Top

Published in:

2024 | OriginalPaper | Chapter

7. Sichere Digitalwirtschaft

Cyber-Sicherheit, mehr als nur Technik

Author : Tom F. Hofmann

Published in: Digitalwirtschaft

Publisher: Springer Fachmedien Wiesbaden

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Zusammenfassung

Cybersicherheit ist ein elementarer Bestandteil jeder Organisation. Trotz dieser Feststellung sehen wir seit Jahren einen Anstieg der Vorfälle. Technik allein scheint nicht die Lösung zu sein, die Herausforderungen im Aufbau und Betrieb von Cybersicherheit sind sehr viel komplexer. Dieses Kapitel adressiert die Grundlagen des Aufbaus einer gesamtheitlichen Cybersicherheit, darunter die richtige Definition der CISO-Rolle, den Faktor Mensch in der Cybersicherheit, sowie alternative Lösungswege und -ansätze für Organisationen. Hierzu verknüpfe ich Organisationsdesign, Sozialwissenschaft und Human-Centered-Design und liefert den Lesenden konkrete Beispiele und Vorlagen.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Vertrauen

next chapter Nachhaltige Digitalwirtschaft

Ackoff, Russell L. (1979). „The future of operational research is past“. Journal of the operational research society, 30(2), 93–104.

Ackoff, R. L. (1994). Systems thinking and thinking systems. System Dynamics Review, 10(2–3), 175–188. https://doi.org/10.1002/sdr.4260100206CrossRef

Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98, 102003. https://doi.org/10.1016/j.cose.2020.102003CrossRef

Andress, A. (2003). Surviving security: How to integrate people, process, and technology (2. Aufl.). Auerbach Publications. https://doi.org/10.1201/9780203501405CrossRef

Arntz, P. (2022, March 15). Stolen Nvidia certificates used to sign malware – Here’s what to do. Malwarebytes. https://web.archive.org/web/20230225215449/https://www.malwarebytes.com/blog/news/2022/03/stolen-nvidia-certificates-used-to-sign-malware-heres-what-to-do. Zugegriffen am 26.04.2024.

Arwinge, O., & Olve, N.-G. (2017). Three lines of defense for organizing risk management. In Bank regulation (S. 284–309). Routledge.CrossRef

Axelos. (2023). ITIL | IT Service Management | Axelos. https://www.axelos.com/certifications/itil-service-management/. Zugegriffen am 26.04.2024.

Bada, M., Sasse, A. M., & Nurse, J. R. C. (2015). Cyber security awareness campaigns: Why do they fail to change behaviour? 15. https://arxiv.org/abs/1901.02672. Zugegriffen am 26.04.2024.

BBC News. (2022, March 24). Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal. https://web.archive.org/web/20230318131126/https://www.bbc.com/news/technology-60864283. Zugegriffen am 26.04.2024.

Bennis, W. G., Nanus, B., & Bennis, S. (1985). Leaders: Strategies for taking charge (Bd. 200). Harper & Row.

Bernard, R. (2017). Cyberkriminelle nehmen heimliche Weltmarktführer ins Visier. eco. https://web.archive.org/web/2/https://www.eco.de/presse/cyberkriminelle-nehmen-heimliche-weltmarktfuehrer-ins-visier/. Zugegriffen am 26.04.2024.

Beuth, P. (2022, March 29). Ablauf eines peinlichen Hacks: Wie Lapsus$ eine IT-Sicherheitsfirma vorführte. https://web.archive.org/web/20230318130432/https://www.spiegel.de/netzwelt/web/okta-wie-lapsususd-eine-it-sicherheitsfirma-vorfuehrte-a-4763ebfd-dc40-416c-88c0-fb4d57f1d1ac. Zugegriffen am 26.04.2024.

BITKOM. (2021). Wirtschaftsschutz 2021. https://web.archive.org/web/20230306012724/https://www.bitkom.org/Presse/Presseinformation/Angriffsziel-deutsche-Wirtschaft-mehr-als-220-Milliarden-Euro-Schaden-pro-Jahr. Zugegriffen am 26.04.2024.

BITKOM. (2022). Wirtschaftsschutz 2022. https://web.archive.org/web/20230318115829/https://www.bitkom.org/Presse/Presseinformation/Wirtschaftsschutz-2022. Zugegriffen am 26.04.2024.

Brenner, W., & Uebernickel, F. (Hrsg.). (2016). Design thinking for innovation. Springer International Publishing. https://doi.org/10.1007/978-3-319-26100-3CrossRef

Brenner, W., Uebernickel, F., & Abrell, T. (2016). Design thinking as mindset, process, and toolbox. In W. Brenner & F. Uebernickel (Hrsg.), Design thinking for innovation (S. 3–21). Springer International Publishing. https://doi.org/10.1007/978-3-319-26100-3_1CrossRef

Brown, T. (2008, June 1). Design thinking. Harvard Business Review, June 2008. https://web.archive.org/web/20220422102812/https://hbr.org/2008/06/design-thinking. Zugegriffen am 26.04.2024.

