Kent Academic Repository

Learning from cyber security incidents: A systematic review and future research agenda

Patterson, Clare M., Nurse, Jason R. C., Franqueira, Virginia N. L. (2023) Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 132 . Article Number 103309. ISSN 0167-4048. (doi:10.1016/j.cose.2023.103309) (KAR id:101556)

PDF Publisher pdf
Language: English


PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only
Official URL:
https://doi.org/10.1016/j.cose.2023.103309

Abstract

Cyber security incidents are now prevalent in many organisations. Arguably, those who can learn from security incidents and address the underlying causes will reduce the prevalence of similar ones in the future. This research provides a new examination of how organisations learn from incidents by systematically reviewing academic research on organisational learning from cyber security incidents and identifies further research needed in this area. To do this, it considers three research questions: what research has been conducted on learning from cyber security incidents, what learning practices in organisations have been found by research and what improvements have been recommended, and what further research is needed as organisations learn from such incidents. Using the PRISMA method, a total of 3,986 articles were extracted and, from these, a relevant set of 30 were selected for analysis to map the body of research, and to identify future research avenues. Despite learning lessons being recommended by both researchers and industry standards, our findings suggest that this advice is not being fully adopted by organisations. Importantly, these studies have found inadequate participation in learning activities, with superficial causal investigations, scarce effort on ensuring lessons are implemented and no evaluation if the actions taken actually reduce future security incidents. More research is needed to understand the right level and which learning practices to invest in for the greatest impact. For practitioners, this review discusses the essential elements of an effective process to learn from incidents. This review provides academics with a novel synthesis of the research undertaken on this topic, enabling them to incorporate the significant findings into their work and potentially explore the research agenda suggested.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2023.103309
Uncontrolled keywords: Cyber security; incident investigation; incident response; lessons learned; learning process; organisational learning; post-incident review; security incident; systematic; literature review; research agenda
Subjects: B Philosophy. Psychology. Religion > BF Psychology
H Social Sciences > HF Commerce > HF5351 Business
Q Science > QA Mathematics (inc Computing science)
T Technology
T Technology > T Technology (General)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: University of Kent (https://ror.org/00xkeyj56)
Depositing User: Jason Nurse
Date Deposited: 05 Jun 2023 19:13 UTC
Last Modified: 10 Jan 2024 01:29 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/101556 (The current URI for this page, for reference purposes)

University of Kent Author Information

Nurse, Jason R. C.

Creator's ORCID: https://orcid.org/0000-0003-4118-1680

Franqueira, Virginia N. L.

Creator's ORCID: https://orcid.org/0000-0003-1332-9115