This master's thesis is an exploratory study of organisational aspects of cyber threat management in a private ICT company. The study draws on the theoretical concepts of critical infrastructure, wicked problems and resilience in order to answer the problem statement: “How do private ICT suppliers perceive and define their role in protecting critical infrastructure?”
I have studied a single case, a private ICT company referred to as XX, to answer the chosen problem statement. The method was qualitative, triangulating data from interviews, a survey and document analysis. The purpose was to understand organisational aspects of cyber threat management. My role was to understand what was meaningful for the actors at the blunt end (top-level management) and at the sharp end (employees at the technical and operational levels). Abductive logic was applied to answer the research questions of this thesis. The actors’ “world” was interpreted by me on the basis of their own knowledge and understanding of how things are, in line with an epistemological constructionist approach. The analysis was conducted using themed questions for coding purposes.
The main analytical takeaway is that XX perceives and defines its role as that of a critical supplier of cyber security to its customers. By making sure its customers can operate fully, XX perceives itself as a contributing factor to national security. Still, the company does not prioritise the protection of national security in its company strategies.
I conclude that XX has a broad and traditional understanding of cyber threats, which results in some internal misunderstandings about how to manage them. How the company perceives its societal responsibility is reflected internally in how it organises its own security. Based on the main contradictions identified, the company faces different types of uncertainty that need to be managed for it to become more resilient and to be fully perceived as a high reliability organisation. It also needs to prioritise the use of networking societies and knowledge sharing to broaden how the internal organisation perceives cyber threats.
XX constructs itself as a private company with a traditional risk adaptation, but in practice shows a combination of risk and uncertainty adaptation, which illustrates that the company has a resilience management approach. Given the existing focus on uncertainty at the operational and tactical levels, XX should be able to measure resilience. This is something the company needs to pinpoint within the organisation, and the adaptation needs to be strategically incorporated at top-level management. A resilience adaptation depends on how top-level management goes about accurately measuring resilience and uncertainty in the organisation.