Buchanan, R. (1992). Wicked problems in design thinking. Design Issues, 8(2), 5. https://doi.org/10.2307/1511637CrossRef

Buchanan, R. (2019). Systems thinking and design thinking: The search for principles in the world we are making. She Ji: The Journal of Design, Economics, and Innovation, 5(2), 85–104. https://doi.org/10.1016/j.sheji.2019.04.001CrossRef

Bundesamt für Sicherheit in der Informationstechnik (BSI). (2017a). BSI-Standard 200-1: Managementsysteme für Informationssicherheit (ISMS). https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-1-Managementsysteme-fuer-Informationssicherheit/bsi-standard-200-1-managementsysteme-fuer-informationssicherheit_node.html. Zugegriffen am 26.04.2024.

Bundesamt für Sicherheit in der Informationstechnik (BSI). (2017b). BSI-Standard 200-2: IT-Grundschutz-Methodik. https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-2-IT-Grundschutz-Methodik/bsi-standard-200-2-it-grundschutz-methodik_node.html. Zugegriffen am 26.04.2024.

Bundesamt für Sicherheit in der Informationstechnik (BSI). (2017c). Leitfaden zur Basis-Absicherung nach IT-Grundschutz.

Bundesamt für Sicherheit in der Informationstechnik (BSI). (2022). Die Lage der IT-Sicherheit in Deutschland 2022. https://web.archive.org/web/20230319201517/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2022.pdf?__blob=publicationFile&v=6. Zugegriffen am 26.04.2024.

Bundesamt für Statistik. (2022). Polizeiliche Kriminalstatistik (PKS) – Jahresbericht 2021 der polizeilich registrierten Straftaten | Publikation. https://web.archive.org/web/2/https://www.bfs.admin.ch/bfs/de/home/statistiken/kriminalitaet-strafrecht/polizei/digitale-kriminalitaet.assetdetail.22164350.html. Zugegriffen am 26.04.2024.

Bundesamt für Verfassungsschutz. (2023). Single Point of Contact – SPOC. Wettlauf um Zukunft Spionage in Wirtschaft und Forschung. https://web.archive.org/web/2/https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/wirtschafts-wissenschaftsschutz/2023-03-23-spoc-magazin.pdf?__blob=publicationFile&v=2. Zugegriffen am 26.04.2024.

Bundesanstalt für Finanzdienstleistungsaufsicht. (2021). Rundschreiben 10/2017 (BA) in der Fassung vom 16.08.2021. https://web.archive.org/web/20221015081336/https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.pdf?__blob=publicationFile&v=6. Zugegriffen am 26.04.2024.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin). (2017). Rundschreiben 10/2017 (BA) – Bankaufsichtliche Anforderungen an die IT (BAIT). https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1710_ba_BAIT.pdf?__blob=publicationFile&v=11. Zugegriffen am 26.04.2024.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin). (2018). Rundschreiben 10/2018 – Versicherungsaufsichtliche Anforderungen an die IT (VAIT) in der Fassung vom 03.03.2022. https://web.archive.org/web/2/https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/2018/rs_18_10_vait_va.html. Zugegriffen am 26.04.2024.

Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin). (2019). Rundschreiben 11/2019 (WA) – Kapitalverwaltungsaufsichtliche Anforderungen an die IT (KAIT) vom 01.10.2019. https://web.archive.org/web/20230724134426/https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1911_kait_wa.pdf;jsessionid=FE5E20C8057F4562358A3F311A6F2621.1_cid501?__blob=publicationFile&v=3. Zugegriffen am 26.04.2024.

Bundesgesetz über die Informationssicherheit beim Bund, Die Bundesversammlung der Schweizerischen Eidgenossenschaft. (2020). https://web.archive.org/web/2/https://www.fedlex.admin.ch/eli/oc/2022/232/de. Zugegriffen am 26.04.2024.

Bundesministerium für Inneres, Bundeskriminalamt. (2023). Polizeiliche Kriminalstatistik 2022. https://web.archive.org/web/2/https://www.bundeskriminalamt.at/501/files/2023/PKS_Broschuere_2022.pdf. Zugegriffen am 26.04.2024.

Campobasso, M., & Allodi, L. (2020). Impersonation-as-a-service: Characterizing the emerging criminal infrastructure for user impersonation at scale. Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, 1665–1680.

Campobasso, Michele, and Luca Allodi. „Know your cybercriminal: Evaluating attacker preferences by measuring profile sales on an active, leading criminal market for user impersonation at scale.“ 32nd USENIX Security Symposium (USENIX Security 23). 2023.

CBS News. (2021). GoDaddy apologizes for “insensitive” phishing email offering bonuses to employees. https://web.archive.org/web/20220422112814/https://www.cbsnews.com/news/godaddy-apologizes-insensitive-phishing-email-bonuses-employees/. Zugegriffen am 26.04.2024.

Check Point Research. (2022, March 10). Leaks of conti ransomware group paint picture of a surprisingly normal tech start-up … sort of. Check Point Research. https://web.archive.org/web/20230318121738/https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/. Zugegriffen am 26.04.2024.

Cherns, A. (1976). The principles of sociotechnical design. Human Relations, 29(8), 783–792. https://doi.org/10.1177/001872677602900806CrossRef

Conklin, J. (2005). Wicked problems and social complexity. Building shared understanding of wicked problems. John Wiley & Sons.

