Resilience. INCLUDES notes from lectures 1-12 (Total: 45 pages).
Cyber Crisis Management and Resilience Lecture Notes (Lectures 1-12)
Table of Contents
Lectures
Lecture 1: Introduction to Cyber Crises
Lecture 2: Crisis Management 101 (Chiara Anfuso)
Lecture 3: How do cyber crises affect us?
Lecture 4: The Human Cost of Cyber Incidents
Lecture 5: Regulatory Frameworks for Cyber Crisis Management in the European Union
Lecture 6: Organisational Preparedness for Cyber Incidents
Lecture 7: Fragmentation - Integration & Communication (Parto Mirzaei)
Lecture 8: Detection & Response to Cyber Crises
Lecture 9: Decision-Making & Meaning-Making in Cyber Crisis Management
Lecture 10: Cyber Crisis Communication
Lecture 11: Learning from Cyber Crises (Dr Jason R.C. Nurse)
Lecture 12: Toward Resilience – Accountability & Learning from Cyber Crises
Video Materials
Video 1: Qualitative & Quantitative Data Analysis
Video 2: Content Analysis
Video 3: Descriptive Analysis of Quantitative Data
Video 4: Mean, Variance & Standard Deviation
Video 5: Parametric & Non-Parametric Test Analysis
Lectures
Lecture 1: Introduction to Cyber Crises
Definitions
Crisis: When a group, organisation or community experiences “a serious threat to the basic
structures or the fundamental values and norms of a system, which under time pressures & highly
uncertain circumstances necessitates making vital decisions.”
Key components (based on PERCEPTION):
1. Threat to values.
2. Sense of urgency.
3. Uncertainty & ambiguity.
➔ Moment when decisions can be made (“distinguish, choose, decide”) about the problem at
hand (to avoid it becoming a disaster). It is NOT a disaster (i.e. when things go wrong).
➔ Crises are about perceptions as labels put on an event (NOT objective).
◆ COVID-19 = perceived as a crisis.
◆ Climate change = NOT perceived as a crisis (despite being framed as one).
Cyber Incident: An event that causes damage to data, systems &/or networks; & to people, their
possessions or things they consider valuable. Can be intentional or accidental.
➔ Important aspect = means/target is digital technology.
➔ 2 separate concepts that are increasingly intertwined:
◆ Crisis = perception of a situation as threatening, urgent & uncertain (e.g. 2024
Valencia floods).
◆ Cyber incident = event that affects us through/in cyberspace (e.g. 2024 CrowdStrike
incident).
Cyber Crisis: When a social system (e.g. community, organisation, policy sector, country, region)
experiences an urgent threat to its basic structures or fundamental values, which harbors many
‘unknowns’ & appears to require a far-reaching response. The means &/or the target is digital
technology.
➔ A window of time from t1 (perception of a serious cyber threat) to t2 (finished with
perception) to decide (focus on decision-making).
➔ In practice, it exceeds the social system’s social system & threatens reputation.
➔ Risks reputational damage, with escalation & cascading effects (difficult to predict).
➔ Requires public & stakeholder communication.
➔ Most common cyber crises:
◆ Data Breaches: When attackers enter the system & leak/publish the data. Risks
reputational damage. Difficult to detect intrusions & when attackers have been
removed from the system.
◆ Ransomware: Malware that, once installed, encrypts the data & demands a ransom
to decrypt it (e.g. phishing, infiltration). Commonly used today where
companies are largely online. It demands instant decision-making.
◆ Distributed Denial-of-Service (DDoS) Attack: Overloads the system, preventing
access to it.
◆ Poisoning Attack: Growing attack against AI & large language models, where
attackers enter false data to skew & influence results.
| | Means: NO Cyberspace | Means: Cyberspace |
| --- | --- | --- |
| Harms: NO Cyberspace | Traditional crisis (e.g. 2024 Valencia floods). | Cyber-enabled crisis (e.g. data breach, fraud affecting individuals/things outside the cyber realm). |
| Harms: Cyberspace | Cyber-targeted crisis through non-cyber means (e.g. targeting internet connection tubes/wires). | Cyber-dependent crisis (e.g. DDoS attack, critical infrastructure attack). |
Analytical dimensions:
1. Public vs. private
◆ Public = influences society & public interests (2017 WannaCry ransomware attacks).
