From Breach to Breakthrough: Embedding Organisational Learning in Cyber Incident Management
- Emerging Risks Global
- Jul 28

Security has been defined as “the safety of an organisation, establishment, or building from espionage, criminal activity, illegal entrance or escape”. The term may be used to refer to encryption, or the state of being protected from unauthorised access and the risk of being intercepted (Oxford English Dictionary, 2025). The broad nature of these definitions prepares readers for the complexity which may be attached to the consideration of cyber security. Bay (2016) identifies the challenges in considering what should be captured by its meaning, when contributing to the pursuit of an agreed definition for cyber security. The author suggests that a definition should recognise the existence of a digital threat that can compromise assets and cause harm, from which organisations should be protected through the design and implementation of security systems. This view is supported by the National Institute of Standards and Technology (NIST) (2025), who state that cyber security refers to the “prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation”. NIST (2025) further describes cyber security as “the process of protecting information by preventing, detecting, and responding to attacks”. Such attacks or incidents are identified once a cyber event reaches pre-defined criteria, which are used to describe a level of impact upon “the availability, integrity or confidentiality of networks and information systems” (EU NIS Directive, 2018). Despite incidents being unavoidable (NIST, 2016), Onwubiko and Ouazzane (2020) suggest that many organisations fail to adopt incident management procedures which mitigate the risk of substantial damage and disruption taking place in the future.
This paper will identify and critique reasons why cyber incident investigations that include organisational learning are often not conducted by large organisations, before evaluating incident response practices and presenting recommendations for encouraging organisational learning.
Recognising the potential impact of cyber incidents upon critical infrastructure, an executive order was signed by the US President in 2013, which directed NIST to develop and share a cyber security best practice framework (Romanosky, 2016). In response, NIST’s Incident Reporting and Investigation Program has provided access to “policies, procedures, and tools for reporting safety incidents, conducting investigations of their causes, and implementing corrective actions to prevent recurrence” (NIST, 2023). Such resources are available to organisations of all sizes, including large ones, which Companies House (2024) describes as having more than 250 employees, an annual turnover of more than £36 million and a balance sheet total of more than £18 million. Despite recognition of the importance of cyber security, early research indicated that many organisations, including nearly 90 percent of financial organisations, suggested that they could not afford to investigate cyber-crimes themselves (Bequai, 1998). This was supported by a report by the US Government Accountability Office (2014), which found that fewer than ten percent of federal agencies possessed the ability to investigate cyber incidents.
The identified gaps in the cyber security structure of some organisations may limit the potential opportunity for lessons to be learned, which may otherwise reduce the risk of future events and incidents occurring and having a detrimental impact. The importance of including a lessons learnt phase is emphasised by its inclusion in ISO/IEC 27035–1:2023 Information technology — Information Security Incident Management, a document which acts to provide an internationally agreed approach towards best practice. Prastowo and Sudiana (2024) praise the standard for offering an opportunity to make improvements to the information security incident management plan and documentation, based on the findings of the lessons learned phase. Although the standard aims to encourage organisations to look for opportunities to improve their security risk and incident management processes, Patterson, Nurse and Franqueira (2023) identify a limitation in the standard’s approach and that of NIST 800–61, the Computer Security Incident Handling Guide (2012), in failing to provide detailed information on organisational learning, which may limit the benefits of post-incident activities. While Patterson et al. (2023) and Ahmad et al. (2020) criticise the standard for failing to provide readers with details about organisational learning, the present paper contends that the standard can act as an exemplar to other incident management procedures, by encouraging them to include a lessons learnt phase, which may offer opportunities for some improvements to take place.
While Argyris and Schön (1978) suggest that organisational learning can take place on multiple levels, Patterson et al. (2023) contend that there is an absence of agreement over a definition for the term. This is despite the recognised importance of organisations learning from cyber security incidents, in order to reduce their frequency and impact (Connolly & Wall, 2019). Argyris and Schön (1978) propose that single-loop learning initially takes place, which involves the correction of identified deviations and discrepancies. The next level of learning is double-loop learning, which requires organisations to reflect upon practices, adapting their aims and objectives in response to the discovery of unexpected and undesired outcomes. Schön (1983; 1987) holds that reflective practice can involve reflection-in-action and reflection-on-action. This requires practitioners to reflect upon activities while performing them or after an activity, in order to review previous actions with the aim of developing an understanding of decisions made during an activity and performance. The reflection on activity experience bears similarity to the definition of organisational learning proposed by Argote (2012) and Argote and Ophir (2017), who also emphasise the importance of experiential learning in developing an organisation’s knowledge. Given the importance of organisational learning proposed by researchers (Crossan et al., 1995) and discussed in a number of reviews of the topic (Curado, 2006; Wang & Ahmed, 2003), it may be valid to consider why it may not be conducted during investigations, despite the increase in cyber security incidents.
