Strategy and organisational cybersecurity: a knowledge-problem perspective

Purpose: The purpose of this paper is to frame organisational cybersecurity through a strategic lens, as a function of an interplay of pragmatism, inference, holism and adaptation. The authors address the hostile epistemic climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon. The drivers of this hostility are identified and their implications for research and practice are discussed.

Design/methodology/approach: The philosophical foundations of cybersecurity in its relation with strategy, knowledge and intellectual capital are explored through a review of the literature as a mechanism to contribute to the emerging theoretical underpinnings of the cybersecurity domain.

Findings: This conceptual paper argues that a knowledge-based perspective can serve as the necessary platform for a phenomenon-based view of organisational cybersecurity, given its multi-disciplinary nature.

Research limitations/implications: By recognising the knowledge-related vectors, mechanisms and tendencies at play, a novel perspective on the topic can be developed: cybersecurity as a “knowledge problem”. In order to facilitate such a perspective, the paper proposes an emergent epistemology, rooted in systems thinking and pragmatism.

Practical implications: In practice, the knowledge-problem narrative can underpin the development of new organisational support constructs and systems. These can address the distinctiveness of the strategic challenges that cybersecurity poses for the growing operational reliance on intellectual capital.

Originality/value: The research narrative presents a novel knowledge-based analysis of organisational cybersecurity, with significant implications for both interdisciplinary research in the field, and practice.
