Further Reading: When Things Go Wrong: Breach Response and Crisis Ethics
The sources below provide deeper engagement with the themes introduced in Chapter 30, including breach anatomy, incident response planning, notification law, crisis communication, ethical obligations in breach response, and post-incident learning. Annotations describe what each source covers and why it is relevant.
Incident Response Frameworks
National Institute of Standards and Technology. "Computer Security Incident Handling Guide." NIST Special Publication 800-61 Revision 2. August 2012. The foundational US government guide for incident response planning. SP 800-61r2 organizes response into a four-phase lifecycle: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. The six-phase sequence used throughout this chapter (preparation, detection, containment, eradication, recovery, lessons learned) is the same lifecycle with the third phase split into its three steps, and matches the SANS handbook cited below. While written for federal agencies, the framework is widely adopted in the private sector. The guide provides practical, detailed guidance on team composition, escalation procedures, evidence handling, and post-incident review. Essential reference for anyone designing or evaluating an incident response plan. Note that NIST published Revision 3 in April 2025, which reframes the guidance around the Cybersecurity Framework 2.0 functions; the Revision 2 phase model cited here remains the one embedded in most existing plans and in the chapter.
Cichonski, Paul, Tom Millar, Tim Grance, and Karen Scarfone. "Computer Security Incident Handling Guide." NIST SP 800-61r2. August 2012. The same NIST publication, cited here by its authors. The guide's appendices include incident handling scenarios written for exercises, a list of incident-related data elements a team should record, and pointers to federal incident response resources. The scenario appendix is particularly useful for the tabletop exercise design in Exercise E.3.
SANS Institute. "Incident Handler's Handbook." SANS Reading Room, 2011. A practitioner-oriented guide to incident handling that complements NIST's framework with tactical advice. Its six steps (preparation, identification, containment, eradication, recovery, lessons learned) are the origin of the six-phase model most practitioners use and that this chapter follows. The handbook is widely used in security operations training and provides step-by-step procedures for each phase. Relevant for students seeking the operational details behind the frameworks described in Section 30.2.
Breach Notification Law
Solove, Daniel J., and Woodrow Hartzog. "The FTC and the New Common Law of Privacy." Columbia Law Review 114, no. 3 (2014): 583-676. A comprehensive analysis of how the Federal Trade Commission has shaped US privacy and data security law through enforcement actions, including breach notification expectations. Solove and Hartzog argue that the FTC's consent decrees have created a de facto common law of privacy. Directly relevant to understanding the regulatory landscape for breach response in the US, where no comprehensive federal breach notification law exists.
European Parliament and Council. "General Data Protection Regulation (GDPR)." Regulation (EU) 2016/679. Articles 33-34. The primary legal text governing breach notification in the EU and EEA. Article 33 requires the controller to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; Article 33(5) separately requires the controller to document every personal data breach, notified or not, so that the authority can verify compliance. Article 34 requires notification to data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms, with exceptions (for example, where the affected data was rendered unintelligible by encryption). Recitals 85-88 provide interpretive guidance on what constitutes "awareness" of a breach (the event that starts the clock) and what qualifies as "high risk." Essential reference for the notification framework discussed in Section 30.3.
Romanosky, Sasha. "Examining the Costs and Causes of Cyber Incidents." Journal of Cybersecurity 2, no. 2 (2016): 121-135. An empirical analysis of the causes and costs of data breaches using data from the Privacy Rights Clearinghouse and Advisen cyber loss databases. Romanosky finds that the average cost of a breach is lower than commonly reported but that costs vary dramatically by breach type, industry, and response quality. Useful for grounding the chapter's discussion of breach costs in empirical data rather than vendor-sponsored estimates.
Crisis Communication
Coombs, W. Timothy. Ongoing Crisis Communication: Planning, Managing, and Responding. 5th ed. Sage Publications, 2019. The leading academic textbook on crisis communication, grounded in Situational Crisis Communication Theory (SCCT). Coombs provides a research-based framework for matching communication strategies to crisis types. His analysis of how organizational reputation affects stakeholder attributions during crises directly informs the communication principles in Section 30.4.2. The book's case studies offer rich comparisons to the breach communication examples in this chapter.
Seeger, Matthew W. "Best Practices in Crisis Communication: An Expert Panel Process." Journal of Applied Communication Research 34, no. 3 (2006): 232-244. A study that synthesized expert opinion to identify best practices in crisis communication. The resulting principles -- including the emphasis on being first, being honest, and being victim-centered -- directly informed the crisis communication framework in Section 30.4.2. Seeger's emphasis on the ethical dimensions of crisis communication (not just the strategic ones) aligns with the chapter's argument that communication is an ethical obligation, not just a reputation management tool.
Breach Case Studies
Riley, Michael, Benjamin Elgin, Dune Lawrence, and Carol Matlack. "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It." Bloomberg Businessweek, March 13, 2014. The definitive investigative account of the Target breach, based on extensive reporting and internal sources. The article reveals the specific sequence of events -- from the HVAC vendor compromise to the ignored FireEye alerts to the external discovery by law enforcement -- in granular detail. Essential reading for the Target case study (Section 30.8.1 and Case Study 01). The article's central finding -- that Target had the tools to stop the breach and failed to use them -- illustrates the chapter's argument about the gap between technical capability and organizational governance.
