Organisational Cyber Resilience: Management Perspectives
DOI:
https://doi.org/10.3127/ajis.v27i0.4183Keywords:
Organisational cyber resilience, universities, senior IT managers, business managers, cyberthreatAbstract
As cyberthreats pose strategic risk, both IT and business management awareness are critical for effective organisational decision making. Many cyber system failures arise from organisational, and not technical issues. This study investigates senior manager awareness of organisational cyber resilience, using case study method. The Cyber Resilience Matrix is used as a theoretical framework to communicate the multifaceted meaning of cyber resilience. This study examines whether the multilayered nature of cyber resilience is understood by both managerial levels to include the periods before and after cyber incidents. As the higher education sector faces complex cyber challenges, research data were gathered from two Australian universities. Analysis found the two management groups differed in their resilience approach. The authors posit that principles-based cyber policies contribute to an organisational view of cyber resilience. The engineering resilience approach, accompanied by a non-bureaucratic organisational structure, was preferred by IT managers. Business managers favoured an ecological approach with a vertical organisational structure. Both managerial groups emphasised the period before cyber crisis when compared to after cyber incidents. This research contributes to the limited theoretical development in the field and attempts to shift the focus from cyber security to cyber resilience.
References
ABC News. (2020). Scott Morrison's 'urgent' hacking warning shot shows Australia won't shy away from China's cyber attacks. Retrieved from https://www.abc.net.au/news/2020-06-20/why-australia-acted-on-china-hacking-cyber-attack-scott-morrison/12376700
Ahmad, A., Johnson, C., & Storer, T. (2015). An Investigation on Organisation Cyber Resilience International Journal of Computer, Electrical, Automation, Control and Information Engineering, 9, 1661-1666. Retrieved from http://www.waset.org/publications/10002012
Al-Surmi, A., Cao, G., & Duan, Y. (2020). The impact of aligning business, IT, and marketing strategies on firm performance. Industrial Marketing Management, 84, 39-49.
Alberts, D. S., Garstka, J. J., & Stein, F. P. (2000). Network Centric Warfare: Developing and Leveraging Information Superiority. Assistant Secretary of Defense (C3I/Command Control Research Program) Washington DC.
Annarelli, A., Nonino, F., & Palombi, G. (2020). Understanding the management of cyber resilient systems. Computers & Industrial Engineering, 149, 106829.
Antikainen, J. (2014). Model for national cybersecurity resilience and situation awareness improvement: An information quality–centric approach leveraging fusion of established practitioner and academic disciplines. (Master Degree). Jamk University of Applied Science, Retrieved from
https://www.theseus.fi/bitstream/handle/10024/86179/opinnaytetyo_%20Jani%20Antikainen.pdf?sequence=3
Appiah, G., Amankwah-Amoah, J., & Liu, Y.-L. (2020). Organizational Architecture, Resilience, and Cyberattacks. IEEE Transactions on Engineering Management.
Armstrong, C. P., & Sambamurthy, V. (1999). Information technology assimilation in firms: The influence of senior leadership and IT infrastructures. Information Systems Research, 10(4), 304-327.
Austin, G. (2018). How Australian universities can get better at cyber security. Retrieved from https://theconversation.com/how-australian-universities-can-get-better-at-cyber-security-99587#republish
Bagheri, S. (2020), Investigating Organisational Aspects of Cyber Resilience in Large Organisations, PhD thesis, University of Tasmania, Tasmania, Australia.
Bagheri, S., & Ridley, G. (2017). Organisational cyber resilience: research opportunities. Paper presented at the Proceedings of the 28th Australasian Conference on Information Systems (ACIS2017), Hobart, Australia.
Bei, H. (2019). Problems of cybersecurity in the context of becoming and development of the new economy. Collection of scientific works of the International Scientific Conference "Competitiveness and Innovation in the Knowledge Economy", XXI Edition, September 27-28, 2019, Chisinau, Moldova, e-ISBN 978-9975-75-968-7.
