Data Breaches in the Cloud—Business Security and Risk Management
Citation: D. Kolevski, K. Michael and M. Freeman, "In This Special Issue: Data Breaches in the Cloud—Business Security and Risk Management," in IEEE Transactions on Technology and Society, vol. 6, no. 1, pp. 2-14, March 2025, doi: 10.1109/TTS.2024.3477828.
Image by Christina Morillo
SECTION I.
Introduction
Data breaches in the cloud is a widely discussed topic among executives. As businesses and governments utilize more cloud services, the number of cyber-attacks and data breaches impacting the privacy and security of end-user personally identifiable information (PII) has increased. Apart from introducing eight papers in the special issue, this editorial will also investigate 5 notable data breaches that have impacted hundreds of millions of end-users with personal information disclosure. The data breach cases presented are (1) 2011 Sony PlayStation Network (PSN); (2) 2014 eBay Inc.; (3) 2016 Yahoo! Inc.; (4) 2022 Singtel Optus; and (5) 2022 Medibank Private. In most cyber data breach reports, the cause most likely to be cited in the explanation of a cloud computing breach is human error, considered the single most prominent point of failure. Secondarily, vulnerabilities in security settings are cited that allow hackers to gain unauthorized network access to the cloud. But typically, the fuller story remains hidden from public discourse.
This editorial at large applies a socio-technical framing to identify key business stakeholders with respect to themes of data security, risk management, and data protection regulation. In the analysis of business trade journals, we describe how the data breach occurred, as well as stakeholder insights and opinions. The outcomes from the cases demonstrate that cloud customers fail to apply appropriate security controls on end-user data, have inadequate employee cyber training, and regulators do not enforce penalties on the breached entities, inclusive of cloud providers. The outcomes from the cases provide opportunities for additional discussion on the inner workings of present and future cybersecurity practices. These include a multi-stakeholder and multi-disciplinary approach focused on technical and non-technical approaches to combat hacking. Our discussion concentrates on increasing law enforcement cooperation to enable sharing of vital case information and understanding hacker motives in targeting systems. These considerations need to be addressed in the medium-to-long term to ensure the privacy of the end-user, and the security of the cloud customer. The 8 accepted papers in the special issue complement the findings, focused on varying aspects of data breaches from a variety of stakeholder perspectives.
SECTION II.
Cloud Computing Stakeholders and Services
Kolevski et al. [1] identify two types of stakeholders, operational and non-operational. Operational stakeholders (e.g., cloud providers) are integral in the service deployment and functionality of cloud services. The cloud ecosystem is scalable and elastic, without compromising and degrading service usage if stakeholders are unavailable or no longer operational. Non-operational stakeholders focus on the utilization, standards, and the output of service consumption. These stakeholders set parameters and support guidance practices for other stakeholders within the ecosystem.
Cloud computing providers provision cloud services that have been utilized by organizations and governments for over two decades to reduce capital expenditures, and to improve operations and service offerings. Stakeholders with on-premise data centres continue to migrate their processing and storage needs to the cloud. There are four delivery models for this transition: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and anything as a service (XaaS) [2]. Cloud computing has allowed for scalability for business customers, government agencies and other non-government organizations [3]. Instead of determining up front that a business needs x number of computers, and y number of servers in-house, and z types of applications, the major trend has been to move to shared services or collocated services on the cloud. This usually costs less, as the cloud customer can pre-define their utilization of central processing units (CPUs), storage requirements, and number of simultaneous end-users on a given online application (e.g., eCommerce cart) as their business grows. Cloud services allow business customers to take advantage of the scalability without outright owning equipment. Rather than large capital expenditure that can date with high maintenance costs, businesses can use the cloud to gain benefits as a monthly operational expenditure.
From a business perspective, considering cloud services as an expense against revenues allows for future technology road mapping and planning [4]. And yet, as business always needs technology and online services for their operations, important questions are raised as to the suitability of cloud services. For example, how can businesses utilize the cloud for information processing? And how can they protect their information and storage needs? How can businesses secure their digital assets, including customer-based information, sales information, and other metadata and location details? As more data has been moved to the cloud, cyber-attacks and data breaches have become commonplace. Hackers have targeted cloud services attracted by large data troves. By gaining access to PII, such as sensitive health and financial information, businesses can be threatened with ransom and subsequently distributed denial of service (DDOS) attacks, and even unauthorized disclosure.
SECTION III.
Data Breaches, Causes and Protections
A data breach is defined as unauthorized data access with the intent to steal, disclose or compromise data [5], [6]. Riedy and Hanus [7] define a data breach as the result of unauthorized access to PII and sensitive information. PII includes names, physical addresses, email addresses, telephone numbers, postal codes, and passwords. Sensitive information includes credit and debit card information, healthcare information, and religious affiliation, among other details. The intent of a data breach is to gain access to information that comprises a user’s identity (ID) [8]. The hacker then discloses this information for their benefit on the dark web, where other affiliated syndicates trade disclosed end-user information. The disclosed information can also be misused for illicit activities such as opening credit accounts and loans, and making health-related claims.
It is anticipated that the frequency and scale of attempted cyber-attacks are expected to increase, given the growing international pool of hackers and growing number of vectors. An article published in Forbes reported that cybercrime is growing exponentially, from an estimated USD$8 trillion in 2023 to USD$10.5 trillion by 2025 [9]. The top sectors reporting data breaches include health service providers; financial service providers; recruitment agencies; legal, accounting and management services; and insurance providers, with 70% of data breaches attributed to criminal or malicious activity [10]. The information collected by these businesses is attractive to hackers, as cloud providers collect some of the largest data stores of personal information.
Cloud computing hacks could be the outcome of poor security, lost or stolen storage devices or accidental publication to the Web. On the other hand, a cloud hack could be an insider attack from a disgruntled employee intending to disrupt business operations at a cloud provider or large business. Data leakages are another form of cloud hack and occur most often when security vulnerabilities are not patched or fixed [11], [12]. An example of a data leakage is when an Amazon Web Services (AWS) S3 bucket is unsecured and attacked through a ransomware hack [13]. Security misconfigurations on servers and storage devices also allow hackers to exploit vulnerabilities known as a zero-day vulnerability. This permits hackers and other actors, such as rogue contractors and ex-employees, to keep hacking until the vulnerability is patched.
In some situations, businesses determine that the problem with data breaches has to do with their system and security configurations [14]. However, it could be that cloud customers have security issues in their configuration processes or it could be the cloud computing provider. The breakdown of responsibility is usually driven in the form of service level agreements (SLAs), i.e., an agreement between the cloud provider and cloud customer [15]. SLAs do not incorporate end-users directly. Thus, typical questions include: What actions are to be performed by the business or government agency when a breach occurs and how do end-users learn about the breach? Courts are finding that end-users are unable to prove harm through lost credentials. These decisions may change in the future.
It is important to consider end-user data protection and the mechanisms for safeguarding private and sensitive information. Concerns about data protection are raised when a data breach has occurred. Each jurisdiction has laws and regulations that aim to safeguard data and what actions must be taken by cloud computing stakeholders when an unauthorized disclosure occurs. More recently, there are regulations that address data protection issues in the cloud such as, the European Union (EU) General Data Protection Regulation 2018 (GDPR) [16] and the newly established EU AI Act 2024. In the USA, there are several federal approaches addressing data in different sectors, such as the Health Insurance Portability and Accountability Act of 1996 (HIPPA) focused on health information, the Gramm Leach Bliley Act 1999 covering financial information, and the Stored Communications Act 1986 protecting wire and electronic records. In some nation-states, regulations and laws can exist at both the federal and provincial levels.
SECTION IV.
Methodology
A. Data Breach Cases
TABLE I 5 Data Breach Cases and PII Data Compromised
The unit of analysis in this editorial is the case under investigation, i.e., a single data breach event in which a hacker gained access to a cloud computing service, disclosing end-user data [17]. In this editorial 5 cloud computing data breaches are explored: 2011 Sony, 2014 eBay Inc., 2016 Yahoo! Inc., 2022 Optus, and 2022 Medibank Private (Table I). These cases were chosen due to the significant size of the data breach and the sensitivity of PII that was compromised.
1) Case 1 - The 2011 Sony PlayStation Network Data Breach:
The first case presented in the editorial is the 2011 Sony PSN data breach. The initial reporting of the breach was on April 27, 2011 [18]. More than 77 million end-users had their PII compromised [18]. However, it was later revised that 100 million end-users were impacted [24]. Sony initially took the PSN offline for a period of two weeks, and then the service was gradually restored. While the initial reporting indicated the network had suffered a technical outage, a later statement confirmed it was a significant cyber hack and end-user information had been stolen [25].
2) Case 2 - The 2014 eBay Inc. Data Breach:
The second case presented is the 2014 eBay data breach. Media outlets began reporting on May 21, 2014. The reports indicated that the hackers were inside eBay’s network for more than two months prior to notification, undetected and operating in stealth mode. The number of end-users impacted by the breach was believed to be 140 million, with later reports confirming an additional 5 million had been affected [26]. The company recommended that end-users change their login passwords [27]. Furthermore, the reports pointed out that the hacker obtained an employee’s corporate credentials and then exfiltrated end-user data. At the time eBay used insignificant data encryption [19].
