Speakers
Synopsis
I'm presenting the outcome of my MSc research on how people in strategic cybersecurity roles develop the anticipation of an adverse event, so that the organisation maintains safe operation. The ability to anticipate a changing shape of threats and to prepare to respond to future challenges is strongly connected to adaptation. My research is done as part of the MSc in Human Factors and System Safety at Lund University (Sweden). It is informed by the fields of human factors, Joint Cognitive Systems and Resilience Engineering, connecting them with the topics of cybersecurity and human performance.
With the ever-increasing interconnectedness and digitalisation, in 2024 it is perhaps a truism to say that cybersecurity as a domain is very important. Ramifications are tangible in the real world; examples are plenty.
To thwart attacks effectively, organisations and their cybersecurity managers are required to develop a view of possible futures, foresee actions of the threat actors and deploy defences against them in advance.
While a cybersecurity department in an organisation might have many roles (analyst, engineer, architect), the focus of my research is on the role of a cybersecurity manager or a CISO. I'm focussed on the anticipatory practices of people in these roles, as they have an extended time horizon and make strategic decisions.
Such human performance is rarely studied in cybersecurity.
I define anticipation as the process of using the future in the present, using it in today's decision-making. Anticipation is distinguished from forecasting, as forecasting by itself does not lead to action or decision-making.
Prior research suggests that the highest potential for progress in the attacker-defender interplay might be in the broader research, involving social and collaborative factors.
My research looks at managerial anticipation and decision-making in a broader context of organisational and professional life.
The research is based on interviews with cybersecurity managers from Australia, the Netherlands, the US, the UK, and Singapore. The experience of the participants is situated in an array of industries: internet and software services, manufacturing, banking, consulting, insurance, and utilities.
The research has developed shared patterns of meaning and themes of what makes sense for people to do in their roles in order to anticipate an adverse event, given the pressures from the changing shape of threats, time horizon and the limited resources of their organisations.
Finally, the research suggests what can be done to help people in strategic roles to cope with complexity and enhance their anticipatory performance.