Bellini, E., & Marrone, S. (2020). Towards a novel conceptualization of Cyber Resilience. Paper presented at the 2020 IEEE World Congress on Services (SERVICES).
Béné, C., Newsham, A., Davies, M., Ulrichs, M., & Godfrey‐Wood, R. (2014). Resilience, poverty and development. Journal of International Development, 26(5), 598-623.
Berg, B. L. (2004). Qualitative Research Methods for the Social Sciences (Vol. 5): Pearson Boston, MA.
Bergeron, F., Raymond, L., & Rivard, S. (2004). Ideal patterns of strategic alignment and business performance. Information & Management, 41(8), 1003-1020.
Berkes, F., Colding, J., & Folke, C. (2008). Navigating social-ecological systems: building resilience for complexity and change: Cambridge University Press.
Bernabe, J. B., & Skarmeta, A. (2019). Introducing the Challenges in Cybersecurity and Privacy-The European Research Landscape. Challenges in Cybersecurity and Privacy-the European Research Landscape, River Publishers Series in Security and Digital Forensics, 1-21.
Bernard, R. (2007). Information Lifecycle Security Risk Assessment: A tool for closing security gaps. Computers & Security, 26(1), 26-30.
Björck, F., Henkel, M., Stirna, J., & Zdravkovic, J. (2015). Cyber Resilience–Fundamentals for a Definition. In New Contributions in Information Systems and Technologies (pp. 311-316): Springer.
Borys, S. (2019). The ANU hack came down to a single email—here’s what we know. Retrieved from
Buchmann, R. A., Polini, A., Johansson, B., & Karagiannis, D. (2020). Perspectives in Business Informatics Research: 19th International Conference on Business Informatics Research, BIR 2020, Vienna, Austria, September 21–23, 2020, Proceedings (Vol. 398): Springer Nature.
Burgemeestre, B., Hulstijn, J., & Tan, Y.-H. (2009). Rule-based versus Principle-based Regulatory Compliance. Paper presented at the JURIX.
Carias, J. F., Labaka, L., Sarriegi, J. M., & Hernantes, J. (2018). An Approach to the Modeling of Cyber Resilience Management. Paper presented at the 2018 Global Internet of Things Summit (GIoTS).
Cavelty, M. (2007). Critical information infrastructure: vulnerabilities, threats and responses. Paper presented at the Disarmament Forum (Vol. 3, pp. 15-22). UNIDIR.
Chapman, J., Chinnaswamy, A., & Garcia-Perez, A. (2018). The severity of cyber attacks on education and research institutions: A function of their security posture. Paper presented at the Proceedings of the13th International Conference on Cyber Warfare and Security (ICCWS 2018), Washington DC. USA.
Cobo, A., Vanti, A. A., & Rocha, R. (2014). A fuzzy multicriteria approach for it governance evaluation. JISTEM-Journal of Information Systems and Technology Management, 11, 257-276.
Colombo, R. (2020). On the escalation from Cyber Incidents to Cyber Crises. Master's thesis, University of Twente.
Conklin, W. A., & Kohnke, A. (2018). Cyber Resilience: An Essential new Paradigm for Ensuring National Survival. Paper presented at the Proceedings of the 13th International Conference on Cyber Warfare and Security (ICCWS 2018), Washington DC. USA.
Conklin, W. A., & Shoemaker, D. (2017). Cyber-Resilience: Seven Steps for Institutional Survival. EDPACS, 55(2), 14-22. Retrieved from
http://www.tandfonline.com/doi/abs/10.1080/07366981.2017.1289026
Craigen, D., Diakun-Thibault, N., & Purse, R. (2014). Defining Cybersecurity. Technology Innovation Management Review, 4 (10): 13–21. In (Vol. 4, pp. 13–21).
