Student Guide to the Case Method: Note 4 - Preparing a Written Case Report
By: Susan J. Van Weelden, Laurie George Busuttil
- Length: 13 page(s)
- Publication Date: Mar 22, 2018
- Discipline: Teaching & the Case Method
- Product #: W18210-PDF-ENG
Case analysis is an effective tool for teaching, learning, and most importantly, practising the art and science of management. The case method immerses students in real-life situations, allowing them to develop their business skills by analyzing realistic situations, applying business theories and tools, and making substantiated recommendations for a course of action. However, working with cases is a pedagogical approach that is unfamiliar to most new business students and often inadequately understood by advanced students. The Case Guide Series introduces students to the case method and, in discrete notes, walks them through the tasks that are typically involved in case assignments: analyzing a case, discussing cases in class, writing case reports and giving presentations (individually and in groups), and writing case exams. A final note introduces students to the most common business tools used for case analysis. This field-tested series is best used as a complete package to orient students to the case method, but each note also stands on its own and can be used to supplement other course materials. Preparing a Written Case Report: When students are asked to prepare a written case report, either individually or as part of a small team, the emphasis is on organizing their analysis and findings in a written report that effectively communicates those findings to the reader. Note 4 of the Case Guide Series orients students to the qualities of effective and useful reports in academia and in business, and provides students with a time-tested format and approach to writing a case report.
Susan J. Van Weelden and Laurie George Busuttil are affiliated with Redeemer University College.
This Case Guide Series is suitable for use in undergraduate, graduate, or executive programs using the case method. The series will help students: become oriented to the case method; build confidence in using cases and performing case analyses; write effective reports, deliver engaging presentations, and pass exams using reliable structures and tips; and understand basic business tools and their use in case analysis.
- v.9(8); 2017 Aug
Case Reports, Case Series – From Clinical Practice to Evidence-Based Medicine in Graduate Medical Education
Jerry W Sayre
1 Family Medicine, North Florida Regional Medical Center
Hale Z Toklu
2 Graduate Medical Education, North Florida Regional Medical Center
3 Department of Clinical Research, Marshfield Clinic Research Foundation
4 Internal Medicine, University of Central Florida College of Medicine
Case reports and case series or case study research are descriptive studies that are prepared for illustrating novel, unusual, or atypical features identified in patients in medical practice, and they potentially generate new research questions. They are empirical inquiries or investigations of a patient or a group of patients in a natural, real-world clinical setting. Case study research is a method that focuses on the contextual analysis of a number of events or conditions and their relationships. There is disagreement among physicians on the value of case studies in the medical literature, particularly for educators focused on teaching evidence-based medicine (EBM) for student learners in graduate medical education. Despite their limitations, case study research is a beneficial tool and learning experience in graduate medical education and among novice researchers. The preparation and presentation of case studies can help students and graduate medical education programs evaluate and apply the six American College of Graduate Medical Education (ACGME) competencies in the areas of medical knowledge, patient care, practice-based learning, professionalism, systems-based practice, and communication. A goal in graduate medical education should be to assist residents to expand their critical thinking, problem-solving, and decision-making skills. These attributes are required in the teaching and practice of EBM. In this aspect, case studies provide a platform for developing clinical skills and problem-based learning methods. Hence, graduate medical education programs should encourage, assist, and support residents in the publication of clinical case studies; and clinical teachers should encourage graduate students to publish case reports during their graduate medical education.
Case reports and case series or case study research are descriptive studies to present patients in their natural clinical setting. Case reports, which generally consist of three or fewer patients, are prepared to illustrate features in the practice of medicine and potentially create new research questions that may contribute to the acquisition of additional knowledge in the literature. Case studies involve multiple patients; they are a qualitative research method and include in-depth analyses or experiential inquiries of a person or group in their real-world setting. Case study research focuses on the contextual analysis of several events or conditions and their relationships [ 1 ]. In addition to their teaching value for students and graduate medical education programs, case reports provide a starting point for novice investigators, which may prepare and encourage them to seek more contextual writing experiences for future research investigation. It may also provide senior physicians with clues about emerging epidemics or a recognition of previously unrecognized syndromes. Limitations primarily involve the lack of generalizability and implications in clinical practice, which are factors extraneous to the learning model (Table 1).
There is disagreement among physicians on the value of case reports in the medical literature and in evidence-based medicine (EBM) [ 2 ]. EBM aims to optimize decision-making by using evidence from well-conducted research. Therefore, not all data has the same value as the evidence. The pyramid (Figure 1) classifies publications based on their study outlines and according to the power of evidence they provide [ 2 - 3 ]. In the classical pyramid represented below, systematic reviews and a meta-analysis are expected to provide the strongest evidence. However, a recent modification of the pyramid was suggested by Murad et al. [ 2 ]: the meta-analysis and systematic reviews are removed from the pyramid and are suggested to be a lens through which evidence is viewed (Figure 1).
Modified from Murad et al. [ 2 ]
Because case reports do not rank highly in the hierarchy of evidence and are not frequently cited, as they describe the clinical circumstances of single patients, they are seldom published by high-impact medical journals. However, case reports are proposed to have significant educational value because they advance medical knowledge and constitute evidence for EBM. In addition, well-developed publication resources can be difficult to find, especially for medical residents; those that do exist vary in quality and may not be suitable for the aim and scope of the journals. Over the last several years, a number (approximately 160) of new peer-reviewed journals that focus on publishing case reports have emerged. These are mostly open-access journals with considerably high acceptance rates [ 4 ]. Packer et al. reported a 6% publication rate for case reports [ 5 ]; however, they did not disclose the number of papers submitted but rejected and neither did they state whether any of the reported cases were submitted to open-access journals.
The development of open-access journals has created a new venue for students and faculty to publish. In contrast to subscription-based and peer-reviewed e-journals, many of these new case report journals are not adequately reviewed and, instead, have a questionably high acceptance rate [ 4 ]. There, however, remains the issue of the fee-based publication of case reports in open-access journals without proper peer reviews, which increases the burden of scientific literature. Trainees should be made aware of the potential for academic dilution, particularly with some open-access publishers. While case reports with high-quality peer reviews are associated with a relatively low acceptance rate, this rigorous process introduces trainees to the experience and expectations of peer reviews and addresses other issues or flaws not considered prior to submission. We believe that these are important skills that should be emphasized and experienced during training, and authors should seek these journals for the submission of their manuscripts.
Importance of Case Reports and Case Series in Graduate Medical Education
The Accreditation Council for Graduate Medical Education (ACGME) has challenged faculties to adapt teaching methodologies to accommodate the different learning modalities of the next generation of physicians. As evidenced by its implementation by ACGME, competency-based medical education is rapidly gaining international acceptance, moving from classic didactic lectures to self-directed learning opportunities with experiential learning aids in the development of critical cognitive and scholarly skills. As graduate medical educators, we are in agreement with Packer et al. about the value of the educational benefits resulting from student-generated case reports [ 5 ]. Case study assignments help residents develop a variety of key skills, as previously described. EBM is an eventual decision-making process for executing the most appropriate treatment approach by using the tools that are compatible with the national health policy, medical evidence, and the personal factors of physician and patient (Figure 2). The practice of identifying and developing a case study creates a learning opportunity for listening skills and appreciation for the patient’s narrative as well as for developing critical learning and thinking skills that are directly applicable to the practice of EBM. This critically important process simultaneously enhances both the medical and the humanistic importance of physician-patient interaction. In addition, case-based learning is an active learner-centered approach for medical students and residents. It serves as a curricular context, which can promote the retention of information and evidence-based thinking.
Modified from Toklu et al. 2015 [ 3 ]
The value of case studies in the medical literature is controversial among physicians. Despite their limitations, clinical case reports and case series are beneficial tools in graduate medical education. The preparation and presentation of case studies can help students and residents acquire and apply clinical competencies in the areas of medical knowledge, practice-based learning, systems-based practice, professionalism, and communication. In this aspect, case studies provide a tool for developing clinical skills through problem-based learning methods. As a result, journals should encourage the publication of clinical case studies from graduate medical education programs through a commonly applied peer-review process, and clinical teachers should promote medical residents to publish case reports during their graduate medical education.
The content published in Cureus is the result of clinical experience and/or research by independent individuals or organizations. Cureus is not responsible for the scientific accuracy or reliability of data or conclusions published herein. All content published within Cureus is intended only for educational, research and reference purposes. Additionally, articles published within Cureus should not be deemed a suitable substitute for the advice of a qualified health care professional. Do not disregard or avoid professional medical advice due to content published within Cureus.
The authors have declared that no competing interests exist.
Study Protocol Article: A Protocol for the Use of Case Reports/Studies and Case Series in Systematic Reviews for Clinical Toxicology
- 1 Univ Angers, CHU Angers, Univ Rennes, INSERM, EHESP, Institut de Recherche en Santé, Environnement et Travail-UMR_S 1085, Angers, France
- 2 Department of Occupational Medicine, Epidemiology and Prevention, Donald and Barbara Zucker School of Medicine, Northwell Health, Feinstein Institutes for Medical Research, Hofstra University, Great Neck, NY, United States
- 3 Department of Health Sciences, University of California, San Francisco and California State University, Hayward, CA, United States
- 4 Program on Reproductive Health and the Environment, University of California, San Francisco, San Francisco, CA, United States
- 5 Cesare Maltoni Cancer Research Center, Ramazzini Institute, Bologna, Italy
- 6 Department of Research and Public Health, Reims Teaching Hospitals, Robert Debré Hospital, Reims, France
- 7 CHU Angers, Univ Angers, Poisoning Control Center, Clinical Data Center, Angers, France
Introduction: Systematic reviews are routinely used to synthesize current science and evaluate the evidential strength and quality of resulting recommendations. For specific events, such as rare acute poisonings or preliminary reports of new drugs, we posit that case reports/studies and case series (human subjects research with no control group) may provide important evidence for systematic reviews. Our aim, therefore, is to present a protocol that uses rigorous selection criteria, to distinguish high quality case reports/studies and case series for inclusion in systematic reviews.
Methods: This protocol will adapt the existing Navigation Guide methodology for specific inclusion of case studies. The usual procedure for systematic reviews will be followed. Case reports/studies and case series will be specified in the search strategy and included in separate sections. Data from these sources will be extracted and where possible, quantitatively synthesized. Criteria for integrating case reports/studies and case series into the overall body of evidence are that these studies will need to be well-documented, scientifically rigorous, and follow ethical practices. The instructions and standards for evaluating risk of bias will be based on the Navigation Guide. The risk of bias, quality of evidence and the strength of recommendations will be assessed by two independent review teams that are blinded to each other.
Conclusion: This is a protocol specified for systematic reviews that use case reports/studies and case series to evaluate the quality of evidence and strength of recommendations in disciplines like clinical toxicology, where case reports/studies are the norm.
Systematic reviews are routinely relied upon to qualitatively synthesize current knowledge in a subject area. These reviews are often paired with a meta-analysis for quantitative syntheses. These qualitative and quantitative summaries of pooled data collectively evaluate the quality of the evidence and the strength of the resulting research recommendations.
There currently exist several guidance documents to instruct on the rigors of systematic review methodology: (i) the Cochrane Collaboration, Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) statement and PRISMA-P (for protocols) that offer directives on data synthesis; and (ii) the Grading of Recommendations, Assessment, Development and Evaluations (GRADE) guidelines that establish rules for the development of scientific recommendations ( 1 – 5 ). This systematic review guidance is based predominantly on clinical studies, where randomized controlled trials (RCTs) are the gold standard. For that reason, a separate group of researchers has designed the Navigation Guide, specific to environmental health studies that are often observational ( 6 , 7 ). To date, systematic review guidelines (GRADE, PRISMA, PRISMA-P, and Navigation Guide) remove case reports/studies and case series (human subjects research with no control group) from consideration in systematic reviews, in part due to the challenges in evaluating the internal validity of these kinds of study designs. We hypothesize, however, that under certain circumstances, such as in rare acute poisonings, or preliminary reports of new drugs, some case reports and case series may contribute relevant knowledge that would be informative to systematic review recommendations. This is particularly important in clinical settings, where such evidence could potentially change our understanding of the screening, presentation, and potential treatment of rare conditions, such as poisoning from obscure toxins. The Cochrane Collaboration handbook states that “for some rare or delayed adverse outcomes only case series or case-control studies may be available. Non-randomized studies of interventions with some study design features that are more susceptible to bias may be acceptable for evaluation of serious adverse events in the absence of better evidence, but the risk of bias must still be assessed and reported” ( 8 ). In addition, the Cochrane Adverse Effects group has shown that case studies may be the best settings in which to observe adverse effects, especially when they are rare and acute ( 9 ). We believe that there may be an effective way to consider case reports/studies and case series in systematic reviews, specifically by developing specific criteria for their inclusion and accounting for their inherent bias.
We propose here a systematic review protocol that has been specifically developed to consider the inclusion and integration of case reports/studies and case series. Our main objective is to create a protocol that is an adaptation of the Navigation Guide ( 6 , 10 ) that presents methodology to examine high quality case reports/studies and case series through cogent inclusion and exclusion criteria. This methodology is in concordance with the Cochrane Methods for Adverse Effects for scoping reviews ( 11 ).
This protocol was prepared in accordance with the usual structured methodology for systematic reviews (PRISMA, PRISMA-P, and Navigation guide) ( 3 – 7 , 10 ). The protocol will be registered on an appropriate website, such as one of the following:
(i) The International Prospective Register of Systematic Reviews (PROSPERO) database ( https://www.crd.york.ac.uk/PROSPERO/ ) is an international database of prospectively registered systematic reviews in health and social welfare, public health, education, crime, justice, and international development, where there is a health-related outcome. It aims to provide a comprehensive listing of systematic reviews registered at inception to help avoid duplication and reduce opportunity for reporting bias by enabling comparison of the completed review with what was planned in the protocol. PROSPERO accepts registrations for systematic reviews, rapid reviews, and umbrella reviews. Key elements of the review protocol are permanently recorded and stored.
(ii) The Open Science Framework (OSF) platform ( https://osf.io/ ) is a free, open, and integrated platform that facilitates open collaboration in research science. It allows for the management and sharing of research projects at all stages of research for broad dissemination. It also enables capture of different aspects and products of the research lifecycle, from the development of a research idea, through the design of a study, the storage and analysis of collected data, to the writing and publication of reports or research articles.
(iii) The Research Registry (RR) database ( https://www.researchregistry.com/ ) is a one-stop repository for the registration of all types of research studies, from “first-in-man” case reports/studies to observational/interventional studies to systematic reviews and meta-analyses. The goal is to ensure that every study involving human participants is registered in accordance with the 2013 Declaration of Helsinki. The RR enables prospective or retrospective registrations of studies, including those types of studies that cannot be registered in existing registries. It specifically publishes systematic reviews and meta-analyses and does not register case reports/studies that are not first-in-man or animal studies.
Any significant future changes to the protocol resulting from knowledge gained during the development stages of this project will be documented in detail and a rationale for all changes will be proposed and reported in PROSPERO, OSF, or RR.
The overall protocol will differentiate itself from other known methodologies by defining two independent teams of reviewers: a classical team and a case team. The classical team will review studies with control groups and an acceptable comparison group (case reports/studies and case series will be excluded). In effect, this team will conduct a more traditional systematic review where evidence from case reports/studies and case series is not considered. The case team will review classical studies, case reports, and case series. This case team will act as a comparison group to identify differences in systematic review conclusions due to the inclusion of evidence from case reports/studies and case series. Both teams will identify studies that meet specified inclusion criteria, conduct separate analyses and risk of bias evaluations, along with overall quality assessments, and syntheses of strengths of evidence. Each team will be blinded to the results of the other team throughout the process. Upon completion of the systematic review, results from each team will be presented, evaluated, and compared.
Patient and Public Involvement
No patient involved.
Studies will be selected according to the criteria outlined below.
Studies of any design reported in any language that can be translated to English by online programs (e.g., Google Translate) will be included at the beginning. These studies will span interventional studies with control groups (Randomized Controlled Trials: RCTs), as well as observational studies with and without exposed groups. All observational studies will be eligible for inclusion in accordance with the objectives of this systematic review. Thereafter, only the case team will include case reports/studies and case series, as specified in their search strategy. The case team will include a separate section for human subjects research that has been conducted with no control groups.
Type of Population
All types of studies examining the general adult human population or healthy adult humans will be included. Studies that involve both adults and children will also be included if data for adults are reported separately. Animal studies will be excluded for the methodological purpose of this (case reports/studies and case series) protocol given that the framework for systematic reviews in toxicology already adequately retrieves this type of toxin data on animals.
Studies of any design will be included if they fulfill all the eligibility criteria. To be integrated into the overall body of evidence, case reports/studies and case series must meet pre-defined criteria indicating that they are well-documented, scientifically rigorous, and follow ethical practices, under the CARE guidelines (for CAse REports) ( 12 , 13 ) and the Joanna Briggs Institute (JBI) Critical Appraisal Checklist for Case reports/studies and for Case Series ( 14 , 15 ) that classify case reports/studies in terms of completeness, transparency and data analysis. Studies that were conducted using unethical practices will be excluded.
Type of Exposure/Intervention
Either the prescribed treatment or described exposure to a chemical substance (toxin/toxicant) will be detailed here.
Type of Comparators
In this protocol we plan to compare two review methodologies: one will include and the other will exclude high quality case reports/studies and case series. The comparator will be (the presence or absence of) an available control group that has been specified and is acceptable scientifically and ethically.
Type of Outcomes
The outcome of mortality or morbidity related to the toxicological exposure will be detailed here.
Information Sources and Search Strategy
There will be no design, date or language limitations applied to the search strategy. A systematic search in electronic academic databases, electronic grey literature, organizational websites, and internet search engines will be performed. We will search at least the following major databases:
- Electronic academic databases: PubMed, Web of Science, Toxline, Poisondex, and databases specific to case reports/studies and case series (e.g., PMC, Scopus, Medline) ( 13 )
- Electronic grey literature databases: OpenGrey ( http://www.opengrey.eu/ ), Grey Literature Report ( http://greylit.org/ )
- Organizational websites: AHRQ Patient Safety Network ( https://psnet.ahrq.gov/webmm ), World Health Organization ( www.who.int )
- Internet search engines: Google ( https://www.google.com/ ), Google Scholar ( https://scholar.google.com/ ).
Following a systematic search in all the databases above, each of the two independent teams of reviewers (the classical team and the case team) will, respectively, upload separately and in accordance with the eligibility criteria, the literature search results to the systematic review management software, “Covidence,” a primary screening and data extraction tool ( 16 ).
All study records identified during the search will be downloaded and duplicate records will be identified and deleted. Thereafter, two research team members will independently screen the titles and abstracts (step 1) and then the full texts (step 2) of potentially relevant studies for inclusion. If necessary, information will be requested from the publication authors to resolve questions about eligibility. Finally, any disagreements that may potentially exist between the two research team members will be resolved first by discussion and then by consulting a third research team member for arbitration.
If a study record identified during the search was authored by a reviewing research team member, or that team member participated in the identified study, that study record will be re-assigned to another reviewing team member.
Data Collection Process, Items Included, and Prioritization if Needed
All reviewing team members will use standardized forms or software (e.g., Covidence), and each review member will independently extract the data from included studies. If possible, the extracted data will be synthesized numerically. To ensure consistency across reviewers, calibration exercises (reviewer training) will be conducted prior to starting the reviews. Extracted information will include the minimum study characteristics (study authors, study year, study country, participants, intervention/exposure, outcome), study design (summary of study design, comparator, models used, and effect estimate measure) and study context (e.g., data on simultaneous exposure to other risk factors that would be relevant contributors to morbidity or mortality). As specified in the section on study records, a third review team member will resolve any conflicts that arise during data extraction that are not resolved by consensus between the two initial data extractors.
Data on potential conflict of interest for included studies, as well as financial disclosures and funding sources, will also be extracted. If no financial statement or conflict of interest declaration is available, the names of the authors will be searched in other studies published within the previous 36 months and in other publicly available declarations of interests, for funding information ( 17 , 18 ).
Risk of Bias Assessment
To assess the risk of bias within included studies, the internal validity of potential studies will be assessed by using the Navigation Guide tool ( 6 , 19 ), which covers nine domains of bias for human studies: (a) source population representation; (b) blinding; (c) exposure or intervention assessment; (d) outcome assessment; (e) confounding; (f) incomplete outcome data; (g) selective outcome reporting; (h) conflict of interest; and (i) other sources of bias. For each section of the tool, the procedures undertaken for each study will be described and the risk of bias will be rated as “low risk”; “probably low risk”; “probably risk”; “high risk”; or “not applicable.” Risk of bias on the levels of the individual study and the entire body of evidence will be assessed. Most of the text from these instructions and criteria for judging risk of bias has been adopted verbatim or adapted from one of the latest Navigation Guide systematic reviews used by WHO/ILO ( 6 , 19 , 20 ).
For case reports/studies and case series, the text from these instructions and criteria for judging risk of bias has been adopted verbatim or adapted from one of the latest Navigation Guide systematic reviews ( 21 ), and is given in Supplementary Material. Specific criteria are listed below. To ensure consistency across reviewers, calibration exercises (reviewer training) will be conducted prior to starting the risk of bias assessments for case reports/studies and case series.
Are the Study Groups at Risk of Not Representing Their Source Populations in a Manner That Might Introduce Selection Bias?
The source population is viewed as the population for which study investigators are targeting their study question of interest.
Examples of considerations for this risk of bias domain include: (1) the context of the case report; (2) level of detail reported for participant inclusion/exclusion (including details from previously published papers referenced in the article), with inclusion of all relevant consecutive patients in the considered period; ( 14 , 15 ) (3) exclusion rates, attrition rates and reasons.
Were Exposure/Intervention (Toxic, Treatment) Assessment Methods Lacking Accuracy?
The following list of considerations represents a collection of factors proposed by experts in various fields that may potentially influence the internal validity of the exposure assessment in a systematic manner (not those that may randomly affect overall study results). These should be interpreted only as suggested considerations and should not be viewed as scoring or a checklist. Considering there are no controls in such designs, this should be evaluated carefully to be sure the report really contributes to the actual knowledge.
List of Considerations:
Possible sources of exposure assessment metrics:
1) Identification of the exposure
2) Dose evaluation
3) Toxicological values
4) Clinical effects *
5) Biological effects *
6) Treatments given (dose, timing, route)
* Some clinical and biological effects might be related to exposure
For each, overall considerations include:
1) What is the quality of the source of the metric being used?
2) Is the exposure measured in the study a surrogate for the exposure?
3) What was the temporal coverage (i.e., short or long-term exposure)?
4) Did the analysis account for prediction uncertainty?
5) How was missing data accounted for, and any data imputations incorporated?
6) Were sensitivity analyses performed?
Were Outcome Assessment Methods Lacking Accuracy?
This item is similar to actual Navigation guidelines that require an assessment of the accuracy of the measured outcome.
Was Potential Confounding Inadequately Incorporated?
This is a very important issue for case reports/studies and case series. Case reports/studies and case series do not include controls and so, to be considered in a systematic review, these types of studies will need to be well-documented with respect to treatment or other contextual factors that may explain or influence the outcome. Prior to initiating the study screening, review team members should collectively generate a list of potential confounders that are based on expert opinion and knowledge gathered from the scientific literature:
Tier I: Important confounders
• Other associated treatment (i.e., intoxication, insufficient dose, history, or context)
• Medical history
Tier II: Other potentially important confounders and effect modifiers:
• Age, sex, country.
Were Incomplete Outcome Data Inadequately Addressed?
This item is similar to actual Navigation Guide instructions, though it may be very unlikely that outcome data would be incomplete in published case reports/studies and case series.
Does the Study Report Appear to Have Selective Outcome Reporting?
This item is similar to actual Navigation Guide instructions, though it may be very unlikely that there would be selective outcome reporting in published case reports/studies and case series.
Did the Study Receive Any Support From a Company, Study Author, or Other Entity Having a Financial Interest?
This item is similar to actual Navigation Guide instructions.
Did the Study Appear to Have Other Problems That Could Put It at a Risk of Bias?
Data synthesis criteria and summary measures if feasible.
Meta-analyses will be conducted using a random-effects model if studies are sufficiently homogeneous in terms of design and comparator. For dichotomous outcomes, effects of associations will be determined by using risk ratios (RR) or odds ratios (OR) with 95% confidence intervals (CI). Continuous outcomes will be analyzed using weighted mean differences (with 95% CI) or standardized mean differences (with 95% CI) if different measurement scales are used. Skewed data and non-quantitative data will be presented descriptively. Where data are missing, a request will be made to the original authors of the study to obtain the relevant missing data. If these data cannot be obtained, an imputation method will be performed. The statistical heterogeneity of the studies will be assessed using the Chi-squared test (significance level: 0.1) and the I² statistic (0–40%: might not be important; 30–60%: may represent moderate heterogeneity; 50–90%: may represent substantial heterogeneity; 75–100%: considerable heterogeneity). If there is heterogeneity, an attempt will be made to explain the source of this heterogeneity through a subgroup or sensitivity analysis.
Finally, the meta-analysis will be conducted in the latest version of the statistical software RevMan. The Mantel-Haenszel method will be used for the fixed effects model if tests of heterogeneity are not significant. If statistical heterogeneity is observed (I² ≥ 50% or p < 0.1), the random effects model will be chosen. If quantitative synthesis is not feasible (e.g., if heterogeneity exists), a meta-analysis will not be performed and a narrative, qualitative summary of the study findings will be done.
Separate analyses will be conducted for the studies that contain control groups using expected mortality/morbidity, in order to include them in the quantitative synthesis of case reports/studies and case series.
If quantitative synthesis is not appropriate, a systematic narrative synthesis will be provided with information presented in the text and tables to summarize and explain the characteristics and findings of the included studies. The narrative synthesis will explore the relationship and findings both within and between the included studies.
Possible Additional Analyses
If feasible, subgroup analyses will be used to explore possible sources of heterogeneity, if there is evidence for differences in effect estimates by country, study design, or patient characteristics (e.g., sex and age). In addition, sensitivity analysis will be performed to explore the source of heterogeneity, for example, published vs. unpublished data, full-text publications vs. abstracts, and risk of bias (by omitting studies that are judged to be at high risk of bias).
Overall Quality of Evidence Assessment
The quality of evidence will be assessed using an adapted version of the Evidence Quality Assessment Tool in the Navigation Guide. This tool is based on the GRADE approach ( 1 ). The assessment will be conducted by two teams, again blinded to each other, one that has the results of the case reports/studies and case series/control synthesis, the other without.
Data synthesis will be conducted independently by the classical and case teams. Evidence ratings will start at “high” for randomized control studies, “moderate” for observational studies, and “low” for case reports/studies and case series. It is important to be clear that sufficient levels of evidence cannot be achieved without study comparators. With regards to case reports/studies and case series, we classify these as starting at the lowest point of evidence and therefore we cannot consider evidence higher than low for these kinds of studies. Complete instructions for making quality of evidence judgments are presented in Supplementary Material.
Synthesis of Strength of Evidence
The standard Navigation Guide methodology will be applied to rate the strength of recommendations. The classical and case teams, blinded to the results from each other during the process, will independently assess the strength of evidence. The evidence quality ratings will be translated into strength of evidence for each population based on a combination of four criteria: (a) Quality of body of evidence; (b) Direction of effect; (c) Confidence in effect; and (d) Other compelling attributes of the data that may influence certainty. The ratings for strength of evidence will be “sufficient evidence of harmfulness,” “limited of harmfulness,” “inadequate of harmfulness” and “evidence of lack of harmfulness.”
Once we complete the synthesis of case reports/studies and case series, findings of this separate evidence stream will only be considered if RCTs and observational studies are not available. They will not be used to upgrade or downgrade the strength of other evidence streams.
To the best of our knowledge, this protocol is one of the first to specifically address the incorporation of case reports/studies and case series in a systematic review (9). The protocol was adapted from the Navigation Guide with the intent of integrating the case reports/studies and case series in systematic review recommendations, while following traditional systematic review methodology to the greatest extent possible. To be included, these case reports/studies and case series will need to be well-documented, scientifically rigorous, and follow ethical practices. In addition, we believe that some case reports/studies and case series might bring relevant knowledge that should be considered in systematic review recommendations when data from RCTs and observational studies are not available, especially when even a small number of studies report an important and possibly causal association in an epidemic or a side effect of a newly marketed medicine. Our methodology will be the first to effectively incorporate case reports/studies and case series in systematic reviews that synthesize evidence for clinicians, researchers, and drug developers. These types of studies will be incorporated mostly through paper selection and risk of bias assessments. In addition, we will conduct meta-analyses if the eligible studies provide sufficient data.
This protocol has limitations related primarily to the constraints of case reports/studies and case series. These are descriptive studies. In addition, a case series is subject to selection bias because the clinician or researcher selects the cases themselves and may represent outliers in clinical practice. Furthermore, this kind of study does not have a control group, so it is not possible to compare what happens to other people who do not have the disease or receive treatment. These sources of bias mean that reported results may not be generalizable to a larger patient population and therefore cannot generate information on incidences or prevalence rates and ratios (22, 23). However, it is important to note that promoting the need to synthesize these types of studies (case reports/studies and case series) in a formal systematic review should not deter or delay immediate action from being taken when a few small studies report a plausible causal association between exposure and disease, such as in the event of an epidemic or a side effect of a newly marketed medicine (23). In this study protocol, we will not consider animal studies that might give relevant toxicological information because we are focusing on study areas where a paucity of information exists. Finally, we must note that case reports/studies and case series do not provide independent proof, and therefore, the findings of this separate evidence stream (case reports/studies and case series) will only be considered if evidence from RCTs and observational studies is not available. Case reports/studies and case series will not be used to upgrade or downgrade the strength of other evidence streams. In any case, it is very important to remember that these kinds of studies (case reports/studies and case series) are there to quickly alert agencies of the need to take immediate action to prevent further harm.
Despite these limitations, case reports/studies and case series are a first line of evidence because they are where new issues and ideas emerge (hypothesis-generating) and can contribute to a change in clinical practice (23–25). We therefore believe that data from case reports/studies and case series, when synthesized and presented with completeness and transparency, may provide important details that are relevant to systematic review recommendations.
AD and GS designed the protocol study. JL, TW, and DM reviewed it. MF, ALG, RV, NC, CB, GLR, MD, ML, and AN made significant improvements. AN and AD wrote the manuscript. GS improved the language. All authors reviewed and commented on the final manuscript, and read and approved the final manuscript to be published.
This project was supported by the French Pays de la Loire region and Angers Loire Métropole, University of Angers and Centre Hospitalo-Universitaire CHU Angers. The project is entitled TEC-TOP (no award/grant number).
Conflict of Interest
The authors declare that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.
The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fmed.2021.708380/full#supplementary-material
1. Guyatt GH, Oxman AD, Vist GE, Kunz R, Falck-Ytter Y, Alonso-Coello P, et al. GRADE: an emerging consensus on rating quality of evidence and strength of recommendations. BMJ. (2008) 336:924–6. doi: 10.1136/bmj.39489.470347.AD
2. Higgins JPT, Thomas J, Chandler J, Cumpston M, Li T, Page MJ, et al. (editors). Cochrane Handbook for Systematic Reviews of Interventions version 6.1 (updated September 2020). Cochrane (2020). Available online at: www.training.cochrane.org/handbook
3. Liberati A, Altman DG, Tetzlaff J, Mulrow C, Gøtzsche PC, Ioannidis JP, et al. The PRISMA statement for reporting systematic reviews and meta-analyses of studies that evaluate health care interventions: explanation and elaboration. J Clin Epidemiol. (2009) 62:e1–34. doi: 10.1016/j.jclinepi.2009.06.006
4. Moher D, Shamseer L, Clarke M, Ghersi D, Liberati A, Petticrew M, et al. Preferred reporting items for systematic review and meta-analysis protocols (PRISMA-P) 2015 statement. Syst Rev. (2015) 4:1. doi: 10.1186/2046-4053-4-1
5. Shamseer L, Moher D, Clarke M, Ghersi D, Liberati A, Petticrew M, et al. Preferred reporting items for systematic review and meta-analysis protocols (PRISMA-P) 2015: elaboration and explanation. BMJ. (2015) 350:g7647. doi: 10.1136/bmj.g7647
6. Woodruff TJ, Sutton P, Navigation Guide Work Group. An evidence-based medicine methodology to bridge the gap between clinical and environmental health sciences. Health Aff (Millwood). (2011) 30:931–7. doi: 10.1377/hlthaff.2010.1219
7. Woodruff TJ, Sutton P. The Navigation Guide systematic review methodology: a rigorous and transparent method for translating environmental health science into better health outcomes. Environ Health Perspect. (2014) 122:1007–14. doi: 10.1289/ehp.1307175
8. Reeves BC, Deeks JJ, Higgins JPT, Shea B, Tugwell P, Wells GA. Chapter 24: Including non-randomized studies on intervention effects. In: Higgins JPT, Thomas J, Chandler J, Cumpston M, Li T, Page MJ, Welch VA, editors. Cochrane Handbook for Systematic Reviews of Interventions version 6.1 (updated September 2020). Cochrane (2020). Available online at: www.training.cochrane.org/handbook
9. Loke YK, Price D, Herxheimer A, the Cochrane Adverse Effects Methods Group. Systematic reviews of adverse effects: framework for a structured approach. BMC Med Res Methodol. (2007) 7:32. doi: 10.1186/1471-2288-7-32
10. Lam J, Koustas E, Sutton P, Johnson PI, Atchley DS, Sen S, et al. The Navigation Guide - evidence-based medicine meets environmental health: integration of animal and human evidence for PFOA effects on fetal growth. Environ Health Perspect. (2014) 122:1040–51. doi: 10.1289/ehp.1307923
11. Peryer G, Golder S, Junqueira DR, Vohra S, Loke YK. Chapter 19: Adverse effects. In: Higgins JPT, Thomas J, Chandler J, Cumpston M, Li T, Page MJ, Welch VA, editors. Cochrane Handbook for Systematic Reviews of Interventions version 6.1 (updated September 2020). Cochrane (2020). Available online at: www.training.cochrane.org/handbook
12. Gagnier JJ, Kienle G, Altman DG, Moher D, Sox H, Riley D, et al. The CARE guidelines: consensus-based clinical case reporting guideline development. J Med Case Rep. (2013) 7:223. doi: 10.1186/1752-1947-7-223
13. Riley DS, Barber MS, Kienle GS, Aronson JK, von Schoen-Angerer T, Tugwell P, et al. CARE guidelines for case reports: explanation and elaboration document. J Clin Epidemiol. (2017) 89:218–35. doi: 10.1016/j.jclinepi.2017.04.026
14. Moola S, Munn Z, Tufanaru C, Aromataris E, Sears K, Sfetcu R, et al. Chapter 7: Systematic reviews of etiology and risk. In: Aromataris E, Munn Z, editors. JBI Manual for Evidence Synthesis. JBI (2020). doi: 10.46658/JBIMES-20-08. Available online at: https://synthesismanual.jbi.global
15. Munn Z, Barker TH, Moola S, Tufanaru C, Stern C, McArthur A, et al. Methodological quality of case series studies: an introduction to the JBI critical appraisal tool. JBI Evidence Synthesis. (2020) 18:2127–33. doi: 10.11124/JBISRIR-D-19-00099
16. Covidence systematic review software, V.H.I. Covidence Systematic Review Software, V.H.I. Melbourne, CA. Available online at: www.covidence.org; https://support.covidence.org/help/how-can-i-cite-covidence
17. Drazen JM, de Leeuw PW, Laine C, Mulrow C, DeAngelis CD, Frizelle FA, et al. Toward More Uniform Conflict Disclosures: The Updated ICMJE Conflict of Interest Reporting Form. JAMA. (2010) 304:212. doi: 10.1001/jama.2010.918
18. Drazen JM, Weyden MBVD, Sahni P, Rosenberg J, Marusic A, Laine C, et al. Uniform Format for Disclosure of Competing Interests in ICMJE Journals. N Engl J Med. (2009) 361:1896–7. doi: 10.1056/NEJMe0909052
19. Johnson PI, Sutton P, Atchley DS, Koustas E, Lam J, Sen S, et al. The navigation guide—evidence-based medicine meets environmental health: systematic review of human evidence for PFOA effects on fetal growth. Environ Health Perspect. (2014) 122:1028–39. doi: 10.1289/ehp.1307893
20. Descatha A, Sembajwe G, Baer M, Boccuni F, Di Tecco C, Duret C, et al. WHO/ILO work-related burden of disease and injury: protocol for systematic reviews of exposure to long working hours and of the effect of exposure to long working hours on stroke. Environ Int. (2018) 119:366–78. doi: 10.1016/j.envint.2018.06.016
21. Lam J, Lanphear BP, Bellinger D, Axelrad DA, McPartland J, Sutton P, et al. Developmental PBDE exposure and IQ/ADHD in childhood: a systematic review and meta-analysis. Environ Health Perspect. (2017) 125:086001. doi: 10.1289/EHP1632
22. Hay JE, Wiesner RH, Shorter RG, LaRusso NF, Baldus WP. Primary sclerosing cholangitis and celiac disease. Ann Intern Med. (1988) 109:713–7. doi: 10.7326/0003-4819-109-9-713
23. Nissen T, Wynn R. The clinical case report: a review of its merits and limitations. BMC Res Notes. (2014) 7:264. doi: 10.1186/1756-0500-7-264
24. Buonfrate D, Requena-Mendez A, Angheben A, Muñoz J, Gobbi F, Van Den Ende J, et al. Severe strongyloidiasis: a systematic review of case reports. BMC Infect Dis. (2013) 13:78. doi: 10.1186/1471-2334-13-78
25. Graham R, Mancher M, Wolman DM, Greenfield S, Steinberg E, Committee on Standards for Developing Trustworthy Clinical Practice Guidelines, et al. Clinical Practice Guidelines We Can Trust. Washington, D.C.: National Academies Press (2011).
Keywords: toxicology, epidemiology, public health, protocol, systematic review, case reports/studies, case series
Citation: Nambiema A, Sembajwe G, Lam J, Woodruff T, Mandrioli D, Chartres N, Fadel M, Le Guillou A, Valter R, Deguigne M, Legeay M, Bruneau C, Le Roux G and Descatha A (2021) A Protocol for the Use of Case Reports/Studies and Case Series in Systematic Reviews for Clinical Toxicology. Front. Med. 8:708380. doi: 10.3389/fmed.2021.708380
Received: 19 May 2021; Accepted: 11 August 2021; Published: 06 September 2021.
Copyright © 2021 Nambiema, Sembajwe, Lam, Woodruff, Mandrioli, Chartres, Fadel, Le Guillou, Valter, Deguigne, Legeay, Bruneau, Le Roux and Descatha. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY) . The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Aboubakari Nambiema, email@example.com ; orcid.org/0000-0002-4258-3764
Writing a Case Report
This page is intended for medical students, residents or others who do not have much experience with case reports, but are planning on writing one.
What is a case report? A medical case report, also known as a case study, is a detailed description of a clinical encounter with a patient. The most important aspect of a case report, i.e. the reason you would go to the trouble of writing one, is that the case is sufficiently unique, rare or interesting such that other medical professionals will learn something from it.
Case reports are commonly of the following categories:
- Rare diseases
- Unusual presentation of disease
- Unexpected events
- Unusual combination of diseases or conditions
- Difficult or inconclusive diagnosis
- Treatment or management challenges
- Personal impact
- Observations that shed new light on a disease or condition
- Anatomical variations
It is important that you recognize what is unique or interesting about your case, and this must be described clearly in the case report.
Case reports generally take the format of:
2. Case presentation
3. Observations and investigation
Does a case report require IRB approval?
Case reports typically discuss a single patient. If this is true for your case report, then it most likely does not require IRB approval because it is not considered research. If you have more than one patient, your study could qualify as a Case Series, which would require IRB review. If you have questions, you should check your local IRB's guidelines on reviewing case reports.
Are there other rules for writing a case report?
First, you will be collecting protected health information, thus HIPAA applies to case reports. Spectrum Health has created a very helpful guidance document for case reports, which you can see here: Case Report Guidance - Spectrum Health
While this guidance document was created by Spectrum Health, the rules and regulations outlined could apply to any case report. This includes answering questions like: Do I need written HIPAA authorization to publish a case report? When do I need IRB review of a case report? What qualifies as a patient identifier?
How do I get started?
1. We STRONGLY encourage you to consult the CARE Guidelines, which provide guidance on writing case reports - https://www.care-statement.org/
Specifically, the checklist - https://www.care-statement.org/checklist - which explains exactly the information you should collect and include in your case report.
2. Identify a case. If you are a medical student, you may not yet have the clinical expertise to determine if a specific case is worth writing up. If so, you must seek the help of a clinician. It is common for students to ask attendings or residents if they have any interesting cases that can be used for a case report.
3. Select a journal or two to which you think you will submit the case report. Journals often have specific requirements for publishing case reports, which could include a requirement for informed consent, a letter or statement from the IRB and other things. Journals may also charge publication fees (see "Is it free to publish?" below).
4. Obtain informed consent from the patient (see "Do I have to obtain informed consent from the patient?" below). Journals may have their own informed consent form that they would like you to use, so please look for this when selecting a journal.
Once you've identified the case, selected an appropriate journal(s), and considered informed consent, you can collect the required information to write the case report.
How do I write a case report?
Once you identify a case and have learned what information to include in the case report, try to find a previously published case report. Finding published case reports in a similar field will provide examples to guide you through the process of writing a case report.
One journal you can consult is BMJ Case Reports. MSU has an institutional fellowship with BMJ Case Reports which allows MSU faculty, staff and students to publish in this journal for free. See this page for a link to the journal and more information on publishing: https://lib.msu.edu/medicalwriting_publishing/
There are numerous other journals where you can find published case reports to help guide you in your writing.
Do I have to obtain informed consent from the patient?
The CARE guidelines recommend obtaining informed consent from patients for all case reports. Our recommendation is to obtain informed consent from the patient. Although not technically required, especially if the case report does not include any identifying information, some journals require informed consent for all case reports before publishing. The CARE guidelines recommend obtaining informed consent AND the patient's perspective on the treatment/outcome (if possible). Please consider this as well.
If required, it is recommended you obtain informed consent before the case report is written.
An example of a case report consent form can be found on the BMJ Case Reports website, which you can access via the MSU library page - https://casereports.bmj.com/. Go to "Instructions for Authors" and then "Patient Consent" to find the consent form they use. You can create a similar form to obtain consent from your patient. If you have identified a journal already, please consult their requirements and determine if they have a specific consent form they would like you to use.
Once you have written a draft of the case report, you should seek feedback on your writing, from experts in the field if possible, or from those who have written case reports before.
Selecting a journal
Aside from BMJ Case Reports mentioned above, there are many, many journals out there that publish medical case reports. Ask your mentor if they have a journal they would like to use. If you need to select one on your own, here are some strategies:
1. Do a PubMed search. https://pubmed.ncbi.nlm.nih.gov/
a. Do a search for a topic, disease or other feature of your case report
b. When the results appear, on the left side of the page is a limiter for "article type". Case reports are an article type to which you can limit your search results. If you don't see that option on the left, click "additional filters".
c. Review the case reports that come up and see what journals they are published in.
2. Use JANE - https://jane.biosemantics.org/
3. Check with specialty societies. Many specialty societies are affiliated with one or more journals, which can be reviewed for ones that match your needs.
4. Search through individual publisher journal lists. Elsevier publishes many different medical research journals, and they have a journal finder, much like JANE ( https://journalfinder.elsevier.com/ ). This is exclusive to Elsevier journals. There are many other publishers of medical journals for review, including Springer, Dove Press, BMJ, BMC, Wiley, Sage, Nature and many others.
Is it free to publish?
Be aware that it may not be free to publish your case report. Many journals charge publication fees. Of note, many open access journals charge author fees of thousands of dollars. Other journals have smaller page charges (e.g. $60 per page), and still others will publish for free, with an "open access option". It is best practice to check the journal's Info for Authors section or Author Center to determine what the cost is to publish. MSU-CHM does NOT have funds to support publication costs, so this is an important step if you do not want to pay out of pocket for publishing.
*A more thorough discussion on finding a journal, publication costs, predatory journals and other publication-related issues can be found here: https://research.chm.msu.edu/students-residents/finding-a-journal
Gagnier JJ, Kienle G, Altman DG, Moher D, Sox H, Riley D. 2013. The CARE guidelines: Consensus-based clinical case reporting guideline development. Glob Adv Health Med. 2:38-43. doi: 10.7453/gahmj.2013.008
Riley DS, Barber MS, Kienle GS, Aronson JK, von Schoen-Angerer T, Tugwell P, Kiene H, Helfand M, Altman DG, Sox H, Werthmann PG, Moher D, Rison RA, Shamseer L, Koch CA, Sun GH, Hanaway P, Sudak NL, Kaszkin-Bettag M, Carpenter JE, Gagnier JJ. 2017. CARE guidelines for case reports: explanation and elaboration document. J Clin Epidemiol. 89:218-234. doi: 10.1016/j.jclinepi.2017.04.026
Guidelines to writing a clinical case report. 2017. Heart Views. 18:104-105. doi: 10.4103/1995-705X.217857
Ortega-Loubon C, Culquichicon C, Correa R. The importance of writing and publishing case reports during medical education. 2017. Cureus. 9:e1964. doi: 10.7759/cureus.1964
Writing and publishing a useful and interesting case report. 2019. BMJ Case Reports. https://casereports.bmj.com/pages/wp-content/uploads/sites/69/2019/04/How-to-write-a-Case-Report-DIGITAL.pdf
Camm CF. Writing an excellent case report: EHJ Case Reports, Case of the Year 2019. 2020. European Heart Journal. 41:1230-1231. https://doi.org/10.1093/eurheartj/ehaa176
*content developed by Mark Trottier, PhD
All You Wanted to Know About How to Write a Case Study
What do you study in your college? If you are a psychology, sociology, or anthropology student, we bet you might be familiar with what a case study is. This research method is used to study a certain person, group, or situation. In this guide from our dissertation writing service, you will learn how to write a case study professionally, from researching to citing sources properly. Also, we will explore different types of case studies and show you examples, so that you won’t have any other questions left.
What Is a Case Study?
A case study is a subcategory of research design which investigates problems and offers solutions. Case studies can range from academic research studies to corporate promotional tools trying to sell an idea—their scope is quite vast.
What Is the Difference Between a Research Paper and a Case Study?
While research papers turn the reader’s attention to a certain problem, case studies go even further. Case study guidelines require students to pay attention to details, examining issues closely and in-depth using different research methods. For example, case studies may be used to examine court cases if you study Law, or a patient's health history if you study Medicine. Case studies are also used in Marketing, where they are thorough, empirically supported analyses of a good or service's performance. Well-designed case studies can be valuable for prospective customers, as they can identify and solve the potential customers' pain points.
Case studies involve a lot of storytelling – they usually examine particular cases for a person or a group of people. This method of research is very helpful, as it is very practical and can give a lot of hands-on information. Most commonly, the length of the case study is about 500-900 words, which is much less than the length of an average research paper.
The structure of a case study is very similar to storytelling. It has a protagonist or main character, which in your case is actually a problem you are trying to solve. You can use the system of 3 Acts to make it a compelling story. It should have an introduction, rising action, a climax where transformation occurs, falling action, and a solution.
Here is a rough formula for you to use in your case study:
Problem (Act I) > Solution (Act II) > Result (Act III) > Conclusion.
Types of Case Studies
The purpose of a case study is to provide detailed reports on an event, an institution, a place, future customers, or pretty much anything. There are a few common types of case study, but the type depends on the topic. The following are the most common domains where case studies are needed:
- Historical case studies are great to learn from. Historical events have a multitude of source info offering different perspectives. There are always modern parallels where these perspectives can be applied, compared, and thoroughly analyzed.
- Problem-oriented case studies are usually used for solving problems. These are often assigned as theoretical situations where you need to immerse yourself in the situation to examine it. Imagine you’re working for a startup and you’ve just noticed a significant flaw in your product’s design. Before taking it to the senior manager, you want to do a comprehensive study on the issue and provide solutions. On a greater scale, problem-oriented case studies are a vital part of relevant socio-economic discussions.
- Cumulative case studies collect information and offer comparisons. In business, case studies are often used to tell people about the value of a product.
- Critical case studies explore the causes and effects of a certain case.
- Illustrative case studies describe certain events, investigating outcomes and lessons learned.
Case Study Format
The case study format is typically made up of eight parts:
- Executive Summary. Explain what you will examine in the case study. Write an overview of the field you’re researching. Make a thesis statement and sum up the results of your observation in a maximum of 2 sentences.
- Background. Provide background information and the most relevant facts. Isolate the issues.
- Case Evaluation. Isolate the sections of the study you want to focus on. In it, explain why something is working or is not working.
- Proposed Solutions. Offer realistic ways to solve what isn’t working or how to improve its current condition. Explain why these solutions work by offering testable evidence.
- Conclusion. Summarize the main points from the case evaluations and proposed solutions.
- Recommendations. Talk about the strategy that you should choose. Explain why this choice is the most appropriate.
- Implementation. Explain how to put the specific strategies into action.
- References. Provide all the citations.
How to Write a Case Study
Let's discover how to write a case study.
Setting Up the Research
When writing a case study, remember that research should always come first. Reading many different sources and analyzing other points of view will help you come up with more creative solutions. You can also conduct an actual interview to thoroughly investigate the customer story that you'll need for your case study. Including all of the necessary research, writing a case study may take some time. The research process involves doing the following:
- Define your objective. Explain the reason why you’re presenting your subject. Figure out where you will feature your case study; whether it is written, on video, shown as an infographic, streamed as a podcast, etc.
- Determine who will be the right candidate for your case study. Get permission, quotes, and other features that will make your case study effective. Get in touch with your candidate to see if they approve of being part of your work. Study that candidate’s situation and note down what caused it.
- Identify the various consequences that could result from the situation. To start a case study, search online for general information you might find useful.
- Make a list of credible sources and examine them. Seek out important facts and highlight problems. Always write down your ideas and make sure to brainstorm.
- Focus on several key issues – why they exist, and how they impact your research subject. Think of several unique solutions. Draw from class discussions, readings, and personal experience. When writing a case study, focus on the best solution and explore it in depth. After having all your research in place, writing a case study will be easy. You may first want to check the rubric and criteria of your assignment for the correct case study structure.
Although your instructor might be looking at slightly different criteria, every case study rubric essentially has the same standards. Your professor will want you to exhibit 8 different outcomes:
- Correctly identify the concepts, theories, and practices in the discipline.
- Identify the relevant theories and principles associated with the particular study.
- Evaluate legal and ethical principles and apply them to your decision-making.
- Recognize the global importance and contribution of your case.
- Construct a coherent summary and explanation of the study.
- Demonstrate analytical and critical-thinking skills.
- Explain the interrelationships between the environment and nature.
- Integrate theory and practice of the discipline within the analysis.
Case Study Outline
Let's look at the structure of an outline based on the issue of the alcohol addiction of 30 people.
- Statement of the issue: Alcoholism is a disease rather than a weakness of character.
- Presentation of the problem: Alcoholism is affecting more than 14 million people in the USA, which makes it the third most common mental illness there.
- Explanation of the terms: In the past, alcoholism was commonly referred to as alcohol dependence or alcohol addiction. Alcoholism is now the more severe stage of this addiction in the disorder spectrum.
- Hypotheses: Drinking in excess can lead to the use of other drugs.
- Importance of your story: How the information you present can help people with their addictions.
- Background of the story: Include an explanation of why you chose this topic.
- Presentation of analysis and data: Describe the criteria for choosing 30 candidates, the structure of the interview, and the outcomes.
- Strong argument 1: ex. X% of candidates dealing with anxiety and depression...
- Strong argument 2: ex. X amount of people started drinking by their mid-teens.
- Strong argument 3: ex. X% of respondents’ parents had issues with alcohol.
- Concluding statement: I have researched if alcoholism is a disease and found out that…
- Recommendations: Ways and actions for preventing alcohol use.
Writing a Case Study Draft
After you’ve done your case study research and written the outline, it’s time to focus on the draft. In a draft, you develop and write your case study using the data you collected throughout the research, the interviews, and the analysis you carried out. Follow these rules for the draft:
- Your draft should contain at least 4 sections: an introduction; a body where you should include background information, an explanation of why you decided to do this case study, and a presentation of your main findings; a conclusion where you present data; and references.
- In the introduction, you should set the pace very clearly. You can even raise a question or quote someone you interviewed in the research phase. It must provide adequate background information on the topic. The background may include analyses of previous studies on your topic. Include the aim of your case here as well. Think of it as a thesis statement. The aim must describe the purpose of your work—presenting the issues that you want to tackle. Include background information, such as photos or videos you used when doing the research.
- Describe your unique research process, whether it was through interviews, observations, academic journals, etc. The next point includes providing the results of your research. Tell the audience what you found out. Why is this important, and what could be learned from it? Discuss the real implications of the problem and its significance in the world.
- Include quotes and data (such as findings, percentages, and awards). This will add a personal touch and better credibility to the case you present. Explain what results you found during your interviews with regard to the problem and how it developed. Also, write about solutions that have already been proposed by other people who have written about this case.
- At the end of your case study, you should offer possible solutions, but don’t worry about solving the problem yourself.
Use Data to Illustrate Key Points in Your Case Study
Even though your case study is a story, it should be based on evidence. Use as much data as possible to illustrate your point. Without the right data, your case study may appear weak and the readers may not be able to relate to your issue as much as they should. Compare the following examples:
With data: Alcoholism is affecting more than 14 million people in the USA, which makes it the third most common mental illness there.
Without data: A lot of people suffer from alcoholism in the United States.
Try to include as many credible sources as possible. You may have terms or sources that could be hard for other cultures to understand. If this is the case, you should include them in the appendix or Notes for the Instructor or Professor.
Finalizing the Draft: Checklist
After you finish drafting your case study, polish it up by answering these ‘ask yourself’ questions and think about how to end your case study:
- Check that you follow the correct case study format, including text formatting.
- Check that your work is consistent with its referencing and citation style.
- Micro-editing — check for grammar and spelling issues.
- Macro-editing — does ‘the big picture’ come across to the reader? Is there enough raw data, such as real-life examples or personal experiences? Have you made your data collection process completely transparent? Does your analysis provide a clear conclusion, allowing for further research and practice?
Problems to avoid:
- Overgeneralization – Do not go into further research that deviates from the main problem.
- Failure to Document Limitations – Just as you have to clearly state the limitations of a general research study, you must describe the specific limitations inherent in the subject of analysis.
- Failure to Extrapolate All Possible Implications – Just as you don't want to over-generalize from your case study findings, you also have to be thorough in the consideration of all possible outcomes or recommendations derived from your findings.
How to Create a Title Page and Cite a Case Study
Let's see how to create an awesome title page.
Your title page depends on the prescribed citation format. The title page should include:
- A title that attracts some attention and describes your study
- The title should have the words “case study” in it
- The title should range between 5-9 words in length
- Your name and contact information
- Your finished paper should be only 500 to 1,500 words in length. With this type of assignment, write effectively and avoid fluff.
Here is a template for the APA and MLA format title page:
There are some cases when you need to cite someone else's study in your own one – therefore, you need to master how to cite a case study. A case study is like a research paper when it comes to citations. You can cite it like you cite a book, depending on what style you need.
Citation Example in MLA: Hill, Linda, Tarun Khanna, and Emily A. Stecker. HCL Technologies. Boston: Harvard Business Publishing, 2008. Print.
Citation Example in APA: Hill, L., Khanna, T., & Stecker, E. A. (2008). HCL Technologies. Boston: Harvard Business Publishing.
Citation Example in Chicago: Hill, Linda, Tarun Khanna, and Emily A. Stecker. HCL Technologies.
Case Study Examples
To give you an idea of a professional case study example, we gathered and linked some below.
Eastman Kodak Case Study
Case Study Example: Audi Trains Mexican Autoworkers in Germany
To conclude, a case study is one of the best methods of getting an overview of what happened to a person, a group, or a situation in practice. It allows you to have an in-depth glance at the real-life problems that businesses, healthcare industry, criminal justice, etc. may face. This insight helps us look at such situations in a different light. This is because we see scenarios that we otherwise would not, without necessarily being there.
Writing A Case Study
A Complete Case Study Writing Guide With Examples
Published on: Jun 14, 2019
Last updated on: Nov 24, 2023
Many writers find themselves grappling with the challenge of crafting persuasive and engaging case studies.
The process can be overwhelming, leaving them unsure where to begin or how to structure their study effectively. And, without a clear plan, it's tough to show the value and impact in a convincing way.
But don’t worry!
In this blog, we'll guide you through a systematic process, offering step-by-step instructions on crafting a compelling case study.
Along the way, we'll share valuable tips and illustrative examples to enhance your understanding. So, let’s get started.
What is a Case Study?
A case study is a detailed analysis and examination of a particular subject, situation, or phenomenon. It involves comprehensive research to gain a deep understanding of the context and variables involved.
Typically used in academic, business, and marketing settings, case studies aim to explore real-life scenarios, providing insights into challenges, solutions, and outcomes. They serve as valuable tools for learning, decision-making, and showcasing success stories.
Types of Case Studies
Case studies come in various forms, each tailored to address specific objectives and areas of interest. Here are some of the main types of case studies :
- Illustrative Case Studies: These focus on describing a particular situation or event, providing a detailed account to enhance understanding.
- Exploratory Case Studies: Aimed at investigating an issue and generating initial insights, these studies are particularly useful when exploring new or complex topics.
- Explanatory Case Studies: These delve into the cause-and-effect relationships within a given scenario, aiming to explain why certain outcomes occurred.
- Intrinsic Case Studies: Concentrating on a specific case that holds intrinsic value, these studies explore the unique qualities of the subject itself.
- Instrumental Case Studies: These are conducted to understand a broader issue and use the specific case as a means to gain insights into the larger context.
- Collective Case Studies: Involving the study of multiple cases, this type allows for comparisons and contrasts, offering a more comprehensive view of a phenomenon or problem.
How To Write a Case Study - 9 Steps
Crafting an effective case study involves a structured approach to ensure clarity, engagement, and relevance.
Here's a step-by-step guide on how to write a compelling case study:
Step 1: Define Your Objective
Before diving into the writing process, clearly define the purpose of your case study. Identify the key questions you want to answer and the specific goals you aim to achieve.
Whether it's to showcase a successful project, analyze a problem, or demonstrate the effectiveness of a solution, a well-defined objective sets the foundation for a focused and impactful case study.
Step 2: Conduct Thorough Research
Gather all relevant information and data related to your chosen case. This may include interviews, surveys, documentation, and statistical data.
Ensure that your research is comprehensive, covering all aspects of the case to provide a well-rounded and accurate portrayal.
The more thorough your research, the stronger your case study's foundation will be.
Step 3: Introduction: Set the Stage
Begin your case study with a compelling introduction that grabs the reader's attention. Clearly state the subject and the primary issue or challenge faced.
Engage your audience by setting the stage for the narrative, creating intrigue, and highlighting the significance of the case.
Step 4: Present the Background Information
Provide context by presenting the background information of the case. Explore relevant history, industry trends, and any other factors that contribute to a deeper understanding of the situation.
This section sets the stage for readers, allowing them to comprehend the broader context before delving into the specifics of the case.
Step 5: Outline the Challenges Faced
Identify and articulate the challenges or problems encountered in the case. Clearly define the obstacles that needed to be overcome, emphasizing their significance.
This section sets the stakes for your audience and prepares them for the subsequent exploration of solutions.
Step 6: Detail the Solutions Implemented
Describe the strategies, actions, or solutions applied to address the challenges outlined. Be specific about the decision-making process, the rationale behind the chosen solutions, and any alternatives considered.
This part of the case study demonstrates problem-solving skills and showcases the effectiveness of the implemented measures.
Step 7: Showcase Measurable Results
Present tangible outcomes and results achieved as a direct consequence of the implemented solutions. Use data, metrics, and success stories to quantify the impact.
Whether it's increased revenue, improved efficiency, or positive customer feedback, measurable results add credibility and validation to your case study.
Step 8: Include Engaging Visuals
Enhance the readability and visual appeal of your case study by incorporating relevant visuals such as charts, graphs, images, and infographics.
Visual elements not only break up the text but also provide a clearer representation of data and key points, making your case study more engaging and accessible.
Step 9: Provide a Compelling Conclusion
Wrap up your case study with a strong and conclusive summary. Revisit the initial objectives, recap key findings, and emphasize the overall success or significance of the case.
This section should leave a lasting impression on your readers, reinforcing the value of the presented information.
Case Study Methods
The methods employed in case study writing are diverse and flexible, catering to the unique characteristics of each case. Here are common methods used in case study writing:
Conducting one-on-one or group interviews with individuals involved in the case to gather firsthand information, perspectives, and insights.
Directly observing the subject or situation to collect data on behaviors, interactions, and contextual details.
- Document Analysis
Examining existing documents, records, reports, and other written materials relevant to the case to gather information and insights.
- Surveys and Questionnaires
Distributing structured surveys or questionnaires to relevant stakeholders to collect quantitative data on specific aspects of the case.
- Participant Observation
Combining direct observation with active participation in the activities or events related to the case to gain an insider's perspective.
Using multiple methods (e.g., interviews, observation, and document analysis) to cross-verify and validate the findings, enhancing the study's reliability.
Immersing the researcher in the subject's environment over an extended period, focusing on understanding the cultural context and social dynamics.
Case Study Format
Effectively presenting your case study is as crucial as the content itself. Follow these formatting guidelines to ensure clarity and engagement:
- Opt for fonts that are easy to read, such as Arial, Calibri, or Times New Roman.
- Maintain a consistent font size, typically 12 points for the body text.
- Aim for double-line spacing to maintain clarity and prevent overwhelming the reader with too much text.
- Utilize bullet points to present information in a concise and easily scannable format.
- Use numbered lists when presenting a sequence of steps or a chronological order of events.
- Bold or italicize key phrases or important terms to draw attention to critical points.
- Use underline sparingly, as it can sometimes be distracting in digital formats.
- Choose the left alignment style.
- Use hierarchy to distinguish between different levels of headings, making it easy for readers to navigate.
If you're still having trouble organizing your case study, check out this blog on case study format for helpful insights.
Case Study Examples
If you want to understand how to write a case study, examples are a fantastic way to learn. That's why we've gathered a collection of intriguing case study examples for you to review before you begin writing.
Case Study Research Example
Case Study Template
Case Study Introduction Example
Amazon Case Study Example
Business Case Study Example
APA Format Case Study Example
Psychology Case Study Example
Medical Case Study Example
UX Case Study Example
Looking for more examples? Check out our blog on case study examples for your inspiration!
Benefits and Limitations of Case Studies
Case studies are a versatile and in-depth research method, providing a nuanced understanding of complex phenomena.
However, like any research approach, case studies come with their set of benefits and limitations. Some of them are given below:
Tips for Writing an Effective Case Study
Here are some important tips for writing a good case study:
- Clearly articulate specific, measurable research questions aligned with your objectives.
- Identify whether your case study is exploratory, explanatory, intrinsic, or instrumental.
- Choose a case that aligns with your research questions, whether it involves an individual case or a group of people through multiple case studies.
- Explore the option of conducting multiple case studies to enhance the breadth and depth of your findings.
- Present a structured format with clear sections, ensuring readability and alignment with the type of research.
- Clearly define the significance of the problem or challenge addressed in your case study, tying it back to your research questions.
- Collect and include quantitative and qualitative data to support your analysis and address the identified research questions.
- Provide sufficient detail without overwhelming your audience, ensuring a comprehensive yet concise presentation.
- Emphasize how your findings can be practically applied to real-world situations, linking back to your research objectives.
- Acknowledge and transparently address any limitations in your study, ensuring a comprehensive and unbiased approach.
To sum it up, creating a good case study involves careful thinking to share valuable insights and keep your audience interested.
Stick to basics like having clear questions and understanding your research type. Choose the right case and keep things organized and balanced.
Remember, your case study should tackle a problem, use relevant data, and show how it can be applied in real life. Be honest about any limitations, and finish with a clear call-to-action to encourage further exploration.
Frequently Asked Questions
What is the purpose of a case study?
The objective of a case study is to do intensive research on a specific matter, such as individuals or communities. It's often used for academic purposes where you want the reader to know all factors involved in your subject while also understanding the processes at play.
What are the sources of a case study?
Some common sources of a case study include:
- Archival records
- Direct observations and encounters
- Participant observation
- Facts and statistics
- Physical artifacts
What is the sample size of a case study?
A normally acceptable size of a case study is 30-50. However, the final number depends on the scope of your study and the on-ground demographic realities.
Barbara P (Literature, Marketing)
Dr. Barbara is a highly experienced writer and author who holds a Ph.D. degree in public health from an Ivy League school. She has worked in the medical field for many years, conducting extensive research on various health topics. Her writing has been featured in several top-tier publications.
Effects of the Million Hearts Model on Myocardial Infarctions, Strokes, and Medicare Spending: A Randomized Clinical Trial
- 1 Mathematica, Washington, DC
- 2 Mathematica, Cambridge, Massachusetts
- 3 Department of Medicine, Sidney Kimmel Medical College at Thomas Jefferson University, Philadelphia, Pennsylvania
- 4 RAND Corporation, Santa Monica, California
- 5 Mathematica, Oakland, California
- 6 University of Colorado School of Medicine, Denver
- 7 Mathematica, Chicago, Illinois
- 8 RAND Corporation, Arlington, Virginia
- 9 Center for Medicare and Medicaid Innovation, Centers for Medicare & Medicaid Services, Baltimore, Maryland
Question Did the Million Hearts Model, which encouraged and paid for cardiovascular risk assessment and reduction, reduce the incidence of first-time myocardial infarctions and strokes or Medicare spending among Medicare beneficiaries aged 40 to 79 years?
Findings The model reduced the probability of a first-time myocardial infarction or stroke over 5 years by 0.3 percentage points among people at high or medium risk for these events, without statistically significant changes in Medicare spending.
Meaning The commitment of health care organizations to cardiovascular risk assessment and follow-up, coupled with payments for risk assessment and reduction, reduced myocardial infarction and stroke rates. Results support guideline recommendations for cardiovascular risk assessment.
Importance The Million Hearts Model paid health care organizations to assess and reduce cardiovascular disease (CVD) risk. Model effects on long-term outcomes are unknown.
Objective To estimate model effects on first-time myocardial infarctions (MIs) and strokes and Medicare spending over a period up to 5 years.
Design, Setting, and Participants This pragmatic cluster-randomized trial ran from 2017 to 2021, with organizations assigned to a model intervention group or standard care control group. Randomized organizations included 516 US-based primary care and specialty practices, health centers, and hospital-based outpatient clinics participating voluntarily. Of these organizations, 342 entered patients into the study population, which included Medicare fee-for-service beneficiaries aged 40 to 79 years with no previous MI or stroke and with high or medium CVD risk (a 10-year predicted probability of MI or stroke [ie, CVD risk score] ≥15%) in 2017-2018.
Intervention Organizations agreed to perform guideline-concordant care, including routine CVD risk assessment and cardiovascular care management for high-risk patients. The Centers for Medicare & Medicaid Services paid organizations to calculate CVD risk scores for Medicare fee-for-service beneficiaries. CMS further rewarded organizations for reducing risk among high-risk beneficiaries (CVD risk score ≥30%).
Main Outcomes and Measures Outcomes included first-time CVD events (MIs, strokes, and transient ischemic attacks) identified in Medicare claims, combined first-time CVD events from claims and CVD deaths (coronary heart disease or cerebrovascular disease deaths) identified using the National Death Index, and Medicare Parts A and B spending for CVD events and overall. Outcomes were measured through 2021.
Results High- and medium-risk model intervention beneficiaries (n = 130 578) and standard care control beneficiaries (n = 88 286) were similar in age (median age, 72-73 y), sex (58%-59% men), race (7%-8% Black), and baseline CVD risk score (median, 24%). The probability of a first-time CVD event within 5 years was 0.3 percentage points lower for intervention beneficiaries than control beneficiaries (3.3% relative effect; adjusted hazard ratio [HR], 0.97 [90% CI, 0.93-1.00]; P = .09). The 5-year probability of combined first-time CVD events and CVD deaths was 0.4 percentage points lower in the intervention group (4.2% relative effect; HR, 0.96 [90% CI, 0.93-0.99]; P = .02). Medicare spending for CVD events was similar between the groups (effect estimate, −$1.83 per beneficiary per month [90% CI, −$3.97 to −$0.30]; P = .16), as was overall Medicare spending including model payments (effect estimate, $2.11 per beneficiary per month [90% CI, −$16.66 to $20.89]; P = .85).
Conclusions and Relevance The Million Hearts Model, which encouraged and paid for CVD risk assessment and reduction, reduced first-time MIs and strokes. Results support guidelines to use risk scores for CVD primary prevention.
Trial Registration ClinicalTrials.gov Identifier: NCT04047147
Blue L, Kranker K, Markovitz AR, et al. Effects of the Million Hearts Model on Myocardial Infarctions, Strokes, and Medicare Spending: A Randomized Clinical Trial. JAMA. 2023;330(15):1437–1447. doi:10.1001/jama.2023.19597
44+ SAMPLE Case Reports in PDF | MS Word
Case reports | ms word, 44+ sample case reports, what is a case report, benefits of a case report, components of a case report, how to create a case study report, what constitutes a case report, are case studies useful, are case reports supported by evidence.
Medical Case Report
Rubella Syndrome Case Report
Sample Case Report Format
Formal Case Report
Checklist for Case Report
Clinical Examination Case Report
Simple Case Report
Neuropathy Case Report
Basic Case Report
Evidence-Based Case Report
Case Report Format
Case Investigation Report
Case Reports Checklist for Headache
Medical Case Study Report
Disease Case Report
Case Report Submission Form
Case Submission Report
Case Report Worksheet
Leggioellosis Case Report
Consent Form for Case Report
Individual Case Report
Regional Workshop on Case Report
Communicable Disease Case Report
Murder Case Report
Detective Case Report
Case Policy Report
Case Report Requirements Template
Summary of All Case Report
Patient Case Report
Journal Case Report
Case Report Form
Covid-19 Case Report
Case Studies Report
Business Case Report
Varicella Case Report
Case Study Report Format
Academic Case Report
Confidential Case Report
Animal Disease Case Report
Directors Case Report
Standard Case Report
Unusual Case Report
Printable Case Report
Case Data Report
Hepatities Case Report
- Adherence to government regulations
- Cost savings for businesses
- Increasing lead generation
- Additional customer closures
- Written Case Study – Consider creating this case study as an ebook and converting it to a PDF that can be downloaded. Then, before readers can download the material, ask them to fill out a form on a landing page, allowing this case study to generate leads for your company.
- Infographic Case Study – Use an infographic’s long, vertical structure to tell your success story from top to bottom. As you proceed along with the infographic, use larger text and Gantt charts to underline significant KPIs that demonstrate your client’s performance while working with you.
- Podcast Case Study – Podcasts allow you to have an open and honest conversation with your client. This form of a case study will appear more authentic and personable to your audience, as they will understand that your cooperation with your client was a true success.
- Video Case Study – Make arrangements to meet with the client and conduct an interview. From your potential client’s perspective, seeing the subject speak about the service you offered them in person can go a long way.
- Product Expertise – It’s preferable to choose a consumer who is familiar with the logistics of your product or service. That way, they will effectively communicate the value of what you have to offer to potential clients.
- Exceptional Results – Clients who have seen the best results will provide the most compelling case studies. If they’ve seen an exceptional return on investment from your product or service, they’re more likely to convey the enthusiasm you want prospects to feel as well. This step includes selecting clients who have achieved unexpected success with your product or service. When you’ve delivered positive results to non-traditional customers — in industries with which you’re not typically associated, for example — it can help dispel prospects’ doubts.
- Recognizable Names – While small businesses can have compelling stories, more prominent or well-known brands lend credibility to yours. Indeed, 89% of consumers prefer to purchase from a brand they recognize over a competitor, especially if they follow the brand on social media.
5 Benefits of Learning Through the Case Study Method
- 28 Nov 2023
While several factors make HBS Online unique—including a global Community and real-world outcomes—active learning through the case study method rises to the top.
In a 2023 City Square Associates survey, 74 percent of HBS Online learners who also took a course from another provider said HBS Online’s case method and real-world examples were better by comparison.
Here’s a primer on the case method, five benefits you could gain, and how to experience it for yourself.
What Is the Harvard Business School Case Study Method?
The case study method, or case method, is a learning technique in which you’re presented with a real-world business challenge and asked how you’d solve it. After working through it yourself and with peers, you’re told how the scenario played out.
HBS pioneered the case method in 1922. Shortly before, in 1921, the first case was written.
“How do you go into an ambiguous situation and get to the bottom of it?” says HBS Professor Jan Rivkin, former senior associate dean and chair of HBS's master of business administration (MBA) program, in a video about the case method. “That skill—the skill of figuring out a course of inquiry to choose a course of action—that skill is as relevant today as it was in 1921.”
Originally developed for the in-person MBA classroom, HBS Online adapted the case method into an engaging, interactive online learning experience in 2014.
In HBS Online courses, you learn about each case from the business professional who experienced it. After reviewing their videos, you’re prompted to take their perspective and explain how you’d handle their situation.
You then get to read peers’ responses, “star” them, and comment to further the discussion. Afterward, you learn how the professional handled it and their key takeaways.
HBS Online’s adaptation of the case method incorporates the famed HBS “cold call,” in which you’re called on at random to make a decision without time to prepare.
“Learning came to life!” said Sheneka Balogun, chief administration officer and chief of staff at LeMoyne-Owen College, of her experience taking the Credential of Readiness (CORe) program. “The videos from the professors, the interactive cold calls where you were randomly selected to participate, and the case studies that enhanced and often captured the essence of objectives and learning goals were all embedded in each module. This made learning fun, engaging, and student-friendly.”
If you’re considering taking a course that leverages the case study method, here are five benefits you could experience.
5 Benefits of Learning Through Case Studies
1. Take New Perspectives
The case method prompts you to consider a scenario from another person’s perspective. To work through the situation and come up with a solution, you must consider their circumstances, limitations, risk tolerance, stakeholders, resources, and potential consequences to assess how to respond.
Taking on new perspectives not only can help you navigate your own challenges but also others’. Putting yourself in someone else’s situation to understand their motivations and needs can go a long way when collaborating with stakeholders.
2. Hone Your Decision-Making Skills
Another skill you can build is the ability to make decisions effectively. The case study method forces you to use limited information to decide how to handle a problem—just like in the real world.
Throughout your career, you’ll need to make difficult decisions with incomplete or imperfect information—and sometimes, you won’t feel qualified to do so. Learning through the case method allows you to practice this skill in a low-stakes environment. When facing a real challenge, you’ll be better prepared to think quickly, collaborate with others, and present and defend your solution.
3. Become More Open-Minded
As you collaborate with peers on responses, it becomes clear that not everyone solves problems the same way. Exposing yourself to various approaches and perspectives can help you become a more open-minded professional.
When you’re part of a diverse group of learners from around the world, your experiences, cultures, and backgrounds contribute to a range of opinions on each case.
On the HBS Online course platform, you’re prompted to view and comment on others’ responses, and discussion is encouraged. This practice of considering others’ perspectives can make you more receptive in your career.
“You’d be surprised at how much you can learn from your peers,” said Ratnaditya Jonnalagadda, a software engineer who took CORe.
In addition to interacting with peers in the course platform, Jonnalagadda was part of the HBS Online Community, where he networked with other professionals and continued discussions sparked by course content.
“You get to understand your peers better, and students share examples of businesses implementing a concept from a module you just learned,” Jonnalagadda said. “It’s a very good way to cement the concepts in one's mind.”
4. Enhance Your Curiosity
One byproduct of taking on different perspectives is that it enables you to picture yourself in various roles, industries, and business functions.
“Each case offers an opportunity for students to see what resonates with them, what excites them, what bores them, which role they could imagine inhabiting in their careers,” says former HBS Dean Nitin Nohria in the Harvard Business Review. “Cases stimulate curiosity about the range of opportunities in the world and the many ways that students can make a difference as leaders.”
Through the case method, you can “try on” roles you may not have considered and feel more prepared to change or advance your career.
5. Build Your Self-Confidence
Finally, learning through the case study method can build your confidence. Each time you assume a business leader’s perspective, aim to solve a new challenge, and express and defend your opinions and decisions to peers, you prepare to do the same in your career.
According to a 2022 City Square Associates survey, 84 percent of HBS Online learners report feeling more confident making business decisions after taking a course.
“Self-confidence is difficult to teach or coach, but the case study method seems to instill it in people,” Nohria says in the Harvard Business Review. “There may well be other ways of learning these meta-skills, such as the repeated experience gained through practice or guidance from a gifted coach. However, under the direction of a masterful teacher, the case method can engage students and help them develop powerful meta-skills like no other form of teaching.”
How to Experience the Case Study Method
If the case method seems like a good fit for your learning style, experience it for yourself by taking an HBS Online course. Offerings span seven subject areas, including:
- Business essentials
- Leadership and management
- Entrepreneurship and innovation
- Finance and accounting
- Business in society
No matter which course or credential program you choose, you’ll examine case studies from real business professionals, work through their challenges alongside peers, and gain valuable insights to apply to your career.
ASD Cyber Threat Report 2022-2023
- ASD's Cyber Threat Report 2022-2023 7.67MB .pdf
- Fact Sheets - Businesses & Organisations - 2022-2023 190KB .pdf
- Fact sheets - Critical Infrastructure - 2022-2023 172KB .pdf
- Fact Sheets - Individuals - 2022-2023 173KB .pdf
I am pleased to present the Annual Cyber Threat Report 2022–23 developed by the Australian Signals Directorate (ASD).
As the Defence Strategic Review made clear, in the post-Second World War period Australia was protected by its geography and the limited ability of other nations in the region to project combat power. In the current strategic era, Australia’s geographic advantages have been eroded as more countries have enhanced their ability to project combat power across greater ranges, including through the rapid development of cyber capabilities.
Australia’s region, the Indo-Pacific, is also now seeing growing competition on multiple levels – economic, military, strategic and diplomatic – framed by competing values and narratives.
In this context, Australian governments, critical infrastructure, businesses and households continue to be the target of malicious cyber actors. This report illustrates that both state and non-state actors continue to show the intent and capability to compromise Australia’s networks. It also highlights the added complexity posed by emerging technologies such as artificial intelligence.
The report demonstrates the persistent threat that state cyber capabilities pose to Australia. This threat extends beyond cyber espionage campaigns to disruptive activities against Australia’s essential services. The report also confirms that the borderless and multi-billion dollar cybercrime industry continues to cause significant harm to Australia, with Australians remaining an attractive target for cybercriminal syndicates around the world.
Through case studies, the report demonstrates the persistence and tenacity of these cyber actors. It shows that these adversaries constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.
The threat environment characterised in this report underscores the importance of ASD’s work in defending Australia’s security and prosperity. It also reinforces the significance of the Australian Government’s investment in ASD’s cyber and intelligence capabilities under Project REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, Enablers).
It is clear we must maintain an enduring focus on cyber security in Australia. The Australian Government is committed to leading our nation’s efforts to bolster our cyber resilience.
We also know that the best cyber defences are founded on genuine partnerships between and across the public and private sectors. The development of this report, which draws on insights from across the Commonwealth Government, our international partners, Australian industry and the community, is a testament to this collaboration.
This report presents a clear picture of the cyber threat landscape we face and is a vital part of Australia’s collective efforts to enhance our cyber resilience.
The Hon Richard Marles, MP Deputy Prime Minister and Minister for Defence
About ASD’s ACSC
ASD’s Australian Cyber Security Centre (ACSC) is the Australian Government’s technical authority on cyber security. The ACSC brings together capabilities to improve Australia’s national cyber resilience and its services include:
- the Australian Cyber Security Hotline, which is contactable 24 hours a day, 7 days a week, via 1300 CYBER1 (1300 292 371)
- publishing alerts, technical advice, advisories and notifications on significant cyber security threats
- cyber threat monitoring and intelligence sharing with partners, including through the Cyber Threat Intelligence Sharing (CTIS) platform
- helping Australian entities respond to cyber security incidents
- exercises and uplift activities to enhance the cyber security resilience of Australian entities
- supporting collaboration between over 110,000 Australian organisations and individuals on cyber security issues through ASD’s Cyber Security Partnership Program.
The most effective cyber security is collaborative and partnerships are key to this work. ASD thanks all of the organisations that contributed to this report. This includes Australian local, state, territory and federal government agencies, and industry partners.
Malicious cyber activity continued to pose a risk to Australia’s security and prosperity in FY 2022–23. A range of malicious cyber actors showed the intent and capability needed to compromise vital systems, and Australian networks were regularly targeted by both opportunistic and more deliberate malicious cyber activity.
ASD responded to over 1,100 cyber security incidents from Australian entities. Separately, nearly 94,000 reports were made to law enforcement through ReportCyber – around one every 6 minutes.
ASD identified a number of key cyber security trends in FY 2022–23:
State actors focused on critical infrastructure – data theft and disruption of business.
Globally, government and critical infrastructure networks were targeted by state cyber actors as part of ongoing information-gathering campaigns or disruption activities. The AUKUS partnership, with its focus on nuclear submarines and other advanced military capabilities, is likely a target for state actors looking to steal intellectual property for their own military programs. Cyber operations are increasingly the preferred vector for state actors to conduct espionage and foreign interference.
In 2022–23, ASD joined international partners to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage, and also highlighted activity associated with a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical infrastructure organisations.
Australian critical infrastructure was targeted via increasingly interconnected systems.
Operational technology connected to the internet and into corporate networks has provided opportunities for malicious cyber actors to attack these systems. In 2022–23, ASD responded to 143 cyber security incidents related to critical infrastructure.
Cybercriminals continued to adapt tactics to extract maximum payment from victims.
Cybercriminals constantly evolved their operations against Australian organisations, fuelled by a global industry of access brokers and extortionists. ASD responded to 127 extortion-related incidents: 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts. Business email compromise remained a key vector to conduct cybercrime. Ransomware also remained a highly destructive cybercrime type, as did hacktivists’ denial-of-service attacks, impacting organisations’ business operations.
Data breaches impacted many Australians.
Significant data breaches resulted in millions of Australians having their information stolen and leaked on the dark web.
One in 5 critical vulnerabilities was exploited within 48 hours.
This was despite patching or mitigation advice being available. Malicious cyber actors used these critical flaws to cause significant incidents and compromise networks, aided by inadequate patching.
Cyber security is increasingly challenged by complex ICT supply chains and advances in fields such as artificial intelligence. To boost cyber security, Australia must consider not only technical controls such as ASD’s Essential Eight, but also growing a positive cyber-secure culture across business and the community. This includes prioritising secure-by-design and secure-by-default products during both development (vendors) and procurement (customers).
ASD’s first year of REDSPICE increased cyber threat intelligence sharing, the uplift of critical infrastructure, and an enhanced 24/7 national incident response capability.
Genuine partnerships across both the public and private sectors have remained essential to Australia’s cyber resilience; and ASD’s Cyber Security Partnership Program has grown to include over 110,000 organisations and individuals.
Year in review
What ASD saw
Average cost of cybercrime per report, up 14 per cent
- small business: $46,000
- medium business: $97,200
- large business: $71,600.
Nearly 94,000 cybercrime reports, up 23 per cent
- on average a report every 6 minutes
- an increase from 1 report every 7 minutes.
Answered over 33,000 calls to the Australian Cyber Security Hotline, up 32 per cent
- on average 90 calls per day
- an increase from 69 calls per day.
Top 3 cybercrime types for individuals
- identity fraud
- online banking fraud
- online shopping fraud.
Top 3 cybercrime types for business
- email compromise
- business email compromise (BEC) fraud
- online banking fraud.
Publicly reported common vulnerabilities and exposures (CVEs) increased 20 per cent.
What ASD did
- Responded to over 1,100 cyber security incidents, similar to last year.
- 10 per cent of all incidents responded to included ransomware, similar to last year.
- Notified 158 entities of ransomware activity on their networks, compared to 148 last year, roughly a 7 per cent increase.
- Australian Protective Domain Name System blocked over 67 million malicious domain requests, up 176 per cent.
- Domain Takedown Service blocked over 127,000 attacks against Australian servers, up 336 per cent.
- Cyber Threat Intelligence Sharing partners grew by 688 per cent to over 250 partners.
- issued 103 High-priority Operational Taskings, up 110 per cent
- distributed around 4,900 reports to approximately 1,360 organisations, up 16 per cent and 32 per cent respectively.
- 3 CI-UPs completed covering 6 CI assets
- 3 CI-UPs in progress
- 20 CI-UP Info Packs sent
- 5 CI-UP workshops held.
- Notified 7 critical infrastructure entities of suspicious cyber activity, up from 5 last year.
- Published or updated 34 PROTECT and Information Security Manual (ISM) guidance publications.
- Published 64 alerts, advisories, incident and insight reports on cyber.gov.au and the Partnership Portal.
- Individual Partners up 24 per cent
- Business Partners up 37 per cent
- Network Partners up 29 per cent.
- Led 20 cyber security exercises involving over 75 organisations to strengthen Australia’s cyber resilience.
- Briefed board members and company directors covering 33 per cent of the ASX200.
ASD is able to build a national cyber threat picture, in part due to the timely and rich reporting of cyber security incidents by members of the public and Australian business. This aggregation of cyber security incident data enables ASD to inform threat mitigation advice with the latest trends and threats posed by malicious cyber actors. Any degradation in the quantity or quality of information reported to ASD harms cyber security outcomes. Information reported to ASD is anonymised prior to it being communicated to the community.
ASD categorises each incident it responds to on a scale of Category 1 (C1), the most severe, to Category 6 (C6), the least severe. Incidents are categorised on severity of effect, extent of compromise, and significance of the organisation.
The number of C2 incidents rose from 2 in FY 2021–22 to 5 in FY 2022–23. This includes significant data breaches involving cybercriminals exfiltrating data from critical infrastructure for the purposes of financial gain.
Cyber security incidents are consistent with last financial year, with around 15 per cent of all incidents being categorised C3 or above. Of the C3 incidents, over 30 per cent related to organisations self-identifying as critical infrastructure, with transport (21 per cent), energy (17 per cent), and higher education and research (17 per cent) the most affected sectors.
The most common C3 incident type was compromised assets, network or infrastructure (23 per cent), followed by data breaches (19 per cent) and ransomware (14 per cent). Common activities leading to C3 incidents included exploitation of public–facing applications (20 per cent) and phishing (17 per cent).
Almost a quarter (24 per cent) of C3 incidents involved a tipper, where ASD notified the affected organisations of suspicious activity.
While reports of low-level malicious attacks are often categorised as unsuccessful, reports of unsuccessful activity are still indicative of continual targeting of Australian entities.
Cyber security incidents by sector
Compared to 2021–22, the information media and telecommunications sector fell out of the top 5 reporting sectors.
Government sectors and regulated critical infrastructure have reporting obligations, which may explain the relatively high reporting rate for these sectors compared with others.
ASD categorises sectors following the Australian and New Zealand Standard Industrial Classification (ANZSIC) Divisions from the Australian Bureau of Statistics. The public safety and administration division encompasses several sectors including federal, state, territory and local governments, public order and safety services, and Defence.
Table 3: The top 10 reporting sectors
Chapter 1: Exploitation
- Half of vulnerabilities were exploited within 2 weeks of a patch, or of mitigation advice being released, highlighting the risks entities take by not promptly patching.
- Patching vulnerabilities in internet-facing services should occur within 2 weeks, or 48 hours if an exploit exists.
- Vulnerable internet-facing devices and applications are convenient targets for malicious cyber actors. In addition to patching, unnecessary internet-facing services should be disabled.
Vulnerable and exposed
As Australians integrate more technology into their lives and businesses, the number of possible weak points or vectors for malicious cyber actors to exploit – known as the attack surface – grows. The larger the attack surface, the harder it is to defend. Malicious cyber actors often exploit security weaknesses found in ICT, known as common vulnerabilities and exposures (CVEs), to break into systems, steal data, or even take complete control over a system.
The number of published CVEs has been steadily on the rise. The US National Vulnerability Database published 19,379 CVEs in FY 2020–21, 24,266 CVEs in FY 2021–22, and 29,019 CVEs in FY 2022–23.
To identify the rates at which CVEs were exploited after a patch or mitigation was made available, ASD analysed 60 CVEs covering 1 July 2020 to 28 February 2023. The analysis found around 82 per cent of vulnerabilities had an attack vector of ‘network’ under the Common Vulnerability Scoring Scheme. This indicates that malicious actors prefer vulnerabilities that are remotely exploitable and are present on internet-facing or edge devices. Exploitation of these vulnerabilities allows malicious actors to pivot into internal networks. The analysis also found:
- 1 in 5 vulnerabilities was exploited within 48 hours of a patch or mitigation advice being released
- half of the vulnerabilities were exploited within 2 weeks of a patch or mitigation advice being released
- 2 in 5 vulnerabilities were exploited more than one month after a patch or mitigation advice was released.
Despite more than 90 per cent of CVEs having a patch or mitigation advice available within 2 weeks of public disclosure, 50 per cent of the CVEs were still exploited more than 2 weeks after that patch or mitigation advice was published. This highlights the risk entities carry when not patching promptly. These risks are heightened when proof-of-concept code is available and shared online, as malicious cyber actors can leverage this code for use in automated tools, lowering the barrier for exploitation.
ASD observed that Log4Shell (CVE-2021-44228) and ProxyLogon (CVE-2021-26855) were by far the most commonly exploited vulnerabilities throughout the analysis period, with these 2 vulnerabilities representing 29 per cent of all CVE-related incidents.
CVEs do not have an expiration date. In one instance, ASD observed that malicious cyber actors successfully exploited an unpatched 7-year-old CVE. Additionally, ASD still receives periodic reports of WannaCry malware – 6 years after its release – which is likely due to old, infected legacy machines being powered on and connected to networks. Incidents like this highlight the importance of patching as soon as possible, and also demonstrate the long tail of risks that unpatched and legacy systems can pose to entities.
During 2022–23, ASD published many alerts warning Australians of vulnerabilities, such as the critical remote code execution vulnerability in Fortinet devices (CVE-2022-40684), and a high-severity vulnerability present in Microsoft Outlook for Windows (CVE-2023-23397). ASD also published a joint Five-Eyes advisory detailing the top 12 CVEs most frequently and routinely exploited by malicious cyber actors for the 2022 calendar year.
To help mitigate vulnerabilities, ASD recommends all entities patch, update or otherwise mitigate vulnerabilities in online services and internet-facing devices within 48 hours when vulnerabilities are assessed as critical by vendors or when working exploits exist. Otherwise, vulnerabilities should be patched, updated or otherwise mitigated within 2 weeks. Entities with limited cyber security expertise who are unable to patch rapidly should consider using a reputable cloud service provider or managed service provider that can help ensure timely patching.
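The timeframes recommended above can be checked mechanically against a vulnerability register. The following is an added example, not code from ASD's report: asset names, the assessment date and the `CVE-0000-…` identifiers are constructed placeholders, while CVE-2018-13379 and its 24 May 2019 advisory date come from case study 1.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Timeframes from the recommendation: 48 hours when the vendor rates the
# vulnerability critical or a working exploit exists, otherwise 2 weeks.
URGENT_WINDOW = timedelta(hours=48)
STANDARD_WINDOW = timedelta(weeks=2)


@dataclass
class Finding:
    asset: str
    cve: str
    internet_facing: bool
    vendor_critical: bool      # vendor assessed the vulnerability as critical
    working_exploit: bool      # a working exploit is known to exist
    advice_released: datetime  # patch or mitigation advice publication time
    mitigated_at: Optional[datetime] = None  # None means still unmitigated


def deadline(f: Finding) -> Optional[datetime]:
    """Mitigation deadline, or None when the asset is outside the rule's scope."""
    if not f.internet_facing:
        return None  # the rule covers online services and internet-facing devices
    urgent = f.vendor_critical or f.working_exploit
    return f.advice_released + (URGENT_WINDOW if urgent else STANDARD_WINDOW)


def assess(f: Finding, now: datetime) -> dict:
    """Classify one finding against its deadline as of `now`."""
    due = deadline(f)
    row = {"asset": f.asset, "cve": f.cve, "due": due, "overdue_days": 0}
    if due is None:
        row["status"] = "out_of_scope"
        return row
    done = f.mitigated_at is not None
    reference = f.mitigated_at if done else now
    late = reference > due
    if done:
        row["status"] = "mitigated_late" if late else "mitigated_in_time"
    else:
        row["status"] = "overdue" if late else "within_window"
    if late:
        row["overdue_days"] = (reference - due).days
    return row


def triage(findings: List[Finding], now: datetime) -> List[dict]:
    """Order findings so unmitigated, longest-overdue items come first."""
    rank = {"overdue": 0, "within_window": 1, "mitigated_late": 2,
            "mitigated_in_time": 3, "out_of_scope": 4}
    rows = [assess(f, now) for f in findings]
    return sorted(rows, key=lambda r: (rank[r["status"]], -r["overdue_days"]))


# Constructed register. Only the first CVE id and its advisory date are from the page;
# it is treated as critical because the case study calls it severe and in need of
# immediate patching, and as exploited because exploitation was reported.
ASSESSED_AT = datetime(2021, 9, 1)  # constructed assessment date
INVENTORY = [
    Finding("fortigate-edge", "CVE-2018-13379", True, True, True,
            datetime(2019, 5, 24)),
    Finding("web-portal", "CVE-0000-0001", True, False, True,
            datetime(2021, 8, 10), mitigated_at=datetime(2021, 8, 14)),
    Finding("mail-gw", "CVE-0000-0002", True, False, False,
            datetime(2021, 8, 10), mitigated_at=datetime(2021, 8, 20)),
    Finding("vpn-02", "CVE-0000-0003", True, False, False,
            datetime(2021, 8, 25)),
    Finding("intranet-wiki", "CVE-0000-0004", False, True, False,
            datetime(2021, 8, 1)),
]

if __name__ == "__main__":
    for r in triage(INVENTORY, ASSESSED_AT):
        print(f"{r['asset']:<15} {r['cve']:<15} {r['status']:<18} "
              f"overdue_days={r['overdue_days']}")
```

Findings that come back `out_of_scope` are not covered by the 48-hour and 2-week rule for internet-facing systems, so they need a separate internal patching timeframe.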
ASD acknowledges not all entities may be able to immediately patch, update or apply mitigations for vulnerabilities due to high-availability business requirements or system limitations. In such cases, entities should consider compensating controls like disabling unnecessary internet-facing services, strengthening access controls, enforcing network separation, and closely monitoring systems for anomalous activity. Entities should ensure decision makers understand the level of risk they hold and the potential consequences should their systems or data be compromised as a result of a malicious actor exploiting unmitigated vulnerabilities.
Further patching advice can be found in ASD’s Assessing Vulnerabilities and Applying Patches guide.
In addition to patching, effective cyber security hygiene is vital. At cyber.gov.au, ASD has published a range of easy-to-understand advice and guides tailored for individuals, small and medium business, enterprises, and critical infrastructure providers.
All Australians should:
- enable multi-factor authentication (MFA) for online services where available
- use long, unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
- turn on automatic updates for all software – do not ignore installation prompts
- regularly back up important files and device configuration settings
- be alert for phishing messages and scams
- sign up for the ASD’s free Alert Service
- report cybercrime to ReportCyber.
Australian organisations should also:
- only use reputable cloud service providers and managed service providers that implement appropriate cyber security measures
- regularly test cyber security detection, incident response, business continuity and disaster recovery plans
- review the cyber security posture of remote workers, including their use of communication, collaboration and business productivity software
- train staff on cyber security matters, in particular how to recognise scams and phishing attempts
- implement relevant guidance from ASD’s Essential Eight Maturity Model, Strategies to Mitigate Cyber Security Incidents and Information Security Manual
- join ASD’s Cyber Security Partnership Program
- report cybercrime and cyber security incidents to ReportCyber.
Case study 1: Malicious cyber actors exploit devices 2 years after patch
On 24 May 2019, Fortinet, a US vendor that creates cyber security products, released a security advisory and accompanying patch for CVE-2018-13379, which was a severe vulnerability that required immediate patching.
On 2 April 2021, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on the exploitation of Fortinet FortiOS vulnerabilities, which indicated advanced persistent threat (APT) groups were scanning devices for CVE-2018-13379 and likely to gain access to multiple government, commercial, and technology services networks.
On 3 April 2021, ASD released an alert reminding organisations that APT groups had been observed exploiting CVE-2018-13379. Later, in September 2021, ASD received a report of a successful exploitation of CVE-2018-13379 against an Australian entity. Despite being vulnerable for more than 2 years, the victim’s device had not been patched.
While it is difficult to ascertain how widely Fortinet devices are used globally, researchers identified around 50,000 targets that remained vulnerable 2 years after the patch was released. This number is so significant that the vulnerability was added to CISA’s Top Routinely Exploited Vulnerabilities list.
The primary mitigation against these attacks is to patch vulnerabilities as soon as possible. If patching is not immediately possible, the entity should consider removing internet access from Fortinet devices until other mitigations can be implemented.
Case study 2: A network compromise at the Shire of Serpentine Jarrahdale
The rural Shire of Serpentine Jarrahdale, 45 kilometres from the Perth CBD, may seem an unlikely place for malicious cyber activity to unfold. But, in early 2023, the Shire experienced a network compromise. Shire ICT Manager Matthew Younger said the malicious cyber actor took advantage of a public-facing system. ‘We’re quite diligent with our patching, but unfortunately we missed an update to our remote work server,’ Mr Younger said.
Before taking immediate remediation action, the Shire’s ICT team held a conference call with ASD to discuss the best way to manage the compromise, and Mr Younger said ASD’s help was first-class. ‘We put a perimeter around the compromised server, checked for lateral movement, and gathered evidence to work out what happened. Everything we found led back to the importance of the Essential Eight.’
ASD also sent an incident responder to help the Shire’s ICT team capture virtual machine snapshots and log data. ASD handles incident data with strict confidentiality, and such data helps its analysts understand how cyber security incidents occur and produces intelligence to help build the national cyber threat picture and to prevent further attacks.
Mr Younger said that after the compromise, the Shire doubled down on its efforts to implement ASD’s Essential Eight. ‘We enforced passphrases, we improved our information security policies, and we improved our user security training. We also validated our controls through penetration testing and phishing exercises.’
Mr Younger credits much of the Shire’s success to its agile leadership who, with limited resources, foster the right security culture to both respond to cyber threats and implement mitigations.
BIG-IP refers to a suite of products from cyber security vendor F5, which includes firewall and application delivery solutions. On 1 July 2020, F5 released a security advisory detailing a critical vulnerability in their BIG-IP Traffic Management User Interface (TMUI). Within 48 hours of patch release, security researchers discovered malicious cyber actors scanning for and exploiting unpatched devices.
The Essential Eight
ASD’s Essential Eight are some of the most effective cyber security mitigation strategies, and include:
ASD uses its cyber threat intelligence to ensure its cyber security advice is contemporary and actionable. ASD’s advice is not formed in a silo. Feedback from partners across government and industry, such as how cyber security mitigations are implemented within organisations, is important. Feedback helps ASD update advice like the Essential Eight.
More information on the Essential Eight, including the Essential Eight Assessment Process Guide and Essential Eight Maturity Model Frequently Asked Questions, can be found at cyber.gov.au.
Chapter 2: Critical infrastructure
- During FY 2022–23, Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. Activity against these networks is likely to increase as networks grow in size and complexity.
- Malicious cyber actors can steal or encrypt data, or gain insider knowledge for profit or competitive advantage. Some actors may attempt to degrade or disrupt services and these incidents can have cascading impacts.
- Designing robust cyber security measures for operational technology environments is vital to protect the safety, availability, integrity and confidentiality of essential services. Secure-by-design and secure‑by-default products should be a priority.
Actors target critical infrastructure for many reasons
Critical infrastructure assets and networks are attractive targets for malicious cyber activity as these assets need to hold sensitive information, maintain essential services, and often have high levels of connectivity with other organisations and critical infrastructure sectors.
A cyber incident can result in a range of impacts to critical services. For instance, the disruption of an electricity grid could cause a region to lose power. Without power, a hospital may lose access to patient records and struggle to function, internet services may be down and affect communications and payment systems, or water supply could be impacted.
Globally, a broad range of malicious cyber actors, including state actors, cybercriminals and issue‑motivated groups, have demonstrated the intent and the capability to target critical infrastructure. Malicious cyber actors may target critical infrastructure for a range of reasons. For example, they may:
- attempt to degrade or disrupt services, such as through denial-of-service (DoS) attacks, which can have a significant impact on service providers and their customers
- steal or encrypt data or gain insider knowledge for profit or competitive advantage
- preposition themselves on systems by installing malware, in anticipation of future disruptive or destructive cyber operations, potentially years in advance
- covertly seek sensitive information through cyber espionage to advance strategic aims.
Critical infrastructure can be targeted by the mass scanning of networks for both old and new vulnerabilities. In February 2023, an Italian energy and water provider was affected by ransomware. While there was no indication the water or energy supply was affected, it reportedly took 4 days to restore systems like information databases. Italy’s National Cybersecurity Agency publicly noted the ransomware attack targeted older and unpatched software, exploiting a 2-year-old vulnerability.
Critical infrastructure is a target globally
During 2022–23, critical infrastructure networks around the world continued to be targeted, causing impacts on network operators and those relying on critical services. In the latter half of 2022, the French health system reportedly sustained a number of cyber incidents. One hospital fell victim to a ransomware incident, resulting in the cancellation of some surgical operations and forcing patients to be transferred to other hospitals. The hospital’s computer systems had to be shut down to isolate the attack.
Russia’s war on Ukraine has continued to demonstrate that critical infrastructure is viewed as a target for disruptive and destructive cyber operations during times of conflict. Malicious cyber actors have targeted and disrupted hospitals, airports, railways, telecommunication providers, energy utilities, and financial institutions across Europe. Destructive malware was also used against critical infrastructure in Ukraine.
In September 2022 and May 2023, ASD and its international partners published advisories highlighting that state actors were targeting multiple US critical infrastructure sectors, and strongly encouraged Australian entities to review their networks for signs of malicious activity. More details about these advisories are in the state actor chapter.
Australian critical infrastructure is impacted
Australian critical infrastructure networks regularly experienced both targeted and opportunistic malicious cyber activity. During 2022–23, ASD responded to 143 incidents reported by entities who self-identified as critical infrastructure, an increase from the 95 incidents reported in 2021–22. The vast majority of these incidents were low-level malicious attacks or isolated compromises.
The main cyber security incident types affecting Australian critical infrastructure were:
- compromised account or credentials
- compromised asset, network or infrastructure
These incident types accounted for approximately 57 per cent of the incidents affecting critical infrastructure for 2022–23. Other more prominent incident types were data breaches followed by malware infection.
ASD encourages critical infrastructure entities to report anomalous activity early and not wait until malicious activity reaches the threshold for a mandatory report. Reporting helps piece together a picture of the cyber threat landscape, and informs ASD’s cyber security alerts and advisories for the benefit of all Australian entities.
Critical infrastructure networks have a broad attack surface
The interconnected nature of critical infrastructure networks, and the third parties in their ICT supply chain, increases the attack surface for many entities. This includes remote access and management solutions, which are increasingly present in critical infrastructure networks.
Operational technology (OT) and connected systems, including corporate networks, will likely be of enduring interest to malicious cyber actors. OT can be targeted to access a corporate network and vice versa, potentially allowing malicious cyber actors to move laterally through systems to reach their target. Even when OT is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.
Systems where software or hardware are not up to date with the latest security mitigations are vulnerable to exploitation, particularly when these systems are exposed to the internet. ICT supply chain and managed service providers are another avenue malicious cyber actors can exploit.
Explainer 1: Operational technology
OT makes up those systems that detect or cause a direct change to the physical environment through the monitoring or control of devices, processes, and events. OT is predominantly used to describe industrial control systems (ICS), which include supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS).
Australian critical infrastructure providers often operate over large geographical areas and require interconnection between dispersed OT environments. Separately, remote access to OT environments from corporate IT environments and the internet has become standard operating procedure. Remote access allows engineers and technicians to remotely manage and configure the OT environment. However, this interconnection or remote access requires an internet connection, which creates additional cyber security risks to OT environments.
In April 2023, irrigation systems in Israel were reportedly disrupted when the ICS supporting the automated water controllers were compromised. Israel’s National Cyber Organisation was able to warn many farmers to disconnect their remote control option for the irrigation systems, so the disruption was minimal. Being able to disconnect from remote control also highlights the value of a manual override mechanism in some instances.
Next-generation OT is expected to contain built-in remote access and security features, which could address some of the issues related to remote access and internet exposure. ASD continues to advise entities to prioritise secure-by-design and secure-by-default products in procurements, and take a risk-based approach to managing risks associated with new technologies or providers. Good cyber security practices will be particularly important during a transition to new technologies.
At cyber.gov.au, ASD has published a range of cyber security guides for OT and ICS, and also principles and approaches to secure-by-design and default.
In focus: food and grocery sector
The food and grocery sector covers a broad supply chain including processing, packaging, importing, and distributing food and groceries. Food and grocery manufacturing is Australia’s largest manufacturing sector, comprising over 16,000 businesses and representing around 32 per cent of all manufacturing jobs. Food and grocery organisations are an attractive target for malicious cyber actors as this sector’s provision of essential supplies has little tolerance for disruption.
The sector’s complex supply chains and growing online sales mean food and grocery organisations have a large attack surface. The sector is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems. Additionally, many entities in this sector hold sensitive data that may be of value to malicious cyber actors, such as personal information or intellectual property.
Like other manufacturing entities, food and grocery organisations have increasingly adopted just-in-time inventory and delivery chains in pursuit of greater efficiency and reduced waste. This means the food and grocery sector is also vulnerable if a supplier is affected by a cyber incident that disrupts services.
Large entities in this sector may be targeted based on the view that they can be extorted for large sums of money. Smaller entities may be perceived as having lower cyber security maturity, and may be used to access more lucrative targets in their supply chain. Malicious cyber actors may seek to remain undetected on systems to establish a secure foothold and then move to other systems within a business to exfiltrate data or maintain a presence for future malicious activity.
A cyberattack against entities in this sector could have significant impacts for both the victim organisation and its customers. For example, a ransomware attack that locks systems could halt production and delivery, rendering a business unable to fulfil its orders. The second order impacts of this could be costly – including lost revenue, or lost confidence from business partners and customers alike.
Early detection of malicious activity is vital for mitigating cyber threats. It can take time to discover a compromised network or system, so robust and regular monitoring is essential. Likewise, practised incident response plans and playbooks should form part of broader corporate and cyber plans to aid remediation and minimise the impact of a compromise. Entities in this sector should seek secure-by-design and secure‑by-default products wherever possible to boost their cyber security posture.
A comprehensive list of resources for critical infrastructure is available at cyber.gov.au, including guidance for cyber incident response and business continuity plans.
Case study 3: Global food distributor held to ransom
In February 2023, Dole – one of the world’s largest producers and distributors of fruit and vegetables – was a victim of a ransomware incident, resulting in a shut down of its systems throughout North America. Other reported impacts included some product shortages, a limited impact on operations, and theft of company data – including some employee information. While Dole acted swiftly to minimise the impacts of the incident, it still reported USD $10.5 million in direct costs, and faced reputational damage.
Explainer 2: Effective separation
Separating network segments can help to isolate critical network elements from the internet or other less sensitive parts of a network. This strategy can make it significantly more difficult for malicious cyber actors to access an organisation’s most sensitive data, and can aid cyber threat detection.
In 2022–23, ASD observed that effective separation through network segmentation and firewall policies prevented malware from impacting an Australian critical infrastructure provider. Additionally, through effective separation an Australian critical infrastructure provider prevented the deployment of malware from a contractor’s USB drive onto their OT environment.
Network separation is more than just a logical or physical design decision: it should also consider where system administration and management services are placed. Often, the corporate IT network is separated from the OT environment, because the corporate IT network is usually seen as having a higher risk of compromise due to its internet connectivity and services like email and web browsing.
However, if a malicious cyber actor compromises the corporate IT network and gains greater access privileges, then the corporate IT firewall may no longer provide the desired level of protection for the OT environment. This similarly applies if the Active Directory (AD) Domain for the OT environment is inside an AD Forest administered from the corporate IT network.
Critical infrastructure operators should regularly assess the risk of insufficient separation of system administrative and management role assignments. For example, in scenarios where the virtualisation of OT infrastructure or components is managed by privileged accounts from a corporate domain, if the corporate environment was to become compromised then the OT environment would potentially be impacted and those necessary privileged IT accounts may not be accessible.
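One way to run the assessment described above over an export of privileged role assignments, as an added example that is not part of ASD's report. All domain, forest, account and asset names are constructed, and the mapping of forests to the zone that administers them is an assumption the operator would supply.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed topology: which forest each AD domain sits in, and which zone
# administers that forest. "ot.corp.example" is an OT domain inside the
# corporate forest, the situation the explainer warns about.
DOMAIN_FOREST = {
    "corp.example": "corp.example",
    "ot.corp.example": "corp.example",
    "plant.example": "plant.example",
}
FOREST_ADMIN_ZONE = {"corp.example": "IT", "plant.example": "OT"}
LOCAL = "local"  # device-local account, e.g. a break-glass login


@dataclass(frozen=True)
class Assignment:
    account: str
    account_domain: str  # AD domain name, or LOCAL
    target: str          # asset being administered
    target_zone: str     # "OT" or "IT"
    privileged: bool


def corporate_controlled(domain: str) -> bool:
    """True if compromising corporate IT gives control of accounts in `domain`."""
    if domain == LOCAL:
        return False
    forest = DOMAIN_FOREST.get(domain)
    # Fail closed: an unmapped domain or forest is treated as corporate-controlled.
    return FOREST_ADMIN_ZONE.get(forest, "IT") == "IT"


def audit_ot_separation(assignments: List[Assignment]) -> Dict[str, dict]:
    """For each OT asset, report admin paths that depend on corporate IT.

    status:
      separated            - no privileged path from a corporate-controlled domain
      exposed              - corporate compromise reaches the asset, but an
                             independent privileged account remains usable
      exposed_and_stranded - corporate compromise reaches the asset and no
                             independent privileged account exists
    """
    report: Dict[str, dict] = {}
    for a in assignments:
        if a.target_zone != "OT" or not a.privileged:
            continue
        entry = report.setdefault(a.target, {"corporate": [], "independent": []})
        key = "corporate" if corporate_controlled(a.account_domain) else "independent"
        entry[key].append(f"{a.account_domain}\\{a.account}")
    for entry in report.values():
        if not entry["corporate"]:
            entry["status"] = "separated"
        elif entry["independent"]:
            entry["status"] = "exposed"
        else:
            entry["status"] = "exposed_and_stranded"
    return report


# Constructed role-assignment export.
ASSIGNMENTS = [
    # OT virtualisation host managed only from the corporate domain.
    Assignment("virt-admin", "corp.example", "ot-hypervisor-01", "OT", True),
    # Historian: OT domain inside the corporate forest, plus a local fallback.
    Assignment("hist-admin", "ot.corp.example", "scada-hist-01", "OT", True),
    Assignment("breakglass", LOCAL, "scada-hist-01", "OT", True),
    # Gateway administered from a standalone OT forest.
    Assignment("ot-eng", "plant.example", "plc-gw-01", "OT", True),
    # Read-only corporate access and IT assets are not privileged OT paths.
    Assignment("report-svc", "corp.example", "plc-gw-01", "OT", False),
    Assignment("it-admin", "corp.example", "fileserver-01", "IT", True),
]

if __name__ == "__main__":
    for asset, entry in sorted(audit_ot_separation(ASSIGNMENTS).items()):
        print(f"{asset:<18} {entry['status']:<22} via {entry['corporate']}")
```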
Case study 4: Horizon Power working with ASD
Western Australian energy provider Horizon Power distributes electricity across the largest geographical catchment of any Australian energy provider – around 2.3 million square kilometres, or roughly an area 4 times bigger than France. It operates a diverse range of OT and ICT infrastructure to manage around 8,300 kilometres of transmission lines and deliver power to more than 45,000 customers.
In early 2023, Horizon Power partnered with ASD to conduct a range of activities to help examine and test its cyber security posture and controls. Horizon Power’s security team worked side-by-side with ASD’s experts to help improve threat detection, security event triage and response; practice forensic artefact collection; and enhance security communication across the enterprise. The activities have helped to improve both the speed and the quality with which Horizon Power can respond to and manage cyber incidents, including sharing cyber threat intelligence with ASD.
Horizon Power Senior Technology Manager Jeff Campbell said engaging ASD was easy, there were clear objectives, and the network assessments were excellent. ‘Long past are the days of holding cards to our chest. Sharing information is really important across multiple industries and sectors. To improve security, you need to find out what you don’t know.’
Mr Campbell said having ASD onsite helped to test many assumptions about the company’s network security, like its segmentation practices and vulnerability management. ‘The engagement highlighted the importance of getting visibility over systems, and also helped to demonstrate that effective cyber security is vital to helping mitigate business risks.’
Learn more about the open, collaborative partnership between Horizon Power and the Australian Signals Directorate that enabled Horizon Power to bolster its cyber security controls.
Building cyber resilience in critical infrastructure
Malicious cyber activity against Australian critical infrastructure is likely to increase as networks grow in size and complexity. Critical infrastructure organisations can do many things to reduce the attack surface, secure systems, and protect sensitive data to help ensure Australia’s essential services remain resilient. For example, they can:
- Follow best practice cyber security, like ASD’s Essential Eight, or equivalent framework as required for a critical infrastructure risk-management program.
- Thoroughly understand networks, map them, and maintain an asset registry to help manage devices on all networks, including OT. Consider the security capabilities available on devices as part of routine architecture and asset review, and the most secure approach to hard-coded passwords.
- Scrutinise the organisation’s ICT supply chain vulnerabilities and risks.
- Prioritise secure-by-design or secure-by-default products. Consider the security controls of any new software, hardware, or OT before it is purchased, and understand vendor support for future patches and ongoing security costs. Build cyber security costs into budgets for the entire lifecycle of the product, including the product’s replacement.
- Understand what is necessary to keep critical services operating and protect these systems as a priority. Ensure OT and IT systems can be, or are, segmented to ensure the service is able to operate during a cyber incident.
- Treat a cyber incident as a ‘when’ not ‘if’ scenario in risk and business continuity planning, and regularly practice cyber incident response plans.
- Maintain open communication with ASD. ASD has a number of programs to support critical infrastructure, including cyber uplift activities and cyber threat intelligence sharing.
- Follow ASD’s cyber security publications tailored for critical infrastructure entities available at cyber.gov.au.
Explainer 3: The Trusted Information Sharing Network
The Department of Home Affairs’ Trusted Information Sharing Network (TISN) takes an all-hazards approach to help build security and resilience for organisations within the Australian critical infrastructure community. To rapidly and flexibly address current and future threats to Australia’s security, the TISN allows for all levels of government and industry to connect and collaborate.
Since launching the TISN platform in 2022, the network has been vital in amplifying key messages and information to members, facilitating sector group meetings and contributing to the weekly Community of Interest meetings to inform members of current data breaches, cyber threats, and technical advice available from ASD.
Explainer 4: Resilience in financial services
CPS 230 Operational Risk Management
Events of recent years have demonstrated the critical importance of financial institutions being able to manage and respond to operational risks, evident for example in the challenges of the COVID-19 pandemic, technology risks and natural disasters. Sound operational risk management is fundamental to financial safety and system stability.
To ensure that all APRA-regulated entities in Australia are well placed to manage operational risk and respond to business disruptions when they inevitably occur, on 17 July 2023, APRA released the new Prudential Standard CPS 230 Operational Risk Management (CPS 230).
CPS 230 encompasses operational risk controls and monitoring, business continuity planning and the management of third-party service providers. The aim of the standard is to:
- strengthen operational risk management with new requirements to address weaknesses that have been identified in existing practices of APRA-regulated entities. This includes requirements to maintain and test internal controls to ensure they are effective in managing key operational risks
- improve business continuity planning to ensure that APRA-regulated entities are ready to respond to severe business disruptions, and maintain critical operations such as payments, settlements, fund administration and claims processing. It is important that all APRA-regulated entities are able to adapt processes and systems to continue to operate in the event of a disruption and set clear tolerances for the maximum level of disruption they are willing to accept for critical operations
- enhance third-party risk management by extending requirements to cover all material service providers that APRA-regulated entities rely upon for critical operations or that expose them to material operational risk, rather than just those that have been outsourced.
The new standard also aims to ensure that APRA-regulated entities are well positioned to meet the challenges of rapid change in the industry and in technology more generally.
CPS 234 Information Security
As part of APRA’s Cyber Security Strategy, all regulated entities are required to engage an independent auditor to perform an assessment against CPS 234, APRA’s Information Security Prudential Standard. This is the largest assessment of its kind conducted by APRA.
By the end of 2023, more than 300 banks, insurers and superannuation trustees will have completed their assessment. Early insights, from the assessments completed so far, have identified a number of common weaknesses across the industry, including:
- incomplete identification and classification for critical and sensitive information assets
- limited assessment of third-party information security capability
- inadequate definition and execution of control testing programs
- incident response plans not regularly reviewed or tested
- limited internal audit review of information security controls
- inconsistent reporting of material incidents and control weaknesses to APRA in a timely manner.
A summary of these findings, along with guidance to address gaps, has been shared in a recent APRA Insight Article – Cyber Security Stocktake Exposes Gaps. Entities are encouraged to review the common weaknesses identified and incorporate relevant strategies and plans to address shortfalls in their own cyber security controls, governance policies and practices. APRA will continue to work with entities that do not sufficiently meet CPS 234 requirements, to lift the benchmark for cyber resilience across the financial services industry.
Chapter 3: State actors
- State cyber actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains as part of ongoing cyber espionage and information‑gathering campaigns. They do not just want state secrets; businesses also hold valuable and sensitive information.
- Some state actors are willing to use cyber capabilities to destabilise and disrupt systems and infrastructure. They may preposition on networks of strategic value for future malicious activities.
- Government and industry partnerships are vital in boosting national cyber security and resilience against cyberattacks by state actors.
The global and regional strategic environment continues to deteriorate, which is reflected in the observable activities of some state actors in cyberspace. In this context, these actors are increasingly using cyber operations as the preferred vector to build their geopolitical competitive edge, whether it is to support their economies or to underpin operations that challenge the sovereignty of others. In the Australian Security Intelligence Organisation’s Annual Report 2021–22, espionage and foreign interference was noted to have supplanted terrorism as Australia’s principal security concern.
Some states are willing to use cyber capabilities to destabilise or disrupt economic, political and social systems. Some also target critical infrastructure or networks of strategic value with the aim of coercion or prepositioning on a network for future disruptive activity.
State actors have an enduring interest in obtaining information to develop a detailed understanding of Australians and exploit this for their advantage. While government information is an attractive target for state actors seeking strategic insights into Australia’s national policy and decisions, many Australian businesses also hold sensitive and valuable data such as proprietary information, research, and personal information. Unlike cybercriminals who may post stolen data in public forums, state actors usually try to keep their activities covert – seeking to remain unnoticed, both when they are on an entity’s network and after a compromise.
State actors use various tools and techniques
In some cases, state actors may develop bespoke tools and techniques to fulfil their operational aims. In May 2023, ASD released a joint cyber security advisory with its international partners on the Snake implant – a cyber espionage tool designed and used by Russia’s Federal Security Service (FSB) for long-term intelligence collection on high-priority targets around the globe. Shortly after, Australia co-badged another joint cyber security advisory with international partners that outlined malicious cyber activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor.
Case study 5: Advisory – People’s Republic of China state-sponsored cyber activity
In May 2023, ASD joined international partners in highlighting a recently discovered cluster of activity associated with a PRC state-sponsored cyber actor, also known as Volt Typhoon. The campaign involved ‘living-off-the-land’ techniques – using built-in operating tools to help blend in with normal system and network activities. Private sector partners identified that this activity affected networks across US critical infrastructure sectors. However, the same techniques could be applied against critical infrastructure sectors worldwide, including in Australia.
ASD published the People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection advisory on cyber.gov.au and hosted numerous events to brief its Network Partners. For help to implement the advisory – call 1300 CYBER1 (1300 292 371).
Even when state actors have access to more advanced capabilities, they can use common tools and techniques to avoid the discovery of their best capabilities. For example, state actors continue to use relatively well-known tactics, such as exploiting unpatched or misconfigured systems and spear phishing.
The threat of state actor cyber operations is very real
State actors will likely continue to target government and critical infrastructure, as well as connected systems and their supply chains, as part of ongoing cyber espionage and information-gathering campaigns. Significant disruptive and destructive activities could occur if there were a major deterioration in Australia’s geopolitical environment. It is clear that preventative cyber security measures – such as implementing cyber security essentials, information-sharing and national cyber cooperation – are by far the best ways to help secure Australian networks.
In focus: Russia’s war on Ukraine
Cyber operations have been used alongside more conventional military activities during Russia’s war on Ukraine. Both Russia and Ukraine have faced many cyberattacks that impacted their societies, with extensive targeting of government and critical infrastructure networks.
Cyberattacks that began before the invasion of Ukraine have continued into 2023. Between January 2022 and the first week of February 2023, the Computer Emergency Response Team-Europe (CERT-EU) identified and analysed 806 cyberattacks associated with Russia’s war on Ukraine.
There has been extensive cyber targeting of Ukrainian networks across many sectors, including finance, telecommunications, energy, media, military and government. Ukraine has faced ransomware, denial‑of‑service (DoS) attacks, and mass phishing campaigns against critical infrastructure, government departments, officials and private citizens.
Russia has also been subject to cyber operations. Russian authorities have reported some of its federal agencies’ websites, including its energy ministry, were compromised by unknown attackers in a supply chain attack. Cyberattacks against Russia have tended to target entities related to the government, military, banking, logistics, transport and energy sectors.
Cyberattacks in Europe associated with Russia’s war on Ukraine
Figure 3: Countries impacted by cyberattacks associated with Russia’s war on Ukraine
Cyber operations have enabled a borderless conflict
Cyber operations associated with Russia’s invasion have affected entities in multiple countries during the first year of the conflict, including the European Parliament, European governments, the Israeli Government, and hospitals in the Netherlands, Germany, Spain, the US, and the UK. Many of these countries have linked the attacks to pro-Russian groups. For example, pro-Russian hacktivists, KillNet, have claimed a number of attacks such as the February 2023 DoS attack on numerous German websites, including those for German airports, public administration bodies, financial sector organisations, and other private companies. Belarus also reported its railway network was disrupted by a cyberattack, allegedly as retaliation for its use in transporting Russian troops. In some cases, Australia-based operations of European organisations have been impacted.
Many cyber actors are involved in the conflict in offence and defence
The mix of state and non-state cyber actors participating in Russia’s war on Ukraine has added to an already complex cyberspace domain. While state actors were on the ‘cyber front’, particularly during the earlier stages of the conflict, there was significant activity by hacktivists from around the globe as the conflict progressed. Regardless of whether a malicious cyber actor was a state, state-sponsored, or a non-state actor acting of their own volition, the scale and frequency of malicious cyber activity during the conflict has challenged cyber defenders on all sides. For example, at least 8 variants of destructive malware were identified in the first 6 weeks of the conflict, including wiper malware designed to erase data or prevent computers from booting.
Both state and non-state cyber actors have been on the offensive and defensive. Ukraine’s networks have been resilient and have largely withstood sustained cyberattacks. Ukraine has said this resilience is due to robust defences developed following previous cyberattacks, as well as partnerships with private sector IT companies. For example, with the support of private companies, Ukrainian government data was migrated to cloud infrastructure, which assured continuity of government services. Private companies also rapidly released threat intelligence, like indicators of compromise, to assist cyber defenders to repel network attacks.
Threat intelligence that might impact Australian entities is obtained by ASD through international partners and shared through cyber.gov.au and ASD’s Cyber Security Partnership Program.
Cyber operations can cause disruption and destruction in conflict
While the conflict remains ongoing, there are many lessons Australia can learn from Russia’s war on Ukraine. The world is witnessing the destructive impact of cyber operations during conflict, or in the pursuit of a state’s national interests, and how a broad range of critical infrastructure can be disrupted as a result of malicious cyber activity. It also demonstrates the impact non-state participants can have in modern conflict. The conflict has exemplified how government and industry partnerships are critical to boosting national cyber security and resilience.
Case study 6: The CTIS community at work – KillNet
The Cyber Threat Intelligence Sharing (CTIS) platform, operated by ASD, was developed with industry, for Australian Government and industry partners to build a comprehensive national threat picture and empower entities to defend their networks. CTIS allows participating entities to share indicators of compromise (IOCs) bilaterally at machine speed. Participating entities can use these IOCs to identify and block activity on their own networks, and share IOCs observed on their own networks with other CTIS partners.
The number of partners using CTIS increased seven-fold over 2022–23:
- in July 2022 there were 32 CTIS partners (18 consuming, 14 contributing)
- in June 2023 there were 252 CTIS partners (165 consuming, 87 contributing)
- by the end of FY 2022–23, CTIS shared 50,436 pieces of cyber threat intelligence
- as of 2023, ASD is progressing a further 313 candidate organisations for on-boarding.
In March 2023, a CTIS partner shared almost 1,000 IP addresses relating to a distributed denial-of-service (DDoS) attack on an Australian organisation. The partner linked the DDoS attack to the malicious cyber actor KillNet, a well-known pro-Russian hacktivist group. Since Russia’s war on Ukraine began, KillNet’s focus had been primarily Europe; however, recent trends suggest a shift to countries abroad, including Australia and its critical infrastructure.
CTIS partner contributions help participants defend their networks, and inform ASD’s understanding of threat actors, their motives and their tactics, techniques, and procedures. This information also helps ASD to identify trends within and across sectors.
For more information on CTIS, visit cyber.gov.au and become a Network Partner. Existing Network Partners can register their interest in accessing CTIS by either clicking on the ‘Register your interest’ button via the ASD Partnership Portal, or by contacting [email protected].
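The case study describes partners using shared IP indicators to identify and block activity on their own networks. The following is an added example, not ASD or CTIS code: it assumes a plain-text indicator list and a web access log whose first field is the client address, and all names, addresses and log lines are constructed. It vets indicators before acting on them, then counts log hits.

```python
import ipaddress
import re
from collections import Counter

# Constructed indicator list; addresses are documentation or private ranges.
SHARED_IOCS = """\
# source addresses reported for a DDoS (constructed sample)
203.0.113.7
203.0.113.64/26
198.51.100.23
192.0.2.0/24
10.0.0.0/8
not-an-ip
"""

# Constructed: address space the organisation itself uses and must not block.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed web access log lines (client address is the first field).
ACCESS_LOG = """\
203.0.113.7 - - [01/Jan/2024:02:14:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:02:14:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.90 - - [01/Jan/2024:02:14:02 +0000] "GET /search?q=a HTTP/1.1" 200 9120
198.51.100.23 - - [01/Jan/2024:02:14:02 +0000] "GET / HTTP/1.1" 503 0
198.51.100.200 - - [01/Jan/2024:02:14:03 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.15 - - [01/Jan/2024:02:14:04 +0000] "POST /api/order HTTP/1.1" 201 64
"""

CLIENT_FIELD = re.compile(r"^(\S+)\s")


def load_indicators(text):
    """Parse IPs and CIDRs; return (networks, rejected malformed entries)."""
    networks, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def vet(networks, own_networks, min_prefix=24):
    """Split indicators into those safe to act on and those needing review.

    An indicator goes to review if it is broader than min_prefix (IPv4) or
    overlaps the organisation's own address space.
    """
    usable, review = [], []
    for net in networks:
        too_broad = net.version == 4 and net.prefixlen < min_prefix
        hits_own = any(net.version == own.version and net.overlaps(own)
                       for own in own_networks)
        (review if too_broad or hits_own else usable).append(net)
    return usable, review


def match_log(log_text, networks):
    """Count log lines per client address that falls inside an indicator."""
    hits = Counter()
    for line in log_text.splitlines():
        found = CLIENT_FIELD.match(line)
        if not found:
            continue
        try:
            client = ipaddress.ip_address(found.group(1))
        except ValueError:
            continue                      # hostname or garbage in first field
        if any(client.version == net.version and client in net
               for net in networks):
            hits[str(client)] += 1
    return hits


if __name__ == "__main__":
    nets, bad = load_indicators(SHARED_IOCS)
    usable, review = vet(nets, OWN_NETWORKS)
    print("rejected entries:", bad)
    print("held for analyst review:", [str(n) for n in review])
    for client, count in match_log(ACCESS_LOG, usable).most_common():
        print(f"{client}\t{count} request(s) matched a shared indicator")
```
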
Chapter 4: Cybercrime
- Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims.
- Ransomware remains the most destructive cybercrime threat to Australians, but is not the only cybercrime. Business email compromise (BEC), data theft, and denial-of-service (DoS) continue to impose significant costs on all Australians.
- Building a national culture of cyber literacy, practicing good cyber security hygiene, and remaining vigilant to cybercriminal activity – both at work and at home – will help make it harder for cybercriminals to do business.
Cybercrime is big business and causes harm
Cybercrime is a multibillion-dollar industry that threatens the wellbeing and security of every Australian. Cybercrime covers a range of illegal activities such as data theft or manipulation, extortion, and disruption or destruction of computer-dependent services. In 2022–23, cybercrime impacted millions of Australians, including individuals, businesses and governments. These crimes have caused harm and continue to impose significant costs on all Australians.
The Australian Institute of Criminology (AIC) found, in its Cybercrime in Australia 2023 report, that individual victims and small-to-medium businesses experience a range of harms from cybercrime that extend beyond financial costs, such as impacts to personal health and legal issues. Cybercrime remains significantly underreported in Australia. The AIC’s report revealed that two-thirds of survey respondents had been victims of cybercrime in their lifetimes.
ASD needs community assistance to understand the cyber threat landscape. Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber. ReportCyber is the Australian Government’s online cybercrime reporting tool coordinated by ASD and developed as a national initiative with state and territory police. ReportCyber may link Australians to other Australian Government entities for further support.
Cybercrime in 2022–23
The number of extortion-related cyber security incidents ASD responded to increased by around 8 per cent compared to last financial year.
Over 90 per cent of these incidents involved ransomware or other forms of restriction to systems, files or accounts.
ASD responded to 79 cyber security incidents involving DoS and DDoS, which is more than double the 29 incidents reported to ASD last financial year.
Cybercrime reports by state and territory
Australia’s more populous states continue to report more cybercrime. Queensland and Victoria report disproportionately higher rates of cybercrime relative to their populations. However, the highest average reported losses were by victims in New South Wales (around $32,000 per cybercrime report where a financial loss occurred) and the Australian Capital Territory (around $29,000).
Figure 4: Breakdown of cybercrime reports by jurisdiction for FY 2022–23
Note: Approximately one per cent of reports come from anonymous reporters and other Australian territories. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.
How criminals monetise access
Profit-driven cybercriminals continually seek new ways to maximise payment and minimise their risk, including by changing their tactics and techniques to mask their actions and extract payment from victims. Their targeting is largely opportunistic but can also be aimed at specific entities or individuals.
The professionalisation of the cybercrime industry means cybercriminals have been able to increase the scale and profitability of their activities. For example, initial access brokers sell their services and accesses to other malicious cyber actors who then use techniques, such as ransomware or data-theft extortion, to target victims. The accessibility of criminal marketplaces has also lowered the bar for entry into cybercrime, which has made cybercrime more accessible to a wide range of actors.
To gain initial access, cybercriminals may send multiple malicious links to a broad list of people (known as a phishing campaign), or scan for unpatched and misconfigured systems. Once they compromise a network, they may seek to move laterally through the network to gain access to higher-value systems, information or targets.
Cybercriminals may draw on a number of techniques to extract payment from victims, including employing multiple techniques at once – known as double or multiple extortion. While ransomware is a well-known technique, cybercriminals can monetise access to compromised data or systems in many different ways. They may scam a business out of money or goods, extort victims in return for decrypting data or non‑publication of data, on-sell compromised data or systems access for profit, or exploit compromised data or systems for future use.
Social engineering: how criminals get a foothold
Social engineering is a way in which cybercriminals can gain unauthorised access to systems or data by manipulating a person. They may do this by creating a sense of urgency or desire to help, or by impersonating a trusted source to convince a victim to click on a malicious link or file, or reveal sensitive information through other means – such as over the phone.
Phishing is one of the most common and effective techniques used by cybercriminals to gain unauthorised access to a computer system or network, and this activity may be indiscriminate or targeted. Once a victim engages with the malicious link or file, they may be prompted to provide personal details, or malware may run on their device to covertly retrieve this information. Cybercriminals may then use this information to steal money or goods, or leverage this information to access other accounts and systems of higher value.
Australians are becoming more aware of techniques dependent on social engineering, like phishing, but more can be done to build resilience:
- think twice before clicking on links from unsolicited correspondence
- verify the legitimacy of suspicious messages with the source via their official website or verified contact information, particularly if it is a request to transfer money or supply sensitive information. Visit the entity’s website directly, rather than via links in emails, SMS or other messaging services
- report unusual activity as quickly as possible to ReportCyber and Scamwatch
- educate staff on corporate-focused social engineering tactics and how to identify risk.
Explainer 5: Common cybercriminal techniques
Phishing is an attempt to trick recipients into clicking on malicious links or attachments to harvest sensitive information, like login details or bank account details, or to facilitate other malicious activity. Spear phishing is more targeted and tailored: cybercriminals may research victims using social media and the internet to craft convincing messages designed to lure specific victims.
Ransomware is a type of extortion that uses malware for data or system encryption. Cybercriminals encrypt data or a system and request payment in return for decryption keys. Ransomware-as-a-Service (RaaS) is a business model between ransomware operators and ransomware buyers known as ‘affiliates’. Affiliates pay a fee to RaaS operators to use their ransomware, which can enable affiliates with little technical knowledge to deploy ransomware attacks.
Data-theft extortion does not require data encryption, but cybercriminals will use extortion tactics such as threatening to expose sensitive data to extract payment. The added threat of reputational damage is intended to pressure a victim into complying with the malicious cyber actor’s demands.
Data theft and on-sale is when data is extracted for use by a cybercriminal for the purpose of on-selling the data (such as personal information, logins or passwords) for further criminal activity, including fraud and financial theft. Some malware known as an ‘infostealer’ can do this job for the cybercriminal.
Business email compromise (BEC) is a form of email fraud. Cybercriminals target organisations and try to scam them out of money or goods by attempting to trick employees into revealing important business information, often by impersonating trusted senders. BEC can also involve a cybercriminal gaining access to a business email address and then sending out spear phishing emails to clients and customers for information or payment.
Denial-of-service (DoS) is designed to disrupt or degrade online services, such as a website. Cybercriminals may direct a large volume of unwanted traffic to consume the victim network’s bandwidth, which limits or prevents legitimate users from accessing the website.
Ransomware is a destructive cybercrime
Ransomware remains the most destructive cybercrime threat in 2022–23 to Australian entities. ASD recorded 118 ransomware incidents – around 10 per cent of all cyber security incidents.
A quarter of the ransomware reports also involved confirmed data exfiltration, also known as ‘double extortion’, where the actor extorts the victim for both data decryption and the non-publication of data. Other ransomware actors claimed to have exfiltrated data, but it is difficult to validate these claims until data exfiltration is confirmed or the legitimacy of leaked data is confirmed.
Ransomware is deliberately disruptive, and places pressure on victims by encrypting and denying access to files. A ransom, usually in the form of cryptocurrency, is then demanded to restore access. This can inhibit entities, particularly those that rely on computer systems to operate and undertake core business functions.
Customers may also be impacted if they rely on the goods or services from that entity, or if their data is impacted. For example, in January 2023, cybercriminals reportedly compromised the postal service in the UK, encrypting files and disrupting international shipments for weeks. In other instances, ransomware incidents have had cascading impacts, sparking panic buying, fuel shortages, and medical procedure cancellations.
ASD advises against paying ransoms. Payment following a cybercrime incident does not guarantee that the cybercriminals have not already exfiltrated data for on-sale and future extortion.
ASD’s incident management capabilities provide technical incident response advice and assistance to Australian organisations. Further information can be found in the How the ASD's ACSC Can Help During a Cyber Security Incident guide.
Case study 7: Ransomware in Australia
In late 2022, an Australian education institution was impacted by the Royal ransomware, which is likely associated with Russian-speaking cybercrime actors. Royal ransomware restricts access to corporate files and systems through encryption. Notably, it uses a technique called ‘callback phishing’, which tricks a victim into returning a phone call or opening an email attachment that persuades them to install malicious remote access software.
When the institution detected the ransomware, it shut down some of its IT systems to stop the spread, which resulted in limited service disruption. An investigation revealed that a limited amount of personal information of both students and staff was compromised. The institution notified affected individuals and reminded them to remain vigilant for suspicious emails or communication. The institution also advised all students and staff to reset their passwords and introduced an additional verification process for remote users.
An ICT manager from the institution said downtime from the incident was minimal due to an effective business continuity plan and access to regular backups, which were unaffected by encryption. After the incident, the institution began moving toward more secure data storage methods.
The ICT manager said the incident highlighted how ubiquitous data is in an enterprise environment. ‘There were no crown jewels affected, so to speak. Important data was spread across the network. This incident taught us some lessons in relation to account management, and the regular review and archival of data’.
In January 2023, ASD published to cyber.gov.au the Royal Ransomware Profile, which describes its tactics, techniques and procedures and outlines mitigations. The ransomware profile was informed by cyber threat intelligence that the education institution shared with ASD.
Sectors impacted by ransomware-related cyber security incidents
The professional, scientific and technical services sector reported ransomware-related cyber security incidents most frequently to ReportCyber in 2022–23, followed by the retail trade sector, then the manufacturing sector. These 3 sectors accounted for over 40 per cent of reported ransomware-related cyber security incidents.
Table 5: Top 5 sectors reporting ransomware-related incidents in FY 2022–23 (ReportCyber data)
Entities should consider how a ransomware incident could impact their business and their customers. To help prevent a ransomware attack, it is important to secure devices by turning on multi-factor authentication (MFA), implementing access controls, performing and testing frequent backups, regularly updating devices, and disabling Microsoft Office macros. It is also equally important to practice incident response plans to minimise the impact in the event of a successful ransomware incident.
Business email compromise is lucrative
BEC is an effective and lucrative technique that exploits trust in business processes and relationships for financial gain. Cybercriminals can compromise the genuine email account of a trusted sender, or impersonate a trusted sender, to solicit sensitive information, money or goods from business partners, customers or employees.
For example, a cybercriminal may gain access to the email account of a business and send an invoice with new bank account details to a customer of that business. The customer pays the invoice using the fraudulent bank account details provided by the cybercriminal, which is often thousands of dollars. A compromised business may only detect BEC once a customer has paid cybercriminals.
In 2022–23, the total self-reported BEC losses to ReportCyber were almost $80 million. There were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.
Before replying to requests seeking money or personal information, look out for changes such as a new point-of-contact, email address or bank details. Simple things like calling an existing contact or the trusted sender to verify a request for money or change of payment details can help to prevent BEC.
Explainer 6: Business email compromise advice
Organisations should implement clear policies and procedures for workers to verify and validate requests for payment and sensitive information. Additionally:
- Register additional domain names to prevent typo-squatting – cybercriminals may create misleading domain names based on common typographic errors of a website, hoping its customers do not notice. Further information on Domain Name System Security for Domain Owners is available at cyber.gov.au.
- Set up email authentication protocols for business domains – this helps prevent email spoofing attacks so that cybercriminals cannot wear a ‘digital mask’ pretending to be legitimate.
ASD has published the Preventing Business Email Compromise guide to help Australian organisations understand and prevent BEC.
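The explainer recommends email authentication protocols without naming them. This added example, which is not from the ASD guide, assumes the protocols in question are SPF (RFC 7208) and DMARC (RFC 7489) and audits a domain's published records for how well they resist exact-domain spoofing. The records are constructed samples standing in for DNS TXT lookups on the domain and on _dmarc.<domain>; the function names are hypothetical.

```python
# Constructed sample records: domain -> (TXT records, _dmarc TXT records).
SAMPLES = {
    "example.com": (["v=spf1 include:_spf.example.net -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "example.org": (["v=spf1 ip4:192.0.2.0/24 ~all"], ["v=DMARC1; p=none"]),
    "example.net": (["v=spf1 +all"], []),
    "partial.example": (["v=spf1 mx -all"],
                        ["v=DMARC1; p=quarantine; pct=25"]),
}

ADVICE = {
    ("spf", "missing"): "publish an SPF record listing authorised senders",
    ("spf", "invalid"): "merge multiple SPF records into one",
    ("spf", "permissive"): "end the SPF record with -all or ~all",
    ("dmarc", "missing"): "publish a DMARC record at _dmarc.<domain>",
    ("dmarc", "invalid"): "fix the DMARC record so receivers can apply it",
    ("dmarc", "monitor-only"): "move from p=none to quarantine or reject",
    ("dmarc", "partial"): "raise pct to 100 so the policy covers all mail",
}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_status(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"            # more than one record is a permanent error
    terms = [t.lower() for t in spf[0].split()[1:]]
    for term in terms:              # the first 'all' decides unlisted senders
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "hardfail", "~": "softfail",
                    "?": "permissive", "+": "permissive"}[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"          # policy is defined by another record
    return "permissive"             # no 'all': unlisted senders are neutral


def dmarc_status(dmarc_records):
    """Classify the DMARC policy published at _dmarc.<domain>."""
    found = [r for r in dmarc_records
             if r.strip().lower().startswith("v=dmarc1")]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"            # receivers do not apply DMARC in this case
    tags = parse_tags(found[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"       # reports only, spoofed mail still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    return "enforced" if pct >= 100 else "partial"


def audit(domain, txt_records, dmarc_records):
    """Return statuses, a spoofing verdict and remediation advice."""
    spf, dmarc = spf_status(txt_records), dmarc_status(dmarc_records)
    keys = (("spf", spf), ("dmarc", dmarc))
    return {
        "domain": domain,
        "spf": spf,
        "dmarc": dmarc,
        # Only an enforced DMARC policy tells receivers to act on failures.
        "spoofing_blocked": dmarc == "enforced",
        "findings": [ADVICE[k] for k in keys if k in ADVICE],
    }


if __name__ == "__main__":
    for name, (txt, dmarc) in SAMPLES.items():
        result = audit(name, txt, dmarc)
        print(name, result["spf"], result["dmarc"], result["findings"])
```
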
Case study 8: Scams in Australia
In April 2023, the Australian Competition and Consumer Commission (ACCC) released its Targeting Scams report. The report, which compiles data reported to the ACCC’s Scamwatch, ReportCyber, the Australian Financial Crimes Exchange, IDCARE and other government agencies, provides insight into the scams that impacted Australians in 2022. The report also outlines some of the activities by government, law enforcement, the private sector and community to disrupt and prevent scams.
The Targeting Scams report revealed Australians lost over $3 billion to scams in 2022. This is an 80 per cent increase on total losses recorded in 2021.
Investment scams were the highest loss category ($1.5 billion), followed by remote access scams ($229 million) and payment redirection scams ($224 million).
The most reported contact method used by scammers was text message; however, scam phone calls accounted for the highest reported losses. The second highest reported losses were from social media scams.
Older Australians lost more money to scams than other age groups with those aged 65 and over losing $120.7 million, an increase of 47.4 per cent from 2021. First Nations Australians, Australians with disability, and Australians from culturally and linguistically diverse communities each experienced increased losses to scams when compared with data from 2021.
On 1 July 2023, the Government launched the National Anti-Scam Centre. The Anti-Scam Centre will expand on the work of the ACCC’s Scamwatch service and bring together experts from government agencies, the private sector, law enforcement, and consumer groups to make Australia a harder target for scammers.
Hacktivists are using cyberattacks to further their causes
Hacktivism is used to describe a person or group who uses malicious cyber activity to further social or political causes, rather than for financial gain.
These malicious cyber actors, which include issue-motivated groups, are typically less capable, less organised, and less resourced than other types of malicious cyber actors. That said, even rudimentary disruptive activity – such as website defacement, hijacking of official social media accounts, leaking information, or DoS – can cause significant harm, reputational damage, and operational impacts to targeted entities.
Like cybercriminals, hacktivists may leverage malicious tools and services online to gain new capabilities and improve their ability to degrade or disrupt services for their cause.
Case study 9: Australian critical infrastructure targeted by issue-motivated DDoS
In March 2023, ASD became aware of reports of issue-motivated groups (hacktivists) targeting Australian organisations. Open source reporting linked the targeting of over 70 organisations to religiously motivated hacktivists.
The malicious activity commenced on 18 March with the defacement of, and/or DDoS against, the websites and other internet-facing services of small-to-medium businesses. This progressed to DDoS activity targeting the websites of Australian critical infrastructure entities, with multiple hacktivist groups announcing support for the campaign and publishing ‘target lists’ across a variety of platforms.
ASD received several incident reports from organisations experiencing hacktivist activity, including critical infrastructure providers. However, there was no impact on critical infrastructure operations, as only public-facing websites were affected. ASD provided advice and support to organisations, including by identifying IP addresses related to the attacks. ASD also shared indicators of compromise with its Network Partners.
In addition to ASD support, critical infrastructure providers worked closely with commercial incident-response providers and their in-house incident-response teams. One critical infrastructure provider identified through open source research that a second DDoS attack was being planned against their servers.
To prevent this attack, administrators enabled geo-blocking – where traffic from specific geolocations known to be used by the malicious cyber actor was blocked – to limit malicious traffic. This simple tactic helped the organisation avoid a second attack. As a result, the organisation did not suffer from any additional downtime.
ASD urges organisations to report all incidents – even those with minimal impact on operations – to enhance national situational awareness, especially of coordinated malicious activity. Your report to ASD could help prevent or defend against an attack on other Australian networks.
Denial-of-service operations are designed to disrupt
DoS attacks disrupt or degrade online services such as websites and email, and are another tactic used by cybercriminals and hacktivists. This technique causes access or service disruption to the victim, sometimes to pressure them into payment or to highlight a cause.
In these attacks, an online service is overwhelmed by so many illegitimate requests that it loses capacity to serve real users. DoS can also be achieved by hijacking an online service to redirect legitimate users to other services controlled by malicious cyber actors. In some instances, DDoS attacks can use huge numbers of ‘zombie’ computers or bots (hijacked by malware), to direct large volumes of unwanted network traffic to a web service.
ASD recorded 79 DoS and DDoS cyber security incidents in 2022–23, with service availability partly or wholly denied for the victim in 62 of those incidents. The remainder of the incidents had no impact on the victim. Entities who maintained situational awareness of DoS threats and proactively implemented mitigations were reportedly less impacted by subsequent DoS.
Although entities cannot avoid being targeted, they can implement measures to prepare for and reduce the impact of a DoS attack. This includes using DDoS protection services and exercising incident response and business continuity plans.
Defence against cybercrime
Both individuals and organisations can take simple steps to help build their cyber security. Many of these steps can often prevent initial access by cybercriminals.
- enable multi-factor authentication (MFA) for online services when available
- use long unique passphrases for every account if MFA is not available, particularly for services like email and banking (password managers can assist with such activities)
- sign up for ASD’s free Alert Service
- review the cyber security posture of remote workers including their use of communication, collaboration and business productivity software
- implement relevant guidance from ASD’s Essential Eight Maturity Model, Strategies to Mitigate Cyber Security Incidents and Information Security Manual
ASD has published a range of guides at cyber.gov.au to support Australians and Australian organisations in building their cyber resilience, including how to defend against ransomware attacks, and how to detect socially engineered messages, phishing emails and texts.
Chapter 5: Cyber enabled data breaches
- During FY 2022–23, ASD received an increase in data breach reports as millions of Australians had their information compromised through significant data breaches.
- Malicious cyber actors stole data by using valid account credentials or by exploiting internet-facing applications.
- Sensitive data should be deleted or de-identified when it is no longer needed or required. Organisational policies and processes should consider how to protect gathered and generated data.
Data is valuable to malicious cyber actors as data and data flows underpin almost every modern technology and digital service. During 2022–23, millions of Australians had their private information compromised through significant data breaches, and some Australians were exposed to multiple breaches.
A data breach occurs when information is shared with, or is accessed by, an unauthorised person or third party. Isolation and remediation of the breach could cost millions of dollars. The complete recovery cost is hard to quantify, but could include losses due to productivity, legal action and reputational damage. An entity’s customers or staff could experience harm from a data breach if their private information is used by criminals for cyber or other fraud or scams, including identity theft. Protecting data, particularly sensitive personal information, is vital for the safety of the community, the prosperity of business, and the nation’s security.
Explainer 7: Vital data
Organisations should consider what data is vital to their operations, and individuals should consider what data might affect their privacy.
Data can take many forms such as personal information. Personal information includes a broad range of information, or an opinion, that could identify an individual. It can encompass things such as an individual’s name, date of birth, drivers licence or passport details, phone number, home address, health records, credit information, mobile device location history, and voiceprint and facial recognition details.
Other forms of data could include sensitive financial information, corporate emails, intellectual property and research, or strategic business plans. Network telemetry, endpoint security information and machine learning models also generate potentially useful information that malicious cyber actors can exploit.
Data breach incidents in Australia
During 2022–23, many data breaches reported to ASD involved cybercriminals stealing customer personal information from organisations to support extortion activities. Organisations should be aware that a data breach could be a precursor to the destruction or encryption of data.
Of the cyber security incidents recorded by ASD during 2022–23, 150 were data breaches, making up around 13 per cent of all incidents. Compared to 2021–22, this is up from 81 data breaches or 7 per cent of all incidents. Data breaches were the third most common incident type in 2022–23, behind compromised infrastructure (15.2 per cent) and compromised credentials (18.8 per cent).
Phishing, a tactic whereby a user is induced to open a malicious email attachment or to visit a compromised website, was commonly used to steal credentials. Malicious cyber actors also obtained credentials from unrelated cyberattacks and breaches. ASD’s incident data showed an extensive network compromise almost always occurred when a malicious cyber actor successfully accessed privileged accounts.
In 2022–23, ASD responded to a number of data breaches that involved common characteristics and intrusion chains. Broadly, these incidents demonstrated either:
- opportunistic intrusions involving a malicious actor exploiting a single internet-facing application or service which contained data. Actors typically used a ‘smash and grab’ technique to steal data directly from this single initial access vector
- complex intrusions involving a malicious actor demonstrating a wider variety of techniques after initial access as they escalated privileges, and moved laterally seeking data to exploit. These intrusions resulted in more extensive network compromise. Generally, incidents where malicious actors successfully compromised privileged accounts also resulted in more complex intrusions and extensive incidents.
Diving deeper into data breaches
ASD conducted a detailed analysis of data breach incidents between 1 November 2021 and 30 October 2022. Analysis revealed the average amount of data reported to have been exfiltrated during a breach was around 120 gigabytes, with the highest reported amount being around 870 gigabytes. Table 6 outlines the top information types exposed during a breach.
Table 6: Types of information stolen in data breaches
Note: some incidents included the breach of multiple types of information.
Different types of information may carry different risks. For example, health information is likely to be more sensitive than contact information and will require greater protection. Table 6 indicates contact information was breached most frequently, likely because this type of data is widely collected and has increased exposure.
During the same analysis period, 41 per cent of data breaches involved malicious cyber actors exploiting valid accounts and credentials to access cloud services, local systems, or entire networks. Malicious cyber actors commonly used brute-force attacks to take advantage of simple and re-used passwords to access accounts, or used phishing to obtain credentials.
Around 34 per cent of data breaches involved exploitation of internet-facing applications. Common vulnerabilities and exposures (CVEs) were often exploited, and so was human misconfiguration of devices like unsecured application programming interfaces, or common bugs and flaws in software; for example, insecure direct object references.
To help Australian organisations, the ASD has published the Preventing Web Application Access Control Abuse advisory.
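The insecure direct object reference flaw mentioned above, shown as a vulnerable lookup beside a hardened one, with a simple check for identifier enumeration in the denial log. This is an added example, not code from ASD or its advisory; the record store, account names and threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str      # account the record belongs to
    detail: str


# Constructed sample data standing in for a customer database table.
RECORDS = {
    1001: Record(1001, "alice", "alice's contact details"),
    1002: Record(1002, "bob", "bob's contact details"),
    1003: Record(1003, "carol", "carol's contact details"),
}


class NotFound(Exception):
    """Returned to the client for both missing and unauthorised objects."""


def get_record_vulnerable(session_user, record_id):
    # VULNERABLE (IDOR): the caller is authenticated, but the object is fetched
    # purely by the identifier in the request. Nothing ties it to session_user.
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record


def get_record_hardened(session_user, record_id, audit_log):
    # HARDENED: authorisation is checked server-side on every object access.
    record = RECORDS.get(record_id)
    if record is None or record.owner != session_user:
        # Record the denial for monitoring, and answer "not found" in both
        # cases so the response does not confirm which identifiers exist.
        audit_log.append((session_user, record_id))
        raise NotFound(record_id)
    return record


def enumeration_suspects(audit_log, threshold=3):
    """Accounts denied on at least `threshold` distinct record identifiers."""
    denied = defaultdict(set)
    for user, record_id in audit_log:
        denied[user].add(record_id)
    return sorted(user for user, ids in denied.items() if len(ids) >= threshold)
```
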
Figure 5: Anatomy of a data breach
To steal data from an organisation, malicious cyber actors will commonly exploit online services and internet-facing devices, or penetrate a network’s perimeter using stolen or easily guessed credentials. Once inside a network, malicious actors will often attempt to escalate their privileges, move laterally across a network to find data to steal and/or other systems to exploit, and then attempt to exfiltrate data back through the network perimeter.
Stolen data for nefarious use
Different malicious cyber actors have differing motivations for stealing data. For example, cybercriminals may use stolen data, particularly personal information, as a basis for identity theft or to conduct phishing campaigns for financial gain. State actors are also interested in personal information, among other data types, although this is more likely for espionage purposes rather than financial gain. Irrespective of motivation, the impacts of data breaches on victims are actor agnostic – Australians can be exposed to harm and organisations can experience losses.
Data stolen by cybercriminals typically ends up on dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors. For example, stolen credentials may end up with initial access brokers who specialise in dealing stolen usernames and passwords. Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear phishing, fraud, or to leverage that person to gain other privileged accesses and information.
Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion. A victim’s real name and home address can be difficult to change, unlike stolen credentials which are easily updated.
ASD has also received reports of cyber security incidents in which threat actors claimed to have exfiltrated data; however, subsequent investigations have not identified evidence of exfiltration. While a threat actor’s assertion of data exfiltration may be an attempt to elevate urgency or pressure affected entities, it remains important to thoroughly investigate evidence to support or counter the claim.
Case study 10: Operation GUARDIAN
On 28 September 2022, the Australian Federal Police’s Joint Policing Cybercrime Coordination Centre (JPC3) commenced Operation GUARDIAN to coordinate efforts to protect those at higher risk of financial fraud and identity theft as a result of the Optus data breach.
Since the Optus incident, Operation GUARDIAN has expanded to include the Medibank, MyDeal, Latitude, and the Go-Anywhere data breaches. Some breaches have resulted in the exposure of personal information and sensitive data of Australians.
The purpose of Operation GUARDIAN is to monitor, disrupt and prosecute any person misusing personal information exposed as a result of data breaches. It aims to deter criminals from using data for malicious purposes and to educate the public.
Operation GUARDIAN works with the public and private sectors to search the internet and known criminal online sites to identify exposed personal information and those who are attempting to buy or sell it.
Case study 11: Awareness and impact of data breaches in the Australian community
According to the Office of the Australian Information Commissioner’s Australian Community Attitudes to Privacy Survey (ACAPS) 2023, three-quarters (74 per cent) of Australians believe that data breaches are one of the biggest privacy risks they face today, and a quarter (27 per cent) said it is the single biggest risk to privacy in 2023.
Almost half (47 per cent) of Australians said they had been told by an organisation that their information was involved in a data breach in the prior year, and a similar proportion (51 per cent) know someone who was affected by a breach.
Three-quarters (76 per cent) of those whose data was involved in a breach said they experienced harm as a result. More than half (52 per cent) reported an increase in scams or spam texts or emails. There were 3 in 10 (29 per cent) who said they had to replace key identity documents, such as drivers licences or passports. Around 1 in 10 experienced significant issues such as emotional or psychological harm (12 per cent), financial or credit fraud (11 per cent) or identity theft (10 per cent).
Nearly half (47 per cent) of Australians said they would close their account or stop using a product or service provided by an organisation that experienced a data breach. However, most Australians are willing to remain with a breached organisation provided that organisation promptly takes action, such as quickly putting steps in place to prevent customers experiencing further harm from the breach (62 per cent) and making improvements to their security practices (61 per cent). Only 12 per cent of Australians said there is nothing an organisation could do that would influence them to stay after a data breach.
There are a range of ways organisations can protect personal information. A quarter (26 per cent) of Australians believe the most important step is for organisations to collect only the information necessary to provide the product or service. Australians view taking proactive steps to protect the information they hold as the second most important thing organisations can do (24 per cent).
The OAIC commissioned Lonergan Research to undertake ACAPS 2023. The survey was conducted in March 2023 with a nationally representative sample of 1,916 unique respondents aged 18 and older. To read the full report visit oaic.gov.au/acaps.
Mitigating data breaches
Implementing ASD’s Essential Eight, and the Open Web Application Security Project (OWASP) Top Ten Proactive Controls will help protect data by minimising the risks to systems and networks, online services and internet-facing devices. At least fortnightly, organisations should use an automated method to scan for security vulnerabilities and apply timely patches or mitigations to minimise risks. Other effective controls to help mitigate data breaches include:
- deploy multi-factor authentication (MFA) to mitigate stolen credential abuse
- enforce strong passphrase policy to secure accounts
- block internet-facing services that are not authorised to be internet-facing
- immediately decommission unnecessary systems and services
- configure server applications to run as a separate account with the minimum privileges to mitigate account abuse
- mandate user training to recognise phishing or social engineering attempts.
Encryption can further protect data that is stored or in transit between systems. For example, sensitive data about former customers that must be legally retained should be encrypted and stored offline, inaccessible to the internet. Data communicated between database servers and web servers, especially over the internet, are susceptible to compromise and should be encrypted. Further guidance about how organisations can protect data is contained within ASD’s Information Security Manual.
The most cyber resilient organisations have a well-thought-out and exercised cyber incident response plan that includes a data breach response plan or playbook. A robust plan will help organisations respond to a data breach, rapidly notify relevant organisations and individuals to minimise the risk of harm, restore business operations, comply with relevant obligations, and reduce the costs and potential reputational damage that may result from a breach.
Organisations should include a strategy for communicating with customers in their cyber incident response plan, and consider how to protect customers from, and assist with, the consequences of a breach. For example, organisations can inform their customers whether or not hyperlinks will be used in their communications after a breach – or at all – to help them avoid falling prey to phishing attempts.
ASD has published guidance on cyber.gov.au, such as the Guidelines for Database Systems, to help organisations enhance database security.
Chapter 6: Cyber resilience
- Cyber resilience is helping to ensure an entity is resistant to cyber threats. For enterprise, this includes organisation-wide cyber risk management and consideration of third-party risks, such as vendors, service providers, and new technologies.
- Artificial intelligence (AI) has great benefits to organisations but also poses security challenges; a risk-based approach to using AI within ICT environments as per other services is recommended.
- Invest in prevention, response and recovery to reduce the impact of a compromise and build the resilience of Australian systems.
- Practise good cyber hygiene at work and at home. Enable multi-factor authentication (MFA), use unique passphrases, enable automatic updates, regularly back up important data, and report suspicious cyber activity.
- Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activities. Keep up to date at cyber.gov.au, and engage with ASD’s Cyber Security Partnership Program to help build the nation’s collective cyber resilience.
Digital supply chains increase the attack surface
Most entities have some component of their ICT outsourced to a third party, such as hardware supply, web and data hosting, and software-as-a-service or other enterprise resource planning tools.
According to the Australian Bureau of Statistics’ Characteristics of Australian Business data, during 2021–22, around 85 per cent of Australian businesses used ICT, and 59 per cent used cloud technology. These measures have been trending up year-on-year.
During 2022–23, ASD published a number of alerts warning Australians about vulnerabilities relating to products commonly found in ICT supply chains, like Citrix Gateway and Application Delivery Controller devices. During March 2023, ASD published an alert describing a supply chain compromise affecting multiple versions of the 3CX DesktopApp – a popular voice-over-IP application.
While an entity can outsource ICT functions to access specialist skills, increase efficiency, and lower costs, it must still manage and be accountable for cyber security risk. ICT supply chain expansion can increase the attack surface, particularly as there may be varying levels of cyber security maturity among both customers and suppliers.
A malicious cyber actor can compromise numerous victims at scale by targeting a single upstream or third‑party supplier. An ICT supply chain attack comprises 2 attacks: an initial attack on a supplier, and a subsequent attack on its customers. For example, a managed service provider (MSP) might have privileged network access to hundreds of customers or hold huge amounts of sensitive data. After compromising an MSP, a malicious cyber actor could then exploit the MSP’s privileged network accesses, or steal sensitive data to extort its customers directly. This highlights that, while an entity might have leading-edge cyber defences, its security posture will only be as strong as its weakest link, which may be in its ICT supply chain.
To conduct an ICT supply chain attack, malicious cyber actors will commonly abuse misconfigurations in devices and the trust between supplier services and customer networks, conduct phishing attacks, and exploit common vulnerabilities and exposures (CVEs). Figure 6 outlines some of the common adversary goals and techniques associated with ICT supply chain attacks.
Defeating ICT supply chain threats requires effort from both customers and suppliers. The most effective measures combine both business and technical controls conducted at the earliest stage of ICT procurement or development. While a downstream customer may have no influence over their supplier’s security posture, they can improve their own cyber security to help mitigate risks. Suppliers should prioritise the secure-by-design and secure-by-default principles to improve their own product security and therefore their customers’ security.
Customers should clearly state cyber security expectations upfront as part of any contract, such as requiring that a supplier meet particular cyber security standards. Entities should apprise their suppliers of their risk tolerances, and might want to ask how the supplier will demonstrate good security practices, justify their product’s accesses and privileges, and guarantee genuine product delivery. Entities should also consider whether their supplier may be subject to foreign control or interference.
Figure 6: ICT supply chain threats
Australian organisations face many cyber threats, including from the ICT supply chain. Malicious cyber actors who target upstream suppliers, such as by compromising a cloud host, may be able to impact downstream customers by exploiting the trust between that supplier and its customers. An attacker could then conduct data theft and extortion activities, or other attacks like denial-of-service. An organisation’s cyber security posture is only as strong as its weakest link, which could be an entity in its ICT supply chain.
Mitigating ICT supply chain threats
Organisations can boost their ICT supply chain defences in many ways, including by implementing ASD’s Essential Eight. The most effective technical controls to mitigate risks combine both mitigation and detection techniques, and are supported by a positive organisation-wide cyber secure culture. Some controls for both customers and suppliers include:
- deploy MFA to mitigate stolen credential abuse
- regularly scan for vulnerabilities and update software to minimise risks from vulnerabilities
- segment networks and enforce account management to isolate critical systems
- correctly configure software to minimise security risks
- use network and endpoint detection systems to identify malicious traffic and files
- monitor logon and network logs to detect unusual activity
To help Australian organisations, ASD has published guidance, available at cyber.gov.au, such as Identifying Cyber Supply Chain Risks, Cyber Supply Chain Risk Management, Guidelines for Procurement and Outsourcing, and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default.
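One way to act on the control to monitor logon logs, tied to the report's earlier observations that brute-forced valid accounts featured in many breaches and that compromise of privileged accounts preceded the most extensive incidents. This is an added example, not ASD tooling; the log line format, account names, privileged-account list, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon events; the line format, accounts and addresses
# (documentation IP ranges) are assumptions made for this example.
SAMPLE_LOG = """\
2023-03-01T02:14:01Z src=203.0.113.7 user=admin result=FAIL
2023-03-01T02:14:03Z src=203.0.113.7 user=admin result=FAIL
2023-03-01T02:14:05Z src=203.0.113.7 user=admin result=FAIL
2023-03-01T02:14:07Z src=203.0.113.7 user=admin result=FAIL
2023-03-01T02:14:09Z src=203.0.113.7 user=admin result=FAIL
2023-03-01T02:14:12Z src=203.0.113.7 user=admin result=OK
2023-03-01T08:59:50Z src=198.51.100.20 user=jsmith result=FAIL
2023-03-01T09:00:10Z src=198.51.100.20 user=jsmith result=OK
2023-03-01T10:00:00Z src=203.0.113.9 user=jsmith result=FAIL
2023-03-01T10:07:00Z src=203.0.113.9 user=jsmith result=FAIL
2023-03-01T10:14:00Z src=203.0.113.9 user=jsmith result=FAIL
2023-03-01T10:21:00Z src=203.0.113.9 user=jsmith result=FAIL
2023-03-01T10:28:00Z src=203.0.113.9 user=jsmith result=FAIL
"""

PRIVILEGED = frozenset({"admin"})   # assumption: the organisation's own list
WINDOW = timedelta(minutes=5)       # assumption: tune to the local baseline
THRESHOLD = 5                       # failures within WINDOW that raise an alert


def parse_line(line):
    """Split one 'timestamp key=value ...' line into (time, src, user, result)."""
    stamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["src"], kv["user"], kv["result"]


def detect(log_text, window=WINDOW, threshold=THRESHOLD, privileged=PRIVILEGED):
    """Return alerts for failure bursts and for a success that follows one.

    Expects events in chronological order.
    """
    recent = defaultdict(deque)     # (src, user) -> times of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, user, result = parse_line(line)
        failures = recent[(src, user)]
        # Drop failures that have aged out of the sliding window.
        while failures and when - failures[0] > window:
            failures.popleft()
        if result == "FAIL":
            failures.append(when)
            if len(failures) == threshold:      # alert once per burst
                alerts.append({"type": "brute_force", "src": src, "user": user,
                               "time": when, "severity": "medium"})
        elif result == "OK":
            if len(failures) >= threshold:
                # A logon that succeeds straight after a burst suggests the
                # credential was guessed; privileged accounts rank highest.
                severity = "critical" if user in privileged else "high"
                alerts.append({"type": "success_after_brute_force", "src": src,
                               "user": user, "time": when, "severity": severity})
            failures.clear()
    return alerts
```

In the sample, the single mistyped password and the failures spread over half an hour raise no alert, so the window and threshold need tuning against the organisation's own logon baseline.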
Secure-by-design and secure-by-default products
Secure-by-design products are those where the security of the customer is a core business goal, not just a technical feature, and start with that goal in mind before development. Secure-by-default products require little to no configuration changes out of the box to ensure security features are enabled.
Together, these approaches move much of the burden of staying secure to the manufacturers, which reduces the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues at the user end.
Entities are encouraged to prioritise secure-by-design and secure-by-default products in procurement processes, and collaborate with industry peers and manufacturers to help improve upcoming security initiatives in products. Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default offers further advice to software manufacturers and customers.
Artificial intelligence cyber security challenges
In early 2023, AI tools were among the fastest growing consumer applications globally. Broadly, AI is a collection of methods and tools that enable machines to perform tasks that would ordinarily require human intelligence. AI tools are increasingly being used to augment human activities like sorting large data sets, automating routine tasks, and assisting visual design work.
Machine learning (ML) is a sub-discipline of AI encompassing models that use feedback mechanisms to update model behaviour. ML models are typically used to make classifications and predictions, and to uncover patterns or insights in large data sets that may be impossible for a human to spot.
Over the last 3 years, the practical applications for AI have expanded, the costs have come down, and AI tools are more accessible than ever. Australians already interact frequently with AI, as AI drives internet searching, shopping recommendations, satellite navigation, and can aid complex activities like logistics management, medical diagnosis, and cyber security. AI tools can be used to provide human-like customer responses for help desks or call centres, and can help predict upcoming maintenance for industrial equipment.
While AI has benefited the economy and society, it has also created new challenges and data security risks. As AI becomes increasingly integrated into business environments and ICT infrastructures, additional and potentially unforeseen risks could be introduced. And, like any tool, AI can be misused either inadvertently or deliberately.
In 2022, a medical research collaboration for a pharmaceutical company trained an AI model using ML techniques to catalogue thousands of molecules for therapeutic use while discarding toxic molecules. While the researchers were able to catalogue many beneficial molecules, the researchers also wanted to know how AI could be misused. So they changed the AI model to find toxic rather than safe molecules. Using open source data, their AI model generated over 40,000 potentially lethal molecules in less than 6 hours.
Security researchers have also shown how data sets used for ML can be attacked and ‘poisoned’ with anomalous data to produce misleading outputs. In 2016, Microsoft abruptly ended testing of a chatbot after a subset of its users deliberately provided data containing misinformation and abusive material, resulting in offensive text being produced by the chatbot.
Malicious cyber actors could also use AI tools to augment their activities. For example, a cybercriminal may be able to produce low effort, high quality material for phishing attacks. AI could also be used to create fraudulent deepfake content like voice and video clips, or to create malware. Security researchers have demonstrated with existing technologies that malicious actors could use AI to help orchestrate cyber intrusions.
AI tools may also challenge the protection of sensitive information. For example, AI tools that produce or summarise text may not guarantee data privacy if they are fed sensitive or proprietary information. Additionally, using sensitive information for AI models and ML may contravene privacy laws, policies, or rules in some instances.
As online adversaries can use AI tools, so too can system defenders. AI can sort through large volumes of logs or telemetry data to look for malicious behaviour, identify malware, detect and block exploitation attempts, or derive intelligence insights. AI can also help triage information and automate security tasks, so humans can focus on other problems.
Entities wanting to adopt AI tools should treat them with the same care as any other ICT service, use a risk-based approach to procurement, and consider:
- if the AI tool is secure-by-design and secure-by-default, including its ICT supply chain
- if there are inaccuracies in the AI tool’s model or bias in its algorithms
- how the AI tool will be protected from misuse and interference (including foreign)
- how the AI tool will affect the entity’s privacy and data protection obligations
- how the AI tool will support, rather than outsource, human decision-making
- who is accountable for oversight or if something goes wrong with the AI tool.
Explainer 8: Ethical AI at ASD
In early 2023, ASD published the Ethical AI in ASD statement, which outlines ASD’s framework of ethical principles governing AI usage. This includes:
- lawful and appropriate use of AI consistent with the legislation, policies, processes and frameworks that govern ASD’s functions and protect the privacy of Australian citizens
- enabling human decision-making, allowing our workforce and customers to make informed decisions based on AI system outputs, and to maintain trust in AI systems
- reliable and secure AI, ensuring that technologies continue to meet their intended purpose and remain protected from external interference
- accurate and fair AI mitigating against unintended bias
- accountable, transparent and explainable AI allowing human oversight and control, with clear accountabilities enacted for all stages of the AI development lifecycle, facilitating appropriate and proportionate operations.
Ensuring remote work cyber security
Many organisations rapidly adopted new remote work solutions to support business continuity as a result of the COVID-19 pandemic. The number of Australian companies advertising remote work post-pandemic continues to grow, and it is clear that remote work will be an ongoing feature of many organisations and an expectation of many employees.
Some hastily implemented remote working solutions may not have fully considered cyber security implications. For example, bring-your-own-device policies are popular with organisations, but could introduce additional information management risks to corporate networks if not appropriately managed.
During 2022–23, ASD recorded extensive corporate network breaches that stemmed from employees conducting work from compromised personal devices. In 2022, US company LastPass suffered a data breach due to credentials being stolen via keylogger malware installed on the home computer of one of its employees.
Remote work often relies on employees using their own devices like home computers and internet routers, which usually have limited security features and less secure default settings when compared to enterprise products used in corporate environments. Internal corporate networks could be exposed to the internet directly via a remote employee’s home router, if that home router is misconfigured. Adding to the risks, employees may not regularly update their personal devices or use anti malware software, may access dubious websites or use illegal software, or may have failed to change the default credentials of their devices.
Malicious cyber actors are known to compromise common small-home-office products and internet-of-things devices to steal sensitive information, target corporate networks, or to enslave them into botnets for distributed-denial-of-service (DDoS) attacks.
Organisations should consider how cyber security mitigations for remote solutions are implemented, maintained, and audited. Organisations should also verify that policies are in place to ensure staff know how to securely use systems, and to ensure compliance with legal obligations like the protection of sensitive data.
ASD has published a number of guides at cyber.gov.au including Guidelines for Enterprise Mobility, Remote Working and Secure Mobility, and Risk Management of Enterprise Mobility (including Bring Your Own Device).
Explainer 9: Working from home and cybercrime
The Australian Institute of Criminology’s Cybercrime in Australia 2023 report examined whether working from home was a risk factor for cybercrime victimisation. Small-to-medium business owners who transitioned to working from home due to public health measures associated with the COVID-19 pandemic were 1.4 times as likely to be a victim of identity crime and misuse, 1.2 times as likely to be a victim of malware attacks and 1.3 times as likely to be a victim of fraud and scams.
There are various reasons that moving to remote working may have increased the likelihood of cybercrime victimisation. For a business working remotely, home internet connections may be less secure, devices may no longer be protected by corporate security controls or routine maintenance, and there may be a tendency to store or share sensitive work information on unsecure personal devices.
Cyber security through partnerships
The speed with which cyber threats spread and evolve means that no single entity can effectively defend against all threats in isolation. Cooperation on a national scale is one of Australia’s greatest advantages against malicious cyber activity.
It is vital cyber security incidents are reported to ASD to help build a national cyber threat intelligence picture, which better supports Australian organisations and individuals through informed guidance and mitigation advice. There are many other ways in which Australian organisations can engage with ASD.
ASD’s Cyber Security Partnership Program enables Australian entities to engage with ASD and fellow partners, drawing on collective understanding, experience, skills and capability to lift cyber resilience across the Australian economy. ASD’s Cyber Security Partnership Program is delivered through ASD’s state offices located around Australia.
An ASD Network Partnership is available to organisations with responsibility for the security of a network or networks (either their own or on behalf of customers) as well as academic, research and not-for-profit institutions with an active interest and expertise in cyber security. An ASD Business Partnership is available to those with a valid Australian Business Number. Individuals and families can sign up to the ASD Home Partner Program.
By strengthening our ties with agencies like ASD and broader cyber security partners within the transport and logistics sector, the Toll Group is proud to contribute to building resilient supply chain capability in Australia and around the world. ASD’s partnership, training, and participation in industry forums have been of tremendous value in promoting strong cyber security practices and cooperation across government and critical services, which our teams continue to benefit from. – Toll Group
The National Exercise Program (NEP) helps critical infrastructure and government organisations validate and strengthen Australia’s nationwide cyber security arrangements. The program uses exercises and other readiness activities that target strategic decision-making, operational and technical capabilities, strategic engagement and communications.
The Critical Infrastructure Uplift Program (CI-UP) assists Australian critical infrastructure organisations to improve their resilience against cyberattacks, with a focus on critical infrastructure assets and operational technology environments. As an intelligence-driven program, CI-UP focuses on improving the cyber security of critical infrastructure in a range of areas, including:
- enhancing visibility of malicious cyber activity and awareness of vulnerabilities
- enhancing the ability to contain and respond to an incident
- furthering culture and cyber maturity.
The Cyber Threat Intelligence Sharing Platform (CTIS) shares indicators-of-compromise in real‑time, within a growing community of Australian government and industry partners. CTIS also supports community partners to share their threat intelligence. Co-designed with industry, CTIS alerts security operations centre analysts to threats targeting Australian organisations.
AARNet has been engaged with the CTIS project from its inception and has seen firsthand the value of industry and government partnerships for threat intelligence sharing. By sharing information, the breadth and depth of our visibility of unwanted cyber attention is much greater. – AARNet
The Australian Protective Domain Name System (AUPDNS) is an opt-in security service available to all federal, state and territory government entities to protect infrastructure from known malicious activity. Information from AUPDNS directly assists ASD’s mission to build a national cyber threat picture, which in turn is shared with ASD partners, including individuals, businesses, academia, not-for-profits, and government entities.
The Cyber Hygiene Improvement Programs (CHIPs) track and monitor the cyber security posture of the internet-facing assets of entities at all levels of government. CHIPs also conducts High-priority Operational Tasking (HOT) CHIPs scans when potential cyber threats emerge, such as newly disclosed vulnerabilities. CHIPs builds visibility of security vulnerabilities across governments and provides notifications to system owners.
Figure 7: ASD’s program highlights
Through ASD’s Cyber Security Partnership Program, Australian organisations can draw on the collective understanding, experience and capability of the community to lift Australia’s cyber resilience. ASD Network Partners bring their insights and technical expertise to the community to collaborate on shared threats and opportunities.
Explainer 10: Incident response to stay ahead of adversaries
There is an actor behind every cyber security incident, and each actor will have different intent and capability. For example, state actors are usually focused on long-term goals in opposition to Australia’s national interests, whereas cybercriminals are generally focused on short-term financial gain. Additionally, the techniques different actors use will vary according to their risk appetite for being detected. For example, cybercriminal actions are often ‘loud and public’, as opposed to state actors, whose intent is usually to remain undetected for long periods.
Customising the incident response method ensures the best outcome for impacted organisations. For example, during a cyber security incident, ASD can provide immediate incident response advice and assistance to support impacted Australian organisations. ASD can also work closely with commercial incident response partners in support of an incident.
If the incident is likely the result of a state actor, ASD may offer a more detailed approach such as a comprehensive digital forensic technical investigation to ensure comprehensive remediation.
Public communications on an incident may also differ. An immediate public statement may be required in some incidents. However, there is a need to balance public statements with remediation efforts – particularly when a state actor may be involved. If a state actor is responsible, a public statement could cause the actor to ‘lay low’, impacting a defender’s ability to detect the actor – including tradecraft or accesses that may help them to remain on an organisation’s network.
ASD’s tailored approach to incident response is consistent with industry best-practice, and highlights the importance of public–private partnerships to stay ahead of Australia’s cyber adversaries.
ASD’s ACSC Incident Response
ASD’s incident management capabilities provide tailored incident response advice and guidance to Australians impacted by a cyber security incident. ASD is not a law enforcement agency or regulator; however, we work closely with these agencies if needed.
Report a cybercrime or cyber security incident
Report at cyber.gov.au/report or call the 24/7 Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371).
Cybercrime reports are automatically referred directly to the relevant state or territory law enforcement agency.
Cyber security incidents
All cyber security incidents should be reported to ReportCyber. An incident does not have to be a confirmed compromise to be reported and could include:
- denial-of-service (DoS)
- scanning and reconnaissance
- unauthorised access to network or device
- data exposure, theft or leak
- malicious code/malware
- phishing/spear phishing
- any other irregular cyber activity that causes concern.
For ASD to help you effectively, we may request:
- indicators of compromise
- memory dumps
- disk information
- network traffic captures.
How ASD can help
ASD will provide you with immediate advice and assistance such as:
- tailored information on how to contain and remediate an incident
- advisory products to assist you with your incident response
- linking you with other Australian Government entities that may further support your response such as the Australian Federal Police, or Department of Home Affairs through the National Cyber Security Coordinator and the Cyber Security Response Coordination Unit
- linking you to other government partners like IDCare, ScamWatch, or the e-Safety Commissioner.
How your reporting matters
ASD uses information from your report to build our understanding of the cyber threat environment. This understanding assists with the development of new and updated advice, capabilities, techniques and products to better prevent and respond to evolving cyber threats. Some of these products include:
- advisories published on ASD’s Partnership Portal
- alerts published on cyber.gov.au
- quarterly Trends and Insights reports
- ASD’s Cyber Threat Report.
Your confidentiality is paramount
ASD does not share any information provided by you without your express consent. Only information about the incident is captured when you report.
Figure 8: ASD’s support to Australians
During 2022–23, ASD monitored cyber threats across the globe 24 hours a day, 365 days a year, to alert Australians to cyber threats, provide advice, and assist with incident response. ASD’s ACSC is a hub for private and public sector collaboration and information-sharing on cyber security, to prevent and combat threats and minimise harm to Australians.
ASD’s advice and assistance is for the whole economy, including critical infrastructure and systems of national significance, federal, state and local governments, small and medium businesses, academia, not-for-profit organisations and the Australian community.
Cyber resilience for all Australians
The average Australian household has well over a dozen internet-connected devices and this number is growing. The explosion of remote and hybrid work has also seen corporate networks extend into Australian homes. While growing digitisation and virtualisation of services may have improved consumer convenience and boosted business productivity over the last 3 years, it has also increased the cyber risks for Australians.
Every Australian should practise basic cyber security hygiene to help protect themselves from online threats. The most effective cyber defences are also some of the easiest to use and fastest to set up. The top things Australians can do are:
At cyber.gov.au, ASD has published a range of simple how-to guides for all Australians, including children and seniors, that explain how individuals and families can improve their home cyber security.
Australians are encouraged to report cyber security incidents and cybercrime to ReportCyber, or by calling the Australian Cyber Security Hotline on 1300 CYBER1 (1300 292 371). The hotline is available 24 hours a day, 7 days a week.
Act Now, Stay Secure
ASD provides tailored cyber security guidance to protect Australia against evolving cyber threats. The Act Now, Stay Secure cyber security awareness-raising campaign identified key cyber threats to individuals and small-to-medium businesses, and highlighted ASD advice and tools to help improve the audience’s cyber security posture. Over 2022–23, the campaign:
- reached a potential audience of more than 490,000 Australians and achieved over 11,500 engagements, such as likes, shares, and comments through social media
- was amplified by 170 stakeholders across government, industry, non-profit sectors, and peak body associations, who shared campaign content to their channels
- attracted over 30,000 visitors to the cyber.gov.au website, resulting in nearly 73,000 page views of campaign content and cyber security guidance
- bolstered content delivered at 15 tailored events by ASD state offices.
Monthly cyber security themes were developed to promote planned or new ASD guidance, tools and products to enhance the cyber posture of Australian individuals and small-to-medium businesses. The themes for 2022–23 were:
REDSPICE is the most significant single investment in ASD’s history and will equip ASD to ensure that Australia is best prepared to respond to the strategic environment. Commencing on 1 July 2022, ASD scaled existing services and introduced new intelligence and cyber capabilities to enhance Australia’s cyber defences.
To help achieve this, in FY 2022–23, ASD opened new facilities in Brisbane and Melbourne, and received over 26,000 job applications across Canberra, Melbourne, Brisbane and Perth. ASD also:
- undertook innovative first-of-type ‘cyber hunt’ activities on the most critical government and critical infrastructure networks
- engaged over 175 new customers onto the Cyber Threat Intelligence Sharing platform to improve machine-speed cyber threat intelligence sharing across government and industry
- deployed over 25,000 new host-based sensors to customer networks to build increased visibility of emerging threats to Australia’s most critical systems
- established a secure design and architecture team to provide advice to major government information and communications technology projects
- expanded ASD’s national incident response footprint and 24/7 defence operations capability, including additional upgrades for the Australian Cyber Security Hotline (1300 CYBER1) and ReportCyber, and a new incident response team in Melbourne
- improved the resilience of critical infrastructure through a number of uplift activities to increase cyber security maturity across Australian industry.
About the contributors
ASD manages or uses a number of unique datasets to produce tailored advice and assistance for Australian organisations and individuals. Not all cybercrimes lead to cyber security incidents, and the statistics in this report are from 2 distinct datasets: cybercrimes reported to law enforcement through ReportCyber, and cyber security incidents responded to by ASD. Data has been extracted from live datasets of cybercrime and cyber security reports reported to ASD. As such, the statistics and conclusions in this report are based on point-in-time analysis and assessment.
Cybercrime and cyber security incidents reported to ASD may not reflect all cyber threats and trends in Australia’s cyber security environment.
ASD encourages the reporting of cyber security incidents and cybercrimes to inform ASD advice and assistance to vulnerable entities, and enhance situational awareness of the national cyber threat environment.
In Australia, the term ‘cybercrime’ is used to describe both:
- Cyber-dependent crimes, such as computer intrusions and DoS attacks, directed at computers or other ICTs.
- Cyber-enabled crimes, such as online fraud, identity theft and the distribution of child exploitation material, which can increase in their scale and/or reach through the use of computers or other forms of ICTs.
The ASD glossary provides definitions for terms used in this report and other ASD publications and can be viewed at: https://www.cyber.gov.au/learn-basics/view-resources/glossary