Encouraging organisational information security incident reporting

Fabian Lucas Ballreich; Melanie Volkamer; Dirk Müllmann; Benjamin Maximilian Berens; Elena Marie Häußler; Karen Renaud

doi:10.1145/3617072.3617098

Encouraging organisational information security incident reporting

Fabian Lucas Ballreich, Melanie Volkamer, Dirk Müllmann, Benjamin Maximilian Berens, Elena Marie Häußler, Karen Renaud

Department of Cybersecurity and Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach.(1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.

Original language	English
Title of host publication	EuroUSEC '23
Subtitle of host publication	proceedings of the 2023 European Symposium on Usable Security
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	224-236
Number of pages	13
ISBN (Electronic)	9798400708145
DOIs	https://doi.org/10.1145/3617072.3617098
Publication status	Published - 16 Oct 2023
Event	The 2023 European Symposium on Usable Security - Copenhagen, Denmark Duration: 16 Oct 2023 → 17 Oct 2023 https://eurousec23.itu.dk/

Conference

Conference	The 2023 European Symposium on Usable Security
Abbreviated title	EuroUSEC 2023
Country/Territory	Denmark
City	Copenhagen
Period	16/10/23 → 17/10/23
Internet address	https://eurousec23.itu.dk/

Keywords

Reporting reluctance
Reporting obligaion
Information security incidents
Barriers to information security incident reporting

Access to Document

10.1145/3617072.3617098

Cite this

@inproceedings{0745ddc4a4ab4475bf30f49d6f78f1e7,

title = "Encouraging organisational information security incident reporting",

abstract = "21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach.(1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.",

author = "Ballreich, \{Fabian Lucas\} and Melanie Volkamer and Dirk M{\"u}llmann and Berens, \{Benjamin Maximilian\} and H{\"a}u{\ss}ler, \{Elena Marie\} and Karen Renaud",

note = "Copyright information: {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM Data availability statement: Not present.; The 2023 European Symposium on Usable Security, EuroUSEC 2023 ; Conference date: 16-10-2023 Through 17-10-2023",

year = "2023",

month = oct,

day = "16",

doi = "10.1145/3617072.3617098",

language = "English",

pages = "224--236",

booktitle = "EuroUSEC '23",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

url = "https://eurousec23.itu.dk/",

}

Ballreich, FL, Volkamer, M, Müllmann, D, Berens, BM, Häußler, EM & Renaud, K 2023, Encouraging organisational information security incident reporting. in EuroUSEC '23: proceedings of the 2023 European Symposium on Usable Security. Association for Computing Machinery (ACM), New York, pp. 224-236, The 2023 European Symposium on Usable Security, Copenhagen, Denmark, 16/10/23. https://doi.org/10.1145/3617072.3617098

Encouraging organisational information security incident reporting. / Ballreich, Fabian Lucas; Volkamer, Melanie; Müllmann, Dirk et al.
EuroUSEC '23: proceedings of the 2023 European Symposium on Usable Security. New York: Association for Computing Machinery (ACM), 2023. p. 224-236.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Encouraging organisational information security incident reporting

AU - Ballreich, Fabian Lucas

AU - Volkamer, Melanie

AU - Müllmann, Dirk

AU - Berens, Benjamin Maximilian

AU - Häußler, Elena Marie

AU - Renaud, Karen

PY - 2023/10/16

Y1 - 2023/10/16

N2 - 21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach.(1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.

AB - 21st-century organisations can only learn how to respond effectively to, and recover from, adverse information security incidents if their employees report any incidents they notice. This should happen irrespective of whether or not they themselves triggered the incident. Organisations have started to inform their employees about their incident reporting obligations. However, there is little research that organisations can benefit from to make their reporting provisions maximally effective. For this work, we follow a multi-step approach.(1) We review the related research on reporting, including reporting reluctance, and the legalities of incident reporting in the European Union. (2) We explain how we developed variations of information texts that raise awareness of incident reporting obligations and aim to ameliorate reporting reluctance. (3) We conducted an online user study (n=257) to identify the most effective information text. (4) The most effective text was deployed by the CISO of a German energy company and we collected feedback from 24 employees to support a qualitative analysis. We discuss our experiences and the implications of such information text design. We make recommendations for encouraging information security incident reporting and suggest future work.

U2 - 10.1145/3617072.3617098

DO - 10.1145/3617072.3617098

M3 - Conference contribution

SP - 224

EP - 236

BT - EuroUSEC '23

PB - Association for Computing Machinery (ACM)

CY - New York

T2 - The 2023 European Symposium on Usable Security

Y2 - 16 October 2023 through 17 October 2023

ER -

Encouraging organisational information security incident reporting

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this