Davis, J. I., Libicki, M. C., Johnson, S. E., Kumar, J., Watson, M., & Karode, A. (2016). A Framework for Programming and Budgeting for Cybersecurity. Retrieved from RAND Corporation, Santa Monica, CA, US.
Dewar, R. S. (2017). Active Cyber Defense. Retrieved from Center for Security Studies (CSS), ETH Zurich: https://doi.org/10.3929/ethz-b-000169631
Dupont, B. (2019). The cyber-resilience of financial institutions: significance and applicability. Journal of Cybersecurity (Oxford), 5 (1), 1-17.
Dutta, A., & McCrohan, K. (2002). Management's role in information security in a cyber economy. California Management Review, 45(1), 67-87. Retrieved from http://journals.sagepub.com/doi/pdf/10.2307/41166154
Feist, G. J. (2006). The development of scientific talent in Westinghouse finalists and members of the National Academy of Sciences. Journal of Adult Development, 13(1), 23-35.
Ferdinand, J. (2015). Building organisational cyber resilience: A strategic knowledge-based view of cyber security management. Journal of Business Continuity & Emergency Planning, 9(2), 185-195.
Fitzgerald, T. (2007). Clarifying the roles of information security: 13 questions the CEO, CIO, and CISO must ask each other. Information Systems Security, 16(5), 257-263.
Fox-Lent, C., Bates, M., & Linkov, I. (2015). A matrix approach to community resilience assessment: An illustrative case at Rockaway Peninsula. Environment Systems and Decisions, 35(2), 209-218.
Gisladottir, V., Ganin, A. A., Keisler, J. M., Kepner, J., & Linkov, I. (2016). Resilience of Cyber Systems with Over‐and Underregulation. Risk Analysis, 37(9), 1644–1651.
Goodman, PS., & Haisley, E. (2007). Social comparison processes in an organisational context: New directions. Organisational Behavior and Human Decision Processes, 102(1), 109-125.
Hambleton, R. K., Brennan, R. L., Brown, W., Dodd, B., Forsyth, R. A., Mehrens, W. A., . . . Linden, W. J. (2000). A response to “setting reasonable and useful performance standards” in the national academy of science’grading the nations report card. Educational Measurement: Issues and Practice, 19(2), 5-14.
Hausken, K. (2020). Cyber resilience in firms, organizations and societies. Internet of Things, 11, 100204.
Holling, C. (1996). Engineering resilience versus ecological resilience. Engineering within Ecological Constraints, 31(1996), 32.
Hult, F., & Sivanesan, G. (2014). What good cyber resilience looks like. Journal of Business Continuity & Emergency Planning, 7(2), 112-125.
Johnson, A. M. (2009). Business and security executives views of information security investment drivers: Results from a delphi study. Journal of Information Privacy and Security, 5(1), 3-27.
Kott, A., & Linkov, I. (2021). To improve cyber resilience, measure it. arXiv preprint arXiv:2102.09455.
Le, N. T., & Hoang, D. B. (2017). Capability Maturity Model and Metrics Framework for Cyber Cloud Security. Scalable Computing: Practice and Experience, 18(4), 277-290. doi:10.12694/scpe.v18i4.1329
Ligo, A., Kott, A. & Linkov, I. (2021). How to Measure Cyber Resilience of an Autonomour Agent: Approaches and Challenges, IEEE Engineering Management Review, 1-12.
Linkov, I., Eisenberg, D., Plourde, K., Seager, T., Allen, J., & Kott, A. (2013b). Resilience metrics for cyber systems. Environment Systems & Decisions, 33(4), 471-476. doi:http://dx.doi.org/10.1007/s10669-013-9485-y
Linkov, I., Senberg, D., Bates, M., Chang, D., Convertino, M., Allen, JH., Flynn, SE., & Seager, T. (2013a). Measurable Resilience for Actionable Policy. Environmental Science & Technology, 47(18), 10108-10110. doi:10.1021/es403443n
Linkov, I., & Trump, B. (2019). The Science and Practice of Resilience, Cham: Springer International Publishing.
