In November 2013, a cybersecurity breach at Target Corporation resulted in the theft of as many as 110 million customers' data, cost the company hundreds of millions of dollars, and triggered the first termination of a publicly traded company's CEO in response to a cyber event (Harris et al., 2014). The attack was one more indicator of a growing trend of cyberinsecurity now challenging every public and private organization. The problem has been noticeably accelerating since the Estonian government and economy were crippled by a large and coordinated cyber attack (primarily from distributed denials of service) on government and private organizations in 2007. The Estonian attacks were a watershed event triggered by the government-led movement of a memorial to the Soviet-led liberation of the country from Nazi Germany to a less prominent location in the city of Tallinn. The ensuing riots and cyber-violence catalyzed a broader international discussion about cyberwarfare (Herzog, 2011). While the cyber attacks in Estonia and the breach at Target had vastly different objectives and used totally different approaches, they illustrate the unanticipated security consequences of embracing increasing connectivity.

In response to these new threats, US public companies are beginning to receive guidance from the Securities and Exchange Commission (SEC) on requirements for investor disclosures related to attacks and compromised networks (SEC, 2011). With a number of high-profile attacks in 2013 and 2014, more regulation is likely on the way (Cleary and Eades, 2014). Organizations such as the North American Electric Reliability Corporation (NERC)—which sets the standards for utility best practices in North America pending regulatory approval—are also conducting scenario-based assessments and issuing guidance about how to protect critical infrastructure from these new threats (FERC, 2013b; NERC, 2012a).