Chief Information Security Officer - Rollenbeschreibung und Haftung

Author: Jessica Zwinz

Student thesis: Master's Thesis

    Abstract

Chief Information Security Officers (CISOs) have been confronted with new legal requirements, a high threat level and international liability cases in recent years. As there is no court decision in Austria on the liability of a CISO, there is a lack of clarity regarding the liability risks. The aim of this Master's thesis is to analyse the liability of a CISO and possible liability-reducing measures, with a focus on Austrian critical infrastructure companies.

In order to analyse the liability of a CISO, a role description of a CISO is required. This role description includes normative and legal requirements and the organisational forms of a CISO. The requirements, divided into task areas and requirement profiles, were analysed in a literature review as well as through a qualitative content analysis of job advertisements for CISOs and employees in the CISO team. The results from the literature were compared with the empirical research. The investigation of jurisdictions and liability requirements distinguishes between the different organisational forms of a CISO. EU regulations and Austrian laws are applied to the role of a CISO. Finally, liability-reducing measures are listed.

The results show that there are both normative and legal requirements for the description of a CISO's task area. The normative requirements predominate in the requirement profile. The results of the empirical analysis of the job advertisements largely coincide with the information already available in the literature. In the organisation of a CISO, a distinction can primarily be made between two types, internal CISO and external CISO, as well as three employment relationships: employee, management level and external service. For the liability of a CISO, the Strafgesetzbuch, the Verwaltungsstrafgesetz, the GmbH-Gesetz and the Aktien-Gesetz, the ABGB, the Dienstnehmerhaftpflichtgesetz and the NISG are considered relevant and analysed in more detail. An overview of the NISG 2024 is presented as well. In most cases, negligent behaviour is sufficient as a prerequisite for liability; the Strafgesetzbuch is an exception to this. For the practical reference to liability cases in the context of the role of a CISO, two international indictments against those responsible for information security at Uber and SolarWinds are analysed. In addition to preventive measures to minimise liability, such as complete documentation and the conclusion of D&O insurance or professional liability insurance, there is also the possibility that liability-reducing measures from Austrian case law may be applied in the event of an incident.
Date of Award: 2024
Original language: German (Austria)
Supervisor: Peter Burgstaller (Supervisor)
