Organisational Cyber Resilience and its Influence on Cyber Attack Outcomes: An Exploratory Study of 1,145 Publicised Attacks

Abstract

Evidence shows that it is paramount for stakeholders to understand the cybersecurity of organizations they are dealing with (Kamiya et al. 2021). However, the secrecy surrounding cyber attacks and how organizations manage their cyber resilience (CR) create difficulties in developing this understanding. This paper analyses organizational CR, the contextual factors that affect it and its impact on the outcomes of cyber attacks based on publicly available data. Using the PRISMA methodology, we reviewed and analyzed a dataset of 1,145 publicly-known cyber attacks. We conceptualize and operationalize CR from a governance perspective. Our findings indicate that organizations that suffered cyber attacks had the following CR characteristics: a relatively low level of CR reflected in the low frequency of cybersecurity roles, low reliance on cybersecurity frameworks, and relatively low strength of prevention, detection, and recovery controls. Organizations' responses appear to be related to the impact attacks had on organizations' data. However, variation is large. CR is found to be associated with the sector, size, and digital intensity. Surprisingly, we did not find any evidence that critical industries would have higher CR. Even though the analyzed attacks had a relatively high impact on data, they do not seem to have led to a high frequency of litigation, penalties and fines imposed. We discuss our findings and their implications for CR regulation, information disclosure and sector cooperation.