◆ Private = affects individuals & subjects within 1 organisation (2022 ICRC data breach).
2. Incidental vs. intentional
◆ Incidental = NO malicious aim (2024 CrowdStrike incident). Although blurred lines
(i.e. can be used as an opportunity for other attackers to strike).
◆ Intentional = clear malicious & targeted intent (2016 NotPetya attack).
3. Operational vs. reputational
◆ Operational = affecting a system’s operations (2024 CrowdStrike incident).
◆ Reputational = influencing customers’ trust in the company (2018-2020 Vastaamo
data breach).
4. Harms IN vs. VIA cyberspace
◆ Harms IN cyberspace (2016 NotPetya attack).
◆ Harms VIA cyberspace = affecting knowledge & trust in institutions (2016 US Presidential
Elections).
5. Localised vs. widespread
◆ Localised = geographically-based at a specific location (2019 Baltimore ransomware).
◆ Widespread = worldwide impact (2017 WannaCry ransomware attacks).
Particularities different to traditional crises:
● Technical/technological complexity (difficulties for public understanding).
● Detection & visibility (typically remain undiscovered for a long time).
● Public perception (difficulties in public communication & understanding).
● Transboundary nature (widespread consequences).
Implications:
● Cyber crises are more complex & transboundary, less detectable & present more difficulties
in controlling public perception.
● Different expertise is required for preparation, detection & response (e.g. cybersecurity
training, Security Operation Centers, CERT/CSIRT, forensic/threat intelligence teams).
● Difficulties obtaining a shared situation awareness that leads to good decision-making.
● Communication strategies must be adapted & well-explained if action is needed.
● Coordination between different organisations & states.
Lecture 2: Crisis Management 101 (Chiara Anfuso)
Defining Crisis
How would you manage this situation? Is this scenario considered a crisis? Why/why not?
You are the Operations Manager for a regional hospital located in Dixham, a city along the coast.
A severe storm is expected to hit in the next 24 hours. Weather experts have warned that there is
a medium to high possibility that the storm could intensify into a Category 4 or 5 hurricane, but
its exact path & impact remain unclear. Your hospital is one of the few medical facilities in the
region that can provide emergency care & is currently treating several at-risk patients. Local
Authorities have begun issuing warnings & advising the population to remain home. You anticipate
possible staff shortages & restrictions to road access. Additionally, patients have started to
reach out with concerns about their safety.
Managing this situation:
● Classifying it as a crisis (trigger responses).
● House staff in the hospital.
● Focus on emergency & urgent care.
● Focus on pre- (before the hurricane hits) & post-crisis situations.
Crisis (Rosenthal et al.): “A serious threat to the basic structures or fundamental values and norms of
a social system, which, under conditions of time pressure and very uncertain circumstances,
demands critical decision-making.”
➔ Boin et al. = a crisis is a critical juncture (i.e. can change the way we approach it) in the life of
a system. Can be viewed as a:
○ Crisis (occurs when damage happens).
○ Window of opportunity = change something that does NOT currently work in
society, values & norms (i.e. climate change → more recycling).
Categorising crises:
● Basic locus of crisis:
○ Internal = starts from within the organisation. Viewed from the outside as the fault
of the organisation (e.g. reputational damage).
○ External = outside situations affecting the organisation (e.g. hurricane).
● Where the crisis hits:
○ Transboundary = happening at the same time crossing boundaries, jurisdictions,
states, regions & legislations (e.g. Syrian refugee crisis starts locally, before
escalating).
○ Cascading = more isolated domino effect (e.g. Fukushima disaster earthquake →
tsunami → nuclear accident).
● Perceived urgency:
○ Short-term = days, weeks or months.