Security Breach Disclosure

Abstract

Security breach disclosure is the public disclosure of information regarding a data security incident. It allows organizations to communicate salient information to the affected parties and stakeholders regarding the nature and impact of the breach, and remediating solutions undertaken regarding the breach. Recent cases of large-scale security breaches have revealed that security breach disclosure remains a challenging subject for policymakers, practitioners, and researchers. There is a lack of understanding and consensus on what breaches need to be disclosed and little evidence on how actual practices are employed. Using an adapted grounded theory methodology that combines computerized textual extraction and ground theory coding techniques, this study explores relevant issues through four research questions with distinct objectives that would enhance understanding of the issues in public breach disclosure. First, recent regulations from the US, EU, and Canada are reviewed to identify the core elements in breach disclosure. Second, this study develops methods to extract information content from disclosures. Third, matrices and measuring instruments are developed to evaluate the quality, and last, a framework is proposed to map out the paths and directions for future research. These advancements lay the crucial groundwork in the field of security breach disclosure and will contribute greatly towards future policies, practice, and research. The expected societal significance of this research is profound. The research is relevant to practitioners, regulators, and the information security community as it provides valuable insight on current challenges and future directions. The ultimate goal is to strengthen our understanding of security breach disclosure and enhance the accumulation and transfer of knowledge obtained through security breach disclosure; thereby providing organizations, regulators, and the information security community with the information necessary to develop policies, tools, and controls for identifying, managing, and reducing the risks of future security incidents. The proposed core elements, methods of extracting relevant information content, quality evaluation matrices, and framework mark a significant advancement towards this vision.