Ajazaj, Ilirjana; Kurowski, Sebastian; Fritsch, Lothar; Roßnagel, Heiko; Hühnlein, Detlef
2017-08-28; 2017-08-28; 2017
ISBN: 978-3-88579-671-8

This contribution addresses the research question of which observable organizational events occur prior to an information security incident, and how these may relate to the organization. It therefore uses a dataset that was built using Google News and the list of data breaches from [Mc17] to analyse which organizational events occur most often. It provides a categorization of these events, which was built using a grounded theory approach. On the other hand, causal chains are constructed by using sociological systems theory and constructivism. Both the causal chains and the organizational event categories are applied together within this contribution to discuss the likelihood of the causalities of the occurred events. However, events such as financial gains also exhibit a higher occurrence prior to an information security incident. This contribution is a speculative, yet first, approach to this question. Further research will focus on refining the constructed causalities.

Language: en
Keywords: information security management; security culture; constructivism
Title: An explorative approach on the impact of external and organizational events on information security
ISSN: 1617-5468