United States Senate Committee on Commerce, Science, and Transportation. "A 'Kill Chain' Analysis of the 2013 Target Data Breach." March 26, 2014. A congressional analysis that traces the Target breach through the "kill chain" -- the sequence of steps an attacker takes from initial reconnaissance to data exfiltration. The report identifies specific points at which the breach could have been prevented and makes recommendations for policy and industry practice. Provides the authoritative governmental perspective on the Target incident and its implications for retail cybersecurity.
Krebs, Brian. "Sources: Target Investigating Data Breach." KrebsOnSecurity, December 18, 2013. The original public disclosure of the Target breach, published by security journalist Brian Krebs before Target's own announcement. Krebs's role in the Target case -- breaking the story before the company was ready to disclose -- illustrates the "be first" principle of crisis communication: when organizations do not disclose proactively, journalists and researchers will disclose for them, eliminating the organization's ability to control the narrative.
Ethics of Breach Response
Yaghmaei, Emad, Ibo van de Poel, Markus Christen, Bert Gordijn, Nadine Kleine, Michele Loi, Gwenyth Morgan, and Aimee van Wynsberghe. "Canvas White Paper 1: Cybersecurity and Ethics." SSRN Electronic Journal, 2017. A systematic analysis of the ethical dimensions of cybersecurity, including breach response. The authors examine cybersecurity through multiple ethical frameworks -- consequentialism, deontology, virtue ethics, and care ethics -- and argue that cybersecurity decisions are fundamentally ethical decisions, not merely technical ones. Directly relevant to Section 30.5's argument that ethical obligations in breach response exceed legal requirements.
Held, Virginia. The Ethics of Care: Personal, Political, and Global. Oxford University Press, 2006. The foundational text on care ethics as a comprehensive moral theory. Held argues that care -- attentiveness to vulnerability, responsiveness to need, and the maintenance of relationships -- should be central to ethical reasoning, not peripheral. The book provides the theoretical framework for Section 30.5.3's application of care ethics to breach response: treating affected individuals as people to be cared for, not risks to be managed.
Nissenbaum, Helen. Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford University Press, 2010. Nissenbaum's theory of contextual integrity provides a framework for understanding why data breaches are harmful: they violate the informational norms that govern how data flows within specific social contexts. Patient medical data shared with a healthcare provider flows within a context of clinical care; when that data is exposed through a breach, the contextual norms are violated. This framework helps explain why breach harm is not reducible to financial loss -- it is a violation of the social fabric that governs information sharing.
Post-Incident Learning
Dekker, Sidney. The Field Guide to Understanding 'Human Error.' 3rd ed. CRC Press, 2014. A foundational text on systems-based approaches to failure analysis. Dekker argues that "human error" is never a root cause -- it is a symptom of systemic conditions that made the error possible. His framework for "just culture" (distinguishing between systemic failures and genuine negligence) directly informs the blameless postmortem methodology described in Section 30.6.1. Essential reading for anyone designing post-incident review processes.
Hollnagel, Erik. Safety-I and Safety-II: The Past and Future of Safety Management. CRC Press, 2014. Hollnagel proposes a paradigm shift in safety thinking: from Safety-I (focused on preventing things from going wrong) to Safety-II (focused on understanding why things usually go right). Applied to cybersecurity, this means studying successful defenses as well as failures. The Safety-II framework complements the root cause analysis in Section 30.6.2 by encouraging organizations to understand their resilience factors, not just their vulnerabilities.
IBM Security. Cost of a Data Breach Report 2025. IBM, 2025. IBM's annual analysis of breach costs, conducted with Ponemon Institute and based on data from hundreds of breached organizations worldwide. The figures cited throughout this chapter (a global average breach cost of roughly $4.8 million and a mean time to identify a breach of 194 days) match the 2024 edition; the 2025 edition reports a lower global average (about $4.4 million) and a combined mean time to identify and contain of 241 days, so check any quoted statistic against the edition actually cited. Note also that IBM's "mean time to identify" counts only detection, not containment, and that the US average is roughly double the global figure. Both editions report that organizations with tested incident response plans and dedicated teams reduce breach costs significantly, and document the cost-reducing effect of speed in detection and response. While vendor-sponsored and subject to methodological critique (self-selected sample, activity-based cost estimation), this report is the most widely cited source for breach cost data and provides useful benchmarks for organizational planning.
These readings span from operational frameworks (NIST incident handling) to legal analysis (GDPR notification, FTC enforcement) to ethical theory (care ethics, contextual integrity) to organizational learning (blameless postmortems, systems thinking). Effective breach response requires fluency across all these dimensions -- the technical skills to contain a breach, the legal knowledge to navigate notification requirements, the ethical judgment to exceed legal minimums, and the organizational wisdom to learn from failure.