Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations' perspectives

Government agencies and standard setters require organizations operating in critical infrastructure sectors to disclose cybersecurity incidents, yet little is known about whether organizations report these incidents to law enforcement. This study examines this issue based on data from the 2017-2021 periods of the Canadian Survey of Cybersecurity and Cybercrime administered to Canadian organizations. We assessed the effects of governance determinants along with cyber incidents and their impacts using partial least squares equation modelling to identify the relationships between these factors and cybersecurity incidents reported to police services. To conceptualize these relationships, we developed a framework based on resource-dependence theory, protection motivation theory, and previous empirical evidence. The overall governance determinants as well as the impacts of the incidents explained 51% of the intention to report cybersecurity incidents to police, and the intensity of the impacts explained 30% of these intentions to signal incidents to law enforcement. The results also revealed that the intensity of cyber incident impacts dictates the attitudes of organizations towards reporting digital attacks. This study makes a significant theoretical contribution to the information security literature and has practical implications for standard setters and government agencies that aim to combat cybersecurity incidents.