This study analyses four case studies of cybersecurity incidents (Equifax, NHS, Australian National University, and Desjardins) to determine the causes of management-related cybersecurity risks in organisations. Five main causes are identified: anticipation, understanding, commitment, accuracy, and strategy. They exert their influence over the whole organisation through the leading teams and structures, and especially top managers. They are interrelated and able to trigger and influence each other. Managers should use this framework to identify the weaknesses of their organisations and prevent cybersecurity incidents. A potential sixth cause have been identified: implementation, the rationale behind cybersecurity management structures in practice. Further observation and research are required to confirm it.

Reference
2020 Data Breach Investigation Report. (2020). Verizon. https://www.verizon.com/business/resources/reports/2020-data-breach-investigations-report.pdf
2022 Thales Data Threat Report. (2022). Thales. https://mb.cision.com/Public/20506/3530950/b55a39d9e52a4074.pdf
Ahmetoglu, H., & Das, R. (2022). A comprehensive review on detection of cyber-attacks: Data sets, methods, challenges, and future research directions. Internet of Things, 20, 100615. https://doi.org/10.1016/j.iot.2022.100615
Alahmari, A., & Duncan, B. (2020). Cybersecurity Risk Management in Small and Medium-Sized Enterprises: A Systematic Review of Recent Evidence. 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 1–5. https://doi.org/10.1109/CyberSA49311.2020.9139638
Alexander, D. E. (2002). Principles of Emergency Planning and Management. Oxford University Press.
Alford, J. (2019, October 2). NHS cyber-attacks could delay life-saving care and cost millions. Imperial News. https://www.imperial.ac.uk/news/193151/nhs-cyber-attacks-could-delay-life-saving-care/
Aljaidi, M., Alsarhan, A., Samara, G., Alazaidah, R., Almatarneh, S., Khalid, M., & Al-Gumaei, Y. A. (2022). NHS WannaCry Ransomware Attack: Technical Explanation of The Vulnerability, Exploitation, and Countermeasures. 2022 International Engineering Conference on Electrical, Energy, and Artificial Intelligence (EICEEAI), 1–6.
Aljohani, T. M. (2022). Cyberattacks on Energy Infrastructures: Modern War Weapons.
Altulaihan, E., Almaiah, M. A., & Aljughaiman, A. (2022). Cybersecurity Threats, Countermeasures and Mitigation Techniques on the IoT: Future Research Directions. Electronics, 11(20). https://doi.org/10.3390/electronics11203330
Anant, V., Caso, J., & Schwarz, A. (2020). COVID-19 crisis shifts cybersecurity priorities and budgets.
Annab, R. (2021, August 12). Cybersecurity management: Academic Centre of Cyber Security Excellence, The University of Melbourne. School of Computing and Information Systems. https://cis.unimelb.edu.au/cyber-security-excellence/research/cybersecurity-management
ANU releases detailed account of data breach. (2019, October 1). ANU; The Australian National University. https://www.anu.edu.au/news/all-news/anu-releases-detailed-account-of-data-breach
Arthur, C. (2017, May 13). The ransomware attack is all about the insufficient funding of the NHS. The Observer. https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding
Asen, A., Bohmayr, W., Deutscher, S., González, M., & Mkrtchian, D. (2019). Are You Spending Enough on Cybersecurity?
Ashraf, M., Jiang, J. (Xuefeng), & Wang, I. Y. (2022). Are there trade-offs with mandating timely disclosure of cybersecurity incidents? Evidence from state-level data breach disclosure laws. The Journal of Finance and Data Science, 8, 202–213. https://doi.org/10.1016/j.jfds.2022.08.001
Azmi, R., Tibben, W., & Win, K. T. (2018). Review of cybersecurity frameworks: Context and shared concepts. Journal of Cyber Policy, 3(2), 258–283. https://doi.org/10.1080/23738871.2018.1520271
Ball, R. A. (1966). An Empirical Exploration of Neutralization Theory. Criminologica, 4(2), 22–32.
