key: cord-0064659-cylzzpzp
title: Cyber resilience during the COVID-19 pandemic crisis: A case study
authors: Groenendaal, Jelle; Helsloot, Ira
date: 2021-05-01
DOI: 10.1111/1468-5973.12360
sha: 0ec9b9e9bc7b6bb190bc3de5b0e90d3aff6c075f
doc_id: 64659
cord_uid: cylzzpzp
keywords: corona, COVID-19, cyber, cyber security, resilience, threats, vulnerability

Abstract. The outbreak of the COVID-19 pandemic crisis around the world and the resulting unprecedented measures taken by governments required organizations to quickly adopt new ways of (remotely) working. At face value, this would suggest a higher vulnerability for cyber threats. This research note analyses how a global financial institution dealt with this challenge by using Hollnagel's four abilities for resilient performance as a theoretical lens. Semi-structured in-depth interviews with eleven key actors were conducted. Three findings stand out. First, the interviews suggest that the organization performed cyber resiliently in the sense that the number of incidents and their impact were not significantly higher. Second, the interviews show that all four abilities of resilience were formally developed prior to the COVID-19 outbreak, but rarely resulted in anticipatory adjustment. Third, the interviews indicate that the ability to respond contributed most to the organization's cyber resilience during the pandemic crisis. To conclude, our research note raises the question to what extent the four potentials should be developed beforehand in order to perform resiliently during crises.

The outbreak of the COVID-19 pandemic crisis around the world and the resulting unprecedented measures taken by governments are having a significant impact on our society at large. Organizations were forced to quickly adopt new ways of working remotely, utilizing new systems for communication and altering practices to meet social distancing requirements and modified work patterns (Dwivedi et al., 2020; Herath & Herath, 2020; Wirth, 2020).
The first studies on this indicate that the outbreak of COVID-19 has made organizations more vulnerable to cyber threats. On the one hand, cyber threats and incidents have been reported to rise as a result of a shift in crime opportunities from offline to online environments (Buil-Gil et al., 2020; Lallie et al., 2020). On the other hand, the sudden and rushed response to the pandemic crisis has created major cyber security gaps in organizations (Škiljić, 2020). Organizations were forced to quickly allow employees to work from home, without necessarily considering the cyber security implications for their ICT, employees and organization (Abukari & Bankas, 2020; Dwivedi et al., 2020; Wirth, 2020).

In this research note, we analyse how a global financial institution (GFI) dealt with this challenge. More specifically, we study how the pandemic crisis affected the ability of the GFI to remain cyber resilient, that is, the ability of the organization to securely continue and adapt its required digital operations under both expected and unexpected conditions, including adverse cyber events (cf. Björck et al., 2015). According to Kott and Linkov (2021: 80), the key notion of cyber resilience is the acceptance that a cyber compromise is a likely event and that the organization suffers as a result; the focus is on the organization's ability to recover and adapt, and not just to resist. Cyber resilience, the authors continue, characterizes what happens after an adverse event, and requires preparedness for both known and unknown threats. In our research we use Hollnagel's four potentials of resilient performance, that is, the potential to anticipate, monitor, respond and learn, as a theoretical lens. Our aim is to contribute to the current literature on cyber resilience, which, although quickly emerging, contains relatively few empirical case studies (see e.g., Barasa et al., 2018 for resilience case studies in other sectors). In addition, our research adds to the emerging literature on the implications of a 'black swan' event [1] for the cyber security of organizations.

This research note is organized as follows. First, we briefly discuss Hollnagel's theory of resilience. Second, we give insight into the methodology of our research. Third, we present the findings, which have been compressed in order to comply with the format of a research note. To conclude, we discuss the implications of our findings for theory and practice.

