Investigating organisational aspects of cyber resilience in large organisations

The management of cyber issues has become essential for business success, since the activities of organisations largely depend on information technology and telecommunications. An inverse relationship exists between organisational performance and cyber vulnerability, at a time when organisations report increasing cyber attacks and traditional cybersecurity approaches to prevent cybercrime appear inadequate. Cyber resilience is a new approach to help managers and organisations deal with cyberthreats to business. It is the capacity of a cyber system to perform effectively regardless of the hazards in the business environment. While the technical procedures to mitigate cyber vulnerability are relatively well understood in developing cyber resilience, no comprehensive research has been undertaken to examine organisational approaches to develop cyber resilience. This research study aimed to identify the organisational factors and strategies that contribute to cyber resilience. The study is positioned to inform managerial decision-making and address the lack of academic research into how organisations become cyber resilient. Case study data were gathered from two Australian universities. These universities were chosen, as they are large, complex organisations that emphasise cyber activity, while their open communication culture creates cyber risk. The study adopted a case study approach using qualitative methods and supported by quantitative methods for triangulation. Semi-structured interviews were used, along with three secondary data sources. A total of 39 participants were interviewed from four diverse groups: business managers, IT senior managers, IT middle managers and IT operational staff. Analyses of participant group data were undertaken both within and between the two case studies. This study was underpinned by the Cyber Resilience Matrix (Linkov, Eisenberg, Plourde et al. 2013) as a theoretical framework, which regarded cyber resilience as extending to the periods both before and after a cyber crisis. The findings showed that senior managers need to be aware of their key role in developing cyber resilience in organisations. A conceptual framework was developed from the research results, outlining nine organisational factors and eight strategies to develop organisational cyber resilience across three management stages of cyber crisis (i.e., planning, detecting and recovery/ post-incident). Other findings from this research suggested that the type of organisational structure influences cyber resilience, as a non-bureaucratic decision-making approach at the time of a cyber crisis appears to improve cyber resilience. Limiting the number of principles-based cyber resilience policies was found to help organisations enhance their cyber resilience. A flexible approach to developing cyber resilience strategies was preferred by participants over the consistency approach. Engineering resilience thinking was found to be followed during cybersecurity incident management more than an ecological resilience approach. This study advances understanding of organisational cyber resilience research, and contributes to practice by identifying implications for managers and policymakers to develop a cyber-resilient organisation. As the research findings were derived from two Australian cases studies and largely qualitative work, further research should evaluate the framework and findings developed from this study in other organisational environments