3) Case 3 - The 2016 Yahoo! Inc. Data Breach:
The Yahoo! data breach compromised over 500 million end-users [20]. The media reported the data breach on September 22, 2016, two years after the hackers penetrated Yahoo!s security defenses and exfiltrated private and sensitive information. This case displays the significant hurdles that cloud customers have in safeguarding against cyber intrusions. In March 2017, it was announced that the U.S. Department of Justice had issued indictment charges for four men, including two Russian intelligence officials [28]. The Russian Government denied any involvement in the Yahoo! data breach and denied any responsibility for damages caused by the hack [29].
4) Case 4 - The 2022 Singtel Optus Data Breach:
The fourth case presented is the Singtel Optus data breach which disclosed the private and sensitive information of 9.8 million Australian users, more than 30% of the country’s population. Optus’s IT and Technical Department raised suspicion on September 20, 2022, declaring that unusual activity was prevalent on the network [21]. The first official reports on the data breach occurred on September 22, 2022 [22]. It was also confirmed that the disclosed end-user data included 2.8 million passport and driver’s license numbers deemed to pose a “significant risk of identity theft and fraud” [30].
5) Case 5 - The 2022 Medibank Private Data Breach:
The fifth case relates to the Australian health care insurer, Medibank Private. The hacker targeted Medibank’s infrastructure and systems and impacted 9.7 million users. The hacker compromised the records of users, including private and sensitive information, and then demanded a ransom to be paid in exchange for the deletion of customer records [31]. Medibank along with the Australian Signals Directorate (ASD) were corresponding with the alleged hacker via WhatsApp and then later Proton Mail [32]. Medibank, with the guidance of the Australian and U.S. governments, opted not to pay the ransom. This was a major cyber breach in terms of the percentage of the population impacted, and the sensitivity of data disclosed [23].
B. Data Collection
TABLE II Search Criteria of Trade Journals
Business trade journals, often referred to as trade press or industry magazines, offer specific information related to product and service developments and identify key issues that have occurred in industry. The primary purpose of using trade journals in this editorial was to seek out information related to the data breach cases under investigation and to present issues that confront businesses as a result of cyber incidents and hacks. While data security and risk management practices are investigated in other studies using news media [15], [33], [34], the business lens is a vital part of the larger cybersecurity ecosystem that cannot be ignored. Other works that have used trade journals in their research have acknowledged its importance [35], [36], [37]. The researchers in this editorial used the online database ProQuest ABI/Inform to set search criteria and retrieve trade data (Table II). For this study, the researchers defined a 1-year timeframe for the data collection post the data breach incident. Beyond this time horizon it was found that articles would be cross-reporting on other unrelated data breach cases with little to add to the original case. Finally, duplicate reports were identified and removed.
C. Data Analysis
The data analysis approach in this editorial used qualitative analysis. The researchers critically evaluated each trade journal report in the context of the data breach case, as well as business and other relevant information pertaining to the 5 cases. Key themes were then identified qualitatively. Following this, the trade journals were analyzed to identify the stakeholders that were represented. For brevity, each primary stakeholder representative was identified with their corresponding position title, allowing further context for their cited responses. This also permitted stakeholder perspectives to be captured on the state of play on data breaches and the impact that cyber incidents have on business and society. Organizational insights are especially important but often not shared publicly. Issues were clustered around key themes on (1) data security, (2) risk management, (3) cybersecurity practices, and (4) data protection regulation. The intertwining of trade journals and stakeholder responses and opinions brings together the interplay of all those involved in the cloud computing ecosystem and the lessons learned from large, national, and international cyber hacks. The 8 papers included in the special issue related directly or indirectly to data breaches in the cloud from multiple stakeholder points of view, and are complementary in that they largely rely on qualitative findings at multiple levels of inquiry.
SECTION V.
Data Security
A. Case 1: Social Engineering Attacks on Sony’s Employees
The 2011 Sony PlayStation Network data breach immediately received criticism from users and the wider business community on the severity of the hack. Trade journals reported that hackers were able to bypass Sony’s security defenses and retrieve end-user PII and financial information. Data security issues concentrated on employee vulnerabilities in identifying and preventing social engineering attacks. For example, [38] indicated that the social implications of cloud data breaches were related to the human element in that hackers targeted Sony employees. Robert Mullins elaborated that most data breaches had “one thing in common: they all involved, to some extent, human error” [38]. Similarly, Alan Paller, the Research Director at the non-profit SANS Institute (SysAdmin, Audit, Network, and Security) said: “Most probably it was a ‘spear-phishing’ attack that fooled a system administrator into installing an infected piece of software, from where the attackers could pivot to do the rest” [39]. Importantly, it was reported that the hackers gained access through a series of security loopholes, initially gaining high-level privileges, allowing them to access network resources. Jeremiah Grossman, founder of WhiteHat Security, said that once the hackers gained low-level privileges they used “a technique known as SQL injection, in which the database fail[ed] to recognize that it [was] executing an improper command” [40]. This technique allowed hackers to move “through the network... escalat[ing] the level of access to which they were entitled” [41].
B. Case 2: eBay’s Inadequate Employee Security Training
Industry publications reported that the hackers targeted a small number of eBay’s employees through social engineering attacks. The hackers executed a series of phishing attacks containing malicious email attachments which they then used to access eBay’s cloud infrastructure and extract end-user data. eBay confirmed that hackers had obtained employee log-ins and “accessed internal databases between late February and early March” [42]. They reported “that only a small number of employee log-in credentials were hijacked” allowing the hackers access to sensitive databases [43]. Dan Dinnar, VP Sales Asia Pacific at CyberArk explained the social engineering risks associated with the eBay data breach. He said: “The very fact that just a small number of compromised accounts has resulted in such significant access to eBay’s corporate network is extremely concerning. Clearly, there has not been enough attention paid to protecting privileged access accounts, where one small human error or mistake can cause an enterprise-wide security breach” [43]. Other business journals reported that social engineering attacks had caused businesses to rethink their data security strategies [44], [45], [46]. For example, employee training programs are important tools that businesses can apply to mitigate the risk of attacks. While the technology landscape has changed, the social engineering component has remained, and hackers proceed to exploit the human aspect in data security. Reference [47] reported that continued weakness in human factors directly affects the success factors of the technology. Furthermore, the trade journals reported that the eBay data breach not only set a precedent for businesses to prioritize employee training, but also exposed the aftermath of mass end-user PII exposure.
C. Case 3: Yahoo!’s Outdated Data Security Encryption
Security stakeholders responded on Yahoo!s data breach and on the company’s outdated encryption standard that was used to protect the users PII and sensitive information. Dave Palmer, director of technology at Darktrace said Yahoo! protected its end-user’s passwords “using a method known as an MD5 hash,” in which the “methodology [was] extremely dated” [48]. Similarly, Paul German, CEO of Certes Networks, said the Yahoo! data breach should be used as an example of companies failing to take cybersecurity seriously, bringing the “attitude to cyber security into question” [49]. The overarching sentiment in the trade journals was that Yahoo! had to better integrate humans and technology into one system. In this situation, technology alone is futile against cybersecurity attacks. Sarah Stephens, Head of Cyber, Media and E&O at Marsh JLT Specialty, said the “attack on Yahoo! highlight[ed] the pervasive nature of cyber-attacks in the complex world of data protection, and particularly the issue of latency in discovering that an attack ha[d] occurred” [29]. Stephens also stated that incorporating humans and technology was vital in discovering data breaches. Greg Reber, the founder and CEO of AsTech Consulting, reiterated Stephens’ viewpoint that businesses need to adapt to having human and technology systems working together [50]. Reber said data breaches are “evolving” and businesses “need to keep an eye out on developments.”
D. Case 4: Singtel Optus Battle of a Basic Security Dilemma
In terms of significance, the Optus data breach is among the largest data breaches within the Australian context, disclosing as many as 9.8 million records [51]. It was estimated that 40% of Australia’s population had their personal information stolen, including: names, birthdates, home addresses, phone and email contacts, and passport and driver’s license numbers [52]. A further 10,000 individuals had their Medicare details stolen, and about 2.8 million were deemed to be at quite a significant risk of ID theft and fraud [53]. While the company has maintained the attack was sophisticated, the Australian Government declared that the attack was anything but sophisticated, akin to a kid in a garage using a freely accessible software interface. The hacker demanded AUD $1.5 million [54], and the company was fined AUD $2.2 million. The Australian Government and the Australian Federal Police (AFP) launched Operation Guardian, working alongside the private sector to investigate the Optus data breach [55]. Grant Nicholls, AFP’s Acting Deputy Commissioner was responsible for managing and driving this operation with other law enforcement agencies. Furthermore, the taskforce liaised with the Australian Interpol branch and Russian law enforcement [53].