There are different viewpoints that can be used to study resilience (e.g., Hynes, Trump, Love, Kirman, et al., 2020; Groenendaal & Helsloot, 2020; Kott & Linkov, 2021). In our study, we decided to use the theory developed by Hollnagel (2011).
The reason why we used this perspective in our research is threefold. First, Hollnagel's view on resilience is widely accepted in the literature on organizational resilience and has previously been applied to the cyber security domain (e.g., Van der Kleij & Leukfeldt, 2019). Second, a major advantage of Hollnagel's approach is that it provides a lens through which resilient performance can be observed and assessed. It should be noted here that researchers have only recently begun to investigate how resilience can be quantitatively measured (e.g., Kott & Linkov, 2021), and therefore we rely on qualitative approaches to measure cyber resilience. The third reason is that we discovered that elements of Hollnagel's approach are being used in practice. As an example, the European Central Bank (ECB) has published guidance on cyber resilience for financial market infrastructures which includes several expectations regarding the development of the four potentials; these expectations can be traced back to the cyber resilience framework that the ECB is using (ECB, 2018).

In Hollnagel's (2011, 2017) view, resilience is a characteristic of how an organization performs and not a quality that the organization as such possesses. According to Hollnagel (2017), resilient performance means that the organization is able to continue its required operations under both expected and unexpected conditions by adjusting its functions prior to, during or following certain events (e.g., changes, disturbances and opportunities). The key characteristic of resilient performance is the ability of the organization to adjust how it functions. According to Hollnagel (2011, 2017), adjustments can be made either after something has happened (reactive, responding to feedback) or before something happens (anticipatory or proactive, directed by assumptions about the future). In practice, both types of adjustment are likely to be happening in organizations.
Hollnagel (2017) stresses that reactive adjustments are most common, but do not guarantee the continuity of the organization. For instance, organizations that do not anticipate an economic downturn and operate with tight margins have few opportunities to cope with setbacks during a recession. Proactive adjustment implies that the system changes to meet future demands that are expected. This also includes changing from a state of normal operation to a state of heightened readiness before something happens (Hollnagel, 2017). In this state of heightened readiness, resources are allocated to match the needs of the expected event and special functions may be activated.

According to Hollnagel (2011) and others (Leveson, 2016; Woods, 2015), organizations need to develop four abilities that are required to achieve a resilient performance: the ability to anticipate, monitor, respond and learn.

▪ The ability to anticipate means being able to anticipate developments further into the future. These can be potential disruptions, new requirements, constraints or novel opportunities (Hollnagel, 2017). According to Chuang et al. (2020), the ability to look ahead and to consider future events, conditions, threats and opportunities is a competitive and (evolutionary) advantage.

▪ The ability to monitor considers how well the organization can detect changes to work conditions and the indicators used to keep track of what happens in the internal and external environment (Chuang et al., 2020). According to Hollnagel (2017), monitoring must cover an organization's own performance as well as what happens in the operating (external) environment.

▪ The ability to respond entails knowing what to do and being able to respond timely and effectively to what happens (Hollnagel, 2017). This includes responding to regular and irregular changes, disruptions and opportunities by activating prepared actions, adjusting the current way of working and/or inventing new modes of operating (Chuang et al., 2020).

▪ The ability to learn means knowing what has happened and being able to learn from experience (Hollnagel, 2011). According to Hollnagel (2017), learning the right lessons from the right experience is key. This includes single-loop learning from specific experiences (i.e., trying to understand why certain objectives are not met) and double-loop learning (i.e., challenging the objectives themselves and seeking the underlying causes) (Hollnagel, 2011; Chuang et al., 2020).

Importantly, Hollnagel (2017) recognizes that having developed the four potentials does not necessarily result in a resilient performance when it is needed, for example during a crisis. He states that an organization that has developed them will be more likely to perform in a way that is resilient than one that has not. And an organization that completely lacks the potentials, he adds, will be incapable of resilient performance (Hollnagel, 2017).

Our research entails a case study of a GFI. The GFI provides financial (e.g., insurance) services and products to customers around the world. The GFI, and this applies more broadly to the entire financial sector, is rapidly transforming into a technology business. The vast majority of interaction with customers at the GFI takes place through digital channels. As a consequence, cyber security has become of strategic importance for this GFI. The chief information security office, led by the Chief Information Security Officer (CISO), is responsible for (amongst other things) cyber and information security as well as digitalized fraud (e.g., phishing attacks on customers in which the attacker impersonates the organization). Semi-structured interviews with eleven respondents from the strategic, tactical and operational layers of the organization were conducted.
Table 1 (table content not present in this text)

Based on the interviews, three observations can be drawn about how the GFI has dealt with the challenges arising from the COVID-19 pandemic crisis.