Corradini, I. (2020). Building a cybersecurity culture in organizations: How to bridge the gap between people and digital technology (Bd. 284). Springer International Publishing. https://doi.org/10.1007/978-3-030-43999-6CrossRef

Credit Suisse. (2015, June 9). Die „Hidden Champions“ der Schweiz: Klein, aber Weltklasse. Credit Suisse. https://web.archive.org/web/20221021135239/https://www.credit-suisse.com/about-us-news/de/articles/news-and-expertise/the-hidden-swiss-champions-small-but-world-class-201506.html. Zugegriffen am 26.04.2024.

Cybersecurity and Infrastructure Security Agency (CISA). (2023). Enhanced Monitoring to Detect APT Activity Targeting Outlook Online | CISA. https://web.archive.org/web/2/https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a. Zugegriffen am 26.04.2024.

d.School. (2010). An introduction to design thinking PROCESS GUIDE.

Dam, R. F., & Teo, Y. S. (2024). Empathy map – Why and how to use it. Interaction Design Foundation – IxDF. https://www.interaction-design.org/literature/article/empathy-map-why-and-how-to-use-it. Zugegriffen am 08.07.2024.

Departement of Homeland Security. (2014). Aurora Test Footage – YouTube. January 13, 2023. https://web.archive.org/web/20230113083528/https://www.youtube.com/watch?v=LM8kLaJ2NDU&t=1s. Zugegriffen am 26.04.2024.

Design Council. (2024). The double diamond. https://www.designcouncil.org.uk/our-resources/the-double-diamond/. Zugegriffen am 18.06.2024.

DHR Global. (2023, January 18). Cybersecurity on U.S. Public Company Boards. https://web.archive.org/web/2/https://www.dhrglobal.com/insights/cisos-in-the-boardroom-the-state-of-cybersecurity-for-the-top-500-u-s-public-company-boards-of-directors/. Zugegriffen am 26.04.2024.

Diderich, C. (2020). Design thinking for strategy: Innovating towards competitive advantage. Springer International Publishing. https://doi.org/10.1007/978-3-030-25875-7CrossRef

DiStaso, M. W. (2018). Communication challenges in cybersecurity. Journal of Communication Technology, 1(1), 43–60.CrossRef

Eidgenössische Finanzmarktaufsicht FINMA. (2008). Rundschreiben 2008/21 Operationelle Risiken – Banken. https://web.archive.org/web/2/https://www.finma.ch/de/~/media/finma/dokumente/dokumentencenter/myfinma/rundschreiben/finma-rs-2008-21-20200101.pdf?la=de. Zugegriffen am 26.04.2024.

Emery, F. (1993). Characteristics of socio-technical systems. In E. Trist, H. Murray, & B. Trist (Hrsg.), The social engagement of social science, Volume 2. University of Pennsylvania Press. https://doi.org/10.9783/9781512819052-009CrossRef

ENX Association. (2023). TISAX participant handbook. https://web.archive.org/web/2/https://www.enx.com/handbook/tisax-participant-handbook.html. Zugegriffen am 26.04.2024.

Etter, B. (2022, December 6). Direktion der Justiz und des Innern (JI) des Kantons Zürich veröffentlicht Untersuchungsbericht zu Datenskandal. Strafrechtonline. https://web.archive.org/web/2/https://strafrechtonline.ch/direktion-der-justiz-und-des-innern-ji-des-kantons-zuerich-veroeffentlicht-untersuchungsbericht-zu-datenskandal/. Zugegriffen am 26.04.2024.

Europäischen Union. (2016a). RICHTLINIE (EU) 2016/1148 DES EUROPÄISCHEN PARLAMENTS UND DES RATES. https://web.archive.org/web/2/https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016L1148&from=EN. Zugegriffen am 26.04.2024.

Europäischen Union. (2016b). VERORDNUNG (EU) 2016/679 DES EUROPÄISCHEN PARLAMENTS UND DES RATES. https://web.archive.org/web/2/https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679&from=EN. Zugegriffen am 26.04.2024.

Europäischen Union. (2016c). (2022). RICHTLINIE (EU) 2022/2555. https://web.archive.org/web/2/https://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32022L2555&qid=1679331561118&from=en. Zugegriffen am 26.04.2024.

European Union Agency for Law Enforcement Cooperation. (2021). INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2021. https://web.archive.org/web/20220422111850/https://www.europol.europa.eu/cms/sites/default/files/documents/internet_organised_crime_threat_assessment_iocta_2021.pdf. Zugegriffen am 26.04.2024.

Faulkner, L., Brown, K., & Quinn, T. (2018). Analyzing community resilience as an emergent property of dynamic social-ecological systems. Ecology and Society, 23(1), art24. https://doi.org/10.5751/ES-09784-230124CrossRef

Federal Bureau of Investigation (FBI). (2022). 2022 INTERNET CRIME REPORT. https://web.archive.org/web/20230317015949/https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf. Zugegriffen am 26.04.2024.

Federal Office for Information Security. (2021). IT-Grundschutz. https://web.archive.org/web/20220422112647/https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz.html;jsessionid=5F4760179C140F73A1EE6F82D6B6537A.internet081?nn=409850. Zugegriffen am 26.04.2024.

Forcepoint. (2021, March 25). “Tiny Crimes” – How minor mistakes when remote working could lead to major cybersecurity breaches (part 1). Forcepoint. https://web.archive.org/save/https://www.forcepoint.com/blog/x-labs/minor-mistakes-major-breaches-pt-2. Zugegriffen am 26.04.2024.

