings with
other experts in the PKI ecosystem to understand different perspectives of QS transition challenges.
Perhaps, the workshops can also be conducted with different actors in different PKI ecosystems other
than governmental PKIs to understand the directions that organizations need to prioritize. Furthermore,
it would be worthwhile to identify what needs to be included in the discussion among different actors
in the PKI ecosystem and further examine some in-between steps that are considered important in
addressing the QS transition challenges.
7</p>
    </sec>
    <sec id="sec-7">
      <title>Acknowledgements</title>
      <p>This publication is part of the HAPKIDO research project with project number NWA.1215.18.002
of the research programme Cybersecurity, which is (partly) financed by the Dutch Research Council
(NWO).
8
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
33.
34.
35.
36.
37.
38.
39.</p>
      <p>TNO, Migration to Quantum-safe Cryptography: About Making Decisions on When, What and
How to Migrate to a Quantum-safe situation F. Muller and M.P.P. van Heesch, Editors. 2020.
TNO, CWI, and AIVD, The PQC Migration Handbook: Guidelines for Migrating to
PostQuantum Cryptography. 2023.</p>
      <p>Vermeer, M.J.D. and E.D. Peet, Securing Communications in the Quantum Communications
in the Quantum Computing Age: Managing the Risks to Encryption 2020, RAND Corporation.
Bharosa, N., et al., Challenging the Chain - Governing the Automated Exchange and
Processing of Business Information. 2015.</p>
      <p>Hunt, R., Technological infrastructure for PKI and digital certification. Computer
Communications, 2001. 24: p. 1460-1471.</p>
      <p>Linn, J., Trust Models and Management in Public-Key Infrastructures. 2000.</p>
      <p>Adner, R., Ecosystem as Structure. Journal of Management, 2017. 43(1): p. 39-58.
Innovalor, PKIoverheid: Onderzoek naar mogelijkheden om gebruik te vergroten bijvoorbeeld
via verplichtstelling. . 2019.</p>
      <p>SSC-ICT. Jaarverslag SSC-ICT 2018. 2018; Available from:
https://www.sscictspecials.nl/jaarverslag-ssc-ict/2018/01.</p>
      <p>Logius, CERTIFICATION PRACTICE STATEMENT (CPS): Policy Authority PKIoverheid for
Private Root CA certificates to be issued by the Policy Authority of the PKI for the Dutch
government. 2020.</p>
      <p>Logius, PKIoverheid Programme of Requirements v4.10: Part 3 Basic Requirements. 2022,
Ministrie van Binnenlandse Zaken en Koninkrijksrelaties.</p>
      <p>NCSC, PKIoverheid is changing. 2020, National Cyber Security Center, Ministry of Justice
and Security.</p>
      <p>CSIRO, The quantum threat to cybersecurity: Looking through the prism of post-quantum
cryptography. 2021.</p>
      <p>Huang, J. and D.M. Nicol, An anatomy of trust in public key infrastructure. International
Journal of Critical Infrastructures, 2017. 13(2/3).</p>
      <p>Baker, J., The Technology–Organization–Environment Framework, in Information Systems
Theory. 2011. p. 231-245.</p>
      <p>Tornatzky, L.G., M. Fleischer, and A.K. Chakrabarti, Processes of Technological Innovation.
Lexington Books, Lexington. 1990: Lexington Books, Lexington.</p>
      <p>Warfield, J.N., Toward Interpretation of Complex Structural Models. IEEE Transactions on
Systems, Man, and Cybernetics, 1974. SMC-4(5): p. 405-417.</p>
      <p>Janssen, M., et al., Challenges for adopting and implementing IoT in smart cities. Internet
Research, 2019. 29(6): p. 1589-1616.</p>
      <p>Usmani, M.S., et al., Identification and ranking of enablers to green technology adoption for
manufacturing firms using an ISM-MICMAC approach. Environ Sci Pollut Res Int, 2023.
