Learn to Train Like You Fight

Mika Karjalainen, Anna-Liisa Ojala, Marko Vatanen, Jarno Lötjönen
Copyright: © 2023 | Pages: 20
DOI: 10.4018/IJAET.322085

Abstract

This qualitative study includes nine semi-structured interviews with cybersecurity experts from different security-related organizations who are familiar with cybersecurity exercises. Its contribution to cybersecurity workforce development focuses on organizational learning rather than individual skills development and relevant competencies. It was found that the utilization of thematic analysis methods develops individual readiness and expertise. It also enhances the maturity of an organization's processes, roles, communication, and exercise capabilities. Moreover, the exercises increase social trust between individuals and organizations through business-to-business cooperation. However, there were several barriers and challenges in utilizing learned skills and competencies within an organization, including a need to increase the capacity of staff members who participate in the exercise.

Introduction

Do Cybersecurity Exercises Benefit an Individual or Organizational Learning?

Maersk, the world’s largest shipping container company, faced a cyberattack in 2017. According to some estimates, a Maersk ship, which can carry up to 20,000 containers at once, will port somewhere across the globe every 15 minutes (Walton, 2022). On this day, the cyberattack forced Maersk to shut down all operations, costing the company between $250 million and $300 million. Companies down the supply chain also lost millions of dollars due to this cybersecurity incident (Capano, 2021).

This case is just one example of the current business reality in which almost all companies have built their processes and operations on digital information systems. Like Maersk, companies face vulnerabilities as systems interface with digital systems that are operated or used by other organizations.

In the digital era, businesses rely on information systems to serve as a platform and core of business operations. The vulnerabilities typical to digital systems also apply to many nations’ critical infrastructures and operations. Information and communication technologies (ICTs) serve as an enabler of modern society’s business operations, which can challenge organizations due to their rapid digital advancements. It is, therefore, crucial for organizations to keep pace with technological developments and exploit new technologies while managing threats. Organizations must manage their own environment and the effects of the network due to the highly networked ecosystem structure. Cybersecurity professionals must be able to manage a complex environment that includes evolving technologies, internal and external processes within the organization, and human interactions (Lindsay et al., 2003).

Organizations should focus on continuous skills and knowledge development to adapt to an ever-changing environment. Team members must be diligent and reactive in their response to internal and external triggers (Luecke, 2003). The development of individual competencies should also transfer into the organization’s capabilities. In changing digital environments that face threats, organizations cannot simply react to real-time change. Instead, they must actively increase their capacities to predict the need for capacity development within their teams.

Prior research explored the development of individual competencies through cybersecurity exercises (e.g., Ferguson et al., 2014; Karjalainen & Ojala, 2022; Pham et al., 2016; Vykopal et al., 2017). However, there is a lack of knowledge on the impact of cybersecurity exercises on organizational learning or an understanding of the features and mechanisms that enhance or hinder organizational learning. This deficiency underlines the rationality of the present study. The resource-intensive exercises should urge participating organizations to ask questions about the extent to which the competence development of individuals is turned into the competence of the organization. Subsequently, organizations should question the processes or features that hinder or advance organizational learning.

Argyris (2002) defined organizational learning as “a process of detecting and correcting error” and error as “any feature of knowledge or knowing that inhibits learning” (p. 116). In other words, in this approach, organizational learning is not an accumulation of knowledge. Instead, it occurs when barriers that hinder learning are identified and removed. The organizational learning process also requires changes in organizational knowledge (Schulz, 2017). Revisions are needed in practices and ways of thinking that impact the performance of the organization (Chiva et al., 2014).

In the process of learning, the mismatch diminishes between actual and intended actions. The actions are more likely to have intended consequences (Argyris, 2002). Robinson (2002) emphasized the problem-solving aspect of the process of organizational learning. Her study used universities and their problem-solving practices in student recruitment and enrollment efforts to show how organizations depend on their capacities and capabilities to solve problems and improve practices.

Finally, during the organizational learning process, organizations must adapt to their environments (Huber & Glick, 1993). In doing so, they must actively develop and respond to environments that support their successful performance (Robinson, 2001).

These approaches are important for cybersecurity-related issues in organizations. Organizations solve many problems related to cyberthreats or, as in the present study, problems related to the competence development of a workforce. Organizations must adapt to, create, and respond to environments in which the threats take place. They must also pay attention to environments in which they collaborate with other organizations. Furthermore, organizations must manage processes of knowledge accumulation and processes of detecting and correcting errors.

The present study examines organizational learning processes in the context of cybersecurity exercises. This is achieved by examining how the participants perceived the exercises as a means and opportunity to revise processes like knowledge management and problem solving. Organizations must develop working environments that support organizational maturity in cybersecurity.

This issue is examined with three research questions:

  1. Whose actions or knowledge change due to cybersecurity exercises? How do they change?

  2. What challenges do the participants experience when putting what they have learned into practice within their organizations?

  3. Are there cybersecurity-related features in the exercises that appear to support or challenge organizational knowledge creation?

The first two questions guided the composition of the semi-structured interview questions. The analysis was inductive. The third question was created after becoming more acquainted with the data and exposing the results of the first two questions to organizational learning theories.

The researchers found that the organizational knowledge creation process is essential for organizations that send their personnel to commercial training to become more competent in facing cyber incidents. In organizational knowledge creation, individuals’ tacit knowledge is transferred into explicit knowledge. It is then turned into the tacit knowledge of an organization (e.g., Basten & Haamann, 2018; Martínez & Ruiz, 2006; Nonaka, 1994; Nonaka & Konno, 1998). Furthermore, by exposing the results to conceptions of single- and double-loop learning (Argyris, 2002, 2004; Argyris & Schön, 1978, 1996), it was noted that organizational learning in cybersecurity exercises is structured with laws and company policies that set the framework for organizational development.

After introducing the context and theoretical background of the study, this article presents the qualitative methodology and thematic analysis. The results section corresponds to the research questions. The first two research questions are organized around thematic analysis. The third research question is ordered according to secondary analysis and organizational theories. The discussion recaps the key results and presents the implications of the study.