E. Case 5: Medibank Private Ransomware Failure
The Medibank Private data breach is of particular importance in the Australian context as it was a major health data breach that impacted nearly 40% of the nation’s population. It took more than three weeks after the data breach for the company to inform their 9.7 million customers that their private and sensitive information had been stolen [53]. The hackers also used ransomware to lock down specific Medibank systems and services critical to their operation [56]. Australia’s former Federal Home Affairs and Cybersecurity Minister, Clare O’Neil, indicated that both the Optus and Medibank hacks signified turning points in the nation’s approach to data protection and cybersecurity [57]. She said that paying ransoms inclined Australia to be perceived as a soft target and current cyber laws were ineffective against emerging threats. Following the data breach, Australian lawmakers approved legislation updating the Privacy Act in enacting harsher penalties on organizations failing to protect user data, with fines up to AUD $50 million [58]. In addition, the Australian Federal Police were in close correspondence with Interpol, collaborating with that global police cooperation and crime control organization [53]. Andrada Fiscutean reported two key points in data security with respect to the case [59]: (1) that organizations must increase their cybersecurity budgets, and (2) that past data breaches should be lessons on what and what not to do concerning cyber threats and attacks such as increasing employee training, identifying vulnerabilities and protecting against supply chain attacks. This view is confirmed by former Telstra’s CEO, Andrew Penn, leading Australia’s Expert Advisory Board on Cyber [60], who said that the industry needs to improve their cybersecurity practice in combination with government securing their systems.
SECTION VI.
Risk Management
A. Case 1: Sony’s Shift Towards Employee Security Training and a Company Focus on Cyber Policies
Risk management was highlighted in the context of Sony’s PSN data breach. In this case, there was a clear focus in better understanding the breach in the context of the cloud ecosystem. Representative trade journal responses noted that “the focus for investment... [had to] move [from] protecting key business assets from direct threat, such as malign or socially engineered intruders” [61] toward “proactive risk management techniques and employee training that the entity either ha[d] in place or need[ed] to establish” [62]. In the context of business risk, Nick Chaffey, Head of Defense, Security and Resilience Consulting at PA Consulting Group highlighted that no system was foolproof and that “[d]esigning resilience into every aspect of systems and process” would ensure business continuity [61]. He continued that “[u]nderpinning all this work need[ed] to be recognition that achieving 100 per cent security [was] expensive, impractical and virtually impossible” [61].
Several industry journals reported that cyber insurance policies provided additional business protection [63], [64], [65], [66]. Reports also implied that cyber policies were a reactive approach procured by businesses to reduce data breach litigation costs. In Sony’s case, its insurer, Zurich Insurance Group Ltd withdrew its liability coverage in its entirety as the commercial general liability (CGL) insurance did not insure against cyber liability claims [63]. Others reported that cyber policies needed to be reviewed and more closely aligned with the company’s strategy. The authors of [64] suggested that companies faced “a moving target, both for them and for the insurance companies.” Similarly [67] reported that cyber coverage had “moved from an afterthought to a front-burner issue for many risk managers” as more cyber incidents and data breaches made front-page news following the Sony PSN data breach.
B. Case 2: eBay’s Data Breach Urges Companies to Revise Risk Management Strategies
A key aspect of the 2014 eBay data breach was the position of stakeholders to view risk management as protecting both users and organizations. The authors of [68] presented that one strategy was for employees to identify likely cyber risks and to categorize them as business risks. Trade publications also highlighted that allowing employees to identify cyber risks, satisfied risk management “best practices.” Another strategy was to opt for a top-down method incorporating internal stakeholders in the decision-making process. Nathan Smolenski, the Chief Information Security Officer (CISO) at Zurich North America said that the integration of key stakeholders into the risk management process had changed the way businesses viewed cyber risks [69]. Smolenski said eBay and other “high-profile data breaches have certainly attracted the attention of C-suites.”
From a broader standpoint, it has been shown that businesses are opting for cyber policies in order to protect themselves from data breach litigation. Cyber policies are regarded as a reactive solutions-based approach. It is important to note that the business publications did not report whether eBay, Inc. approached any cyber insurers at the time of the breach. Stephen Wares, head at Marsh Inc. said business executives recognize “cyber as a risk” and demand “to see if they can find a solution” [70]. Likewise, the cyber insurance sector is responding to demand from executives. As a result, one of Britain’s leading insurance providers, Brit Insurance, launched a cyber policy covering “business interruption and the cost of restoring digital assets” in 2015 [71]. Finally, cyber policies have gained executive approval and are considered paramount to risk management success.
C. Case 3: Yahoo!’s Data Breach Prompts Change in Other Boardroom Cyber Preparedness Strategies
In the aftermath of the Yahoo! data breach, it was reported that executives and the board of directors needed to revise their risk management strategies urgently [72], [73], [74], [75], [76]. Michael Osterman, President of Osterman Research, emphasized that executives and boards are becoming better at recognizing the importance of cybersecurity issues [72]. Similarly, [77] reported: “A company culture that is predicated upon solution management will continue to thrive and generate unity by adapting and preparing for change.” A company can obtain the benefits of addressing cyber threats and risk management plans by having the backing and support of executives and board members. Stuart Madnick, Professor of IT and Engineering Systems at M.I.T. Sloan School of Management said: “[t]he high-level ramifications of cyber-attacks mean they have to be addressed by executives who steer corporate strategy, instead of being left to the techies” [76].
In addition to board members becoming aware of cyber breaches, other stakeholders indicated businesses should adopt cyber policies in their risk management plans. The important benefits associated with cyber policies are liability coverage and risk mitigation strategies. Michael Patsalos-Fox, CEO of Stroz Friedberg, LLC, explained that cyber policies benefit businesses as they “face greater systemic risk from cyberthreats than ever before” [78]. Michael Shultz, CEO of Cybernance Corp., added that the benefits of cyber policies allow “companies like Yahoo” to have third-party liability from cyber-attacks [79]. Other stakeholder responses also present cyber policies and intended use in business. For example, Steve Britt, a Partner and Director of Corporate and Technology Law at Berenzweig Leonard, LLP said: “Cybersecurity is only getting more complicated and the first thing any company should do is take it seriously and begin the process of understanding what they need to protect themselves... If there is a breach, you definitely have to have experienced data security privacy counsel, because it is just too complex a world” [80]. And Donald Houser, a Partner in Alston & Bird, LLP said: “Data breaches are multi-faceted and produce various issues, such as litigation, government inquiries, investigations, etc. So, retailers should carefully understand the limits or sub-limits applicable to each of these categories” [81].
D. Case 4: Singtel Optus Risk Management Deficiencies and Improper Communication
Immediately following the data breach announcement, Optus began offering a 12-month subscription to ID theft protection to customers who had their information disclosed [51]. The ID protection subscription allowed Optus customers to monitor their credit applications and reduce ID theft. Australian law firm, Slater and Gordon, launched an investigation into Optus’s management team to determine if deficiency in their knowledge and capability had a role to play in the massive data breach [52]. ID protection also plays a role in easing users’ anxiety and fears credit accounts and other sensitive applications will be opened as a result of their stolen data [82]. Furthermore, it is obvious that Optus lacked a proper cyber risk plan and viewed ID threat monitoring as a way to present themselves to the general public in a better light.
Another key aspect of the Optus data breach was the organization’s lack of or improper communications concerning events that occurred prior to and after the hack [54]. Mark Forbes, director of Icon Reputation, outlined Optus communicated conflicting stories about the hack [54]. For instance, he noted that Optus’s CEO indicated the hack was sophisticated while the Australian Government declared it was not. However, it was John Mullan, Telstra’s Chair, who defended Optus’s management team, including their CEO and the Chief Marketing Officer (CMO), Melissa Hopkins, on their approach to handling the breach [83]. The OAIC and the Australian Communications and Media Authority (ACMA) jointly investigated the Optus data breach [84], [85]. The OAIC highlighted in their primary reporting, that if the Optus breach violated the Australian Privacy Act, then penalties would be AUD $2.2 million per violation [85]. Australian Attorney-General Mark Dreyfus presented the Federal Government bill proposing amendments to the Privacy Act that aimed to impose stricter penalties which were later realized [86].
E. Case 5: Medibank Private Cyber Risk Management Failure
The Medibank Private data breach signified the magnitude of cyber-attacks, including those involving ransomware on complex ecosystems. There was debate over whether Medibank should or should not pay the ransom demanded by the hackers. Medibank indicated they would not pay the ransom, following the advice from the Australian and U.S. Governments on managing ransomware attacks [87]. Michael Phillips, Chief Claims Officer at Resilience Cyber Insurance, noted that Medibank had done an excellent job in avoiding paying the extortion and ransom to the hackers [87]. However, Australian Attorney-General Mark Dreyfus argued that better user and data protection was needed in the increasingly complex landscape where breaches occur. Dreyfus also stated that increasing information-sharing capabilities between OAIC and ACMA would allow for more comprehensive knowledge sharing [86]. This view was also shared by Reece Kershaw, the Australian Federal Police Commissioner, who noted that national and international cooperation was required to overcome cyber criminals who operate “like a business with affiliates and associates, who are supporting the business, and that some affiliates are believed to be in other countries” [53].