Frans M. van Eijnatten. (1991). An anthology of the socio-technical systems design (STSD) paradigm:.

Frans M. van Eijnatten. (1992). The socio-technical systems design (STSD) paradigm: A full bibliography of English-language literature. University of Technology, Eindhoven.

Fust, A., Fueglistaller, U., Brunner, C., Züger, T., & Graf, A. (2022). Schweizer KMU: Eine Analyse der aktuellsten Zahlen (Ausgabe 2022) [Monograph]. OBT AG. https://www.alexandria.unisg.ch/266150/. Zugegriffen am 26.04.2024.

GDPR Enforcement Tracker – List of GDPR fines. (2021). https://web.archive.org/web/20220422112754/https://www.enforcementtracker.com/. Zugegriffen am 26.04.2024.

Gerken, S., Uebernickel, F., & de Paula, D. (2022). Design thinking: A global study on implementation practices in organizations: past-present-future. Universitätsverlag Potsdam.

Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSI-Gesetz – BSIG). (2021). https://www.gesetze-im-internet.de/bsig_2009/index.html. Zugegriffen am 26.04.2024.

Google. (2023). The Design Sprint Kit. The Design Sprint Kit. https://web.archive.org/web/2/https://designsprintkit.withgoogle.com/. Zugegriffen am 26.04.2024.

Gorzeń-Mitka, I., & Okręglicka, M. (2014). Improving decision making in complexity environment. Procedia Economics and Finance, 16, 402–409. https://doi.org/10.1016/S2212-5671(14)00819-3CrossRef

Graf, M. (2023, March 16). Telefonbetrug mit WhatsApp. Telefonbetrug. https://telefonbetrug.ch/telefonbetrug-durch-schockanrufe-2/. Zugegriffen am 26.04.2024.

Gray, D., Brown, S., & Macanufo, J. (2010). Gamestorming: A playbook for innovators, rulebreakers, and changemakers. O’Reilly Media. https://gamestorming.com/

Grimm, J. (2021, September 26). The Way of System Thinking – Was Systemdenken ausmacht | Computer Science Blog. https://web.archive.org/web/2/https://blog.mi.hdm-stuttgart.de/index.php/2021/09/26/the-way-of-system-thinking/. Zugegriffen am 26.04.2024.

Hasan, H., & Kazlauskas, A. (2014). The Cynefin framework: putting complexity into perspective. In H. Hasan (Hrsg.), Being Practical with Theory: A Window into Business Research (S. 55–57). Wollongong, Australia: THEORI. http://eurekaconnection.files.wordpress.com/2014/02/p-55-57-cynefin-frameworktheori-ebook_finaljan2014-v3.pdf

Hehn, J., Mendez, D., Uebernickel, F., Brenner, W., & Broy, M. (2020). On integrating design thinking for human-centered requirements engineering. IEEE Software, 37(2), 25–31. https://doi.org/10.1109/MS.2019.2957715CrossRef

Henseler-Unger, I., & Hillebrand, A. (2018). Aktuelle Lage der IT-Sicherheit in KMU: Wie kann man die Umsetzungslücke schließen? Datenschutz und Datensicherheit – DuD, 42(11), 686–690. https://doi.org/10.1007/s11623-018-1025-yCrossRef

Hill, A. D., Kern, D. A., & White, M. A. (2012). Building understanding in strategy research: The importance of employing consistent terminology and convergent measures. Strategic Organization, 10(2), 187–200.CrossRef

Hofmann, T. F., de Paula, D., & Uebernickel, F. (2023). Social aspects in organisational cyber-security effectiveness – Of British coal mines, resilience and emergence. In Wirtschaftsinformatik 2023 Proceedings (Bd. 89). https://aisel.aisnet.org/wi2023/89. Zugegriffen am 26.04.2024.

Holland, J. H. (1992). Complex adaptive systems. Daedalus, 121(1), 17–30.

Holland, J. H. (2002). Complex adaptive systems and spontaneous emergence. In A. Q. Curzio & M. Fortis (Hrsg.), Complexity and industrial clusters (S. 25–34). Physica-Verlag HD. https://doi.org/10.1007/978-3-642-50007-7_3CrossRef

Hostettler, O. (2023, February 3). Zugangsdaten auf Plattform angeboten: Uni-Zürich-Hack kostet nur 10 Dollar. https://web.archive.org/web/20230319143026/https://www.beobachter.ch/digital/sicherheit/cyberangriff-auf-universitat-zurich-uzh-hack-wurde-auf-plattform-fur-10-dollar-angeboten-570369. Zugegriffen am 26.04.2024.

Howard Harry Rosenbrock. (1990). Designing human-centred technology: A cross-disciplinary project in computer-aided manufacturing. Choice Reviews Online, 27(11), 27-6352-27–6352. https://doi.org/10.5860/CHOICE.27-6352CrossRef

IDEO.org. (2015). The field guide to human-centered design. https://web.archive.org/web/20230531172307/https://www.designkit.org/methods.html. Zugegriffen am 26.04.2024.

Information Systems Audit and Control Association (Hrsg.). (2012). COBIT 5 for information security. ISACA.

Interaction Design Foundation. (2023). What is human-centered design? The Interaction Design Foundation. https://web.archive.org/web/2/https://www.interaction-design.org/literature/topics/human-centered-design. Zugegriffen am 26.04.2024.

