Conceptualising Adaptive Cyber Risk Management: Complexity, Rationality and Knowledge

Abstract

The increasing reliance of organisations on ICT-enabled interconnectivity for value creation has redefined the boundaries and attributes of potential security vulnerabilities (i.e. causal intricacy, scope, non-locality and non-linearity). Cybersecurity presents an epistemic climate that is distinctly hostile due to its domain-specific dynamics, complexity, dichotomous objectives, and effect on behavioural tendencies. Within the thesis, the local manifestation of these dynamics is described as a heuristic – a ‘knowledge problem’. This epistemic hostility hinders efforts to address and pre-empt the emerging threat of cybersecurity incidents in a manner that is proportional and contextually appropriate. The research argues that the degree of epistemic hostility faced by organisations, and its underpinning systemic and behavioural mechanisms, are inadequately represented in common inference-based constructs, like risk frameworks, which guide organisational practice, resulting in a ‘context-construct gap’. Throughout the thesis, these premises are deconstructed, explored and addressed in three dimensions: a literature based, theoretical analysis focused on the interaction between risk, complex systems, and ‘rationality’; an empirical, critical realist case study which explores and calibrates the postulated explanatory mechanisms in an illustrative real-world context; and a prescriptive formulation of an Adaptive Cyber Risk Management framework based on the theoretical and empirical findings of the study. The contribution includes a potential avenue for further cross-disciplinary enquiry into organisational cybersecurity management through the ‘knowledge-problem’ heuristic, which explores the pragmatic barriers to inference-based adaptation efforts. In addition, the Adaptive Cyber Risk Management framework proposes a conceptual logic to mitigate against the issues raised by the theoretical and empirical analysis, which include deep uncertainty, actor and decision maker bias, limited situational awareness, and systemic communication/coordination difficulties.

Date of Award	Sept 2020
Original language	English
Awarding Institution	Coventry University
Supervisor	Alexeis Garcia-Perez (Supervisor) & Esin Yoruk (Supervisor)