Summary
Many organisations fall victim to cyberattacks, such as ransomware attacks. Nevertheless, organisations have opportunities to bolster their cyber resilience. One way to achieve this is by learning vicariously from the experience of victims. This allows organisations to learn meaningful lessons without being burdened by the impact of an incident. However, vicarious learning requires victims to share the lessons learned from the investigation into the causes and consequences of a cyber incident. Fortunately, some organisations disseminate lessons learned and recommendations by publishing a publicly available evaluation report. Despite the potential of such sources for meaningful learning, most studies on organisational learning from cyber incidents focus on how individual organisations learn from their own experiences. As a consequence, such studies fail to identify recurring patterns of lessons learned that may generalize to other organisations. This meta-analysis addresses this issue by comparing multiple evaluation reports. The research objective is twofold: 1) to identify recurring lessons learned about causes and consequences of cyber incidents, and 2) to study the frames of reference from which incidents are evaluated, in order to understand why certain lessons are learned and others are not. The research question is: which lessons are drawn in evaluation reports into the causes and consequences of cyber incidents at organisations, in order to prevent these from recurring in the future? Various recurring lessons are identified and classified using an analytical framework that incorporates different risk management phases and categories of lessons learned. It is recommended to improve the sharing of lessons learned within a network of trusted partners to enable broad vicarious learning and collective cyber resilience.
Tijdschrift voor Veiligheid |
Article | Leren van cyberincidenten: een meta-analyse van evaluatierapporten ten behoeve van organisatorisch leren (Learning from cyber incidents: a meta-analysis of evaluation reports for the purpose of organisational learning) |
Keywords | cyber resilience, organisational learning from cyber incidents, meta-analysis, evaluation reports, qualitative research |
Authors | Bruno Verweijen |
DOI | 10.5553/TvV/.000046 |