The National Cyber Security Centre (2022) released a report in 2022 outlining the findings of the survey of 1200 businesses and charities, which identified that approximately half of the contributors had suffered from a cyber security incident during the course of the previous year. This may not be surprising and should be expected to increase, as organisations and societies increasingly rely upon services and systems which are integrated through digital infrastructure and communications (McLennan, 2022). Emphasising the impacts upon financial services, Adejumo and Ogburie (2025) stress how the increased adoption of digital technologies, which has enabled online banking, digital payments and the use of digital currencies, has potentially increased the risk of cyber enabled and cyber dependent attacks. The potential anonymity offered by operating in cyberspace (Balleste, 2025; Pati, 2025) and the vast vulnerabilities which exist across systems (Adejumo & Ogburie, 2025) may have provided threat actors of varied capabilities who are motivated to conduct nefarious activities with the opportunity to conduct them, while believing that they will avoid sanctions or retribution. The wide choice of attack vectors available to actors, including ransomware, denial of service, man in the middle, insider threats, phishing and malware attacks, alongside the increased availability of Artificial Intelligence (AI) and Machine Learning (ML) tools, may have contributed to the increased frequency of cyber security incidents (Khan et al., 2025). Although both tools may improve the ability to detect threats, to identify vulnerabilities and to automate security responses, AI and ML may have enabled less capable Threat Actors to design and conduct offensive operations they weren’t previously capable of, through exploiting vulnerabilities in cyber security defence systems (Adejumo & Ogburie, 2025; Coppolino et al., 2025).
This has introduced a significant risk to the cybersecurity of organisations, as an integration of AI and ML may enable Threat Actors to overcome or bypass security systems. Having recognised this shift in the threat landscape and the expectation that this will increase the frequency of attacks and cyber security incidents, organisations may benefit from reviewing their incident management and investigation processes.
The UK government offers guidance on what a cyber incident is and how to report it, signposting individuals and organisations towards the National Cyber Security Centre (NCSC) (HM Government, 2022). The NCSC Incident Management team is responsible for responding to serious cyber incidents, conducting triage and responding as needed. This collaborative relationship between public and private sector organisations helps both to understand and manage incidents and to increase their understanding of the tactics and procedures of Threat Actors. Under provisions eleven and twelve of the Network and Information Systems Regulations (2018), organisations which are classed as ‘relevant digital service providers’ (RDSPs) must report any incident which has an ‘actual adverse effect on the security of network and information systems’ to the Information Commissioner’s Office, no later than seventy-two hours after becoming aware of it. Organisations which are not classed as RDSPs, but are ‘operators of essential services’ (OES), are required to notify their sector relevant competent authorities. Provision twelve (5) specifies that notifications must include details about the nature and impact of an incident, which would require organisations to have conducted some analysis of an incident and potentially investigations to determine its root causes, which may offer opportunities to learn from incidents and to reduce the risk of reoccurrence.
The legislative requirement to report cyber incidents is a strategic security risk management approach adopted by numerous countries, with examples including the NIS1 Directive EU 2016/1148, the NIS2 Directive EU 2022/2555, GDPR (2018), the UK Data Protection Act (2018) and the USA’s Cybersecurity Information Sharing Act (S.2588/2015) (Christou, 2016; Cram & Mouajou-Kenfack, 2022). Busetti and Scanni (2025) identify the importance that NIST places on incident reporting, calling it “the most important aspect of incident response coordination” (NIST, 2012, p. 45), and reference authors who have also suggested its importance in improving future mitigation strategies (Johnson & Chris, 2015; Khurana et al., 2009). Dunsin et al. (2025) further stress the importance of post-incident investigations, particularly given the damage incidents can cause and the increased prevalence of malicious software. Referencing Quertier et al. (2022), Dunsin et al. (2025) record that AV-TEST estimates that approximately 450,000 new malware instances are identified on a daily basis, which requires the conduct of effective investigations in order to mitigate the harmful risks they could result in. Despite this need, Busetti and Scanni (2025) identify a lack of evidence as to whether incident reporting is effective. Attempting to respond to this research gap, the authors performed a theory-based evaluation of incident reporting, identifying its effectiveness in serving as an indicator of incident occurrence, yet recognised a limitation in linking investigation findings with post-incident learning.
