ABSTRACT
21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can draw on to make their reporting provisions maximally effective. For this work, we follow a multi-step approach. (1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company, and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.
Index Terms
- Encouraging Organisational Information Security Incident Reporting