INCLUDES notes from (Total: 85 pages):
● See * Summary List * on page 1.
Cyber Crisis Management and Resilience Notes on Readings
Table of Contents
* Summary List *
“Handbook of Disaster Research”
2 The Crisis Approach (Boin, Hart & Kuipers)
“Beyond Ones and Zeros: Conceptualizing Cyber Crises”
“Vulnerabilities and Cyberspace: A New Kind of Crises”
“Rumors, False Flags, and Digital Vigilantes: Misinformation on Twitter after the 2013 Boston Marathon Bombing”
“The Scourge of Ransomware: Victim Insights on Harms to Individuals, Organisations and Society”
“‘There was a bit of PTSD every time I walked through the office door’: Ransomware harms and the factors that influence the victim organization’s experience”
“Antecedents and consequences of data breaches: A systematic review”
“After the Crisis Comes the Blow – The Mental Impact of Ransomware Attacks”
“The Palgrave Handbook of International Cybercrime and Cyberdeviance”
12 Data Breaches and GDPR (Cortez)
“The new F-word: The case of fragmentation in Dutch cybersecurity governance”
“The E.U.’s Digital Operational Resilience Act: Cloud Services & Financial Companies”
“Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor”
“Getting ready for crises: Strategic excellence”
“A survey on technical threat intelligence in the age of sophisticated cyber attacks”
“Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives”
“Negotiations in Tech: An Analysis of Asymmetric Ransomware Negotiations”
“The perception of crisis, the existence of crisis: navigating the social construction of crisis”
“We’re sorry but it’s not our fault: Organizational apologies in ambiguous crisis situations”
“Apologize or justify? Examining the impact of data breach response actions on stock value of affected companies?”
““I don’t think we’re there yet”: The practices and challenges of organisational learning from cyber security incidents”
“Learning from cyber security incidents: A systematic review and future research agenda”
“Ransomware and the Robin Hood effect?: Experimental evidence on Americans’ willingness to support cyber‑extortion”
“Empirical Analysis of Data Breach Litigation”
* Summary List *
These notes include a summary of each of the following readings:
● Havidán Rodríguez, William Donner & Joseph E. Trainor’s (eds.) (2018) “Handbook of Disaster
Research”, chapter 2 (Arjen Boin, Paul ‘t Hart & Sanneke Kuipers).
● Maria F. Prevezianou’s article (2021) “Beyond Ones and Zeros: Conceptualizing Cyber Crises”.
● Bibi van den Berg & Sanneke Kuipers’ article (2022) “Vulnerabilities and Cyberspace: A New Kind of
Crises”.
● Kate Starbird, Jim Maddock, Mania Orand, Peg Achterman & Robert M. Mason’s article (2014)
“Rumors, False Flags, and Digital Vigilantes: Misinformation on Twitter after the 2013 Boston
Marathon Bombing”.
● Jamie MacColl, Pia Hüsch, Gareth Mott, James Sullivan, Jason R C Nurse, Sarah Turner & Nandita
Pattnaik’s occasional paper (2024) “The Scourge of Ransomware: Victim Insights on Harms to
Individuals, Organisations and Society”.
● Gareth Mott, Sarah Turner, Jason R.C. Nurse, Nandita Pattnaik, Jamie MacColl, Pia Huesch & James
Sullivan’s article (2024) “‘There was a bit of PTSD every time I walked through the office door’:
Ransomware harms and the factors that influence the victim organization’s experience”.
● Frederic Schlackl, Nico Link & Hartmut Hoehle’s article (2022) “Antecedents and consequences of data
breaches: A systematic review”.
● Northwave Cybersecurity’s summary (2022) “After the Crisis Comes the Blow – The Mental Impact of
Ransomware Attacks”.
● Thomas J. Holt & Adam M. Bossler’s (eds.) (2020) “The Palgrave Handbook of International Cybercrime
and Cyberdeviance”, chapter 12 (Elif Kiesow Cortez).
● Parto Mirzaei & Els De Busser’s article (2024) “The new F-word: The case of fragmentation in Dutch
cybersecurity governance”.
● Hal S. Scott’s report (2021) “The E.U.’s Digital Operational Resilience Act: Cloud Services & Financial
Companies”.