Loonam, J., Zwiegelaar, J., Kumar, V., & Booth, C. (2020). Cyber-Resiliency for Digital Enterprises: A Strategic Leadership Perspective. IEEE Transactions on Engineering Management.
Luftman, J., Papp, R., & Brier, T. (1999). Enablers and inhibitors of business-IT alignment. Communications of the Association for Information Systems, 1(1), 11.
Lykou, G., Anagnostopoulou, A., & Gritzalis, D. (2018). Implementing cyber-security measures in airports to improve cyber-resilience. Paper presented at the Proceedings of the 2018 Global Internet of Things Summit (GIoTS), Bilbao, Spain.
Marchese, D., Jin, A., Fox-Lent, C. & Linkov, I. (2019). Resilience for Smart Water Systems, Journal of Water Resources Planning and Management, 146(1), 02519002.
McFadzean, E., Ezingeard, J.-N., & Birchall, D. (2007). Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review, 31(5), 622-660. doi:10.1108/14684520710832333
Merriam, S. B. (2009). Qualitative research: A guide to design and implementation: Revised and expanded from qualitative research and case study applications in education. San Franscisco: Jossey-Bass.
Moallem, A. (2020). HCI for Cybersecurity, Privacy and Trust. Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Copenhagen, Denmark, July 19-24, 2020, Proceedings (Vol. 12210): Springer Nature.
National Academy of Sciences. (2012). Disaster Resilience: A National Imperative Retrieved from https://www.nap.edu/read/13457/chapter/3
Noureddine, M. (2020). Achieving network resiliency using sound theoretical and practical methods. University of Illinois at Urbana-Champaign,
Orozco, J., Tarhini, A., & Tarhini, T. (2015). A framework of IS/business alignment management practices to improve the design of IT Governance architectures. International Journal of Business and Management, 10(4), 1.
Quacquarelli Symonds. (2018, 26 July 2018). Qs University Rankings. Retrieved from https://www.topuniversities.com/
Rainer Jr, R. K., Marshall, T. E., Knapp, K. J., & Montgomery, G. H. (2007). Do information security professionals and business managers view information security issues differently? Information Systems Security, 16(2), 100-108.
Rand, K, Kurth, M., Fleming, C., & Linkov, I. (2019). A resilience matrix approach for measuring and mitigating disaster-induced population displacement, International Journal of Disaster Risk Reduction, 42(18), 101310.
Roege, P. E., Collier, Z. A., Chevardin, V., Chouinard, P., Florin, M.-V., Lambert, J. H., Nielsen, K., Nogal, M. and Todorovic, B. (2017). Bridging the Gap from Cyber Security to Resilience. In Resilience and Risk (pp. 383-414). NATO Science for Peace and Security Series C: Environmental Security: Springer.
Sabev, S. I. (2020). Integrated Approach to Cyber Defence: Human in the Loop. Technical Evaluation Report. Information & Security: An International Journal, 44, 76-92.
Shapiro, S., Keys, B., Chhajer, A., Liu, Z., & Horner, D. (2016). A Framework for Assessing Cyber Resilience. A Report for the World Economic Forum.
Sarkar, A., Wingreen, S., & Cragg, P. (2013). Organisational IS Resilience: a pilot study using Q-methodology. Paper presented at the 24th Australasian Conference on Information Systems (ACIS2013).
Segovia, M., Rubio-Hernan, J., Cavalli, A. R., & Garcia-Alfaro, J. (2020). Cyber-Resilience Evaluation of Cyber-Physical Systems. Paper presented at the 2020 IEEE 19th International Symposium on Network Computing and Applications (NCA).