Matt Warren, RMIT’s Cyber Security and Innovation Research Centre Director, highlighted that organizations need to view cyber threats “as a business risk rather than a technical one” [88]. Professor Warren states that creating cyber-aware boards permits directors to act responsibly and obliges them to protect critical infrastructure and systems storing user data. On reporting on the Medibank Private cyber ransomware attack, Patricia Vowinkel concluded that cyber insurance is another way organizations can protect themselves against legal and litigation costs [56]. Commenting on the cyber health space, Sundar Balasubramanian, reported that cyber resiliency needs to include awareness by all stakeholders including the board of directors [89]. He also noted that healthcare organizations must protect themselves against zero-day and fifth-generation threats on all networks, including cloud and Internet of Things (IoT) services. While organizations and their executives and boards intend to improve their cybersecurity preparedness, the Australian Government, in the context of the Medibank breach, indicated through legislation the intent to “significantly increase penalties for repeated or serious breaches” [85]. Finally, both the private and public sectors are striving towards cyber resiliency and awareness, where they have not previously taken the appropriate steps in cyber prevention.
SECTION VII.
In This Special Issue
Article [A1] in this special issue is a peer-reviewed editorial dedicated to the topic of artificial intelligence (AI) in cybersecurity using a socio-technical framing. The article is co-authored by Katina Michael and Kathleen M. Vogel of Arizona State University, Jeremy Pitt of Imperial College London, and Mariana Zafeirakopoulos of the University of Sydney. This research was supported by The Alan Turing Institute’s Defence and Security Programme. The article recognizes AI as a dual-use technology [90], and as such presents a new formulation of the challenges that considers the complex social, technical, and environmental dimensions and factors that shape both the opportunities and threats for AI in cybersecurity. The paper offers approaches for responding to public interest security, safety, and privacy challenges arising from complex AI in cybersecurity issues in open socio-technical systems.
Article [A2] is written by Wei Xu and Zaifeng Gao of Zhejiang University’s Department of Psychology and Behavioral Sciences, Center for Psychological Sciences. The authors recognize three things: (1) the importance of the socio-technical approach; (2) the importance of human-centered approaches; and (3) the rise of complex systems incorporating AI. Xu and Gao propose an intelligent socio-technical systems (iSTS) framework enabling a hierarchical human-centered AI (hHCAI) approach. Their paper introduces intelligent sociotechnical systems (iSTS) to enhance traditional STS theory and meet the demands of the surge of advancements in AI. The iSTS concept emphasizes human-centered joint optimization across individual, organizational, ecosystem, and societal levels. While the first paper by Michael et al. [A1], presents a socio-technical framing of AI in cybersecurity, Xu and Gao [A2] claim to enhance traditional socio-technical theory.
Article [A3] is written by three MITRE employees, Dorton et al. [A3]. MITRE is a not-for-profit organization that works to address the complex national security challenges in today’s hyper-competitive strategic environment. The author team argue the importance of resilience engineering (RE) tools in the context of socio-technical design and present a compelling case for their adoption in practice. This work is generalizable in the development of participatory tools for human-centered design. The work was supported by both the MITRE Independent Research and Development Program and MITRE’s Software Engineering Innovation Center [L530] Research Enablement and Augmentation Program (REAP).
Article [A4] is co-authored by Susan Helser and Mark Hwang of the Business Information Systems Department at Central Michigan University. Helser and Hwang present an in-depth exploration of the intersection of cybersecurity, AI, and big data (CAB) across six sectors in manufacturing and public service. They highlight the transformative potential of CAB technologies in reshaping industries and enhancing efficiency while also underscoring the challenges they present, particularly to data protection and privacy. The authors propose a three-dimensional security model consisting of the (1) security goal, (2) security control, and (3) data state to ambitiously analyse 6 sectors. The resultant models represent a major step toward more effective risk assessment in practice.
Article [A5] is a cross-institutional and cross-sectoral work written by John Twomey, Didier Ching, Matthew Peter Aylett, Michael Quayle, Conor Linehan and Gillian Murphy. Twomey, Ching, Linehan and Murphy are with the School of Applied Psychology at University College Cork and LERO. Aylett is with the Mathematics and Computer Science department, Heriot Watt University, Edinburgh. Quayle is with the Centre for Social Issues Research and Department of Psychology, University of Limerick, Ireland and the Department of Psychology, School of Applied Human Sciences, University of KwaZulu-Natal, Pietermaritzburg, South Africa. In this article a systematic scoping review was carried out to identify, assemble, and critically analyze academic narratives on deepfakes. The work received financial support from the Science Foundation Ireland and was co-funded under the European Regional Development Fund through the Southern and Eastern Regional Operational Programme to Lero - the Science Foundation Ireland Research Centre for Software.
Article [A6] is co-authored by Matthew Ryan, Glenn Withers, and Frank Den Hartog. Matthew Ryan is with the School of Systems and Computing at the University of New South Wales, Canberra, Glenn Withers is with the Crawford School of Public Policy, Australian National University, and Frank den Hartog is with the University of Canberra. This timely study delves into the escalating risk of a major disruption event involving Cloud Service Providers (CSPs) within the global financial system, amidst shifting supplier dynamics and mounting economic challenges. It focuses on the increasing dependence of financial institutions on three CSPs for critical business services, highlighting the emergent issue of cloud concentration risks.
Article [A7] is written by Jaeung Lee, Jingguo Wang, Melchor C. de Guzman, Manish Gupta, and H. Raghav Rao. The author team present a cross-disciplinary focus on addressing the question of data breaches in the workplace. Lee is with the Computer Information Systems Department at Louisiana Tech. Wang is with the Department of Information Systems and Operations Management at The University of Texas at Arlington. de Guzman is with the Department of Criminal Justice and Criminology at Georgia Gwinnett College. Gupta is with the Department of Management Science and Systems at State University of New York at Buffalo. Rao is with the Department of Information Systems and Cyber Security at The University of Texas at San Antonio. This work was supported in part by multiple grants of the National Science Foundation (NSF). The paper focuses on how employees’ extra-role security behaviors can help organizations reduce safety and security threats in their operational environment and protect organizational assets. The study draws upon Protection Motivation Theory (PMT) and suggests that employees’ threat appraisal and security self-efficacy are key to such extra-role security behaviors. Also, the study opens the closed box of threat appraisal using Routine Activity Theory (RAT), proposing that employees’ appraisal of the threat of data breach is from an understanding of routine activities within their organization.
Article [A8] is written by Philip J. Chmielewski of Loyola Marymount University. The paper explores an ethics for securitization, focusing on the adoption of the multi-dimensional significance of the United Nations Sustainable Development Goals (SDGs). Chmielewski argues that engineering practices are critical in assessing and shaping securitization. The author brings it right down to the lowest common denominator, focusing on persons. Using the work of Hannah Arendt and Elke Schwarz, Chmielewski explores both an individual’s vulnerability and their effective activities to shape a common world. The author argues that economic, social, and governance dimensions of the SDGs correspond to the dwelling, designing, and discursive practices of persons and societies. Thus, the SDGs establish a trans-temporal and global context, and securitization requires an ethical direction. The SDGs orient engineering practices so that persons in society through their collective activities are enabled to strive to maintain their common good.
SECTION VIII.
Discussion and Recommendations
The special issue papers provide for us examples from the macro, meso, and micro views. They consider responses at various levels: by governments, organizations, and individuals or small groups of individuals. We can speak of both community level responses and those at the societal level. Within an organizational context we can choose to focus on particular types of sectors or institutions or we can focus on the employees that work within those organizations. We might even consider the kinds of approaches we are using to address data breaches in the cloud, viewing the ecosystem at large as opposed to merely a given stakeholder perspective. We can adopt human-centered AI approaches with enhanced socio-technical systems thinking in addressing complex problems. Acknowledgement of the meshed networks of stakeholders and the associated risks at every level is paramount. The following provides a holistic discussion and recommendations learned from the 5 presented case studies and the 8 special issue papers. What is starkly noticeable from the data breaches that occurred as far back as 2011 to now is the escalating nature of severity of breaches, the commensurate penalties that ensue, and the continued brazenness of hackers. There must be a whole-of-nation/ whole-of-coalition response to threats of cybersecurity in order to minimize disruptions, maximize end-user trust, and maintain social securitization.
A. Implementing Security Threat Monitoring and Detection Systems as Part of a Unified Cybersecurity Strategy
Cloud customers within the cloud value-chain need to integrate security monitoring and detection systems throughout their operations. The outcomes of the 5 cases indicate that a balanced approach between automated and manual processes is necessary for effective risk management. If there is an imbalance between automated and manual processes, the outcome could result in over-reliance on systems and under-reliance on employees or vice-versa. Stakeholder responses indicate that threat monitoring and detection systems play an important role in risk management. However, they recognize these systems are only part of a unified strategy.