International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information technology – Security techniques – Information security management systems – Requirements. https://web.archive.org/web/2/https://www.iso.org/standard/82875.html. Zugegriffen am 26.04.2024.

International Society of Automation (ISA). (2023). ISA/IEC 62443 Series of Standards – ISA. https://web.archive.org/web/2/https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards. Zugegriffen am 26.04.2024.

ISO/IEC. (2022). ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls.

Jakkal, V. (2023, July 19). How Microsoft is expanding cloud logging to give customers deeper security visibility. Microsoft Security Blog. https://web.archive.org/web/2/https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/. Zugegriffen am 26.04.2024.

Jeff Conklin & Min Basadur. (2007). Rethinking Wicked Problems: Unpacking Paradigms, Bridging Universes (Part 1 of 2). NextD Journal. https://web.archive.org/web/20220422113358/https://issuu.com/nextd/docs/conv28. Zugegriffen am 26.04.2024.

Kapur, M. (2008). Productive failure. Cognition and Instruction, 26(3), 379–424. https://doi.org/10.1080/07370000802212669CrossRef

Kapur, M. (2016). Examining productive failure, productive success, unproductive failure, and unproductive success in learning. Educational Psychologist, 51(2), 289–299. https://doi.org/10.1080/00461520.2016.1155457CrossRef

Kelley, T. K., & D. (2013, November 8). Three creativity challenges from IDEO’s leaders. Harvard Business Review. https://web.archive.org/web/2/https://hbr.org/2013/11/three-creativity-challenges-from-ideos-leaders. Zugegriffen am 26.04.2024.

Kolko, J. (2015, September 1). Design thinking comes of age. Harvard Business Review, September 2015. https://hbr.org/2015/09/design-thinking-comes-of-age

Kurtz, C. F., & Snowden, D. J. (2003). The new dynamics of strategy: Sense-making in a complex and complicated world. IBM SYSTEMS JOURNAL, 42(3), 22.CrossRef

Lewrick, M., Link, P., & Leifer, L. (2020). The design thinking toolbox: A guide to mastering the most popular and valuable innovation methods. Wiley.CrossRef

Liu, Y., Lusch, R. F., Chen, Y., & Zhang, J. (2018). The emergence of innovation as a social process: Theoretical exploration and implications for entrepreneurship and innovation (S. 163–194). https://doi.org/10.1142/9789813149083_0007CrossRef

Luzeaux, D. (Hrsg.). (2011). Complex systems and systems of systems engineering. ISTE.

Malwarebytes Lab. (2022). How Initial Access Brokers get into corporate networks (and how to stop them). https://web.archive.org/web/2/https://www.malwarebytes.com/blog/business/2022/11/initial-access-brokers-iabs-3-ways-they-break-into-corporate-networks-and-how-to-detect-them. Zugegriffen am 26.04.2024.

McGregor, L., & Doshi, N. (2015, November 25). How company culture shapes employee motivation. Harvard Business Review. https://web.archive.org/web/20220422114114/https://hbr.org/2015/11/how-company-culture-shapes-employee-motivation. Zugegriffen am 26.04.2024.

Mencken, H. L. (1922). Prejudices: Second series. Alfred A. Knopf.

Michael Lewrick. (2021). Design Thinking Toolbox. dt-playbook. https://web.archive.org/web/2/https://www.dt-toolbook.com/tools. Zugegriffen am 26.04.2024.

Microsoft. (2023). Compare Office 365 Enterprise Pricing and Plans | Microsoft 365. https://web.archive.org/web/2/https://www.microsoft.com/en-us/microsoft-365/enterprise/office365-plans-and-pricing. Zugegriffen am 26.04.2024.

Microsoft Security Response Center. (2023). Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center. https://web.archive.org/web/20230722064936/https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/. Zugegriffen am 26.04.2024.

Microsoft Threat Intelligence. (2023, July 14). Analysis of Storm-0558 techniques for unauthorized email access. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/. Zugegriffen am 26.04.2024.

Mingers, J., & Rosenhead, J. (2004). Problem structuring methods in action. European Journal of Operational Research, 152(3), 530–554. https://doi.org/10.1016/S0377-2217(03)00056-0CrossRef

Moen, R. D., & Norman, C. L. (2010). Circling back. Quality Progress, 43(11), 22.

Nast, C. (2022). A mysterious satellite hack has victims far beyond Ukraine. Wired UK. https://www.wired.co.uk/article/viasat-internet-hack-ukraine-russia. Zugegriffen am 26.04.2024.

Nemertes Research. (2022). Ideal CISO reporting structure is to high-level business leaders. https://web.archive.org/web/20221113053239/https:/www.techtarget.com/searchsecurity/tip/Why-the-ideal-CISO-reporting-structure-is-highest-level. Zugegriffen am 26.04.2024.

Norman, D. A. (2013). The design of everyday things (Revised and expanded edition). Basic Books.

Norsk Hydro. (2019). Cyber-attack on Hydro. https://web.archive.org/web/2/https://www.hydro.com/de-CH/medien/on-the-agenda/cyber-attack/. Zugegriffen am 26.04.2024.

Office of the U.S. & Intellectual Property Enforcement Coordinator. (2021). Annual intellectual property report to congress. https://www.whitehouse.gov/wp-content/uploads/2022/04/FY21-IPEC-Annual-Report-Final.pdf. Zugegriffen am 26.04.2024.

