The Global Risk Institute provided funding for the research and the preparation of this paper. The author is an independent contributor to the Global Risk Institute. He is solely responsible for the content of the article.
Over the past 25 years, cyber-risks have morphed from mere annoyances into potentially catastrophic events that can threaten the survival of technology-dependent organizations. A number of financial authorities have started to consider cyber-risks as a source of systemic risk to the financial system.
In such a hostile digital environment, cyber security controls that are deemed adequate at a given time may quickly be overwhelmed and defeated by unexpected cyber-risks. Cyber-resilience, which reflects “the ability to continuously deliver the intended outcome despite adverse cyber events” (Björk et al., 2015: 312), then becomes critical to ensure organizational survival in the face of cyber-shocks.
The emerging literature on cyber-resilience originates primarily from the field of computer science, where the main research questions have been to identify the engineering features that can make cyber systems more robust and the metrics that can be used to evaluate this capacity to endure. But a more holistic approach is also needed, to understand what types of preparations, responses, recovery and adaptation activities are undertaken to enhance an organization’s cyber-resilience.
Using qualitative data collected among a sample of 44 cyber security professionals from 28 financial sector organizations in 5 geographies (Canada, the UK, the US, France and the Netherlands), this research describes the measures enabling cyber-resilience in the financial sector. The general objective is to learn from those who implement cyber-resilience on a daily basis what works, what does not, and what their main constraints are.
For financial institutions, the three most salient dimensions associated with cyber-resilience practices are the uncertainty inherent to the nature of cyber-risks and the sense attributed to them, the effectiveness of the organizational strategies used to prepare for and mitigate cyber-attacks, and the adaptive outcomes that result from these incidents.
Sensemaking, cyber-risks and the instability of decision-making processes
Responding to risks requires an understanding of what is happening. In contexts like those of cyber-risks where ‘newness’ abounds, framings that make sense of events need to be developed immediately in environments of uncertainty, crisis and urgency. Various barriers impede the application of sensemaking processes to cyber-risks and constrain cyber-resilience practices.
- The first barrier relates to the features that differentiate cyber-risks from more conventional forms of risk. Because cyber-risks are ‘manufactured’ by adversaries, their dynamic nature can destabilize sensemaking processes at every stage of an adverse event: fairly minor incidents can quickly escalate, and cyber-risks generate risk-cascades that can very quickly amplify a crisis;
- The second source of tension originates from the contested rationalities of the operational requirements of a business, on the one hand, and cyber-resilience, on the other;
- The third source of sensemaking tension originates from regulators, whose oversight activities generate geographical and temporal pressures.
Organizational practices of cyber-resilience
Participants often used the “muscle memory” analogy to convey the principles that guided their cyber-resilience practices. They emphasized the development of general resources and practices that can adjust nimbly to adverse events.
This process generally starts with a comprehensive mapping of the critical functions that a financial institution must recover. The mapping is not limited to internal processes but must also extend to third parties.
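Such a mapping can be thought of as a dependency graph that is traversed to surface everything, internal or external, that a critical function relies on. The following is a minimal illustrative sketch, not drawn from the paper; all function and vendor names are hypothetical.

```python
# Illustrative sketch: critical-function dependencies, including third
# parties, modelled as a directed graph. All names are hypothetical.
from collections import deque

# Each key depends on the resources listed in its value.
dependencies = {
    "payments": ["core_banking", "swift_gateway"],
    "core_banking": ["primary_datacentre"],
    "swift_gateway": ["third_party:MessagingVendor"],
    "primary_datacentre": ["third_party:CloudProvider"],
}

def transitive_dependencies(function):
    """Breadth-first walk returning everything a function relies on."""
    seen, queue = set(), deque([function])
    while queue:
        node = queue.popleft()
        for dep in dependencies.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

# The mapping extends beyond internal processes to third parties:
deps = transitive_dependencies("payments")
third_parties = sorted(d for d in deps if d.startswith("third_party:"))
print(third_parties)
```

Even a toy model like this makes the point that third-party exposures are often indirect: the payments function above never references a vendor directly, yet depends on two.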
The outcomes of these assessments are then combined with intelligence about the threat landscape to design scenarios and response playbooks. Playbooks take time to develop and can involve several rounds of consultation and testing. Several respondents warned against an over-reliance on playbooks, which cannot possibly anticipate all the surprises encountered in real-life incidents.
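One practical reason playbooks take so long to develop is that each step must have a clear owner and sequence so it can be rehearsed and revised. A minimal sketch of that structure follows; the scenario and step contents are hypothetical, not taken from the paper.

```python
# Illustrative sketch: a response playbook encoded as ordered steps with
# owners, so it can be exercised and amended. Contents are hypothetical.
ransomware_playbook = [
    {"step": "isolate affected hosts", "owner": "security_ops"},
    {"step": "notify incident commander", "owner": "security_ops"},
    {"step": "assess scope and data impact", "owner": "forensics"},
    {"step": "recover from clean backups", "owner": "infrastructure"},
    {"step": "brief regulators and clients", "owner": "communications"},
]

def run_playbook(playbook, log=print):
    """Walk the playbook in order, logging each numbered step."""
    for i, item in enumerate(playbook, start=1):
        log(f"{i}. [{item['owner']}] {item['step']}")

run_playbook(ransomware_playbook)
```

The respondents' warning applies directly here: a fixed sequence like this cannot anticipate every surprise, which is why such artifacts complement, rather than replace, adaptable teams.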
Two technical features usually associated with cyber-resilient systems are redundancy and diversity. While redundancy refers to the availability of multiple instances of a particular resource, diversity references the existence of heterogeneous resources that can be deployed to minimize exposure to a single type of risk.
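The distinction can be made concrete with a small failover sketch, assuming hypothetical provider names: redundant instances of the same vendor share failure modes, while a diverse vendor does not. This is an illustration of the two concepts, not an implementation from the paper.

```python
# Illustrative sketch: redundancy vs. diversity in a failover chain.
# All provider names are hypothetical.

class ProviderDown(Exception):
    pass

def make_provider(name, healthy=True):
    """Build a callable service endpoint that may be down."""
    def provider():
        if not healthy:
            raise ProviderDown(name)
        return f"served by {name}"
    return provider

def resilient_call(providers):
    """Try each provider in turn, failing over on error."""
    for provider in providers:
        try:
            return provider()
        except ProviderDown:
            continue
    raise RuntimeError("all providers failed")

# Redundancy alone: two instances of vendor A, which can fail together
# (e.g. a shared software flaw). Diversity: a heterogeneous vendor B
# fallback that does not share that single type of risk.
chain = [
    make_provider("vendor_a_primary", healthy=False),
    make_provider("vendor_a_secondary", healthy=False),
    make_provider("vendor_b", healthy=True),
]
print(resilient_call(chain))  # → served by vendor_b
```

The design point is that redundancy multiplies instances of one resource, while diversity reduces exposure to any single class of failure; resilient architectures typically need both.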
The importance of the human factor as a source of cyber-resilience was highlighted. Individuals who played a central role in cyber-resilience tended to display higher-than-average curiosity, creativity and flexibility; they were comfortable with imperfect decision-making environments, were not prone to the “startle effect”, and were good communicators and good listeners.
Almost all participating organizations conduct simulations and tabletop exercises that recreate the conditions of a cyber-attack as realistically as possible, so that employees across a broad range of functions can familiarize themselves with existing playbooks and practice response and recovery protocols.
The professionals we interviewed relied on dense internal and external organizational networks to improve the speed and effectiveness of communication flows. Internally, this implies embedding security workers inside business units to better understand their culture or establishing ‘fusion centres’. Awareness campaigns and ‘ambassador programs’ can also contribute to the creation of internal networks that can be activated in times of crisis.
External networks play a crucial role in organizational cyber-resilience. Many participants extolled the virtues of information sharing as one of the most effective strategies to stop cyber-attacks. The external networks conducive to effective information sharing blend informal and formal structures. To fully benefit from these external resources, trust is of central importance.
Learning to adapt
The ultimate goal of resilience is not mere survival until the next crisis, but also adaptation to a dynamic environment to reach a new state of equilibrium. Three different forms of adaptation were associated with major adverse events.
- The first form of adaptation is voluntary and reflects the learning that takes place after a surprising incident or after a routine incident that was handled poorly;
- The second form of adaptation is guided by cyber security standards and their cyber-resilience components;
- The third form of adaptation is forced and involves the regulatory activity to which financial institutions are subjected.
Cyber-resilience appears to be highly contextual, depending on factors unique to each organization, such as its size, history, business culture, international footprint, IT priorities, regulatory environment, and leadership style. There is no ideal cyber-resilience framework, only customized and tailored practices that deliver improved levels of reliability and survivability.

One challenge that can seriously hinder the preparedness and crisis-management capacities of financial institutions arises from individual and collective cognitive biases. Cyber security professionals have not yet integrated these heuristic traps into their risk-management models, despite growing evidence that they can precipitate errors of judgement and undermine the resilience of organizations.