Barlow, J. B., Warkentin, M., Ormond, D., & Dennis, A. R. (2013). Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Computers & Security, 39, 145–159. https://doi.org/10.1016/j.cose.2013.05.006
Barlow, J., Warkentin, M., Ormond, D., & Dennis, A. (2018). Don’t Even Think About It! The Effects of Antineutralization, Informational, and Normative Communication on Information Security Compliance. Journal of the Association for Information Systems, 19(8). https://aisel.aisnet.org/jais/vol19/iss8/3
Berthier, T. (2015). Hacktivisme: Vers une complexification des cyberattaques. Revue Défense Nationale, 784(9), 45–48. Cairn.info. https://doi.org/10.3917/rdna.784.0045
Borys, S. (2019, October 2). Hackers gained access to ANU’s network with a single email—Here’s what we know. ABC News. https://www.abc.net.au/news/2019-10-02/the-sophisticated-anu-hack-that-compromised-private-details/11566540
Bronskill, J. (2020, December 14). Data breach at Desjardins caused by series of gaps, privacy watchdog says | Globalnews.ca. Global News. https://globalnews.ca/news/7520414/desjardins-data-breach-privacy-watchdog-probe/
Calleja, A., Tapiador, J., & Caballero, J. (2019). The MalSource Dataset: Quantifying Complexity and Code Reuse in Malware Development. IEEE Transactions on Information Forensics and Security, 14(12), 3175–3190. https://doi.org/10.1109/TIFS.2018.2885512
Canada, O. of the P. C. of. (2020, December 14). PIPEDA Findings #2020-005: Investigation into Desjardins’ compliance with PIPEDA following a breach of personal information between 2017 and 2019. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2020/pipeda-2020-005/
Carlton, M., Levy, Y., & Ramim, M. (2019). Mitigating cyber attacks through the measurement of non-IT professionals’ cybersecurity skills. Information & Computer Security, 27(1), 101–121. https://doi.org/10.1108/ICS-11-2016-0088
Center, E. P. I. (n.d.). EPIC - Equifax Data Breach. Retrieved May 20, 2023, from https://archive.epic.org/privacy/data-breach/equifax/
Chigada, J., & Madzinga, R. (2021). Cyberattacks and threats during COVID-19: A systematic literature review. South African Journal of Information Management, 23, 1–11.
Chinese Hackers Charged in Equifax Breach. (n.d.). [Story]. Federal Bureau of Investigation. Retrieved May 20, 2023, from https://www.fbi.gov/news/stories/chinese-hackers-charged-in-equifax-breach-021020
Coccia, M. (2020). Critical decisions in crisis management: Rational strategies of decision making. Journal of Economics Library, 7(2), 81–96.
Collier, R. (2017). NHS ransomware attack spreads worldwide. Can Med Assoc.
Comptroller and Auditor General. (2016). Financial sustainability of the NHS (No. 2016–17). National Audit Office - Department of Health.
Corallo, A., Lazoi, M., Lezzi, M., & Luperto, A. (2022). Cybersecurity awareness in the context of the Industrial Internet of Things: A systematic literature review. Computers in Industry, 137, 103614. https://doi.org/10.1016/j.compind.2022.103614
Craigen, D., Diakun-Thibault, N., & Purse, R. (2014). Defining Cybersecurity. Technology Innovation Management Review, 4(10), 13–21.
Cremer, F., Sheehan, B., Fortmann, M., Kia, A. N., Mullins, M., Murphy, F., & Materne, S. (2022). Cyber risk and cybersecurity: A systematic review of data availability. The Geneva Papers on Risk and Insurance - Issues and Practice, 47(3), 698–736. https://doi.org/10.1057/s41288-022-00266-6
Cyber-attack on the NHS (Report of Parliamentary Session No. 2017-19 (32)). (2018). House of Commons Committee of Public Accounts.
CYBERSECURITY: CHALLENGES FROM A SYSTEMS, COMPLEXITY, KNOWLEDGE MANAGEMENT AND BUSINESS INTELLIGENCE PERSPECTIVE. (2015). Issues In Information Systems. https://doi.org/10.48009/3_iis_2015_191-198
Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach (GAO-18-559). (2018). United-States Government Accountability Office. https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf
Davis, J. (2020, March 12). ANU releases details of data breach. The Uni Guide. https://theuniguide.com.au/news/anu-releases-details-of-data-breach
Debb, S. M., & McClellan, M. K. (2021). Perceived Vulnerability As a Determinant of Increased Risk for Cybersecurity Risk Behavior. Cyberpsychology, Behavior, and Social Networking, 24(9), 605–611. https://doi.org/10.1089/cyber.2021.0043
Définitions: Cybernétique—Dictionnaire de français Larousse. (n.d.). Larousse. Retrieved May 20, 2023, from https://www.larousse.fr/dictionnaires/francais/cybern%C3%A9tique/21261
Desjardins says employee who stole personal data also accessed credit card info. (2019, December 10). BNN Bloomberg. https://www.bnnbloomberg.ca/desjardins-says-employee-who-stole-personal-data-also-accessed-credit-card-info-1.1360652
Desjardins settles 2019 data breach class-action lawsuit for up to nearly $201M | CBC News. (2021, December 16). CBC. https://www.cbc.ca/news/canada/montreal/desjardins-data-breach-lawsuit-settlement-1.6288428
Dionne, G. (2013). Risk Management: History, Definition, and Critique. Risk Management and Insurance Review, 16(2), 147–166. https://doi.org/10.1111/rmir.12016
Dwyer, A. (2018). The NHS cyber-attack: A look at the complex environmental conditions of WannaCry. RAD Magazine, 44(512), 25–26.