Okta. (2022). Okta concludes its investigation Into the January 2022 compromise. https://web.archive.org/web/20230315025927/https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/. Zugegriffen am 26.04.2024.

Oliver Dehning & eco – Verband der Internetwirtschaft e.V. (2017). Eco StudieIT-Sicherheit 2017. https://web.archive.org/web/20170708090759/https://www.eco.de/wp-content/blogs.dir/eco_report_it-sicherheit-2017.pdf. Zugegriffen am 26.04.2024.

Osterwalder, A., Pigneur, Y., Oliveira, M. A.-Y., & Ferreira, J. J. P. (2011). Business model generation: A handbook for visionaries, game changers and challengers. African Journal of Business Management, 5(7), 22–30.

Osterwalder, A., Pigneur, Y., Bernarda, G., & Smith, A. (2015). Value proposition design: How to create products and services customers want. Wiley.

Pasmore, W., Winby, S., Mohrman, S. A., & Vanasse, R. (2019). Reflections: Sociotechnical systems design and organization change. Journal of Change Management, 19(2), 67–85. https://doi.org/10.1080/14697017.2018.1553761CrossRef

Pasmore, W. A., & Khalsa, G. S. (1993). The contributions of Eric Trist to the social engagement of social science. Academy of Management Review, 18(3), 546–569.CrossRef

PCI Security Standards Council. (2018). Payment card industry (PCI) data security standard, v3.2.1. https://web.archive.org/web/20220422114542/https://www.pcisecuritystandards.org/document_library. Zugegriffen am 26.04.2024.

Pearson, N. (2014). A larger problem: Financial and reputational risks. Computer Fraud & Security, 2014(4), 11–13. https://doi.org/10.1016/S1361-3723(14)70480-4CrossRef

Perera, S., Jin, X., Maurushat, A., & Opoku, D.-G. J. (2022). Factors affecting reputational damage to organisations due to cyberattacks. Informatics, 9(1), 28.CrossRef

Philipp Rothmann. (2014). ISM und ITIL. BSI Forum. https://web.archive.org/web/2/http://2014.kes.info/archiv/heft/abonnent/07-6/07-6-055.htm. Zugegriffen am 26.04.2024.

POWER. (2013, September 1). What you need to know (and don’t) about the AURORA Vulnerability. POWER Magazine. https://web.archive.org/web/2/https://www.powermag.com/what-you-need-to-know-and-dont-about-the-aurora-vulnerability/. Zugegriffen am 26.04.2024.

Protzen, J.-P., & Harris, D. J. (2010). The universe of design: Horst Rittel’s theories of design and planning. Routledge.CrossRef

Rammer, C., & Spielkamp, A. (2015). Hidden champions – driven by innovation: Empirische Befunde auf Basis des Mannheimer Innovationspanels. ZEW-Dokumentation, 15.

RIS – Netz- und Informationssystemsicherheitsgesetz – Bundesrecht konsolidiert, Fassung vom 20.03.2023. (2023). https://web.archive.org/web/2/https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20010536. Zugegriffen am 26.04.2024.

Rittel, H. W., & Webber, M. M. (1973). Dilemmas in a general theory of planning. Policy Sciences, 4(2), 155–169.CrossRef

Rosenthal, D. (2020). Das neue Datenschutzgesetz, Jusletter 16. November 2020

Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12–15.

Sawaragi, T. (2020). Design of resilient socio-technical systems by human-system co-creation. Artificial Life and Robotics, 25(2), 219–232. https://doi.org/10.1007/s10015-020-00598-3CrossRef

Schallmo, D. R. A., & Lang, K. (2020). Design Thinking erfolgreich anwenden: So entwickeln Sie in 7 Phasen kundenorientierte Produkte und Dienstleistungen. Springer Fachmedien. https://doi.org/10.1007/978-3-658-28325-4CrossRef

Schlienger, T., & Teufel, S. (2003). Analyzing information security culture: Increased trust by an appropriate information security culture. In 14th international workshop on database and expert systems applications, 2003. Proceedings (S. 405–409). https://doi.org/10.1109/DEXA.2003.1232055CrossRef

Secretary of Defense. (2005). Use of the “Not Releasable toForeign Nationals” (NOFORN) Caveat on Department o f Defense (DoD) Information. https://web.archive.org/web/2/https://sgp.fas.org/othergov/dod/noforn051705.pdf. Zugegriffen am 26.04.2024.

Seppälä, E., & Cameron, K. (2015, December 1). Proof that positive work cultures are more productive. Harvard Business Review. https://hbr.org/2015/12/proof-that-positive-work-cultures-are-more-productive. Zugegriffen am 26.04.2024.

Service Design Team Digital Victoria. (2020). Human-Centred Design Playbook. Government of Victoria, Australia. https://web.archive.org/web/2/https://www.vic.gov.au/download-human-centred-design-playbook. Zugegriffen am 26.04.2024.

Snowden, D. (2000). “Cynefin, A Sense of Time and Place: an Ecological Approach to Sense Making and Learning in Formal and Informal Communities” conference proceedings of KMAC at the University of Aston, July 2000.

