
STS cybersecurity and resilience frameworks for crisis management in higher education and research sector

Abstract

This thesis examines the cybersecurity challenges and resilience strategies adopted by the Higher Education and Research Sector (HERS) in Australia during the recent major crisis. Specifically, the term “recent major crisis” refers to the COVID-19 pandemic, which significantly disrupted higher education institutions and exposed critical cybersecurity vulnerabilities. Despite numerous studies identifying cybersecurity challenges in times of crisis, empirical investigations into these challenges and the resilience strategies used to mitigate them remain limited, particularly in the Australian context. It has been reported that HERS has been the sector worst hit by these cybersecurity challenges in Australia, especially after the recent major crisis. This research addresses this gap using an interpretive qualitative approach, with data collected through semi-structured interviews with cybersecurity experts and senior management from Australian Higher Education Institutions (HEIs) active during the crisis. The qualitative data were analysed using the thematic analysis technique with the QSR NVivo software. A Sociotechnical System (STS) theory approach has been applied to identify and classify emerging cybersecurity challenges, proposing an extended STS cybersecurity framework. This framework comprises five organisational subsystems—social, technical, political, economic, and environmental—each representing key dimensions of cybersecurity vulnerabilities. For instance, the social subsystem highlights issues arising from human errors and structural weaknesses, while the technical subsystem focuses on faults in hardware, software, and work processes. The political subsystem identifies challenges due to policy and regulatory shortcomings; the economic subsystem explores issues stemming from insufficient national and global legal frameworks; and the environmental subsystem addresses challenges linked to internal and external environmental changes.
This framework expands on existing literature by incorporating overlooked factors and emphasising the interdependencies between these subsystems. The study also proposes a resilience framework, integrating organisational learning loops, to explore strategies that HERS has adopted to mitigate the identified cybersecurity challenges across three crisis phases: before, during, and after. The Organisational Learning (OL) framework also maps resilience strategies to single-loop, double-loop, and triple-loop learning. In the before-crisis phase of the resilience framework, strategies include crisis management planning and fostering a culture of readiness. The during-crisis phase focuses on absorbing disruptions (single-loop learning), adapting to changes (double-loop learning), and transforming to a stable state (triple-loop learning). The after-crisis phase emphasises monitoring, evaluation, and improvement. A few examples of resilience strategies identified include implementing cybersecurity awareness programs, redefining roles, adopting risk management tools, forging partnerships with external security organisations, introducing policies, and adopting and reconfiguring technologies. These strategies aim to strengthen organisational resilience, address cybersecurity challenges amidst the recent major crisis, and prepare for future disruptions. The thesis makes both theoretical and practical contributions that are useful both for theoretical scholars and for practitioners in HERS. This study contributes to the literature on IS by addressing critical gaps in understanding cybersecurity challenges and organisational resilience strategies during major crises. Focusing exclusively on HERS in Australia, it provides an empirical investigation into real-world incidents, identifying and classifying cybersecurity challenges using an extended STS cybersecurity model.
The model introduces five organisational subsystems, highlighting their interdependencies and offering a comprehensive framework for understanding these challenges. Additionally, the study proposes a resilience framework based on three crisis phases and an organisational learning loop framework to illustrate how HERS prepares for, responds to, and recovers from crises. By linking resilience strategies to single-, double-, and triple-loop learning, the study offers novel insights into how HERS adapts and transforms during crises, advancing both theoretical and practical knowledge in the fields of cybersecurity and resilience. Practically, this research provides actionable insights for HERS and other sectors to effectively address cybersecurity challenges and implement resilience strategies during crises. The classification of cybersecurity challenges and the identification of resilience strategies serve as a guide for key stakeholders, including cybersecurity departments, strategic managers, and consultants. For instance, the study helps organisations classify cybersecurity challenges by organisational subsystems, enabling targeted interventions to address specific vulnerabilities. Furthermore, the resilience framework supports strategic managers in prioritising resources and managerial efforts to effectively mitigate emerging cybersecurity challenges. Cybersecurity consultants benefit from the cybersecurity STS framework as a tool to navigate cybersecurity challenges during organisational changes, while the resilience framework guides the adoption of strategies to manage unforeseen crises. Ultimately, the research enhances organisational preparedness and resilience, equipping stakeholders to tackle cybersecurity issues more efficiently and effectively.

Doctor of Philosoph

Last time updated on 18/09/2025

This paper was published in Federation ResearchOnline.


Licence: Open Access