Godet, M. Methods of Prospective. 1971; Available from:
http://en.laprospective.fr/methodsof-prospective/softwares---cloud-version/4-micmac.html.</p>
      <p>Attri, R., N. Dev, and V. Sharma, Interpretive Structural Modelling (ISM) approach: An
Overview. Research Journal of Management Sciences, 2013. 2(2).</p>
      <p>Deepu, T.S. and V. Ravi, An ISM-MICMAC approach for analyzing dependencies among
barriers of supply chain digitalization. Journal of Modelling in Management, 2022.
No Availability of QS Standardization
No QS Standards &amp; Selection
No Reliable &amp; Secure QS Solutions
No Availability of Certified QS Hardware &amp;
Software
Knowledge Needs within Organizations
Lack of Urgency within Organizations
No Business Case for Organizations
Lack of Technical Skills &amp; Qualified
Personnel
Unclear QS Governance within Organizations
C1
C2
C3
C4
C5
C7
C8
C9
Code
C6
C10
Code
C11
C12</p>
      <p>Description
The existing system is rigid and only supports a handful of algorithms. The existing system
may need changes in the hardware and/ or software depending on the compatibility of new QS
solutions.</p>
      <p>NIST is currently selecting practical standards and guidelines for QS solutions. Thus, stardards
for QS cryptographic algorithms are not yet available.</p>
      <p>Organization has not yet selected which QS solutions will be used and whether or not to have a
full substitution of QS solution or a hybrid solution. The selection criteria for QS solutions are
not clear. Trade-offs in the performance outcomes and usage context of QS solutions may need
to be examined.</p>
      <p>The QS solutions have not been tested and currently, there is no testing is available to prove the
security of QS solutions.</p>
      <p>The suppliers of the current technology are not yet ready to provide the certified technology
compartments for the replacement technology. e.g. HSM and certificate issuance software for
QS solutions.
There is a lack of knowledge on quantum computing-based threats, and risks associated with
the technology in organizational assets e.g. cryptographic assets, and vulnerabilities etc.</p>
      <p>The arrival of a large-scale quantum computer is perceived to be decades away, and there is a
lack of urgency for QS transition in organizations.</p>
      <p>Organization finds it difficult to enter long-term QS transition commitments without clear
business benefits and opportunities.</p>
      <p>There is a lack of qualified personnel who can understand QS solutions and make decisions on
the implementation process.</p>
      <p>Organization does not have transition plans and they do not know what to prioritize for QS
transition.</p>
      <p>Description
There is a lack of collective sense of urgency and it is difficult to achieve inter-agency
coordination and collaborations with multiple stakeholders.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          <string-name>
            <surname>Broeders</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          ,
          <source>The Secret in the Information Society. Philosophy &amp; Technology</source>
          ,
          <year>2016</year>
          .
          <volume>29</volume>
          (
          <issue>3</issue>
          ): p.
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          <string-name>
            <surname>Quach</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          , et al.,
          <article-title>Digital technologies: tensions in privacy and data</article-title>
          .
          <source>J Acad Mark Sci</source>
          ,
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          <volume>50</volume>
          (
          <issue>6</issue>
          ): p.
          <fpage>1299</fpage>
          -
          <lpage>1323</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          <string-name>
            <surname>Haber</surname>
            , E. and
            <given-names>T.</given-names>
          </string-name>
          <string-name>
            <surname>Zarsky</surname>
          </string-name>
          ,
          <article-title>Cybersecurity for Infrastructure: A Critical Analysis</article-title>
          . Florida State University Law Review,
          <year>2017</year>
          .
          <volume>44</volume>
          (
          <issue>2</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          <string-name>
            <surname>Tikk</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <article-title>Defining Critical Information Infrastructure in the Context of Cyber Threats: The Privacy Perspective</article-title>
          .
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          <string-name>
            <surname>Grover</surname>
            ,
            <given-names>L.K.</given-names>
          </string-name>
          ,
          <article-title>A fast quantum mechanical algorithm for database search</article-title>
          .