Snowden, D. J., & Boone, M. E. (2007). A leader’s framework for decision making. Issue November 2007. Harvard Business Review, 85(11), 68–76.

von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102. https://doi.org/10.1016/j.cose.2013.04.004CrossRef

Sottek, T. C. (2021). GoDaddy wins our 2020 award for most evil company email. The Verge. https://web.archive.org/web/20220422115513/https://www.theverge.com/2020/12/24/22199406/godaddy-wins-2020-stupidity-award. Zugegriffen am 26.04.2024.

Speed, R. (2018). Microsoft reveals train of mistakes that killed Azure in the South Central US “incident”. https://web.archive.org/web/2/https://www.theregister.com/2018/09/17/azure_outage_report/. Zugegriffen am 26.04.2024.

Statistisches Bundesamt. (2020). Kleine und mittlere Unternehmen. Statistisches Bundesamt. https://web.archive.org/web/2/https://www.destatis.de/DE/Themen/Branchen-Unternehmen/Unternehmen/Kleine-Unternehmen-Mittlere-Unternehmen/_inhalt.html. Zugegriffen am 26.04.2024.

Stefanie Schappert. (2023, February 22). Sensitive US military emails exposed for two weeks in the wild. Cybernews. https://cybernews.com/security/sensitive-us-military-emails-exposed-for-two-weeks-in-the-wild/. Zugegriffen am 26.04.2024.

Stone, J., & Reid, B. (2023). Why leaders should avoid security framework traps. Google Cloud Blog. https://cloud.google.com/blog/transform/why-leaders-should-avoid-security-framework-traps. Zugegriffen am 26.04.2024.

Streeter, D. C. (2013). The effect of human error on modern security breaches, 6.

The Copper Courier. (2020, December 23). GoDaddy employees were told they were getting a holiday bonus. It was actually a phishing test. The Copper Courier. https://web.archive.org/web/20220422115744/https://coppercourier.com/story/godaddy-employees-holiday-bonus-secruity-test/. Zugegriffen am 26.04.2024.

The Culture Factor. (2018, January 1). Harvard Business Review. https://hbr.org/2018/01/the-culture-factor. Zugegriffen am 26.04.2024.

The Institute of Internal Auditors. (2020). THE IIA’S THREE LINES MODEL. https://web.archive.org/web/2/https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf. Zugegriffen am 26.04.2024.

The Leader’s Guide to Corporate Culture. (2018, January 1). Harvard Business Review. https://hbr.org/2018/01/the-leaders-guide-to-corporate-culture. Zugegriffen am 26.04.2024.

The Record. (2021a). I scrounged through the trash heaps … Now I’m a millionaire:’ An interview with REvil\’s Unknown [Interview]. https://web.archive.org/web/2/https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown. Zugegriffen am 26.04.2024.

The Record. (2021b). Supermarket chain Coop closes 800 stores following Kaseya ransomware attack. https://web.archive.org/web/2/https://therecord.media/supermarket-chain-coop-closes-800-stores-following-kaseya-ransomware-attack. Zugegriffen am 26.04.2024.

The Record. (2022). UK water company confirms cyberattack after confusion over ransomware group threats. https://web.archive.org/web/2/https://therecord.media/uk-water-company-confirms-cyberattack-after-confusion-over-ransomware-group-threats. Zugegriffen am 26.04.2024.

Trendmicro. (2023). Ransomware as a Service (RaaS) – Definition. https://web.archive.org/web/20230211142320/https://www.trendmicro.com/vinfo/us/security/definition/ransomware-as-a-service-raas. Zugegriffen am 26.04.2024.

Trist, E. L., & Bamforth, K. W. (1951). Some social and psychological consequences of the longwall method of coal-getting: An examination of the psychological situation and defences of a work group in relation to the social structure and technological content of the work system. Human Relations, 4(1), 3–38. https://doi.org/10.1177/001872675100400101. Zugegriffen am 26.04.2024.CrossRef

Trist, E. L., & Centre, O. Q. of W. L. (1981). The evolution of socio-technical systems: A conceptual framework and an action research program. Ontario Quality of Working Life Centre. https://web.archive.org/web/20220422115915/https://trove.nla.gov.au/work/18802828. Zugegriffen am 26.04.2024.

U.S. Securities and Exchange Commission (SEC). (2022). SEC.gov | SEC proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. https://www.sec.gov/news/press-release/2022-39. Zugegriffen am 26.04.2024.

UpGuard, Inc. (2017a). Black box, red disk: How top secret NSA and army data leaked online | UpGuard. https://web.archive.org/save/https://www.upguard.com/breaches/cloud-leak-inscom. Zugegriffen am 26.04.2024.

UpGuard, Inc. (2017b). Dark cloud: Inside The pentagon’s leaked internet surveillance archive | UpGuard. https://web.archive.org/save/https://www.upguard.com/breaches/cloud-leak-centcom. Zugegriffen am 26.04.2024.

US National Institute of Standards and Technology (NIST). (2013). NIST cybersecurity framework. https://web.archive.org/web/20220422114306/https://www.nist.gov/cyberframework. Zugegriffen am 26.04.2024.

Van Beurden, E. K., Kia, A. M., Zask, A., Dietrich, U., & Rose, L. (2013). Making sense in a complex landscape: How the cynefin framework from complex adaptive systems theory can inform health promotion practice. Health Promotion International, 28(1), 73–83. https://doi.org/10.1093/heapro/dar089. Zugegriffen am 26.04.2024.CrossRef

Verizon. (2013). 2012 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220422121749/https://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf. Zugegriffen am 26.04.2024.