B. Cloud Customers to Review Risk Mitigation Processes
As organizations are migrating their online applications, processing requirements and storage operations to cloud and hybrid cloud services (or have already migrated), it is necessary for them to review their risk mitigation processes. While cloud customers have some or all their threat detection offset by cloud providers, cloud customers could bring these services to in-house means of operation. Furthermore, cloud customers could allow for joint optimization between technology, processes, tasks, and people to identify and mitigate risks.
C. End-Users, Organizations, Law Enforcement and Governments Responding to Cybersecurity Attacks
This section outlines five cybersecurity recommendations that could be incorporated into the overall risk management strategy that cloud stakeholders could implement. This permits responses from multi-stakeholder, multi-paradigmatic and multi-dimensional perspectives [A1].
1) Recommendation 1 - Government and Law Enforcement Cooperation in Cybercrime Activities:
While the focus of data breach cases is to investigate which users are impacted and what information has been stolen, rarely is there any acknowledgment of who is primarily accountable. Accountability could be identified through the following agreements:
Bridging closer agreements between Federal and international police forces such as Europol and Interpol through Mutual Legal Assistance (MLAs). MLAs are not always successful, but they do allow for information on the hacker’s IP address and geolocation to be shared in a timely fashion.
Focusing on the Convention on Cybercrime for identifying unauthorized access and the beginning phase in a much larger targeted attempt in managing data breaches. This places great emphasis on accountability and is often legally binding in international law.
Developing capacity building activities for cyber resilience. On the micro level, developing security activities for citizens and consumers. At the meso level developing capabilities in business. At the macrolevel, understanding cyber implications at the nation state level, such as the 5EYES Nations (the U.S., U.K., New Zealand, Australia, and Canada) to work collaboratively in curbing against emerging threats like AI.
2) Recommendation 2 - Increasing User Trust in Core Technology Infrastructure:
One of the main cybersecurity threats to a nation state is the possibility of destabilizing their core infrastructure, which in turn, could harm their citizens’ sense of belonging and personal security. Hackers breaching defenses of cloud and other platforms can cause pervasive harm and damage at the national level. Making an assessment and recommendation for harms and potential damages could be determined by:
When citizens begin questioning whether their phone settings and personal data on their phone have been modified.
When citizens are unable to discern the difference between a legitimate smartphone communication (e.g., SMS / email) and a phishing attack.
When disinformation messaging of all digital forms is accepted by citizens as legitimate news reporting.
Acknowledging cyber hacking is more than simple hacks.
Education and training are required by everyday citizens, and societies at large to decipher true data from disinformation.
3) Recommendation 3 - A Multidisciplinary Approach to Educating Users About Disinformation Cyber-Attacks:
A key recommendation in battling disinformation and other attacks on trust is to provide additional funding in the educational context. A multidisciplinary approach involving sociologists, business professionals, and psychologists can help to increase understanding of cybersecurity. These stakeholders could help gain an understanding of hackers’ motives and justification behind cyber-attacks. Involving a diverse set of stakeholders can lead to a more comprehensive response to complex problems, such as all-of-coalition.
4) Recommendation 4 - Organizations Reviewing Cybersecurity Scenarios:
To patch cybersecurity loopholes, organizations should review tools such as privacy impact assessments (PIA), risk assessments and bi-lateral/ multi-lateral service level agreements (SLA). In terms of mandatory data breach notification, organizations must review local legislation and regulation and ensure compliance at the provincial and national levels. Governments should enforce mandates on organizations to invest more in security personnel, security infrastructure and knowledge sharing. Furthermore, organizations must begin hiring more employees to handle cyber-related activities from diverse disciplinary backgrounds to help respond to the predicted increase in the number of attacks.
5) Recommendation 5 - Understanding Hacker Motives and Reward Factors Behind Data Breaches:
Fundamentally, the hackers’ motivations are surveillance driven, as their core objective is to retrieve all types of information used for monitoring purposes. For example, in 2015, hackers breached the Federal Bureau of Investigation (FBI) security defenses and retrieved over 5.6 million biometric prints of U.S. federal employees [91]. This cyber breach raised concerns about the data protection strategies of other agencies and whether they unknowingly have suffered a similar fate.
Understanding the hackers’ motivation and reward factors plays an important role in why they target selected platforms and systems. The following could resemble the hackers’ motivation and reward factors:
To destabilize nation states and, to an even greater extent, impact geopolitics. To make citizens question their personal security and make a large portion of the population feel distrust.
The idea that hackers could target critical infrastructure such as healthcare supply chains, payment and communications systems [92]. While we are not altogether at that junction point, ransomware attacks that threaten providers and encrypt large datasets of personal information can have crippling effects on stakeholders, not to mention end-users (i.e., citizens).
Hackers aim to make citizens and consumers feel anxious by disclosing their sensitive information, such as biometric and health information which people cannot change. Increasingly credentials such as passports, Medicare cards, driver’s license data, and social security numbers are being targeted.
Learning more about the system that has been breached and the vulnerabilities associated with that system.
Thought processes could focus on the number of levels unlocked within a system (end-user to systems administrator) and the number of systems breached to gain respect within the cyber community, sharing details in an education context of knowledge transfer.
SECTION IX.
Conclusion
As cloud computing services continue to proliferate and more data is outsourced to cloud providers, cyber-attacks will inevitably continue to occur, and cloud customer and end-user data will be compromised. This study investigated five cloud computing data breaches (2011 Sony PlayStation Network, 2014 eBay, 2014 Yahoo!, 2022 Singtel Optus, and 2022 Medibank) using case studies and explored business-related issues in end-user data disclosures. Notably, the case studies present a 12-year time period, in which the selection of data breaches have occurred, allowing for a detailed investigation of the state of play and progress in cloud data protection. In addition, an outlook trajectory on current and future cyber-related issues facing cloud providers, customers, and end-users was revealed. The path forward was outlined, concentrating on a multidisciplinary, multi-stakeholder, and multidimensional approach.
This editorial has three main outcomes. The first outcome is related to business and data security. While encryption and network threat detection and prevention tools have improved, the cases demonstrate that they have not deterred hackers from continuously attacking cloud services or systems. Hackers are using social engineering techniques targeting cloud customers’ employees, obtaining their credentials and then launching stealth mode attacks allowing them to remain undetected for a considerable amount of time. This allows hackers to patiently retrieve private and sensitive business and end-user information. The second outcome concentrates on the role past data breaches have played in the discussion for more appropriate data protection laws and regulations, increased penalty notices, and greater cooperation between law enforcement agencies. The Sony PSN and eBay data breaches generated discussion for better cyber risk management, including cyber insurance policies. It was the Yahoo! data breach that highlighted the importance of executives and board members becoming more diligent and aware of cyber-attacks. Pressing forward, the Singtel Optus and Medibank Private breaches further solidified the need for cyber risk policies based on risk appetite and through the media, increasing communication and awareness between stakeholders, including end-users.
The third outcome of this editorial provides crucial recommendations on cybersecurity accountability, cooperation, motivation, and education. Accountability and cooperation are often, but not always, mutually dependent because the hacker responsible for breaching a cloud service or system usually cannot be determined without inputs from stakeholders, particularly law enforcement. Successful cooperation can be achieved through national and international agreements and binding international law. It is of equal importance in gaining a deeper understanding of the hackers’ intentions and motivations behind cyber-attacks. While their motives may be linked to financial gains, other motives, such as geopolitical and surveillance, should not be overlooked or ignored. Finally, educating end-users, employees and other stakeholders on cybersecurity is vital in maintaining the status quo and enabling better management of cyber threats.
A. Future Research
The research presented in this special issue suggests two future research topics. The first future research topic could focus on the use of AI in offense and defense cybersecurity capabilities. This is increasingly becoming implemented in risk management strategies where the main focus is on stakeholders protecting their network or services. The research could also concentrate on hacking scenarios using AI, in which it resembles War Games[93]. The second is investigating data breach notifications and regulatory amendments concerning penalties and fines to breached entities. This is an already established area of investigation. However, the changes in penalty notices in the U.S., EU and the Australian [94] setting could provide additional insights into how organizations manage cyber risks and whether fines encourage them to focus on better data protection.
Appendix: Related Articles
K. Michael, K. M. Vogel, J. Pitt, and M. Zafeirakopoulos, “Artificial intelligence in cybersecurity: A socio-technical framing,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 15–30, Mar. 2025, doi: 10.1109/TTS.2024.3460740. [Online]. Available: https://ieeexplore.ieee.org/document/10706119
W. Xu and Z. Gao, “Intelligent sociotechnical systems (iSTS): Enabling a hierarchical human-centered AI (HCAI) approach,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 31–46, Mar. 2025, doi: 10.1109/TTS.2024.3486254.
S. L. Dorton, G. J. Lematta, and K. J. Neville, “The tough sell of resilience engineering,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 47–53, Mar. 2025, doi: 10.1109/TTS.2024.3484176.
