An exploratory study of organizational cyber resilience, its precursors and outcomes

IF 2 4区管理学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Organizational Computing and Electronic Commerce Pub Date : 2021-09-17 DOI:10.1080/10919392.2022.2068906

Elinor Tsen, Ryan K. L. Ko, S. Slapničar

{"title":"An exploratory study of organizational cyber resilience, its precursors and outcomes","authors":"Elinor Tsen, Ryan K. L. Ko, S. Slapničar","doi":"10.1080/10919392.2022.2068906","DOIUrl":null,"url":null,"abstract":"ABSTRACT Evidence shows that it is paramount for stakeholders to understand the cybersecurity of relevant organizations. However, the secrecy surrounding cyber attacks and how organizations manage their cyber resilience make it impossible for stakeholders to develop this understanding. This paper analyzes organizational cyber resilience, its contextual factors and its impact on the outcomes of cyber attacks based on publicly available data. Using the PRISMA methodology, we collated and analyzed a dataset of 1,145 publicly known cyber attacks. We conceptualize and operationalize cyber resilience from a governance perspective. Our findings indicate that organizations that suffered cyber attacks had the following cyber resilience characteristics: a relatively low level of cyber resilience reflected in the low frequency of cybersecurity roles, low reliance on cybersecurity frameworks, and relatively low strength of prevention, detection, and recovery controls. Cyber resilience is found to be associated with the sector, size, and digital intensity. Linear regression indicates that, expectedly, stronger prevention, detection, and recovery processes are related to lower breach severity and occurrence of investigations or penalties, but contrary to expectations, cybersecurity roles and frameworks are not. Furthermore, better organizational responses are associated with higher breach severity but they are not found to have an impact on the level of investigations, fines, and penalties imposed. We discuss our findings and their implications for cyber resilience regulation, future research, and sector cooperation.","PeriodicalId":54777,"journal":{"name":"Journal of Organizational Computing and Electronic Commerce","volume":"32 1","pages":"153 - 174"},"PeriodicalIF":2.0000,"publicationDate":"2021-09-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Organizational Computing and Electronic Commerce","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1080/10919392.2022.2068906","RegionNum":4,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 4

Abstract

ABSTRACT Evidence shows that it is paramount for stakeholders to understand the cybersecurity of relevant organizations. However, the secrecy surrounding cyber attacks and how organizations manage their cyber resilience make it impossible for stakeholders to develop this understanding. This paper analyzes organizational cyber resilience, its contextual factors and its impact on the outcomes of cyber attacks based on publicly available data. Using the PRISMA methodology, we collated and analyzed a dataset of 1,145 publicly known cyber attacks. We conceptualize and operationalize cyber resilience from a governance perspective. Our findings indicate that organizations that suffered cyber attacks had the following cyber resilience characteristics: a relatively low level of cyber resilience reflected in the low frequency of cybersecurity roles, low reliance on cybersecurity frameworks, and relatively low strength of prevention, detection, and recovery controls. Cyber resilience is found to be associated with the sector, size, and digital intensity. Linear regression indicates that, expectedly, stronger prevention, detection, and recovery processes are related to lower breach severity and occurrence of investigations or penalties, but contrary to expectations, cybersecurity roles and frameworks are not. Furthermore, better organizational responses are associated with higher breach severity but they are not found to have an impact on the level of investigations, fines, and penalties imposed. We discuss our findings and their implications for cyber resilience regulation, future research, and sector cooperation.

查看原文本刊更多论文

组织网络弹性及其前兆和结果的探索性研究

摘要证据表明，利益相关者了解相关组织的网络安全至关重要。然而，围绕网络攻击的保密性以及组织如何管理其网络弹性，使利益相关者无法形成这种理解。本文基于公开的数据分析了组织的网络弹性、其背景因素及其对网络攻击结果的影响。使用PRISMA方法，我们整理和分析了1145个已知网络攻击的数据集。我们从治理的角度对网络弹性进行概念化和操作化。我们的研究结果表明，遭受网络攻击的组织具有以下网络弹性特征：网络弹性水平相对较低，反映在网络安全角色的频率较低，对网络安全框架的依赖程度较低，以及预防、检测和恢复控制的强度相对较低。研究发现，网络弹性与行业、规模和数字强度有关。线性回归表明，不出所料，更强的预防、检测和恢复过程与较低的违规严重程度和调查或处罚的发生有关，但与预期相反，网络安全角色和框架并非如此。此外，更好的组织反应与更高的违规严重程度有关，但没有发现它们对调查、罚款和处罚的水平产生影响。我们讨论了我们的研究结果及其对网络弹性监管、未来研究和部门合作的影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Organizational Computing and Electronic Commerce 工程技术-计算机：跨学科应用

CiteScore

5.80

自引率

17.20%

发文量

审稿时长

>12 weeks

期刊介绍： The aim of the Journal of Organizational Computing and Electronic Commerce (JOCEC) is to publish quality, fresh, and innovative work that will make a difference for future research and practice rather than focusing on well-established research areas. JOCEC publishes original research that explores the relationships between computer/communication technology and the design, operations, and performance of organizations. This includes implications of the technologies for organizational structure and dynamics, technological advances to keep pace with changes of organizations and their environments, emerging technological possibilities for improving organizational performance, and the many facets of electronic business. Theoretical, experimental, survey, and design science research are all welcome and might look at: • E-commerce • Collaborative commerce • Interorganizational systems • Enterprise systems • Supply chain technologies • Computer-supported cooperative work • Computer-aided coordination • Economics of organizational computing • Technologies for organizational learning • Behavioral aspects of organizational computing.