Strategy and organisational cybersecurity: a knowledge-problem perspective

Pages: 581-597
DOI: https://doi.org/10.1108/JIC-03-2019-0041
Date: 05 September 2019
Published date: 05 September 2019
Author: Mark Paul Sallos, Alexeis Garcia-Perez, Denise Bedford, Beatrice Orlando
Subject Matter: Information & knowledge management
Mark Paul Sallos and Alexeis Garcia-Perez
Centre for Business in Society, Coventry University, Coventry, UK
Denise Bedford
Georgetown University, Washington, District of Columbia, USA, and
Beatrice Orlando
Department of Management, Sapienza University of Rome, Roma, Italy
Abstract
Purpose: The purpose of this paper is to frame organisational cybersecurity through a strategic lens, as a
function of an interplay of pragmatism, inference, holism and adaptation. The authors address the hostile epistemic
climate for intellectual capital management presented by the dynamics of cybersecurity as a phenomenon. The
drivers of this hostility are identified and their implications for research and practice are discussed.
Design/methodology/approach: The philosophical foundations of cybersecurity in its relation with
strategy, knowledge and intellectual capital are explored through a review of the literature as a mechanism to
contribute to the emerging theoretical underpinnings of the cybersecurity domain.
Findings: This conceptual paper argues that a knowledge-based perspective can serve as the necessary
platform for a phenomenon-based view of organisational cybersecurity, given its multi-disciplinary nature.
Research limitations/implications: By recognising the knowledge-related vectors, mechanisms and
tendencies at play, a novel perspective on the topic can be developed: cybersecurity as a knowledge
problem. In order to facilitate such a perspective, the paper proposes an emergent epistemology, rooted in
systems thinking and pragmatism.
Practical implications: In practice, the knowledge-problem narrative can underpin the development of
new organisational support constructs and systems. These can address the distinctiveness of the strategic
challenges that cybersecurity poses for the growing operational reliance on intellectual capital.
Originality/value: The research narrative presents a novel knowledge-based analysis of organisational
cybersecurity, with significant implications for both interdisciplinary research in the field, and practice.
Keywords: Strategy, Complexity, Epistemology, Intellectual capital, Systems theory, Knowledge-problem,
Cybersecurity theory
Paper type: Conceptual paper
1. Introduction
1.1 Information technology and the cybersecurity problem
Since its popularisation, information and communication technology has redefined economic
value creation by enabling businesses to decrease their dependence on tangible assets and
capital, in favour of intellectual capital. This, in turn, has made most markets rely on what
Kuehl (2009) describes as the first man-made domain. A benefit of exploiting the cyber domain
is the newfound ability of businesses to leverage its relative absence of temporal and
geographical constraints as an enabler of novel business models. However, an increasingly
meaningful side effect of this reliance lies in the scope of the vulnerability it entails. Cyber
threats can disrupt the security, stability and sustainability of organisations by affecting the
confidentiality, integrity and availability of informational/structural capital. Examples of this
potential for disruption and the externalities it imposes range from organisational collapse (i.e.
Ashley Madison; Baraniuk, 2015), to the incapacitation of the infrastructures of nation-states
(Kaiser, 2015; Zetter, 2016). Even when discussing the societal effects of cybersecurity,
organisations still present themselves as the core vectors of action, given their dual role of
technology developers and facilitators of its use. Paradoxically, cybersecurity remains a
secondary task within most business models, as it provides limited opportunities for
monetisation and value creation, the organisational raison d'être. Given its adversarial
dynamics, cybersecurity strategy is rooted in a metaphorical self-perpetual war scenario,
which, unlike its individual battles, cannot be definitively won. In other words, cybersecurity
is not a problem that can be solved. Furthermore, much like most strategic endeavours,
cybersecurity management exhibits an epistemic core.

Journal of Intellectual Capital, Vol. 20 No. 4, 2019, pp. 581-597
© Emerald Publishing Limited, 1469-1930
DOI 10.1108/JIC-03-2019-0041
Received 2 March 2019
Revised 16 March 2019
Accepted 4 July 2019
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1469-1930.htm

1.2 Cybersecurity, knowledge and intellectual capital
Knowledge as a construct permeates the cybersecurity and the wider organisational risk
narratives in a number of ways. The link between risk and knowledge has been highlighted
by Neef (2005), who argues that an organisation's ability to effectively manage risk is rooted in
its ability to manage relevant knowledge. In relation to cybersecurity, Tisdale (2015) outlines
the need for multi-dimensional approaches which expand the typical technical outlook, in
favour of a systems/complexity orientation and a knowledge management foundation. Within
an Information Security (IS) context, Shedden et al. (2011, p. 152) illustrate the importance of
accounting for the risks towards the cultivation and deployment of organisational
knowledge. Julisch (2013) describes a relationship between knowledge limitations and the
ineffectiveness of a cybersecurity strategy as evidenced by an over-reliance on intuition,
absent security foundations, inadequate governance, or a dependence on static/generic
knowledge of the context. In a broader context, Kianto et al. (2014) argue that organisational
value generation based on intellectual capital is inherently moderated by knowledge
management practices. Given that organisational cybersecurity management aims to protect
both intellectual assets and their operationalisation, it fulfils a moderating function for the
value generation process, converging with the domain of knowledge management.
Besides their relatively consistent, complementary message, these papers exhibit
significant epistemological variability as they reflect the dominant themes of their
individual disciplinary settings. This hinders the clarity of this shared narrative, though not
necessarily of the individual papers. The absence of a common interpretation of knowledge
limits the homogeneity of insight and prescriptive utility that can be achieved through a
phenomenon-driven, rather than a discipline-driven approach. The former enables studying
organisational cybersecurity as an interplay of technology, people and processes, with a
focus on competitive performance, intellectual capital and sustaining value creation.
Although Intellectual Capital is a well-established and flourishing research topic, it is
still perceived as one that continuously evolves (Guthrie et al., 2012) in response to
changes in the social, economic and technological environment. Defined as "the sum of
everything everybody in a company knows that gives it a competitive edge. Intellectual
capital is intellectual material, knowledge, experience, intellectual property, information
that can be put to use to create value" (Dumay, 2016, p. 169), most scholars acknowledge
the role of intellectual capital in value creation. That means a shift in intellectual capital
research from the organisation to its wider ecosystem, where knowledge and value are
created (Dumay, 2013; Dumay and Garanina, 2013, p. 21). Paradoxically, cybersecurity
risks emerge as a result of, among other factors, the systemic interaction of those
elements that form the organisational ecosystems and which they, in turn, contribute to
shaping, such as the organisation's internal processes and its modes of competition and
value capture. Subsequently, a solely technical outlook on cybersecurity as a function is
myopic, failing to account for emergent socio-technical organisational mechanisms and
processes involving the organisation's human, relational and structural capital, which
underpin value generation. This leads us to argue that a knowledge-based view of
cybersecurity and its management would have a direct effect on intellectual capital
management by affecting the dynamics of human, relational, structural, as well as renewal
and trust capital (Kianto et al., 2014).