Selby, J. (2017). How Can Company Boards Build Trust When Faced By Cybersecurity Risks? Optus Macquarie University Cyber Security Hub, 3. Retrieved from https://www.mq.edu.au/about/about-the-university/offices-and-units/optus-macquarie-university-cyber-security-hub/news2/files/Boards-Building-Trust-Cyber-Security-Hub-John-Selby.pdf
Sepúlveda-Estay, D. A., Sahay, R., Barfod, M. B., & Jensen, C. D. (2020). A systematic review of cyber-resilience assessment frameworks. Computers & Security, 101996.
Sharma, R. (2015). Five ways board members can improve cybersecurity. Journal of Internet Law, 19(4), 11-12.
Sikula, N., Mancillas, J., Linkov, I., & McDonagh, J. (2015). Risk management is not enough: a conceptual model for resilience and adaptation-based vulnerability assessments. Environment Systems & Decisions, 35(2), 219-228. doi:http://dx.doi.org/10.1007/s10669-015-9552-7
Smith, A. E., & Humphreys, M. S. (2006). Evaluation of unsupervised semantic mapping of natural language with Leximancer concept mapping. Behavior Research Methods, 38(2), 262-279.
Soomro, Z. A., Mahmood, H. S., & Javed, A. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
Stouffer, K., Falco, J., & Scarfone, K. (2011). Guide to industrial control systems (ICS) security. NIST Special Publication, 800(82), 16-16.
Tallon, P. P. (2014). Do you see what I see? The search for consensus among executives’ perceptions of IT business value. European Journal of Information Systems, 23(3), 306-325.
Teo, T. S., & King, W. R. (1997). An assessment of perceptual differences between informants in information systems research. Omega, 25(5), 557-566.
Tisdale, S. M. (2016). Architecting a cybersecurity management framework. Issues in Information Systems, 17(4), 227-236. Retrieved from
http://www.iacis.org/iis/2016/4_iis_2016_227-236.pdf
Trim, P., Jones, N., & Brear, K. (2009). Building organisational resilience through a designed-in security management approach. Journal of Business Continuity & Emergency Planning, 3(4), 345-355.
van der Kleij, R., & Leukfeldt, R. (2019). Cyber resilient behavior: Integrating human behavioral models and resilience engineering capabilities into cyber security. Paper presented at the Proceedings of the International Conference on Applied Human Factors and Ergonomics, Advances in Human Factors in Cybersecurity (AHFE), Washington DC. USA.
Vugrin, E., & Turgeon, J. (2013). Advancing Cyber Resilience Analysis with Performance-Based Metrics from Infrastructure Assessments. International Journal of Secure Software Engineering (IJSSE), 4(1), 75-96.
Wagstaff, K., & Sottile, C. (2015). Cyberattack 101: Why Hackers Are Going After Universities. Retrieved from http://www.nbcnews.com/tech/security/universities-become-targets-hackers-n429821
Wang, N., Liang, H., Zhong, W., Xue, Y., & Xiao, J. (2012). Resource structuring or capability building? An empirical study of the business value of information technology. Journal of Management Information Systems, 29(2), 325-367.
Wells, E., Boden, M., Tseytlin, I & Linkov, I. (2022). Modeling Critical Infrastructure Resilience under Compounding Threats: A systematic literature review. Progress in Disaster Science, 15, 1-15.
White, G. (2009). Strategic, tactical, & operational management security model. Journal of Computer Information Systems, 49(3), 71-75.
Yano, E., de Abreu, W., Gustavsson, P., & Åhlfeldt, R. (2015). A framework to support the development of Cyber Resiliency with Situational Awareness Capability. Paper presented at the Proceedings of the 20th International Command and Control Research and Technology Symposium, Annapolis, MD, USA.
Downloads
Published
How to Cite
Issue
Section
License
AJIS publishes open-access articles distributed under the terms of a Creative Commons Non-Commercial and Attribution License which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and AJIS are credited. All other rights including granting permissions beyond those in the above license remain the property of the author(s).