Strategic dilemmas when managing cyber attacks.

Cyber attacks have a significant business impact, with the potential to escalate into crises if poorly managed. A recurring pattern is strategic dilemmas that cannot be resolved satisfactorily. Some dilemmas are more pronounced, others less so, and therefore often catch decision-makers unprepared, leaving only bad options for decision-making. Something that all dilemmas have in common is that the associated decisions can have a lasting impact on relationships with stakeholders. This paper introduces four recurring dilemmas; shows the typical considerations; lists options for mitigating these dilemmas; and describes the basic requirements for implementing mitigations. The dilemmas and options, in turn, are rooted in the organisation-specific design of: cyber security incident management and response; IT service continuity and disaster recovery management; business continuity management; and crisis management and communication.

Effective crisis decision-making.

When an organisation's reputation is at stake, crisis decision-making (CDM) is challenging and prone to failure. Most CDM schemes are strong at certain aspects of the overall CDM process, but almost none are strong at all of them. This paper defines criteria for good CDM schemes, analyses common approaches and introduces an alternative, stakeholder-driven scheme. Focusing on the most important stakeholders and directing any actions to preserve the relationships with them is crucial. When doing so, the interdependencies between the stakeholders must be identified and considered. Without knowledge of the sometimes less than obvious links, wellmeaning actions can cause adverse effects, so a cross-check for the impacts of potential options is recommended before making the final decision. The paper also gives recommendations on how to implement these steps at any organisation in order to enhance the quality of CDM and thus protect the organisation's reputation.

Resilience and legislation: Will IT security legislation boost critical infrastructure resilience in Germany?

The German government is seeking to enhance the resilience of critical national infrastructures via its new IT Security Law. This paper analyses the content of the law, as well as the limitations and constraints arising from the conflicting interests of affected stakeholders. The paper also offers solutions to help the IT Security Law fulfil its potential despite the constraints.