S. Helser and M. Hwang, “AI and big data: Synergies and cybersecurity challenges in key sectors,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 54–63, Mar. 2025, doi: 10.1109/TTS.2024.3465935. [Online]. Available: https://ieeexplore.ieee.org/document/10701531
J. Twomey, D. Ching, M. P. Aylett, M. Quayle, C. Linehan, and G. Murphy, “What’s so deep about deepfakes? A multi-disciplinary thematic analysis of academic narratives about deepfake technology,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 64–79, Mar. 2025, doi: 10.1109/TTS.2024.3493465.
M. Ryan, G. Withers, and F. den Hartog, “The cloud conundrum: Are financial institutions heading for a catastrophic disruption event?” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 80–89, Mar. 2025, doi: 10.1109/TTS.2024.34627260. [Online]. Available: https://ieeexplore.ieee.org/document/10706249
J. Lee, J. Wang, M. de Guzman, M. Gupta, and H. R. Rao, “Can I help prevent data breaches in the workplace? From routine activities to extra-role security behaviors,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 90–101, Mar. 2025, doi: 10.1109/TTS.2024.3418621. [Online]. Available: https://ieeexplore.ieee.org/document/10597621
P. Chmielewski, “Vulnerable agents and sustainable security,” IEEE Trans. Technol. Soc., vol. 6, no. 1, pp. 102–109, Mar. 2025, doi: 10.1109/TTS.2024.3465376. [Online]. Available: https://ieeexplore.ieee.org/document/10715735
References
1. D. Kolevski, K. Michael, R. Abbas, and M. Freeman, "Stakeholders in the cloud computing value-chain: A socio-technical review of data breach literature," in Proc. IEEE Int. Symp. Technol. Society (ISTAS), Tempe, AZ, USA, 2020, pp. 290–293, doi: 10.1109/ISTAS50296.2020.9462169.
2. B. Sonkoly, "5G applications from vision to reality: Multioperator orchestration," IEEE J. Sel. Areas Commun., vol. 38, no. 7, pp. 1401–1416, Jul. 2020, doi: 10.1109/JSAC.2020.2999684.
3. B. Varghese and R. Buyya, "Next generation cloud computing: New trends and research directions," Future Gener. Comput. Syst., vol. 79, pp. 849–861, Feb. 2018.
4. J. F. Salindeho, J. H. Moedjahedy, and O. Lengkong, "Cost-benefit analysis of cloud computing in education using the base cost estimation model," in Proc. 3rd Int. Conf. Cybern. Intell. Syst. (ICORIS), Makasar, Indonesia, 2021, pp. 1–5, doi: 10.1109/ICORIS52787.2021.9649636.
5. A. Daly, "The introduction of data breach notification legislation in Australia: A comparative view," Comput. Law Security Rev., vol. 34, no. 3, pp. 477–495, 2018.
6. J. L. Mills and K. Harclerode, "Privacy, mass intrusion, and the modern data breach," Florida Law Rev., vol. 69, no. 3, pp. 771–830, 2017.
7. M. K. Riedy and B. Hanus, "Yes, your personal data is at risk: Get over it!" SMU Sci. Technol. Law Rev., vol. 19, no. 1, pp. 3–52, 2016.
8. J. H. Ziegeldorf, O. G. Morchon, and K. Wehrle, "Privacy in the Internet of Things: Threats and challenges," Security Commun. Netw., vol. 7, no. 12, pp. 2728–2742, 2014.
9. C. Brooks, "Cybersecurity trends & statistics for 2023; What you need to know." Forbes. Mar. 5, 2023. Accessed: Oct. 26, 2023. [Online]. Available: https://www.forbes.com/sites/chuckbrooks/2023/03/05/cybersecurity-trends-\/-statistics-for-2023-more-treacheryand-risk-ahead-as-attack-surface-and-hacker-capabilities-grow/?sh=48f0aa4919db
10. OAIC, "Notifiable data breaches report: July to December 2022," Australian Government, Mar. 1, 2023. Accessed: Mar. 31, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiabledata-breaches/notifiable-data-breaches-publications/notifiable-databreaches-report-july-to-december-2022
11. H. Pham, J. Woodworth, and M. A. Salehi, "Survey on secure search over encrypted data on the cloud," Concurr. Comput. Pract. Exp., vol. 31, no. 17, 2019, Art. no. e5284, doi: 10.1002/cpe.5284.
12. C. Denninnart, T. Chanikphon, and M. A. Salehi, "Efficiency in the serverless cloud paradigm: A survey on the reusing and approximation aspects," J. Softw. Pract. Exp., vol. 53, no. 10, pp. 1853–1886, 2023, doi: 10.1002/spe.3233.
13. Votiro Team. "How misconfigured Amazon S3 buckets can lead to a ransomware attack." Security Boulevard. Apr. 7, 2021. Accessed: Mar. 31, 2024. [Online]. Available: https://securityboulevard.com/2021/04/how-misconfigured-amazon-s3-buckets-can-lead-to-a-ransomwareattack/
14. L. Cheng, F. Liu, and D. Yao, "Enterprise data breach: Causes, challenges, prevention, and future directions," WIREs Data Min. Knowl. Disc., vol. 7, no. 5, 2017, Art. no. e1211, doi: 10.1002/widm.1211.
15. D. Kolevski, K. Michael, R. Abbas, and M. Freeman, "Cloud computing data breaches in news media: Disclosure of personal and sensitive data," in Proc. IEEE Int. Symp. Technol. Soc. (ISTAS), 2022, pp. 1–11, doi: 10.1109/ISTAS55053.2022.10227100.
16. D. Kolevski, K. Michael, R. Abbas, and M. Freeman, "Cloud data breach disclosures: The consumer and their personally identifiable information (PII)?" in Proc. IEEE Conf. Norbert Wiener 21st Century (21CW), Chennai, India, 2021, pp. 1–9, doi: 10.1109/21CW48944.2021.9532579.
17. R. K. Yin, Case Study Research: Design and Methods, 2nd ed. Publications, CA, USA: SAGE, 1994.
18. B. Quinn and C. Arthur. "PlayStation network hackers access data of 77 million users." The Guardian. Apr. 27, 2011. Accessed: Feb. 28, 2024. [Online]. Available: https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data
19. G. Kelly. "eBay suffers massive security breach, all users must change their passwords." Forbes. May 21, 2024. Accessed: Feb. 28, 2024. [Online]. Available: https://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-theirchange-passwords/?sh=1a3047f37492
20. A. Hern. "Yahoo faces questions after hack of half a billion accounts." The Guardian. Sep. 23, 2016, Accessed: Feb. 28, 2024. [Online]. Available: https://www.theguardian.com/technology/2016/sep/23/yahoo-questinos-hack-researchers
21. P. Smith. "Inside the Optus hack that woke up Australia." The Australian Financial Review. Dec. 22, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.afr.com/technology/inside-the-optushack-that-woke-up-australia-20221123-p5c0lm
22. N. Bonyhady. "'One of the most serious cyberattacks': Customer data exposed in Optus hack." The Sydney Morning Herald. Sep. 22, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.smh.com.au/technology/customer-data-exposed-in-majoroptus-hack-20220922-p5bk7v.html
23. J. Taylor. "Medibank hackers announce 'case closed' and dump huge data file on dark Web." The Guardian. Dec. 1, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.theguardian.com/australia-news/2022/dec/01/medibank-hackers-announce-case-closedand-dump-huge-data-file-on-dark-web
24. J. Halliday. "PlayStation network hack: Sony brings in investigators." The Guardian. May 4, 2011. Accessed: Feb. 28, 2024. [Online]. Available: https://www.theguardian.com/technology/2011/may/04/sony-playstation-network-hack-investigators
25. C. Moriarty. "One year later: Reflecting on the great PSN outage." IGN, Apr. 21, 2012. Accessed: Feb. 28, 2024. [Online]. Available: https://www.ign.com/articles/2012/04/21/one-year-later-reflecting-onthe-great-psn-outage
26. J. Wakefield, "eBay faces investigations over massive data breach." BBC. May 23, 2014. Accessed: Feb. 28, 2024. [Online]. Available: https://www.bbc.com/news/technology-27539799
27. M. Vincent. "Hackers break into eBay database, steal customers' personal information." ABC. May 22, 2014. Accessed: Feb. 28, 2024. [Online]. Available: https://www.abc.net.au/news/2014-05-22/hackerssteal-e-bay-personal-details/5469330
28. T. Brewster. "Russian spies conspired with most wanted cybercriminal in Yahoo hack—DOJ." Forbes. Mar. 15, 2017. Accessed: Mar. 31, 2024. [Online]. Available: https://www.forbes.com/sites/thomasbrewster/2017/03/15/us-claims-two-russian-spies-conspiredwith-most-wanted-cybercriminal-in-yahoo-hack/?sh=393047aa4b2f
29. M. Kan. "Yahoo breach exposes the drawbacks of state-sponsored hacking." CSO. Mar. 17, 2017, Accessed: Feb. 28, 2024. [Online]. Available: https://www.csoonline.com/article/560673/yahoo-breachexposes-the-drawbacks-of-state-sponsored-hacking.html
30. T. Turnbull. "Optus: How a massive data breach has exposed Australia." BBC. Sep. 29, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.bbc.com/news/world-australia-63056838
31. C. Kruger. "'Case closed': Medibank faces heavy fines as hackers dump customer data." Sydney Morning Herald. Dec. 1, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.smh.com.au/business/companies/case-closed-medibank-hackers-releasemassive-data-file-20221201-p5c2pu.html
32. M. Mason, J. Davidson, and A. de Kretser. "Inside Australia's most invasive data hack." Australian Financial Review. Nov. 9, 2022. Accessed: Feb. 28, 2024. [Online]. Available: https://www.afr.com/technology/inside-australia-s-most-invasive-data-hack-20221109-p5bwsk
33. C. Cross, M. Parker, and D. Sansom, "Media discourses surrounding 'non-ideal' victims: The case of the Ashley Madison data breach," Int. Rev. Victimol., vol. 25, no. 1, pp. 53–69, 2019.
