The growing sophistication, frequency and severity of cyberattacks targeting all sectors highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive alternative to the existing cybersecurity paradigm. We define cyber-resilience as the capacity to withstand, recover from and adapt to the external shocks caused by cyber-risks. This article seeks to provide a broader organizational understanding of cyber-resilience and the tensions associated with its implementation. We apply Weick's (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity professionals to uncover these tensions and how they reverberate across cyber-resilience practices.
DOCUMENT
In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
Entrepreneurs are likely to be victims of ransomware. Previous studies have found that entrepreneurs tend to adopt few preventive measures, thereby increasing their chances of victimization. Due to a lack of research, however, not much is known about why entrepreneurs lack self-protective behaviors and how they can be encouraged to change said behaviors. Therefore, the purpose of this study is to explain, by means of an extended model of the Protection Motivation Theory (PMT), the motivation for entrepreneurs using protective measures against ransomware in the future. The data for our study were collected thanks to a questionnaire that was answered by 1,020 Dutch entrepreneurs with up to 250 employees. Our Structural Equation Modelling (SEM) analysis revealed that entrepreneurs are more likely to take preventive measures against ransomware if they perceive the risk of ransomware as severe (perceived severity), if they perceive their company as being vulnerable (perceived vulnerability), if they are concerned about the risks (affective response), and if they think that the people and companies around them expect them to apply preventive measures (subjective norms). However, if entrepreneurs think that they are capable of handling the risk (self-efficacy) and are convinced that their adopted preventive measures are effective (response efficacy), they are less likely to take preventive measures. Furthermore, for entrepreneurs that outsource IT security, the significant effect of perceived vulnerability and subjective norms disappears. The likelihood of entrepreneurs protecting their business against ransomware is thus influenced by a complex interplay of various motivational factors and is partly dependent on the business’ characteristics. Based on these findings, we will discuss security professionals’ prospects for increasing the cyber resilience of entrepreneurs, thus preventing cybercrime victimization.
DOCUMENT