Echt, K. V., Morrell, R. W., & Park, D. C. (1998). Effects of Age and Training Formats on Basic Computer Skill Acquisition in Older Adults. Educational Gerontology, 24(1), 3–25. https://doi.org/10.1080/0360127980240101
Equifax Data Security Breach: What You Need to Know. (n.d.). Department of Financial Services. Retrieved May 20, 2023, from https://www.dfs.ny.gov/consumers/alerts/equifax_data_breach
Fruhlinger, J. (2020, February 12). Equifax data breach FAQ: What happened, who was affected, what was the impact? CSO Online. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I. (2020). Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management. Risk Analysis, 40(1), 183–199. https://doi.org/10.1111/risa.12891
Gebayew, C., Hardini, I. R., Panjaitan, G. H. A., Kurniawan, N. B., & Suhardi. (2018). A Systematic Literature Review on Digital Transformation. 2018 International Conference on Information Technology Systems and Innovation (ICITSI), 260–265. https://doi.org/10.1109/ICITSI.2018.8695912
Ghafur, S., Kristensen, S., Honeyford, K., Martin, G., Darzi, A., & Aylin, P. (2019). A retrospective impact analysis of the WannaCry cyberattack on the NHS. Npj Digital Medicine, 2(1), 98. https://doi.org/10.1038/s41746-019-0161-6
Gredley, R. (2019, October 2). China suspected of sophisticated uni hack. News.Com.Au — Australia’s Leading News Site. https://www.news.com.au/national/shocking-in-its-sophistication-how-hackers-targeted-anu-student-data/news-story/f80269d9bee79916fe9f5f48a860d2ec
Gressin, S. (2017). The equifax data breach: What to do. Federal Trade Commission, 8.
Groch, S. (2019, October 2). “Like a diamond heist”: How hackers got into Australia’s top university. The Canberra Times. https://www.canberratimes.com.au/story/6414841/like-a-diamond-heist-how-hackers-got-into-australias-top-uni/
Haggard, S., & Lindsay, J. R. (2015). North Korea and the Sony hack: Exporting instability through cyberspace.
Haislip, J., Pinsker, R., Kolev, K., & Steffen, T. (n.d.). The economic cost of cybersecurity breaches: A broad-based analysis.
Hills, M. (2017). Lessons from the NHS ransomware calamity. EDQuarter, 26.
Huang, K., & Madnick, S. (2020). A cyberattack doesn’t have to sink your stock price. Harvard Business Review.
Hubbard, D. W., & Seiersen, R. (2023). How to Measure Anything in Cybersecurity Risk. John Wiley & Sons.
IBM. (2022a). Cost of a Data Breach Report 2022. https://www.ibm.com/downloads/cas/3R8N1DZJ
IBM. (2022b, July). Global average cost of a data breach by industry 2022. Statista. https://www.statista.com/statistics/387861/cost-data-breach-by-industry/
(ICS)2. (2022). (ISC)2 Cybersecurity Workforce Study 2022. https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx
Juneja, P. (n.d.). The Equifax Data Breach Scandal. Management Study Guide. Retrieved May 20, 2023, from https://www.managementstudyguide.com/equifax-data-breach-scandal.htm
Karp, P. (2019, October 2). ANU says blaming China for massive data breach is speculative and “harmful.” The Guardian. https://www.theguardian.com/australia-news/2019/oct/02/anu-says-blaming-china-for-massive-data-breach-is-speculative-and-harmful
Kenny, C. (2018). The Equifax data breach and the resulting legal recourse. Brook. J. Corp. Fin. & Com. L., 13, 215.
Khairi, M. H., Ariffin, S. H., Latiff, N. A., Abdullah, A. S., & Hassan, M. K. (2018). A review of anomaly detection techniques and distributed denial of service (DDoS) on software defined network (SDN). Engineering, Technology & Applied Science Research, 8(2), 2724–2730.