34. G. Bunker, "Technology is not enough: Taking a holistic view for information assurance," Inf. Security Tech. Rep., vol. 17, nos. 1–2, pp. 19–25, 2012.
35. K. Kim and T. Wyckoff, "What's in your list? A survey of business database holdings and funding sources at top academic institutions," J. Bus. Finance Librarianship, vol. 21, no. 2, pp. 135–151, 2016.
36. J. C. Tucker, "Taking care of business: Selecting the best periodical database for your business patrons," J. Bus. Finance Librarianship, vol. 11, no. 4, pp. 23–44, 2006.
37. C. Piotrowski and T. R. Armstrong, "Major research areas in organization development: An analysis of ABI/INFORM," Org. Develop. J., vol. 23, no. 4, pp. 86–91, 2005.
38. R. Mullins. "Security 2011: Attack of the human errors." Networking Computing. Dec. 22, 2011. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/security-2011-attack-human-errors/docview/912415352/se-2
39. A. Moses. "Privacy laws to be beefed up following Sony attack." Sydney Morning Herald. May 3, 2011. Accessed: Oct. 26, 2023. [Online]. Available: https://www.smh.com.au/technology/privacy-lawsto-be-beefed-up-following-sony-attack-20110502-1e578.html
40. J. Menn and A. Edgecliffe-Johnson. "Sony under fire after new breach." Financial Times. May 4, 2011. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/sony-under-fire-after-new-breach/docview/864629547/se-2
41. J. Menn. "McAfee reveals huge series of cyberattacks." Financial Times. Aug. 3, 2011. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/mcafee-reveals-huge-seriescyberattacks/docview/881039133/se-2
42. P. Mah. "eBay admits to massive security breach in Feb, March." FierceCIO: TechWatch. May 23, 2014. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/ebayadmits-massive-security-breach-feb-march/docview/1528173380/se-2
43. Anonymous. "How to prevent a breach of privileged access accounts." Networks Asia. May 26, 2014. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/how-preventbreach-privileged-access-accounts/docview/1528379558/se-2
44. R. Machin. "Comment: Data protection is easy when you know how," Retail Week. May 23, 2014. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/comment-data-protection-is-easy-when-you-know-how/docview/1527718584/se-2
45. Anonymous. "Singapore businesses have the responsibility to protect customers from cyberattacks." Networks Asia. Jul. 2, 2014. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/tradejournals/singapore-businesses-have-responsibility-protect/docview/1542154180/se-2
46. P. Lipman. "Too big to ignore: SMBs confronting today's cybersecurity threats." SecurityInfoWatch.com. Jul. 7, 2014. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/too-bigignore-smbs-confronting-todays/docview/1543359763/se-2
47. T. Robinson, "Smart defense," SC Mag., vol. 25, no. 9, pp. 20–23, Sep. 2014. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/smart-defense/docview/1617794839/se-2
48. R. Miller. "Hulu offers one-week credit to PlayStation Network users, Hulu Plus coming to Xbox 360 this Friday." The Verge. Apr. 27, 2011. Accessed: Oct. 24, 2023. [Online]. Available: https://www.theverge.com/2011/04/27/hulu-plus-on-playstation-network-xbox-360
49. T. Bradshaw, M. Murgia, and A. Samson. "'State-sponsored actor' stole data from 500m Yahoo users." Financial Times. Sep. 23, 2016. Accessed: Oct. 24, 2023. [Online]. Available: https://www.ft.com/content/0ebde3b4-80fb-11e6-8e50-8ec15fb462f4
50. G. Reber. "Cyber insurance coverage must be appropriate to perceived risk." SecurityInfoWatch.com, Jun. 10, 2017. Accessed: Oct. 24, 2023. [Online]. Available: https://www.securityinfowatch.com/cybersecurity/information-security/article/12339579/cyber-insurance-requirescareful-assessment-and-comprehensive-security-measures
51. T. Leithauser. "Australia eyes changes in cyber rules after Optus breach." Cybersecurity Policy Report. ProQuest. Sep. 26, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/australia-eyes-changes-cyber-rules-after-optus/docview/2718689159/se-2
52. M. Madigan. "'Qantas must be pleased!' Optus' data breach could result in class action lawsuit." B&T Weekly. Sep. 28, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/tradejournals/qantas-must-be-pleased-optus-data-breach-could/docview/2718735758/se-2
53. S. Sarraf. "Medibank hackers revealed to be in Russia." CSO. Nov. 11, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/medibank-hackers-revealedbe-russia/docview/2735173093/se-2
54. Anonymous. "Optus' poor communication digs itself into a deeper crisis over data breach." B&T Weekly, Sep. 29, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/tradejournals/optus-poor-communication-digs-itself-into-deeper/docview/2719227182/se-2
55. S. Sarraf. "DXC technology says global network is not compromised following latitude financial breach." CSO. Mar. 30, 2023. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/dxc-technology-says-global-network-is-not/docview/2792518635/se-2
56. P. Vowinkel. "Ransomware raises difficult questions." Best's Review. Feb. 2, 2023. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/ransomware-raises-difficultquestions/docview/2770359951/se-2
57. T. Leithauser. "Australia eyes ban on ransomware payments: Cybersecurity policy report." ProQuest. Feb. 27, 2023. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/australia-eyes-ban-on-ransomware-payments/docview/2783250616/se-2
58. R. J. Howard, "Australia updates privacy law following data breaches: Cybersecurity policy report." ProQuest. Nov. 29, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/australia-updates-privacy-law-following-data/docview/2743526879/se-2
59. A. Fiscutean. "14 lessons CISOs learned in 2022." CSO. Dec. 12, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/14-lessons-cisos-learned-2022/docview/2753277466/se-2
60. T. Leithauser. "Australia plans new national cybersecurity strategy: Cybersecurity policy report," Dec. 12, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/australiaplans-new-national-cybersecurity/docview/2754553551/se-2
61. P. Walker, China Chief Suspect as Report Reveals Cyberspying on an Industrial Scale, The Guardian, London, U.K., Aug. 4, 2011.
