Data Breach Risks and Resolutions: A Literature Synthesis

Despite increasing data breach vulnerabilities, we know little about how organizations effectively identify and manage data breach incidents. To address this void, we conceptualize data breach risks and resolutions by drawing on risk management theory and a literature review. We conceptualize three areas of data breach risks (data breach cause, data breach locus, and data breach impact) and three forms of data breach resolutions (prevention, containment, and recovery), with detailed instances of each. As such, we provide a theoretical foundation for researchers to develop different types of risk management models in the context of data breaches. In addition, we provide insights into how practitioners can orchestrate actions for effective data breach management based on comprehensive profiles of risk items and resolution techniques.