Kiener, K. (2019, March). Cybercrime Module 5 Key Issues: Obstacles to Cybercrime Investigations. UNODC. https://www.unodc.org/e4j/zh/cybercrime/module-5/key-issues/obstacles-to-cybercrime-investigations.html
Kimathi, S. (2020, December 22). Combination of weaknesses led to massive data breach at Desjardins—FinTech Futures. FinTech Futures. https://www.fintechfutures.com/2020/12/combination-of-weaknesses-led-to-massive-data-breach-at-desjardins/
Kramer, S., & Bradfield, J. C. (2010). A general definition of malware. Journal in Computer Virology, 6(2), 105–114. https://doi.org/10.1007/s11416-009-0137-1
Layton, R., & Watters, P. A. (2014). A methodology for estimating the tangible cost of data breaches. Journal of Information Security and Applications, 19(6), 321–330.
Maalem Lahcen, R. A., Caulkins, B., Mohapatra, R., & Kumar, M. (2020). Review and insight on the behavioral aspects of cybersecurity. Cybersecurity, 3(1), 10. https://doi.org/10.1186/s42400-020-00050-w
Manager Demographics and Statistics [2023]: Number Of Managers In The US. (2021, January 29). https://www.zippia.com/manager-jobs/demographics/
Martin, L. (2019, June 4). Australian National University hit by huge data breach. The Guardian. https://www.theguardian.com/australia-news/2019/jun/04/australian-national-university-hit-by-huge-data-breach
Meszaros, J., & Buchalcevova, A. (2017). Introducing OSSF: A framework for online service cybersecurity risk management. Computers & Security, 65, 300–313. https://doi.org/10.1016/j.cose.2016.12.008
Nahari, S. (2019, June 21). Data Breach at Desjardins Bank Caused by Malicious Insider. https://www.cyberark.com/resources/blog/data-breach-at-desjardins-bank-caused-by-malicious-insider
National Audit Office. (2018). Investigation: WannaCry cyber attack and the NHS. https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf
National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04162018
NHS cyber-attack fears return as all tested trusts fail assessments. (2018, 06). https://www.nationalhealthexecutive.com/News/nhs-cyber-attack-fears-return-as-all-tested-trusts-fail-assessments/193261
O’dowd, A. (2017). Major global cyber-attack hits NHS and delays treatment. British Medical Journal Publishing Group.
Padilla, V. S., & Freire, F. F. (2019). A contingency plan framework for cyber-attacks. Journal of Information Systems Engineering & Management, 4(2), 2–7.
Petratos, P. N. (2021). Misinformation, disinformation, and fake news: Cyber risks to business. CIBER SPECIAL ISSUE: CYBERSECURITY IN CRISIS, 64(6), 763–774. https://doi.org/10.1016/j.bushor.2021.07.012
Poremba, S. (2023, January 5). The cybersecurity talent shortage: The outlook for 2023. Cybersecurity Dive. https://www.cybersecuritydive.com/news/cybersecurity-talent-gap-worker-shortage/639724/
PurpleSec. (2023). 2023 Cyber Security Statistics Trends & Data. PurpleSec. https://purplesec.us/resources/cyber-security-statistics/
Reed, K., Doty, D. H., & May, D. R. (2005). The Impact of Aging on Self-efficacy and Computer Skill Acquisition. Journal of Managerial Issues, 17(2), 212–228. JSTOR.
Riley, M., Robertson, J., & Sharpe, A. (2017, September 29). The Equifax Hack Has the Hallmarks of State-Sponsored Pros. Bloomberg. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros
Rodrigues, J. (2022, June 21). The Desjardins Data Breach + What We Can Learn From It. TitanFile. https://www.titanfile.com/blog/the-desjardins-data-breach-what-we-can-learn-from-it/
Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The Board’s Role in Managing Cybersecurity Risks. 59(2), 12–15.
Russia’s cyberattacks aim to “terrorize” Ukrainians. (2023, January 11). POLITICO. https://www.politico.com/news/2023/01/11/russias-cyberattacks-aim-to-terrorize-ukrainians-00077561
Sarraf, S. (2019, October 3). ANU details findings of data breach. CSO Online. https://www.csoonline.com/article/3572622/anu-details-findings-of-data-breach.html
Security noun—Definition, pictures, pronunciation and usage notes. (n.d.). Oxford Leaner’s Dictionnaries. Retrieved May 20, 2023, from https://www.oxfordlearnersdictionaries.com/definition/american_english/security
Siponen & Vance. (2010). Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations. MIS Quarterly, 34(3), 487. https://doi.org/10.2307/25750688
Smart, W. (2018). Lesson learned review of the WannaCry Ransomware Cyber Attack. Department of Health and Social Care.