62. S. Jones, "Protecting government information," The American City & County. Aug. 1, 2011. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/protecting-governmentinformation/docview/881347952/se-2
63. L. B. Baker and J. Finkle. "Sony's insurers to help foot bill for data breach." Reuters. May 5, 2011. Accessed: Oct. 23, 2023. [Online]. Available: https://www.reuters.com/article/ctech-ussony-insurance-idCATRE74472120110505
64. B. Berkowitz. "Hacking Blitz drives cyberinsurance demand." IT News. Jun. 14, 2011. Accessed: Oct. 24, 2023. [Online]. Available: https://www.itnews.com.au/news/hacking-blitz-drives-cyberinsurancedemand-260669
65. J. Jaeger. "More companies turning to data breach insurance." Compliance Week. Jul. 5, 2011. Accessed: Oct. 24, 2023. [Online]. Available: https://www.complianceweek.com/more-companiesturning-to-data-breach-insurance/4512.article
66. M. Cullina, "Branching out," Best's Rev., vol. 112, no. 9, pp. 76–77, Jan. 2012. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/branching-out/docview/918712534/se-2
67. Anonymous. "#6 Cyber liability emerges as key coverage for digital age: National underwriter: Property & casualty." Dec. 19, 2011, Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/6-cyber-liability-emerges-as-key-coverage-digital/docview/912285735/se-2
68. "Security 500: The predictive revolution." Security Magazine. Nov. 1, 2014. Accessed: Oct. 24, 2023. [Online]. Available: https://www.securitymagazine.com/articles/85887-security-500-thepredictive-revolution
69. S. Zurier, "Make it stop!" SC Mag., vol. 26, no. 4, pp. 20–23, Apr. 2015. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/make-stop/docview/1721552331/se-2
70. A. Felsted. "Ebay adds to cyber war worry as hackers grab shopper data." FT.com. Jun. 5, 2014. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/ebay-adds-cyberwar-worry-as-hackers-grab-shopper/docview/1543078926/se-2
71. I. Wylie. "Danger in the digital age: The Internet of vulnerable things." FT.com. Apr. 26, 2015. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/dangerdigital-age-internet-vulnerable-things/docview/1683191438/se-2
72. T. Robinson, "A seat on the board…: For real," SC Media, vol. 27, no. 12, pp. 6–9, Dec. 2016. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/seat-onboard-real/docview/1863563223/se-2
73. K. Bevan. "Why start-ups must step up on data security." Financial Times. Dec. 4, 2016, Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/why-start-ups-must-step-upon-data-security/docview/1854929906/se-2
74. M. Bruemmer. "Data breach digest: Fraud trends for 2017 and how to stop them." SecurityInfoWatch.com. Jan. 4, 2017. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/data-breach-digest-fraud-trends-2017-how-stop/docview/1855417235/se-2
75. M. K. Flynn, "Embedded," Mergers Acquisit., vol. 52, no. 2, pp. 20–25, Feb. 2017. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/embedded/docview/1864049113/se-2
76. D. Bradshaw, "MBAs vs hackers: Leaders of the future learn to fight cyber crime." Financial Times. Apr. 5, 2017. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/mbas-vshackers-leaders-future-learn-fight-cyber/docview/1896001148/se-2
77. J. Martin, "How to root out fraud in your franchise and foster a culture to safeguard against it," Franchising World, vol. 49, no. 3, p. 63, Mar. 2017. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/trade-journals/how-root-out-fraud-yourfranchise-foster-culture/docview/1891333284/se-2
78. K. Leach, "Aon grows cybersecurity services, acquires Stroz," Mergers Acquisit., vol. 51, no. 12, pp. 6–8, Dec. 2016. Accessed: Oct. 24, 2023. [Online]. Available: https://www.proquest.com/tradejournals/aon-grows-cybersecurity-services-acquires-stroz/docview/1845843604/se-2
79. Anonymous. "Cybernance updates on new DHS safety act award," Professional Services Close–Up. Apr. 4, 2017. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/wire-feeds/cybernanceupdates-on-new-dhs-safety-act-award/docview/1883608977/se-2
80. G. Gallucci-White, "On attack," Central Penn Bus. J., vol. 32, no. 52, pp. 6–7, Dec. 2016. Accessed: Oct. 23, 2023. [Online]. Available: https://www.proquest.com/trade-journals/on-attack/docview/1853303301/se-2
81. A. Catelli. "Data breach litigation and risks facing retailers." Inside Counsel. Mar. 7, 2017. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/data-breach-litigation-risksfacing-retailers/docview/1874845240/se-2
82. Anonymous. "Study: A majority of aussies have no trust in Telcos, with Optus decidedly on the nose." B&T Weekly. Oct. 11, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/study-majority-aussies-have-no-trust-telcos-with/docview/2723638935/se-2
83. M. Madigan. "Adland Guru Adam Ferrier slams sexist treatment of Optus CEO amid data breach." B&T Weekly. Oct. 11, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/adland-guru-adam-ferrier-slams-sexist-treatment/docview/2723638944/se-2
84. T. Leithauser. "Australian regulators probe Optus data breach: Cybersecurity Policy Report." Oct. 12, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/australian-regulators-probe-optus-data-breach/docview/2724714341/se-2
85. T. Leithauser, "Following Optus breach, Australia seeks to hike privacy penalties: Cybersecurity Policy Report." Oct. 24, 2022, Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/following-optus-breach-australia-seeks-hike/docview/2731499736/se-2
86. Anonymous. "Bill to increase data breach fines introduced in Australia's Parliament: Cybersecurity Policy Report." Oct. 26, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/bill-increase-data-breach-finesintroduced/docview/2729972659/se-2
87. T. Davis, "Cyber Dilemma: Insurers face evolving ransomware, demands as attacks escalate," Best's Rev., vol. 2, pp. 20–27, Feb. 2023. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/cyber-dilemma-insurers-faceevolving-ransomware/docview/2770360799/se-2
88. A. N. Palo, "Is your cyber education program up to scratch?" CIO. Nov. 9, 2022. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/trade-journals/is-your-cyber-educationprogram-up-scratch/docview/2734503589/se-2
89. S. Balasubramanian. "Health check of cybersecurity readiness for healthcare providers." Voice & Data. Jan. 5, 2023. Accessed: Mar. 8, 2024. [Online]. Available: https://www.proquest.com/tradejournals/health-check-cybersecurity-readiness-healthcare/docview/2760847934/se-2
90. K. Michael, R. Abbas, and G. Roussos, "AI in cybersecurity: The paradox," in IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 104–109, Jun. 2023, doi: 10.1109/TTS.2023.3280109.
91. A. Peterson. "OPM says 5.6 million fingerprints stolen in cyberattack, five times as many as previously thought." Washington Post. Accessed: Sep. 23, 2015. [Online]. Available: https://www.washingtonpost.com/news/the-switch/wp/2015/09/23/opm-now-says-more-than-fivemillion-fingerprints-compromised-in-breaches/
92. A. Khalid. "UnitedHealth says blackcat is the reason healthcare providers are going unpaid." The Verge. Accessed: Feb. 29, 2024. [Online]. Available: https://www.theverge.com/2024/2/29/24087105/united-health-black-cat-ransom-ware-hospitals-payments
93. J. Badham. "War Games." 1983. [Online]. Available: https://www.imdb.com/title/tt0086567/
94. 2023–2030 Australian Cyber Security Strategy, Dept. Homeland Affairs, Australian Government, Canberra, ACT, Australia, 1983. Accessed: Oct. 4, 2024. [Online]. Available: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy/2023-2030-australian-cyber-security-strategy
Authors
School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia
David Kolevski received the Bachelor of Information Technology degree, the Master of Information Communication Technology degree, and the Doctor of Philosophy degree in cloud computing cybersecurity from the School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, Australia. He is an Enterprise Network Communications Specialist. He has worked as a Network Engineer and a Supply Chain Specialist for an international automotive manufacturer. His multidisciplinary research investigates the socio-technical implications of cloud and edge computing, complex stakeholder relationships in cloud and technology ecosystems, and the regulatory impacts on contemporary and emerging technologies all through the lens of cybersecurity. He has published his research in international conferences and journals, including the IEEE International Symposium on Technology and Society, IEEE Conference on Norbert Wiener in the 21st Century, and IEEE Technology and Society Magazine.
School of Business, Newcastle University, Newcastle upon Tyne, U.K.
School for the Future of Innovation in Society and School of Computing and Augmented Intelligence, Arizona State University, Tempe, Arizona, USA
Katina Michael (Senior Member, IEEE) is a Visiting Professor at Newcastle University Business School U.K., and a Professor with Arizona State University (ASU) and a Senior Global Futures Scientist with the Global Futures Laboratory. At ASU, she has a joint appointment with the School for the Future of Innovation in Society and the School of Computing and Augmented Intelligence. Her research focuses on the social implications of emerging technologies. She was responsible for establishing the Human Factors Series in the Research Network for a Secure Australia from 2005 to 2009, was an external member of the Centre of Excellence in Policing and Security from 2009 to 2013, and ran the Social Implications of National Security workshops from 2006 to 2022. Since 2021, she has advised DARPA on matters pertaining to ethics, law, and societal implications of complex socio-technical systems. She has been funded by the National Science Foundation, the Canadian Social Sciences and Humanities Research Council, and the Australian Research Council. She is the Director of the Society Policy Engineering Collective and the Founding Editor-in-Chief of the IEEE Transactions on Technology and Society and was formerly Editor-in-Chief of the IEEE Technology and Society Magazine and an Editor of Computers and Security. She is the Founding Chair of the ASU Master of Science in Public Interest Technology. Prior to academia, she was employed by Nortel Networks, Anderson Consulting, and OTIS Elevator Company.
Business Information Systems Discipline, The University of Sydney Business School, Sydney, NSW, Australia
Mark Freeman received the Bachelor of Information and Communication Technology, Master of Education (Higher Education), and Doctor of Philosophy degrees from the University of Wollongong. His doctoral work examined the relationship between human–computer interaction and e-commerce systems. He is a Senior Lecturer (education-focused) in the discipline of Business Information Systems at The University of Sydney Business School, Australia. His current research interests include understanding the impacts of information systems on human behaviors across different subsections of the population, including children, medical patients, and volunteers, from various perspectives and their broader implications. He has published his work in journals, including Computers in Human Behavior, Journal of Medical Systems, and Journal of Enterprise Information Management, and at several international conferences.
Citation: D. Kolevski, K. Michael and M. Freeman, "In This Special Issue: Data Breaches in the Cloud—Business Security and Risk Management," in IEEE Transactions on Technology and Society, vol. 6, no. 1, pp. 2-14, March 2025, doi: 10.1109/TTS.2024.3477828.