The lack of detail about learning is emphasised in the findings of Patterson et al. (2023), who also identify the absence of studies which have considered the learning opportunities offered by cyber security incident management approaches (Grispos et al., 2014; Line & Albrechtsen, 2016). It could be suggested that the gap identified by Patterson et al. (2023) in both ISO/IEC 27035 and NIST 800–61 may have influenced the lack of focus upon organisational learning in both post-incident investigations and the academic literature which has considered the area. This situation could in itself result in a feedback loop which, without a fundamental change, would continue to ignore the opportunities for organisational learning. It is suggested that Patterson et al. (2023) have made a positive contribution in attempting to shift the direction of current practice.
While recognising that Argyris (1976) was not referring to post-incident learning, Patterson et al. (2023) refer to this early writing when emphasising the role of people in organisational learning. The author proposes that greater learning could take effect within an organisation, should double-loop learning occur, whereby organisations consider what factors may have contributed to an incident occurring, in addition to the direct causes of it. Such reflections may identify wider organisational challenges, such as policy or human factors, which may have had an aggravating effect on the cause of an incident. Through identifying and managing these factors, organisations may reduce the risk of future recurrence. Patterson et al. (2023) refer to a body of work which has considered the positive effects of double-loop learning (Ahmad et al., 2015; Zietsma et al., 2002) and identify how the approaches have been adopted by some cyber security researchers (Ahmad et al., 2020; Shedden et al., 2010; Shedden et al., 2011), but concede that organisations have been provided with little guidance on how best to encourage organisational learning. This view is supported by Van der Kleij et al. (2017), who also hold the view that Cyber Security Incident and Response Teams do not effectively learn from incidents, endorsing the findings of Tatu et al. (2018), who suggest that the incorporation of lessons learnt practices may improve the overall security awareness of organisations. Despite this, some organisations may not culturally prioritise organisational learning or see the benefits of conducting cyber security investigations in order to understand the underlying causes of incidents (Bartnes et al., 2016).
Organisational culture has been defined by McLean and Marshall (1993, p.1) as “the collection of traditions, values, policies, beliefs, and attitudes that constitute a pervasive context for everything we do and think in an organisation”. Reflecting the roots of this definition, the NCSC (2023) describes security culture as the “values that determine how people are expected to think about and approach security in an organisation”. The level of security mindedness and vigilance displayed by individuals within an organisation may influence the frequency of security incidents that occur, particularly through the key threat vectors of phishing, malicious and inadvertent insiders and human errors in system configuration (Coffey, 2017; Desolda et al., 2021). The existence of an inappropriate culture situated within an increasingly digital environment may contribute to the increased frequency of incidents, as well as fail to see the potential benefits in conducting effective investigations which result in organisational learning. A workforce which does not view security as a business enabler, may not value taking the time to perform the reflective learning which is associated with double-loop learning.
The identification of the critical role that people play is appropriate, given the view that organisational learning involves knowledge development and sharing between individuals, groups and larger organisations (Kim, 1993; Schein, 1993). The effective integration and institutionalisation of learning at an organisational level (Crossan et al., 1995) is reliant upon the existence of an organisational culture which welcomes and encourages learning (Cook & Yanow, 1993; DeLong & Fahey, 2000). Cultures which encourage the development of close relations between individuals, trust and participation have been associated with positive learning (Cameron & Quinn, 2011; Hartnell et al., 2011; Kostova, 1999). Such positive ‘clan’ cultures may encourage organisation members to view information generated during post incident investigations to be important, valid and useful (Oh & Han, 2020). People are more likely to generate new knowledge and to share findings with each other, thereby encouraging organisational learning, contrary to the concerns raised by Bartnes et al. (2016), regarding organisations who may not prioritise organisational learning. Having suggested reasons for the increased frequency of cyber incidents, the role that people may play in causing them and the limiting effect they may have upon investigations and the organisational learning opportunities they offer, this paper will now conclude by making recommendations for how incident response management practices can be adapted to bring about organisational learning in broader contexts so as to protect organisations from future attacks.