Smith, C. (2019, June 20). Massive Desjardins Group data breach caused by employee who’s since been fired. The Georgia Straight. https://www.straight.com/news/1257561/massive-desjardins-group-data-breach-caused-employee-whos-been-fired
Solomon, H. (2020, December 14). Desjardins at fault for huge data breach, say privacy commissioners. https://www.itworldcanada.com/article/breaking-desjardins-at-fault-for-huge-data-breach-say-privacy-commissioners/439581
Sophos. (2019, November 19). UK Public Sector Information Vulnerable to Cyberattack Due To Awareness Gap Between IT Professionals. SOPHOS. https://www.sophos.com/en-us/press/press-releases/2019/11/uk-public-sector-information-vulnerable-to-cyberattack-due-to-awareness-gap-between-it-professionals
Stilgherrian. (2019, October 2). ANU incident report on massive data breach is a must-read. ZDNET. https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/
Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J., & Thomas, R. (2002). Contingency planning guide for information technology systems: Recommendations of the National Institute of Standards and Technology (NIST SP 800-34; 0 ed., p. NIST SP 800-34). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-34
Thangavelu, M., Krishnaswamy, V., & Sharma, M. (2021). Impact of comprehensive information security awareness and cognitive characteristics on security incident management – an empirical study. Computers & Security, 109, 102401. https://doi.org/10.1016/j.cose.2021.102401
The NHS cyber attack: How and why it happened, and who did it. (2020, February 7). Acronis. https://www.acronis.com/en-us/blog/posts/nhs-cyber-attack/
Tillet, A. (2019, October 2). ANU cyber attack began with email to senior staff member. Australian Financial Review. https://www.afr.com/politics/federal/anu-cyber-attack-began-with-email-to-senior-staff-member-20191001-p52wpv
Tomesco, F. (2019, June 20). Desjardins: Rogue employee caused data breach for 2.9 million members. Montreal Gazette. https://montrealgazette.com/business/desjardins-rogue-employee-caused-data-breach-for-2-9-million-members
Tomesco, F. (2020, December 14). Desjardins slammed by privacy commissioner for handling of data breach. Montreal Gazette. https://montrealgazette.com/business/quebec-financial-watchdog-orders-desjardins-to-overhaul-practices
University, A. N. (2019). Incident report on the breach of the Australian National University’s administrative systems (Australia, China) [Report]. Australian National University. https://apo.org.au/node/262171
Wang, P., & Johnson, C. (2018). Cybersecurity incident handling: A case study of the Equifax data breach. Issues in Information Systems, 19(3).
Wang, S., & Wang, H. (2019). Knowledge Management for Cybersecurity in Business Organizations: A Case Study. Journal of Computer Information Systems, 0(0), 1–8. https://doi.org/10.1080/08874417.2019.1571458
Wang, Z., Sun, L., & Zhu, H. (2020). Defining Social Engineering in Cybersecurity. IEEE Access, 8, 85094–85115. https://doi.org/10.1109/ACCESS.2020.2992807
WannaCry cyber-attack cost the NHS £92m after 19,000 appointments were cancelled. (2018, October 12). National Health Executive. https://www.nationalhealthexecutive.com/articles/wannacry-cyber-attack-cost-nhs-ps92m-after-19000-appointments-were-cancelled
Williams-Banta, P. E. (2019). Security Technology and Awareness Training; Do They Affect Behaviors and Thus Reduce Breaches? [Ph.D., Northcentral University]. In ProQuest Dissertations and Theses (2236379962). ProQuest Dissertations & Theses A&I; ProQuest Dissertations & Theses Global. https://proxyone.lib.nccu.edu.tw/login?url=https://www.proquest.com/dissertations-theses/security-technology-awareness-training-do-they/docview/2236379962/se-2?accountid=10067
Wroe, M. K., David. (2019, June 4). ANU says “sophisticated operator” stole data in new cyber breach. The Sydney Morning Herald. https://www.smh.com.au/politics/federal/anu-says-sophisticated-operator-stole-data-in-cyber-breach-20190604-p51ua9.html
Young, A. L., & Yung, M. (2017). Cryptovirology: The birth, neglect, and explosion of ransomware. Communications of the ACM, 60(7), 24–26. https://doi.org/10.1145/3097347
Yucel, S. (2018). Estimating the Benefits, Drawbacks and Risk of Digital Transformation Strategy. 2018 International Conference on Computational Science and Computational Intelligence (CSCI), 233–238. https://doi.org/10.1109/CSCI46756.2018.00051
Zou, Y., Mhaidli, A. H., McCall, A., & Schaub, F. (2018). “ I’ve Got Nothing to Lose”: Consumers’ Risk Perceptions and Protective Actions after the Equifax Data Breach. SOUPS@ USENIX Security Symposium, 197–216.