Alexeis Garcia-Perez, Mark Paul Sallos and Pattanapong Tiwasing
Abstract
Purpose
This research addresses the relationships between the current, dynamic organisational cyber risk climate, organisational cybersecurity performance and changes in cybersecurity investments, with an aim to address the hostile epistemic climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon.
Design/methodology/approach
Expanding on the views of digital security and resilience as a knowledge problem, the research looks at cybersecurity as a critical capability within organisations, particularly relevant in critical infrastructure sectors. The problem is studied from the perspective of 400 C-level executives from critical infrastructure sectors across the UK. Data collected at the peak of the coronavirus disease 2019 (COVID-19) pandemic, a time when critical infrastructure organisations have been under a significant strain due to an increase in cybersecurity incidents, were analysed using partial least squares structural equation modelling.
Findings
The research found a significant correlation between the board's perception of a change in their cybersecurity risk climate and patterns of both the development of cybersecurity management capabilities and cybersecurity investments. The authors also found that a positive correlation exists between the efforts placed by critical infrastructure organisations in cybersecurity training and the changes in investment in their cybersecurity, particularly in relation to their intellectual capital development efforts.
Originality/value
To the best of the authors’ knowledge, this is the first paper that explores the board's perception of cybersecurity in critical infrastructure organisations both from the intellectual capital perspective and in the dynamic cyber risk climate derived from the COVID-19 crisis. The authors’ findings expand on the growing perception of cybersecurity as a knowledge problem, and thus inform future research and practice in the domain of intellectual capital management and its role in supporting the cybersecurity and digital resilience of business and society.
Mark Paul Sallos, Alexeis Garcia-Perez, Denise Bedford and Beatrice Orlando
Abstract
Purpose
The purpose of this paper is to frame organisational cybersecurity through a strategic lens, as a function of an interplay of pragmatism, inference, holism and adaptation. The authors address the hostile epistemic climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon. The drivers of this hostility are identified and their implications for research and practice are discussed.
Design/methodology/approach
The philosophical foundations of cybersecurity in its relation with strategy, knowledge and intellectual capital are explored through a review of the literature as a mechanism to contribute to the emerging theoretical underpinnings of the cybersecurity domain.
Findings
This conceptual paper argues that a knowledge-based perspective can serve as the necessary platform for a phenomenon-based view of organisational cybersecurity, given its multi-disciplinary nature.
Research limitations/implications
By recognising the knowledge-related vectors, mechanisms and tendencies at play, a novel perspective on the topic can be developed: cybersecurity as a “knowledge problem”. In order to facilitate such a perspective, the paper proposes an emergent epistemology, rooted in systems thinking and pragmatism.
Practical implications
In practice, the knowledge-problem narrative can underpin the development of new organisational support constructs and systems. These can address the distinctiveness of the strategic challenges that cybersecurity poses for the growing operational reliance on intellectual capital.
Originality/value
The research narrative presents a novel knowledge-based analysis of organisational cybersecurity, with significant implications for both interdisciplinary research in the field, and practice.
Mark-Paul Sallos, Alexeis Garcia Perez and Anca Bocanet
Abstract
Purpose
The drive for digitalisation has increased the scope of cyber threats which can exploit the growing footprint of information and communication technology infrastructure supporting modern societies. Despite substantial interest and efforts in researching and building organisational cyber resilience, the resulting body of work is heterogeneous and has yet to reach maturity. This paper aims to address the gap in the conceptualisation of cyber resilience in academic and practice-oriented grey literature.
Design/methodology/approach
In this conceptual paper, we firstly seek to explore the available foundations of resilience as a construct and consider how these can be applied to organisational cybersecurity. To that aim, this study employs a targeted literature review approach, incorporating systematic elements to ensure rigour. Literature was identified through comprehensive searches in key academic databases, reference chaining and expert recommendations. Articles were selected based on relevance and contribution to the field, resulting in a thematic analysis to identify gaps and propose a heuristic model for cyber resilience. With this approach, we aim to position the emerging view of cyber resilience relative to risk analysis, while highlighting its domain of “conceptual comparative advantage” – the types of applications it is best suited to address. Finally, a high-level heuristic model for cyber resilience is proposed, which functions across the relevant policy, strategy and operational dimensions while also considering its relationship with cyber risk management.
Findings
A conceptual model for organisational cyber resilience is proposed which helps position and frame research contributions in this domain relative to risk analysis, highlighting its domain of comparative advantage. The model integrates policy, strategy and operational dimensions, in a manner conducive to bridging foundations and applications of the concept of cyber risk management. The proposed model provides a critical point of reference to evaluate individual models, frameworks and tools.
Originality/value
This paper is a pioneering effort to overcome the current gaps between conceptual and practical views of cyber resilience. It proposes a new, risk-aligned view of the concept of cyber resilience and provides a structural foundation for further research and practice in the field.