Patterson, Clare M., Nurse, Jason R. C., Franqueira, Virginia N. L. (2023) Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 132. Article Number 103309. ISSN 0167-4048. (doi:10.1016/j.cose.2023.103309) (KAR id:101556)
PDF
Publisher pdf
Language: English
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
PDF
Author's Accepted Manuscript
Language: English
Restricted to Repository staff only
Official URL: https://doi.org/10.1016/j.cose.2023.103309
Abstract
Cyber security incidents are now prevalent in many organisations. Arguably, those who can learn from security incidents and address the underlying causes will reduce the prevalence of similar ones in the future. This research provides a new examination of how organisations learn from incidents by systematically reviewing academic research on organisational learning from cyber security incidents and identifies further research needed in this area. To do this, it considers three research questions: what research has been conducted on learning from cyber security incidents, what learning practices in organisations have been found by research and what improvements have been recommended, and what further research is needed as organisations learn from such incidents. Using the PRISMA method, a total of 3,986 articles were extracted and, from these, a relevant set of 30 were selected for analysis to map the body of research, and to identify future research avenues. Despite learning lessons being recommended by both researchers and industry standards, our findings suggest that this advice is not being fully adopted by organisations. Importantly, these studies have found inadequate participation in learning activities, with superficial causal investigations, scarce effort on ensuring lessons are implemented and no evaluation if the actions taken actually reduce future security incidents. More research is needed to understand the right level and which learning practices to invest in for the greatest impact. For practitioners, this review discusses the essential elements of an effective process to learn from incidents. This review provides academics with a novel synthesis of the research undertaken on this topic, enabling them to incorporate the significant findings into their work and potentially explore the research agenda suggested.
Item Type: | Article |
---|---|
DOI/Identification number: | 10.1016/j.cose.2023.103309 |
Uncontrolled keywords: | Cyber security; incident investigation; incident response; lessons learned; learning process; organisational learning; post-incident review; security incident; systematic; literature review; research agenda |
Subjects: | B Philosophy. Psychology. Religion > BF Psychology; H Social Sciences > HF Commerce > HF5351 Business; Q Science > QA Mathematics (inc Computing science); T Technology; T Technology > T Technology (General) |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing; University-wide institutes > Institute of Cyber Security for Society |
Funders: | University of Kent (https://ror.org/00xkeyj56) |
Depositing User: | Jason Nurse |
Date Deposited: | 05 Jun 2023 19:13 UTC |
Last Modified: | 05 Nov 2024 13:07 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/101556 (The current URI for this page, for reference purposes) |