          <year>1996</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          <string-name>
            <surname>Shor</surname>
            ,
            <given-names>P.W.</given-names>
          </string-name>
          ,
          <source>Polynomial Time Algorithms for Discrete Logarithms and Factoring on a Quantum Computer</source>
          .
          <year>1994</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          <string-name>
            <surname>Barker</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          , W. Polk, and
          <string-name>
            <given-names>M.</given-names>
            <surname>Souppaya</surname>
          </string-name>
          ,
          <article-title>Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms</article-title>
          .
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          <source>International Journal of Advanced Computer Science and Applications (IJACSA)</source>
          ,
          <year>2018</year>
          .
          <volume>9</volume>
          (
          <issue>3</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          <string-name>
            <surname>Yunakovsky</surname>
            ,
            <given-names>S.E.</given-names>
          </string-name>
          , et al.,
          <article-title>Towards security recommendations for public-key infrastructures for production environments in the post-quantum era</article-title>
          .
          <source>EPJ Quantum Technology</source>
          ,
          <year>2021</year>
          .
          <volume>8</volume>
          (
          <issue>1</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          <string-name>
            <surname>NIST</surname>
          </string-name>
          ,
          <string-name>
            <surname>Report on</surname>
          </string-name>
          Post-Quantum
          <string-name>
            <surname>Cryptography</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          <string-name>
            <surname>Chen</surname>
          </string-name>
          , et al.,
          <source>Editors</source>
          .
          <year>2016</year>
          , National Institute of Standards and Technology, U.S. Department of Commerce.
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          <string-name>
            <surname>NIST. PQC Standardization Process</surname>
          </string-name>
          : Announcing Four Candidates to be Standardized,
          <source>Plus Fourth Round Candidates</source>
          .
          <year>2022</year>
          ; Available from: https://csrc.nist.gov/News/2022/pqccandidates-to
          <article-title>-be-standardized-and-round-4.</article-title>
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          <string-name>
            <surname>Barker</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Souppaya</surname>
          </string-name>
          , and
          <string-name>
            <given-names>W.</given-names>
            <surname>Newhouse</surname>
          </string-name>
          , Migration to Post-Quantum
          <string-name>
            <surname>Cryptography</surname>
          </string-name>
          .
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          <string-name>
            <surname>Bindel</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          , et al.,
          <article-title>Transitioning to a Quantum-Resistant Public Key Infrastructure</article-title>
          .
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          <string-name>
            <surname>CCC</surname>
          </string-name>
          ,
          <article-title>Identifying Research Challenges in Post Quantum Cryptography Migration</article-title>
          and
          <string-name>
            <given-names>Cryptographic</given-names>
            <surname>Agility</surname>
          </string-name>
          .
          <year>2019</year>
          , Computing Community Consortium.
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          <string-name>
            <surname>Kong</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Janssen</surname>
          </string-name>
          , and
          <string-name>
            <given-names>N.</given-names>
            <surname>Bharosa</surname>
          </string-name>
          ,
          <article-title>Challenges in the Transition towards a Quantum-safe Government</article-title>
          ,
          <source>in DG.O 2022: The 23rd Annual International Conference on Digital Government Research</source>
          .
          <year>2022</year>
          . p.
          <fpage>282</fpage>
          -
          <lpage>292</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          <string-name>
            <surname>McKinseyDigital.</surname>
          </string-name>
          ,
          <article-title>When-and how-to prepare for post-quantum cryptography</article-title>
          .
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          <string-name>
            <surname>Tibbetts</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <source>Quantum Computing and Cryptography: Analysis</source>
          ,
          <string-name>
            <surname>Risks</surname>
          </string-name>
          , and
          <article-title>Recommendations for Decision Makers</article-title>
          .
          <year>2019</year>
          , UC Berkeley: Center for Global Security Research.
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>