The majority of respondents indicated that the organization has become more vulnerable to cyber threats during the outbreak of the COVID-19 pandemic crisis. ISM1, for instance, mentioned that the swift implementation of working from home has led to a major increase in the attack surface. ISM2 noted that working from home resulted in less visibility of employees' endpoints, especially when they are not connected to the corporate network. As a consequence, the respondents note, the organization is more vulnerable to attacks that either use an employee's endpoint as a stepping stone to penetrate the corporate network or steal or manipulate data that is stored on that particular endpoint. In addition, FI1, FI2, CIA1 and CIA2 explained that major social events such as COVID-19 provide opportunities for cybercriminals to make phishing attacks more effective, as people tend to be more inclined to believe the message of the phisher. Furthermore, CIA1, CIA2 and FIA1 emphasized that the organization has become more vulnerable to insider threats, that is, employees with malicious intent. CIA1 explained that usually the majority of insider threats are detected thanks to vigilant colleagues close to the rogue employee, but employees with malicious intent who are working from home are less likely to get caught by other employees.

However, DCISO and CCOPS stressed that incident statistics show that these cyber threats have not materialized. Although the number of phishing attacks increased during the outbreak of COVID-19 and many phishing campaigns were related to the pandemic, the respondents indicated that the actual success rate and damage were only a little higher than average. Standard operating procedures were sufficient to handle these attacks.
During the pandemic crisis, the GFI faced only slightly more cyber incidents than a year before. The pandemic crisis has not caused many problems in managing these incidents, also because cyber incident responders were used to working remotely from time to time before COVID-19. In a few cases, when the impact of incidents was (potentially) larger, DCISO, CCOPS and HIR decided to meet physically in the dedicated crisis control room, because physical meetings were perceived to be better for the communication and coordination between IT, security and business.

Interviews with all respondents demonstrated that all four abilities needed to perform resiliently were present to a certain extent prior to the pandemic crisis. The GFI has a dedicated cyber threat intelligence unit responsible for the development of a quarterly threat landscape report and the
However, these plans were considered to be inapt for the corona crisis as they did not take into account the draconian measures of the government. DCISO and CCOPS showed that the organization has invested in internal reporting on cyber threats and incidents. Key performance indicators have been established and agreed upon by senior management and are used on a daily, weekly or monthly basis to inform operational, tactical and strategic decision-makers. In addition to the reporting by the CISO department, there is also the IT risk department, which has a separate reporting line on IT security risks to senior management and regulatory supervisors. The GFI has developed several incident management capabilities. For cyber incidents, the GFI has an extensive cyber incident response capability (Security Operations Center) which operates 24/7 according to a follow-the-sun principle. The cyber incident response capability works closely together with the IT incident management organization, which is responsible for responding to IT failures that result in business impact.
In case of a major cyber security incident, this IT incident management capability can be used to quickly deploy changes (e.g., patch vulnerable systems, change configuration settings, implement workarounds) within the IT environment. Furthermore, the GFI has developed a business continuity management (BCM) capability that is responsible for ensuring that the organization can continue the delivery of services in case of a business disruption. According to BCM1, a quick recovery of services following disruption is ensured by having contingency plans in place and a crisis management organization available to facilitate rapid decision making by senior management. According to HIR, the majority of cyber incidents are evaluated during cyber incident response team meetings. In addition, for larger incidents a formal incident learning process has been established, which includes an evaluation session with all stakeholders involved and the development of lessons learned, including a root cause analysis and an action plan requiring approval from senior management. BCM1 indicated that some departments and entities had gained experience with previous infectious diseases such as the swine flu (2009). According to BCM1, these experiences have been recorded in at least some of the available pandemic plans.

Finally, no respondent could give a concrete example of organizational adjustment in anticipation of the pandemic crisis. Interviews demonstrated a reactive response of the GFI to the unfolding situation. DCISO and BCM1 pointed out that the GFI had started monitoring the pandemic outbreak in China at an early stage (mid-January 2020
were never interrupted or constrained by the outbreak of the crisis. According to these respondents, this was partly due to anticipatory adjustments such as implementing fixed teams to contain the potential spreading of the coronavirus within the team.
As another example, FI1 and FI2 noted that a special task force was established to monitor certain fraud threats targeting the organization and/or customers. According to them, this helped to take swift actions following attacks, such as adjusting e-mail configuration settings and initiating targeted awareness campaigns.

