From crisis to opportunity - learning from mistakes

by Michèle Trebo
on January 18, 2024
time to read: 10 minutes

Key points

Practice and challenges of organizational learning in relation to cybersecurity incidents

  • Growing importance of cybersecurity in risk management
  • Dynamic threat environment requires adaptability
  • Learning processes from security incidents are essential
  • Challenges in communication and root cause analysis
  • Guidelines for Swiss companies in dealing with cyber security incidents

Cybersecurity incidents are increasingly becoming a focus of companies' risk management. To respond effectively to constantly evolving threats and to improve cyber resilience, it is crucial to analyze cybersecurity incidents and learn from them. This article summarizes the study "I don't think we're there yet: The practices and challenges of organizational learning from cyber security incidents" and attempts to derive guidelines for Swiss companies from its results.

Overview

Rapid developments in digital technologies have enabled companies to increase operational efficiency and reduce costs. However, these benefits come with increasing and constantly evolving cyber threats. The traditional notion of organizational defense is outdated as companies now operate in a dynamic ecosystem characterized by fluid boundaries and complex supplier relationships. The integration of new digital technologies into existing IT infrastructures increases cybersecurity risks as attack surfaces for cyberattacks grow. This underlines the need to continuously improve cyber security capabilities. The global number of cyberattacks is increasing and the costs and impact are significant. Cyber attacks are seen as one of the biggest threats to businesses. The shortage of skilled cybersecurity professionals requires organizations to find more effective ways to reduce security incidents. Cybersecurity incidents can serve as a learning opportunity for organizations to strengthen their defenses and protect themselves from future threats.

Research methods

A qualitative approach was chosen for the study. This approach allowed for a deep understanding of the phenomenon and considered both positivist and constructivist theoretical frameworks. The aim of the study was to understand and analyze the practices that organizations use to learn from cybersecurity incidents. The results of the study were presented in a generalized and anonymized form and offered aggregated insights from multiple sources. To gain insights into the learning practices of organizations, interviews were conducted with 34 security professionals from various industries in the UK. Participants were purposively selected to ensure they had sufficient knowledge of how their organization learns from cybersecurity incidents. Both virtual and face-to-face interviews were conducted, which were recorded and transcribed. The coding and analysis of the interviews aimed to identify prevailing patterns and significant learnings from the interviewees.

Findings

The study uses neoinstitutional theory as its analytical lens. According to this theory, organizations develop practices, including the way they learn from cybersecurity incidents, largely under pressure from their institutional environment rather than purely on the basis of what works best. The findings below are grouped by the types of pressure the theory distinguishes.

Isomorphic pressure

According to neoinstitutional theory, organizations under isomorphic pressure tend to adopt practices similar to those of other organizations in their environment in order to be seen as legitimate and acceptable. They look to the standards and expectations of other organizations to shape their own learning processes. Respondents indicated that their organizations do not explicitly evaluate the effectiveness of their learning practices. Instead, the absence of repeated incidents was cited as an indicator of successful learning. This is a weak signal: a repeat incident may simply not have occurred yet, or may have occurred without being detected.

Coercive pressure

Coercive pressure, in the form of laws, regulations and contracts, plays a critical role in shaping communication practices and in the involvement of legal and communications teams when responding to cybersecurity incidents. The challenges in this area often result from the global structure of organizations: jurisdiction is difficult to determine because it depends on factors such as the subject matter involved, the location of the incident and the identity of the attacker. In addition, the need to communicate with various regulatory bodies and government organizations significantly increases the complexity of communication during a specific cybersecurity incident. Another aspect highlighted in the study is that while many organizations have put contractual obligations in place for their suppliers to report cybersecurity incidents, the reporting is usually not transparent enough. Fear of legal consequences and regulatory action often limits the willingness to share detailed information about cybersecurity incidents with other organizations, which makes learning from such incidents considerably more difficult. Open communication could help organizations not only respond better to cybersecurity incidents, but also protect themselves against them.

Normative pressure

It was noted that mandatory cybersecurity incident reporting training exists, but there is no consistent assessment of its effectiveness. Some organizations supplement this training with additional encouragement to create a blame-free culture. Incident classification varies from organization to organization and there is no uniform method. This leads to standardization challenges and makes it difficult to compile reliable cybersecurity incident statistics.

Mimetic pressure

Legal concerns, regulatory implications and contractual obligations are often barriers to sharing detailed cybersecurity incident information, as mentioned earlier. Organizations tend to mimic the practices of other organizations because leadership often has a limited understanding of cyber risk and the field is constantly evolving. How distant another organization's incident feels from their own context influences respondents' willingness to engage with it. Still, they acknowledge that lessons learned from other organizations' incidents influence how they perceive threats to their own organization.

