Encouraging organisational information security incident reporting

Fabian Lucas Ballreich, Melanie Volkamer, Dirk Müllmann, Benjamin Berens, Elena Marie Häußler, Karen Renaud

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution book

1 Citation (Scopus)
24 Downloads (Pure)

Abstract

21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach. (1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.

Original language: English
Title of host publication: EuroUSEC '23
Subtitle of host publication: Proceedings of the 2023 European Symposium on Usable Security
Place of Publication: New York
Pages: 224–236
Number of pages: 13
Publication status: Published - 16 Oct 2023
Event: The 2023 European Symposium on Usable Security, October 16 & 17, 2023 in Copenhagen, Denmark - Copenhagen, Denmark
Duration: 16 Oct 2023 to 17 Oct 2023
https://eurousec23.itu.dk/

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: The 2023 European Symposium on Usable Security, October 16 & 17, 2023 in Copenhagen, Denmark
Abbreviated title: EuroUSEC
Country/Territory: Denmark
City: Copenhagen
Period: 16/10/23 to 17/10/23

Keywords

  • information security
  • security incidents
  • cyber attacks
  • security and privacy