● Niels Vandezande’s article (2024) “Cybersecurity in the EU: How the NIS2-directive stacks up against its
predecessor”.
● Jaesub Lee, Jennifer H. Woeste & Robert L. Heath’s article (2007) “Getting ready for crises: Strategic
excellence”.
● Wiem Tounsi & Helmi Rais’ article (2017) “A survey on technical threat intelligence in the age of
sophisticated cyber attacks”.
● Kouassi Raymond Agbodoh-Falschau & Bako Harinivo Ravaonorohanta-Falschau’s article (2023)
“Investigating the influence of governance determinants on reporting cybersecurity incidents to police:
Evidence from Canadian organizations’ perspectives”.
● Juliette Faivre’s article (2023) “Negotiations in Tech: An Analysis of Asymmetric Ransomware
Negotiations”.
● Ralph A. Gigliotti’s article (2020) “The perception of crisis, the existence of crisis: navigating the social
construction of crisis”.
● Joshua M. Bentley, Kimberly R. Oostman & Sayyed Fawad Ali Shah’s article (2017) “We’re sorry but it’s
not our fault: Organizational apologies in ambiguous crisis situations”.
● Kristin Masuch, Maike Greve, Simon Trang & Lutz M. Kolbe’s article (2021) “Apologize or justify?
Examining the impact of data breach response actions on stock value of affected companies?”.
● Clare M. Patterson, Jason R.C. Nurse & Virginia N.L. Franqueira’s article (2024) ““I don’t think we’re
there yet”: The practices and challenges of organisational learning from cyber security incidents”.
● Clare M. Patterson, Jason R.C. Nurse & Virginia N.L. Franqueira’s article (2023) “Learning from cyber
security incidents: A systematic review and future research agenda”.
● Murat Haner, Melissa M. Sloan, Amanda Graham, Justin T. Pickett & Francis T. Cullen’s article (2023)
“Ransomware and the Robin Hood effect?: Experimental evidence on Americans’ willingness to
support cyber‑extortion”.
● Sasha Romanosky, David Hoffman & Alessandro Acquisti’s article (2014) “Empirical Analysis of Data
Breach Litigation”.
“Handbook of Disaster Research”
2 The Crisis Approach (Boin, Hart & Kuipers)
2.1 Introduction: Crisis & Disaster
Disaster: An event that causes human suffering & infrastructural damage. Previously predominant
focus on agents of destruction that fall into the category of natural forces (e.g. floods, hurricanes,
tsunamis). Recently a greater focus on “man-made” events (e.g. terrorism, ethnic conflicts,
economic breakdowns, technological failure).
➔ Researchers = interested in the prevention, mitigation & consequences of these events.
Crisis: A serious & existential threat to the system’s structures of fundamental values. The threat in
question may still be averted if people, communities, institutions, leaders or systems rise to the
challenge.
➔ Researchers = focus on a temporal slice of the process through which a disaster emerges &
eventually fades (i.e. the phase where intervention can still limit the effects of an emerging
or escalating incident).
2.2 The Nature of Crisis
Crisis combines the grave threat & the escape door:
● Vital decisions (by first responders, public managers & political leaders) have to be made
under time pressure & in highly uncertain circumstances, where essential information
(causes & consequences) remains unavailable, unreliable or incomplete.
● Allows for the comparison of a variety of adversity (e.g. natural disasters, financial
meltdowns).
3 key components:
1. Threat = crises occur when core values or life-sustaining systems of a community come
under threat.
2. Uncertainty = it is the perception of threat that matters (i.e. widespread fear will
force authorities to act).
3. Urgency = crises induce a sense of urgency & time compression (i.e. threat is here, real &
must be dealt with now). Threats that do NOT pose immediate problems (e.g. climate
change) do NOT induce a widespread sense of crisis.
A crisis is the product of shared perception (i.e. people do NOT always agree whether a threat exists,
whether it is urgent & what should be done to mend it).
2.3 The Ubiquity of Crisis
Crises = result of multiple causes, which interact over time to produce a threat with devastating
potential.
➔ Traditional logic = focuses on “triggers” & underlying causes.
➔ Linear thinking = emphasises the unintended consequences of increased complexity (“big
events must have big causes”), proposing that escalatory processes undermine a social
system’s capacity to cope with disturbances.