In this research note, we briefly analysed how a GFI dealt with the challenges posed by the COVID-19 pandemic crisis by using Hollnagel's four abilities for a resilient performance as a theoretical lens. Although the pandemic crisis has made the GFI more vulnerable to certain cyber threats, the results of our tentative investigation show that the organization performed resiliently, considering the incident statistics and the fact that the organization has responded well to the challenges posed by the pandemic crisis, albeit reactively. The importance of the ability to respond, and particularly of having the means (e.g., resources) to respond, is highlighted in previous research as well. Based on a review of the empirical literature on organizational resilience, Barasa et al. (2018) found that the availability of resources is considered a key enabler of organizational resilience. When material resources are used strategically, the authors state, organizations can overcome disruption. The authors emphasize that financial resources are also considered necessary to mobilize other needed resources during the crisis. In a similar vein, what we have uncovered in this case reflects, for companies, an analogy of a well-known fact about the resilience of individuals: in the end, having money at hand to be able to respond is a factor of greater importance than having put much effort into preparation (Helsloot & Ruitenberg, 2004). Furthermore, we agree with Kott and Linkov (2021) that more scholarly effort should be devoted to resilience measurement.
For instance, based on their definition of resilience ("cyber resilience refers to the system's ability to recover or regenerate its performance after cyber-attacks produces a degradation of its performance", Linkov & Kott, 2019: 5), cyber resilience can only be measured in the case of an attack that significantly impacted the organizational performance. As we did not come across any example of a cyber incident that led to major performance degradation (which also needs to be defined and measured), the question can be raised what conclusions about the cyber resilience of the organization can be drawn in this specific case study. Finally, a limitation of our study is our research design, which does not make it possible to generalize the results of our research. Consequently, we call for more (comparative) case study research on cyber resilience in general and specifically in the context of adverse events such as major cyber-attacks or COVID-19. To conclude, it should be noted here that our tentative investigation only spans the first year of the pandemic crisis, and as the crisis still continues, we recommend that researchers conduct more extensive investigations to understand how the cyber resilience of organizations evolves over time. Should further research, both quantitative and qualitative, along the lines of this research note come up with similar findings, then the formal expectations of, for example, the ECB, which asks for the development of all four potentials, come into question.

[1] There is a debate in the literature whether the outbreak of the COVID-19 pandemic crisis should be considered a black swan. We hold the opinion that not the pandemic itself but the governmental response to it should be seen as such.

References
Some cyber security hygienic protocols for teleworkers in COVID-19 pandemic period and beyond
What is resilience and how can it be nurtured? A systematic review of empirical literature on organizational resilience
Cyber resilience: fundamentals for a definition
Cybercrime and shifts in opportunities during COVID-19: a preliminary analysis in the UK
Measurement of resilience potential: development of a resilience assessment grid for emergency departments
Impact of COVID-19 pandemic on information management research and practice: Transforming education, work and life
Cyber resilience oversight expectations for financial market institutions
Frontline command: Reflections on practice and research
Organisational resilience: Shifting from planning-driven business continuity management to anticipated improvisation
Citizen response to disasters: A survey of literature and some practical implications
Coping with the New Normal Imposed by the COVID-19 Pandemic: Lessons for technology management and governance
RAG: The resilience analysis grid. In Resilience engineering in practice: A guidebook
Safety-II in practice: Developing the resilience potentials
Resilient financial systems can soften the next global financial crisis
Bouncing forward: A resilience approach to dealing with COVID-19 and future systemic shocks
To improve cyber resilience, measure it
Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic
Engineering a safer world: Systems thinking applied to safety
Cyber resilience of systems and networks. Risk, Systems and Decisions
Cybersecurity and remote working: Croatia's (non-)response to increased cyber threats
Cyber resilient behavior: Integrating human behavioral models and resilience engineering capabilities into cyber security
Cyberinsights: COVID-19 and what it means for cybersecurity
Four concepts for resilience and the implications for the future of resilience engineering