Evaluating incident reporting in cybersecurity. From threat detection to policy learning

Abstract

The escalating threat of cyber risks has propelled cybersecurity policy to the forefront of governmental agendas worldwide. Incident reporting, a cornerstone of cybersecurity legislation, may facilitate swift responses to cyberattacks and foster a learning process for policy enhancement. Despite its widespread adoption, there are no analyses on its efficacy, implementation, and avenues for improvement. This article provides a theory-based evaluation of incident reporting using the methods of realist synthesis and process tracing. We develop a program theory of incident reporting hypothesizing its dual role as a fire alarm and a catalyst for policy learning. The program theory is tested by drawing upon a range of literature and official documents, supplemented by insights from the Italian context through interviews with key informants. The evaluation reveals mixed findings. While incident reporting effectively serves as a fire alarm, particularly for organizations with limited cybersecurity capacity, challenges persist due to capacity gaps and a reluctance to report incidents. The link between incident reporting and policy learning remains tenuous, with evidence of inertia hindering the implementation of more radical changes. Policy recommendations include streamlining internal communications, combining rapid and in-depth reporting, fostering data-sharing agreements, ensuring dedicated communication of lessons from central cyber actors, and streamlining organizational procedures for implementing changes.