Organisational Cyber Resilience: Management Perspectives

Abstract

As cyberthreats pose strategic risk, both IT and business management awareness are critical for effective organisational decision making. Many cyber system failures arise from organisational, and not technical issues. This study investigates senior manager awareness of organisational cyber resilience, using case study method. The Cyber Resilience Matrix is used as a theoretical framework to communicate the multifaceted meaning of cyber resilience. This study examines whether the multilayered nature of cyber resilience is understood by both managerial levels to include the periods before and after cyber incidents. As the higher education sector faces complex cyber challenges, research data were gathered from two Australian universities. Analysis found the two management groups differed in their resilience approach. The authors posit that principles-based cyber policies contribute to an organisational view of cyber resilience. The engineering resilience approach, accompanied by a non-bureaucratic organisational structure, was preferred by IT managers. Business managers favoured an ecological approach with a vertical organisational structure. Both managerial groups emphasised the period before cyber crisis when compared to after cyber incidents. This research contributes to the limited theoretical development in the field and attempts to shift the focus from cyber security to cyber resilience.