Security Breach Disclosure

Lee, Yao-Tien

11 1900

Security breach disclosure is the public disclosure of information regarding a data security incident. It allows organizations to communicate salient information to the affected parties and stakeholders regarding the nature and impact of the breach, and remediating solutions undertaken regarding the breach. Recent cases of large-scale security breaches have revealed that security breach disclosure remains a challenging subject for policymakers, practitioners, and researchers. There is a lack of understanding and consensus on what breaches need to be disclosed and little evidence on how actual practices are employed. Using an adapted grounded theory methodology that combines computerized textual extraction and ground theory coding techniques, this study explores relevant issues through four research questions with distinct objectives that would enhance understanding of the issues in public breach disclosure. First, recent regulations from the US, EU, and Canada are reviewed to identify the core elements in breach disclosure. Second, this study develops methods to extract information content from disclosures. Third, matrices and measuring instruments are developed to evaluate the quality, and last, a framework is proposed to map out the paths and directions for future research. These advancements lay the crucial groundwork in the field of security breach disclosure and will contribute greatly towards future policies, practice, and research. The expected societal significance of this research is profound. The research is relevant to practitioners, regulators, and the information security community as it provides valuable insight on current challenges and future directions. The ultimate goal is to strengthen our understanding of security breach disclosure and enhance the accumulation and transfer of knowledge obtained through security breach disclosure; thereby providing organizations, regulators, and the information security community with the information necessary to develop policies, tools, and controls for identifying, managing, and reducing the risks of future security incidents. The proposed core elements, methods of extracting relevant information content, quality evaluation matrices, and framework mark a significant advancement towards this vision. / Thesis / Doctor of Philosophy (PhD) / Recent cases of security breach at Equifax, Yahoo, and Uber have raised attention from the public and regulators on the issues of public disclosure of security incidents. However, the lack of understanding and research in security breach disclosures has hampered our ability in defining what needs to be disclosed, understanding what are actually disclosed, and determining how well the incidents are disclosed. These issues are urgent and important thus warrant considerable efforts to carefully examine the current landscape of policy and practice, and to provide methods to evaluate disclosures so that meaningful advancements in research and improvements in practice can be made. This study recommends a set of core elements in disclosure, develops methods to extract information from disclosure, establishes ways to evaluate quality, and proposes a framework that maps out future research. These are important advancements in the study of security breach disclosure and will contribute greatly towards future policies, practice, and research.

Information Security

Breach Disclosure