DOI: 10.1145/3617072.3617098
Research article, Open access

Encouraging Organisational Information Security Incident Reporting

Published: 16 October 2023

Abstract

21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach. (1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company, and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.

Supplemental Material

PDF File
Appendix of paper Encouraging Organisational Information Security Incident Reporting


Published In

EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security
October 2023, 364 pages
ISBN: 9798400708145
DOI: 10.1145/3617072
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Barriers to information security incident reporting
2. Information security incidents
3. Reporting obligation
4. Reporting reluctance

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

EuroUSEC 2023
