Evaluating incident reporting in cybersecurity. From threat detection to policy learning

IF 10 1区管理学 Q1 INFORMATION SCIENCE & LIBRARY SCIENCE

Government Information Quarterly Pub Date : 2024-12-24 DOI:10.1016/j.giq.2024.102000

Simone Busetti, Francesco Maria Scanni

{"title":"Evaluating incident reporting in cybersecurity. From threat detection to policy learning","authors":"Simone Busetti, Francesco Maria Scanni","doi":"10.1016/j.giq.2024.102000","DOIUrl":null,"url":null,"abstract":"<div><div>The escalating threat of cyber risks has propelled cybersecurity policy to the forefront of governmental agendas worldwide. Incident reporting, a cornerstone of cybersecurity legislation, may facilitate swift responses to cyberattacks and foster a learning process for policy enhancement. Despite its widespread adoption, there are no analyses on its efficacy, implementation, and avenues for improvement. This article provides a theory-based evaluation of incident reporting using the methods of realist synthesis and process tracing. We develop a program theory of incident reporting hypothesizing its dual role as a fire alarm and a catalyst for policy learning. The program theory is tested by drawing upon a range of literature and official documents, supplemented by insights from the Italian context through interviews with key informants. The evaluation reveals mixed findings. While incident reporting effectively serves as a fire alarm, particularly for organizations with limited cybersecurity capacity, challenges persist due to capacity gaps and a reluctance to report incidents. The link between incident reporting and policy learning remains tenuous, with evidence of inertia hindering the implementation of more radical changes. Policy recommendations include streamlining internal communications, combining rapid and in-depth reporting, fostering data-sharing agreements, ensuring dedicated communication of lessons from central cyber actors, and streamlining organizational procedures for implementing changes.</div></div>","PeriodicalId":48258,"journal":{"name":"Government Information Quarterly","volume":"42 1","pages":"Article 102000"},"PeriodicalIF":10.0000,"publicationDate":"2024-12-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Government Information Quarterly","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0740624X24000923","RegionNum":1,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}

引用次数: 0

Abstract

The escalating threat of cyber risks has propelled cybersecurity policy to the forefront of governmental agendas worldwide. Incident reporting, a cornerstone of cybersecurity legislation, may facilitate swift responses to cyberattacks and foster a learning process for policy enhancement. Despite its widespread adoption, there are no analyses on its efficacy, implementation, and avenues for improvement. This article provides a theory-based evaluation of incident reporting using the methods of realist synthesis and process tracing. We develop a program theory of incident reporting hypothesizing its dual role as a fire alarm and a catalyst for policy learning. The program theory is tested by drawing upon a range of literature and official documents, supplemented by insights from the Italian context through interviews with key informants. The evaluation reveals mixed findings. While incident reporting effectively serves as a fire alarm, particularly for organizations with limited cybersecurity capacity, challenges persist due to capacity gaps and a reluctance to report incidents. The link between incident reporting and policy learning remains tenuous, with evidence of inertia hindering the implementation of more radical changes. Policy recommendations include streamlining internal communications, combining rapid and in-depth reporting, fostering data-sharing agreements, ensuring dedicated communication of lessons from central cyber actors, and streamlining organizational procedures for implementing changes.

查看原文本刊更多论文

评估网络安全事件报告。从威胁检测到策略学习

不断升级的网络风险威胁已将网络安全政策推向全球政府议程的前沿。事件报告是网络安全立法的基石，可以促进对网络攻击的快速反应，并促进政策改进的学习过程。尽管它被广泛采用，但没有对其有效性、实施和改进途径进行分析。本文采用现实综合和过程追踪的方法，对事件报告进行了基于理论的评估。我们发展了一个事件报告的程序理论，假设其作为火灾警报和政策学习催化剂的双重作用。计划理论通过借鉴一系列文献和官方文件进行测试，并通过对关键线人的采访补充了意大利背景的见解。评估结果好坏参半。虽然事件报告可以有效地作为火警警报，特别是对于网络安全能力有限的组织，但由于能力差距和不愿报告事件，挑战仍然存在。事件报告与政策学习之间的联系仍然薄弱，有证据表明，惰性阻碍了更激进变革的实施。政策建议包括简化内部沟通，结合快速和深入的报告，促进数据共享协议，确保专门沟通中央网络行为者的经验教训，以及简化实施变革的组织程序。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Government Information Quarterly INFORMATION SCIENCE & LIBRARY SCIENCE-

CiteScore

15.70

自引率

16.70%

发文量

106

期刊介绍： Government Information Quarterly (GIQ) delves into the convergence of policy, information technology, government, and the public. It explores the impact of policies on government information flows, the role of technology in innovative government services, and the dynamic between citizens and governing bodies in the digital age. GIQ serves as a premier journal, disseminating high-quality research and insights that bridge the realms of policy, information technology, government, and public engagement.