Recognition of cybersecurity incidents

Respondents said they were aware that, if they had not already experienced a serious cybersecurity incident, it was only a matter of time before one occurred. This awareness motivates them to look proactively for potential problems and emphasizes the importance of identifying incidents early. The majority of respondents stressed the need for a work environment that views cybersecurity incidents as opportunities for growth and improvement, rather than as occasions for personal advantage or for assigning blame to others. However, it was also noted that creating a culture of openness and transparency poses significant challenges and cannot be achieved overnight.

Identifying root causes

Practical constraints such as limited time and resources make it difficult to investigate root causes thoroughly. Interviewees also state that it is challenging to motivate teams to prioritize the investigation of underlying causes. The quality of investigations is highly dependent on the involvement of the right people at the right time. Furthermore, company policies and individual defensiveness were identified as significant barriers to root cause investigations. These challenges highlight the complexity of root cause investigation of cybersecurity incidents and underscore the importance of cultural change, appropriate resource allocation and trend analysis capabilities to improve the effectiveness of incident investigations and learning processes within organizations. Fully understanding the root causes of a cybersecurity incident is critical to learning from it and improving the organization's security.

Implementation of lessons learned from incidents

There are differences in how organizations track the implementation of lessons learned from cybersecurity incidents and in who is responsible for it. In some regulated industries, there are more rigorous reporting mechanisms and risk committees that oversee progress on implementation, while in other organizations responsibility often ends once an incident report has been created. Implementation of lessons learned can diminish over time as the energy and focus present during a cybersecurity incident wane and other tasks become more pressing. Structural issues and major investments can also cause such measures to be delayed. Some organizations overlook learning opportunities from cybersecurity incidents. Others, however, use them to gain attention and funding for security initiatives. It is necessary to establish robust mechanisms for tracking lessons learned and maintaining implementation momentum, to prioritize strategic investments and to conduct regular assessments to ensure that the actions taken in response to cybersecurity incidents are indeed effective.

Trial and error - continuously learning from mistakes

A continuous learning and improvement approach is critical to increasing cyber resilience in organizations.

Guidelines for Swiss companies based on the study from the United Kingdom

Based on the study "I don't think we're there yet: The practices and challenges of organizational learning from cyber security incidents", Swiss companies can take several measures to improve their cybersecurity. It is advisable to assess regularly how the organization learns from cybersecurity incidents and to promote a culture of openness in which reporting incidents and learning from mistakes is encouraged. A uniform method for classifying incidents is important both for standardizing the response and for producing reliable incident statistics. A more in-depth analysis of causes is also essential in order to identify systemic factors and develop effective countermeasures. Furthermore, the lessons learned should not only be identified, but also implemented and continuously monitored to confirm that they remain effective. Transparent communication with suppliers and partners and the promotion of further training and specialist knowledge in cybersecurity are also key aspects. Finally, companies should encourage information sharing and collaboration within their industry and with regulators in order to learn from incidents and adapt to new threats.

Summary

The study "I don't think we're there yet: The practices and challenges of organizational learning from cyber security incidents" underlines the importance of a continuous organizational learning process for strengthening cyber resilience. Although it is based on data from the UK, the findings may also be relevant for Swiss companies. Companies need to see cybersecurity incidents not just as a risk, but as an opportunity to learn and strengthen their defenses. This requires a regular review and adaptation of learning practices as well as the establishment of an open and transparent corporate culture in which reporting cybersecurity incidents and learning from mistakes is actively encouraged.

The study also emphasizes the importance of adapting to constantly evolving cyber threats. The progressive integration of new technologies and increasing global networking are leading to an increase in cybersecurity risks. In this context, it is essential for companies to continuously improve their security capabilities and adapt flexibly to dynamic threat situations.

Another point is the thorough analysis of security incidents. Systemic weaknesses can only be identified, and effective countermeasures developed, through a detailed investigation of the causes. The insights gained from such analyses should not only be identified, but also consistently implemented and regularly reviewed to ensure their effectiveness.

The study further emphasizes the importance of communication and collaboration. Open and transparent communication with suppliers, partners and within the industry is essential in order to learn from incidents collectively and adapt to new threats together. Sharing information and cooperating with regulatory authorities are also important aspects of being able to respond effectively to cybersecurity incidents.

Furthermore, given the shortage of qualified cybersecurity experts, it is essential for companies to invest in the education and training of their employees and to promote cybersecurity expertise. This makes a significant contribution to strengthening skills and competencies in dealing with cyber risks.

About the Author

Michèle Trebo

Michèle Trebo holds a Bachelor's degree in Information Technology from ZHAW and worked for six years as a police officer in the field of cybercrime investigations. She is responsible for criminal research topics such as darknet analysis, cyber threat intelligence, fraud investigation and forensics. (ORCID 0000-0002-6968-8785)