It is suggested that, reflecting best practice, ISO 27035 may be the appropriate vehicle for incorporating the findings of literature which has acknowledged the importance of organisational learning, alongside Incident Management procedures. As proposed by Ahmad et al. (2020), organisations could avoid lost opportunities to respond to security incidents and to identify risks, if double-loop learning takes place at a strategic level, so that the root causes of incidents are mitigated and security strategies optimised. The inclusion of coordinated reflective learning periods may support the knowledge generated and shared during the lessons learnt phases of incident management procedures. Accepting the important influence of culture improvements on organisational performance (Akpa et al., 2021; Awadh & Saad, 2013), it is the additional suggestion of the present paper to encourage the development of positive security cultures in concert with the review of strategies and the development of incident management processes. Efforts to improve the relations between organisation members will have an influence on organisational learning broader than security, potentially improving organisational safety and operational effectiveness (Granerud & Rocha, 2011; Johnsen & Håbrekke, 2008).
Arguably offering the greatest impact on organisational learning, organisations could develop policies and approaches which incorporate reflective learning phases within a coordinated lessons learnt phase. In addition, to counter the limitation identified by Patterson et al. (2023), who suggest that standards may assume that organisations possess the capability to identify lessons without guidance, it is the recommendation of the present article that concerted efforts to improve organisational cultures are made so as to encourage an openness to knowledge development and sharing, alongside the inclusion of reflective learning periods. This would further support organisations to evaluate and improve information sharing activities during a coordinated learning phase of incident response practices.
References
Adejumo, A. & Ogburie, C. (2025). The role of cybersecurity in safeguarding finance in a digital era. World Journal of Advanced Research and Reviews, 25.
Ahmad, A., Maynard, S. B. & Shanks, G. (2015). A case analysis of information systems and security incident responses. International Journal of Information Management, 35(6), 717–723.
Ahmad, A., Desouza, K. C., Maynard, S. B., Naseer, H., & Baskerville, R. L. (2020). How integration of cyber security management and incident response enables organisational learning. Journal of the Association for Information Science and Technology, 71(8), 939–953.
Akpa, V. O., Asikhia, O. U. & Nneji, N. E. (2021). Organisational culture and organizational performance: A review of literature. International Journal of Advances in Engineering and Management, 3(1), 361–372.
Argote, L. (2012). Organisational learning: Creating, retaining and transferring knowledge. Springer Science & Business Media.
Argote, L. & Ophir, R. (2017). Intraorganisational learning. The Blackwell companion to organisations, 181–207.
Argyris, C. (1976). Theories of action that inhibit individual learning. American Psychologist, 31(9), 638.
Argyris, C. & Schon, D. (1978). Organisational learning: A theory of action perspective. Addison-Wesley.
Awadh, A. M. & Saad, A. M. (2013). Impact of organisational culture on employee performance. International Review of Management and Business Research, 2(1), 168–175.
Balleste, R. (2025). Cyberspace domain and legal norms. In A Research Agenda for Cybersecurity Law and Policy (pp. 5–32). Edward Elgar Publishing.
Bartnes, M., Moe, N. B. & Heegaard, P. E. (2016). The future of information security incident management training: A case study of electrical power companies. Computers & Security, 61, 32–45.
Bay, M. (2016). What is cybersecurity. French Journal for Media Research, 6, 1–28.
Bequai, A. (1998). A guide to cyber-crime investigations. Computers & Security, 17, 579–482.
Busetti, S. & Scanni, F. M. (2025). Evaluating incident reporting in cybersecurity. From threat detection to policy learning. Government Information Quarterly, 42(1), 102000.
Cameron, K. S. & Quinn, R. E. (2011). Diagnosing and changing organizational culture: Based on the competing values framework. John Wiley & Sons.
Christou, G. (2016). Cybersecurity in the European Union: Resilience and adaptability in governance policy. Springer.
Coffey, J. W. (2017). Ameliorating sources of human error in cybersecurity: technological and human-centered approaches. In The 8th International Multi-Conference on Complexity, Informatics, and Cybernetics, Pensacola (pp. 85–88).
