The Tensions of Cyber-Resilience: From Sensemaking to Practice
27 pages. Posted: 20 Sep 2022
Abstract
The growing sophistication, frequency and severity of cyberattacks targeting all sectors highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive alternative to the existing cybersecurity paradigm. We define cyber-resilience as the capacity to withstand, recover from and adapt to the external shocks caused by cyber risks. This article seeks to provide a broader organizational understanding of cyber-resilience and the tensions associated with its implementation, using financial institutions as a case study. We apply Weick’s (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity professionals in the financial sector – a particularly exposed field – to uncover these tensions and how they reverberate across cyber-resilience practices.
Keywords: cyber-resilience, risk management, cyber-risks, sensemaking, regulation, standardization