Verizon. (2014). 2013 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220422121807/https://www.researchgate.net/publication/289254657_2013_Verizon_Data_Breach_Investigations_Report. Zugegriffen am 26.04.2024.

Verizon. (2015). 2014 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220422121823/https://webfiles.dti.delaware.gov/pdfs/rp_Verizon-DBIR-2014_en_xg.pdf. Zugegriffen am 26.04.2024.

Verizon. (2016). 2015 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220422121901/https://cybersecurity.idaho.gov/wp-content/uploads/sites/87/2019/04/data-breach-investigation-report_2015.pdf. Zugegriffen am 26.04.2024.

Verizon. (2017). 2016 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220422121942/https://conferences.law.stanford.edu/cyberday/wp-content/uploads/sites/10/2016/10/2b_Verizon_Data-Breach-Investigations-Report_2016_Report_en_xg.pdf. Zugegriffen am 26.04.2024.

Verizon. (2018). 2017 data breach investigations report (DBIR) (10). Verizon. https://web.archive.org/web/20211221151528/https://www.verizon.com/business/resources/reports/data-breach-digest-2017-perspective-is-reality.pdf. Zugegriffen am 26.04.2024.

Verizon. (2019). 2018 data breach investigations report (DBIR) (11). Verizon. https://web.archive.org/web/20220422122041/https://www.verizon.com/business/resources/reports/2018-data-breach-digest.pdf. Zugegriffen am 26.04.2024.

Verizon. (2020). 2019 data breach investigations report (DBIR). https://web.archive.org/web/20220422122133/https://www.verizon.com/business/resources/reports/2019-data-breach-investigations-report.pdf. Zugegriffen am 26.04.2024.

Verizon. (2021). 2020 data breach investigations report (DBIR). Verizon. https://web.archive.org/web/20220409025804/https://www.verizon.com/business/resources/reports/2020-data-breach-investigations-report.pdf. Zugegriffen am 26.04.2024.

Verizon. (2022). 2021 Data Breach Investigations Report (DBIR). Verizon. https://web.archive.org/web/20220422122253/https://www.verizon.com/business/resources/reports/2021-data-breach-investigations-report.pdfx. Zugegriffen am 26.04.2024.

Verizon. (2023). 2022 data breach investigations report (DBIR). https://web.archive.org/web/20230317184436/https://www.verizon.com/business/resources/T4c5/reports/dbir/2022-data-breach-investigations-report-dbir.pdf. Zugegriffen am 26.04.2024.

Walker, G. H., Stanton, N. A., Salmon, P. M., & Jenkins, D. P. (2008). A review of sociotechnical systems theory: A classic concept for new command and control paradigms. Theoretical Issues in Ergonomics Science, 9(6), 479–499. https://doi.org/10.1080/14639220701635470CrossRef

Weatherbed, J. (2023, March 30). Microsoft exploit allowed access to private Office 365 data. The Verge. https://web.archive.org/web/2/https://www.theverge.com/2023/3/30/23661426/microsoft-azure-bing-office365-security-exploit-search-results. Zugegriffen am 26.04.2024.

Wiz, Inc. (2023). Compromised Microsoft key: More impactful than we thought | Wiz Blog. https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr. Zugegriffen am 26.04.2024.

wiz.io. (2021, September 14). “Secret” agent exposes azure customers to unauthorized code execution | Wiz Blog. Wiz.Io. https://web.archive.org/web/2/https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution. Zugegriffen am 26.04.2024.

Wu, G., Feder, A., Cohen, H., Kim, J. J., Calderon, S., Charney, D. S., & Mathé, A. A. (2013). Understanding resilience. Frontiers in Behavioral Neuroscience, 7, 10.CrossRef

XTI, Socr. (2022, October 20). Details on the largest B2B Leak: BlueBleed. SOCRadar® Cyber Intelligence Inc. https://socradar.io/details-on-the-largest-b2b-leak-bluebleed/. Zugegriffen am 26.04.2024.

Zeller, M. (2011). Common questions and answers addressing the aurora vulnerability. Schweitzer Engineering Laboratories Report. https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6467_CommonQuestions_MZ_20101209_Web.pdf. Zugegriffen am 26.04.2024.

Zwahlen, F., Marti, I., Richter, M., Konopatsch, C. J., & Hostettler, U. (2020). Wirtschaftsspionage in der Schweiz. Schlussbericht zuhanden des Nachrichtendienstes des Bundes (NDB). Bern: Universität Bern – Institut für Strafrecht und Kriminologie

Zweites Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, 1122. (2021). https://web.archive.org/web/2/https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl121s1122.pdf#__bgbl__%2F%2F*%5B%40attr_id%3D%27bgbl121s1122.pdf%27%5D__1679323829105. Zugegriffen am 26.04.2024.

Title: Sichere Digitalwirtschaft
Author: Tom F. Hofmann
Publisher: Springer Fachmedien Wiesbaden
Book: Digitalwirtschaft
Print ISBN: 978-3-658-45723-5

Electronic ISBN: 978-3-658-45724-2

Copyright Year: 2024
DOI: https://doi.org/10.1007/978-3-658-45724-2_7