Companies House. (2024). Companies House Accounts Guidance. https://www.gov.uk/government/publications/life-of-a-company-annual-requirements/life-of-a-company-part-1-accounts
Congress. (2014). S.2588 — Cybersecurity Information Sharing Act of 2014. Retrieved April 2, 2025, from https://www.congress.gov/bill/113th-congress/senate-bill/2588
Connolly, L. Y. & Wall, D. S. (2019). The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Computers & Security, 87, 101568.
Cook, S. D. & Yanow, D. (1993). Culture and organizational learning. Journal of management inquiry, 2(4), 373–390.
Coppolino, L., D’Antonio, S., Mazzeo, G. & Uccello, F. (2025). The good, the bad, and the algorithm: The impact of generative AI on cybersecurity. Neurocomputing, 623, 129406.
Cram, W. A. & Mouajou-Kenfack, R. (2023). Show-and-tell or hide-and-seek? Examining organisational cybersecurity incident notifications. Organisational Cybersecurity Journal: Practice, Process and People, 3(1), 1–17.
Crossan, M. M., Lane, H. W., White, R. E. & Djurfeldt, L. (1995). Organisational learning: Dimensions for a theory. The International Journal of Organisational Analysis, 3(4), 337–360.
Curado, C. (2006). Organisational learning and organisational design. The Learning Organization, 13(1), 25–48.
De Long, D. W. & Fahey, L. (2000). Diagnosing cultural barriers to knowledge management. Academy of Management Perspectives, 14(4), 113–127.
Desolda, G., Ferro, L. S., Marrella, A., Catarci, T. & Costabile, M. F. (2021). Human factors in phishing attacks: a systematic literature review. ACM Computing Surveys (CSUR), 54(8), 1–35.
Dunsin, D., Ghanem, M. C., Ouazzane, K. & Vassilev, V. (2025). Reinforcement learning for an efficient and effective malware investigation during cyber incident response. High-Confidence Computing, 100299.
European Union. (2016) General Data Protection Regulation. Official Journal of the European Union, 49: L119.
European Union. (2022). NIS 2 Directive. Retrieved April 2, 2025, from https://eur-lex.europa.eu/eli/dir/2022/2555/oj
Granerud, R. L. & Rocha, R. S. (2011). Organisational learning and continuous improvement of health and safety in certified manufacturers. Safety Science, 49(7), 1030–1039.
Grispos, G., Glisson, W. B. & Storer, T. (2014). Rethinking security incident response: The integration of agile principles. arXiv preprint arXiv:1408.2431.
Hartnell, C. A., Ou, A. Y. & Kinicki, A. (2011). Organizational culture and organizational effectiveness: a meta-analytic investigation of the competing values framework’s theoretical suppositions. Journal of Applied Psychology, 96(4), 677.
HM Government. (2018). Data Protection Act 2018. Retrieved April 2, 2025, from http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
HM Government. (2022). Where to report a cyber security incident. Retrieved April 2, 2025, from https://www.gov.uk/guidance/where-to-report-a-cyber-incident
International Standards Organisation. (2023). ISO/IEC 27035–1:2023 Information Technology — Information Security Incident Management.
Johnsen, S. O. & Håbrekke, S. (2008). Can organisational learning improve safety and resilience during changes?. In Safety, Reliability and Risk Analysis (pp. 843–850). CRC Press.
Johnson, C. (2015). Architectures for cyber-security incident reporting in safety-critical systems. Disaster Management: Enabling Resilience, 127–141.
Khan, M. I., Arif, A., Khan, A. R. A., Anjum, N. & Arif, H. (2025). The Dual Role of Artificial Intelligence in Cybersecurity: Enhancing Defence and Navigating Challenges. International Journal of Innovative Research in Computer Science and Technology, 13(1), 62–67.
Khurana, H., Basney, J., Bakht, M., Freemon, M., Welch, V. & Butler, R. (2009, April). Palantir: a framework for collaborative incident response and investigation. In Proceedings of the 8th Symposium on Identity and Trust on the Internet (pp. 38–51).
Kim, D. H. (1993) The link between individual and organisational learning. Sloan Management Review, 35(1), 37–50.
Kostova, T. (1999). Transnational transfer of strategic organizational practices: A contextual perspective. Academy of Management Review, 24(2), 308–324.
