Conceptualising Adaptive Cyber Risk Management: Complexity, Rationality and Knowledge

  • Mark Sallos

    Student thesis: Doctoral ThesisDoctor of Philosophy


    The increasing reliance of organisations on ICT-enabled interconnectivity for value creation has redefined the boundaries and attributes of potential security vulnerabilities (i.e. causal intricacy, scope, non-locality and non-linearity). Cybersecurity presents an epistemic climate that is distinctly hostile due to its domain-specific dynamics, complexity, dichotomous objectives, and effect on behavioural tendencies. Within the thesis, the local manifestation of these dynamics is described as a heuristic – a ‘knowledge problem’. This epistemic hostility hinders efforts to address and pre-empt the emerging threat of cybersecurity incidents in a manner that is proportional and contextually appropriate. The research argues that the degree of epistemic hostility faced by organisations, and its underpinning systemic and behavioural mechanisms, are inadequately represented in common inference-based constructs, like risk frameworks, which guide organisational practice, resulting in a ‘context-construct gap’. Throughout the thesis, these premises are deconstructed, explored and addressed in three dimensions: a literature based, theoretical analysis focused on the interaction between risk, complex systems, and ‘rationality’; an empirical, critical realist case study which explores and calibrates the postulated explanatory mechanisms in an illustrative real-world context; and a prescriptive formulation of an Adaptive Cyber Risk Management framework based on the theoretical and empirical findings of the study. The contribution includes a potential avenue for further cross-disciplinary enquiry into organisational cybersecurity management through the ‘knowledge-problem’ heuristic, which explores the pragmatic barriers to inference-based adaptation efforts. In addition, the Adaptive Cyber Risk Management framework proposes a conceptual logic to mitigate against the issues raised by the theoretical and empirical analysis, which include deep uncertainty, actor and decision maker bias, limited situational awareness, and systemic communication/coordination difficulties.
    Date of AwardSep 2020
    Original languageEnglish
    Awarding Institution
    • Coventry University
    SupervisorAlexeis Garcia-Perez (Supervisor) & Esin Yoruk (Supervisor)

    Cite this