Cyber crisis management: A decision-support framework for disclosing security incident information

Proceedings of the 2012 ASE International Conference on Cyber Security, CyberSecurity 2012

Volumn , Issue , 2012, Pages 103-112

  Kulikova, Olga ^a   Heil, Ronald ^a   Van Den Berg, Jan ^b   Pieters, Wolter ^b  

^a KPMG   (Netherlands)

^b DELFT UNIVERSITY OF TECHNOLOGY   (Netherlands)

Author keywords

Cyber security; incident response; information disclosure; internal and external stakeholders

Indexed keywords

NETWORK SECURITY;

CRISIS MANAGEMENT; CYBER SECURITY; CYBER-ATTACKS; DECISION SUPPORT FRAMEWORK; EXTERNAL STAKEHOLDERS; INCIDENT RESPONSE; INFORMATION DISCLOSURE; SECURITY INCIDENT;

DECISION SUPPORT SYSTEMS;

EID: 84881068261     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CyberSecurity.2012.20     Document Type: Conference Paper

References (32)

1. W. T. Coombs and S. J. Holladay, The Handbook of Crisis Communication: John Wiley & Sons, 2012.
2. B. Reynolds and M. W. Seeger, "Crisis and Emergency Risk Communication as an Integrative Model," Journal of Health Communication, vol. 10, pp. 43-55, February 2005.
3. M. Hossain and H. Hammami, "Voluntary disclosure in the annual reports of an emerging country: The case of Qatar," Advances in Accounting, vol. 25, pp. 255 - 265, 2009.
4. Verizon. (2012). 2012 Data Breach Investigations Report. Available: http://www.verizonbusiness.com/resources/reports/rp-data-breach-investigations- report-2012-en-xg.pdf
5. RSA. (2011). A New Era of Compliance. Raising the Bar for Organisations Worldwide. Available: http://www.rsa.com/innovation/docs/CISO-RPT-1010.pdf
6. R. L. Dilenschneider and R. C. Hyde, "Crisis communications: Planning for the unplanned," Business Horizons, vol. 28, pp. 35 - 38, 1985.
7. M. Smith, R. Hunter, and K. McGee, "Opportunities and Threats in a World of Great Transperency," Gartner, September 2010.
8. Internet Security Alliance (ISA) and t. A. N. S. I. (ANSI). (2010). The Financial Management of Cyber Risk. Available: http://publicaa.ansi.org/sites/ apdl/khdoc/Financial+Management+of+Cyber+Risk.pdf
9. J. B. Kaufmann and I. F. Kesner, "The myth of full disclosure: A look at organizational communications during crises.," Business Horizons, vol. 37, p. 29, 1994.
10. G. K. Meek, C. B. Roberts, and S. J. Gray, "Factors Influencing Voluntary Annual Report Disclosures By U.S., U.K. and Continental European Multinational Corporations," Journal of International Business Studies, vol. 26, pp. 555-572, 1995.
11. P. M. Healy, A. P. Hutton, and K. G. Palepu, "Stock Performance and Intermediation Changes Surrounding Sustained Increases in Disclosure," Contemporary Accounting Research, vol. 16, pp. 485-520, 1999.
12. W. T. Coombs, "Protecting Organization Reputations During a Crisis: The Development and Application of Situational Crisis Communication Theory," Corp Reputation Rev, vol. 10, pp. 163-176, 2007.
13. P. M. Schwartz and E. J. Janger, "Notification of Data Security Breaches," ed: Michigan Law Review, Vol. 105, p. 913, 2007.
14. H. Khurana, J. Basney, M. Bakht, M. Freemon, V. Welch, and R. Butler, "Palantir: a framework for collaborative incident response and investigation," presented at the Proceedings of the 8th Symposium on Identity and Trust on the Internet, Gaithersburg, Maryland, 2009.
15. K. M. Moriarty, "Incident Coordination," Security Privacy, IEEE, vol. 9, pp. 71 -75, nov.-dec. 2011.
16. S. Romanosky, R. Telang, and R. Acquisti, "Do Data Breach Disclosure Laws Reduce Identity Theft?," Journal of Policy Analysis and Management, pp. 256-286, 2011.
17. K. Hausken, "Information sharing among firms and cyber attacks," Journal of Accounting and Public Policy, vol. 26, pp. 639 - 688, 2007.
18. K. R. Fitzpatrick and M. S. Rubin, "Public relations vs. legal strategies in organizational crisis decisions," Public Relations Review, vol. 21, pp. 21 - 33, 1995.
19. L. Ponemon Institute. (2011). 2010 Annual Study. Global Cost of a Data Breach. Available: http://www.symantec.com/about/news/resources/press-kits/ detail.jsp?pkid=ponemon
20. D. M. Dekker, C. Karsberg, and B. Daskala. (2012). Cyber Incident Reporting in the EU. An overview of security articles in EU legislation. Available: http://www.enisa.europa.eu/activities/Resilience-and- CIIP/Incidents-reporting/cyber-incident-reporting-inthe-eu/at-download/ fullReport
21. NYSE. (2003). Final NYSE. Corporate Governance Rules. Available: http://www.nyse.com/pdfs/finalcorpgovrules.pdf
22. the Division of Corporation Finance of the U.S. Securities and Exchange Commission (SEC), "CF Disclosure Guidance: Topic No. 2 - Cybersecurity," ed, 2011.
23. R. Kalb. (2012). Disclosures 2012: Level of cybersecurity risk disclosures varies after new SEC guidance. Available: http://blogs.reuters.com/ financial-regulatoryforum/2012/04/06/disclosures-2012-level-of-cybersecurity- risk-disclosures-varies-after-new-secguidance/
24. D. S. Alberts and R. E. Hayes, Power to the Edge: Command and Control in the Information Age (Information Age Transformation Series): CCRP Publish Series, 2003.
25. C. E. Carroll, Corporate Reputation and the News Media: Agenda-Setting Within Business News Coverage in Developed, Emerging, and Frontier Markets (Google eBook): Taylor & Francis, 2010.
26. PWC. (2011). Cybercrime: protecting against the growing threat. Global Economic Crime Survey. Available: http://www.pwc.com/en-GX/gx/economic- crimesurvey/assets/GECS-GLOBAL-REPORT.pdf
27. PWC. (2011). Cyber crisis management: A bold approach to a bold and shadowy nemesis. Available: http://www.pwc.com/en-US/us/forensicservices/ publications/assets/cyber-crisismanagement.pdf
28. P. Argenti. (2011). Digital Strategies for Powerful Corporate Communications. Available: http://www.europeanfinancialreview.com/?p=2581
29. M. J. G. van Eeten and J. M. Bauer, "Economics of Malware: Security Decisions, Incentives and Externalities," OECD Publishing, OECD Science, Technology and Industry Working Papers, May 2008.
30. E. Van Ruitenbeek, The Common Misuse Scoring System (CMSS) [electronic resource] : metrics for software feature misuse vulnerabilities / Elizabeth Van Ruitenbeek, Karen Scarfone. Gaithersburg, MD :: U.S. Dept. of Commerce, National Institute of Standards and Technology, 2009.
31. R. McMillan, "Six Decisions You Must Make to Prepare for a Security Incident," Gartner, September 2011.
32. O. Kulikova, "Cyber Crisis Management, a decisionsupport framework for disclosing security incident information," TBM, Delft University of Technology, Delft, 2012.