Line, M. B. & Albrechtsen, E. (2016). Examining the suitability of industrial safety management approaches for information security incident management. Information & Computer Security, 24(1), 20–37.
McLean, A. & Marshall, J. (1993). Intervening in cultures. University of Bath.
McLennan, M. (2022). The global risks report 2022 17th edition. Cologny, Switzerland: World Economic Forum.
National Cyber Security Centre. (2022). Cyber Security Breaches Survey 2022. Retrieved April 2, 2025, from https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022
National Cyber Security Centre. (2023). Developing a Positive Cyber Security Culture. Retrieved April 2, 2025, from https://www.ncsc.gov.uk/collection/board-toolkit/principle-c-people/developing-a-positive-cyber-security-culture
National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (NIST Special Publication 800–61, Revision 2).
National Institute of Standards and Technology. (2016). Special Publication 800–184, “Guide for Cybersecurity Event Recovery”, 10.6028/NIST.SP.800–184
National Institute of Standards and Technology. (2023). Incident Reporting and Investigation. https://www.nist.gov/oshe/safety-programs/incident-reporting-and-investigation
National Institute of Standards and Technology. (2025). Cyber Security. Retrieved April 2, 2025, from https://csrc.nist.gov/glossary/term/cybersecurity.
Network & Information Systems Regulations (NIS Regulations) 2018. https://www.gov.uk/government/collections/nis-directive-and-nis-regulations-2018
Onwubiko, C. & Ouazzane, K. (2020). SOTER: A playbook for cybersecurity incident management. IEEE Transactions on Engineering Management, 69(6), 3771–3791.
Oxford English Dictionary. (2025). Security. In Oxford English Dictionary. Retrieved April 2, 2025, from https://www.oed.com/dictionary/security_n?tab=meaning_and_use#23686332
Pati, R. (2025). Regulating terrorist activity in cyberspace: issues at stake. In A Research Agenda for Cybersecurity Law and Policy (pp. 125–146). Edward Elgar Publishing.
Patterson, C. M., Nurse, J. R. & Franqueira, V. N. (2023). Learning from cyber security incidents: A systematic review and future research agenda. Computers & Security, 132, 103309.
Prastowo, S. L. & Sudiana, D. (2024). Recommendations for a Framework for Handling Security Incidents of Electronic-Based Government Systems (SPBE) using the ISO/IEC 27035: 2023 Standard. JINAV: Journal of Information and Visualization, 5(1), 107–114.
Quertier, T., Marais, B., Morucci, S. & Fournel, B. (2022). MERLIN — Malware Evasion with Reinforcement LearnINg. arXiv preprint arXiv:2203.12980.
Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121–135.
Schein, E. H. (1993). On dialogue, culture, and organizational learning. Organisational Dynamics, 22(2).
Shedden, P., Ahmad, A. & Ruighaver, A. B. (2010). Organisational learning and incident response: promoting effective learning through the incident response process. In Proceedings of the 8th Australian Information Security Management Conference (pp. 139–150). Perth, Australia: Edith Cowan University.
Shedden, P., Scheepers, R., Smith, W. & Ahmad, A. (2011). Incorporating a knowledge perspective into security risk assessments. Vine, 41(2), 152–166.
Schön, D. (1983). The Reflective Practitioner: How Professionals Think in Action. Basic Books.
Schön, D. A. (1987). Educating the reflective practitioner: Toward a new design for teaching and learning in the professions. Jossey-Bass.
Tatu, T., Ament, C. & Jaeger, L. (2018). Lessons learned from an information security incident: a practical recommendation to involve employees in information security. Proceedings of the 51st Hawaii International Conference on System Sciences.
US Government Accountability Office (GAO). (2014). Information Security: Agencies need to improve cyber incident response practices (GAO-14–354). Retrieved April 2, 2025, from http://www.gao.gov/products/GAO-14-354.
Van der Kleij, R., Kleinhuis, G. & Young, H. (2017). Computer security incident response team effectiveness: A needs assessment. Frontiers in Psychology, 8, 2179.
Wang, C. L. & Ahmed, P. K. (2003). Organisational learning: a critical review. The Learning Organisation, 10(1), 8–17.
Zietsma, C., Winn, M., Branzei, O. & Vertinsky, I. (2002). The war of the woods: Facilitators and impediments of organisational learning processes. British Journal of Management, 13(S2), S61-S74.