Exploring the information content of cyber breach reports and the relationship to internal controls
International Journal of Accounting Information Systems (IF 5.111), Pub Date: 2022-07-31, DOI: 10.1016/j.accinf.2022.100568
Benjamin Blakely, Jim Kurtenbach, Lovila Nowak

A number of institutions make reports available regarding the types, impacts, or origins of cybersecurity breaches. The information content of cyber breach reports is examined in light of Principle 15 of the 2017 Committee of Sponsoring Organizations Enterprise Risk Management (COSO ERM) information security control framework to understand the degree to which cyber breach reports reflect the established COSO internal control framework. This study utilizes the COSO ERM internal control framework to examine whether current cyber breach reports contain information that may influence a firm’s ability to assess substantial change within its industry due to external forces (COSO ERM Principle 15). As such, this study focuses on data breaches, a special type of cyber incident, which may result in the loss of confidential information. Cyber decision makers rely on this type of information to calibrate information security programs to ensure coverage of relevant threats and the efficient use of available funds. These reports may be used for the purposes of cybersecurity risk assessment and strategic planning. We compare, contrast, and analyze the reports to identify their utility in such contexts. We also provide an overview of the current cybersecurity reporting environment and suggest revisions to US national cyber policy with the intent of increasing the benefit to reporters and consumers of the data.

This study is focused on education as to the current structure of breach reporting based upon our review and synthesis of publicly-available breach reports.

In this study, we review nine (9) reports that meet four (4) criteria. We relate these criteria to the framework provided by COSO ERM Principle 15 by analyzing and placing the criteria into a taxonomy developed for this purpose. We analyze the degree to which the reports are complementary, reflect potential improvements of internal controls, and provide recommendations for ways in which these types of reports might be used by practitioners, while highlighting potential limitations. Our findings indicate that the sample reports contain little information that may be incorporated to improve the risk profile of an entity. We provide recommendations to improve the information content and timeliness of breach reports.




Updated: 2022-07-31