
ETD

Digital archive of theses discussed at the University of Pisa

 

Thesis etd-04022024-163746


Thesis type
PhD thesis
Author
NERI, MARTINA
URN
etd-04022024-163746
Thesis title
Uncovering the cyber side of organizational resilience. A conceptual development and a Small and Medium Enterprises investigation
Academic discipline
SECS-P/10
Course of study
ECONOMIA AZIENDALE E MANAGEMENT
Supervisors
tutor Prof. Niccolini, Federico
supervisor Prof. Virili, Francesco
Keywords
  • cyber organizational resilience
  • cybersecurity
  • organizational resilience
  • small and medium enterprises
Graduation session start date
11/04/2024
Availability
Withheld
Release date
11/04/2064
Summary
Understanding and investigating organizational resilience (OR) should be regarded as an essential facet of current research. This is particularly true given the array of high-impact, even disruptive, events that organizations experience worldwide (e.g., COVID-19). Thus, a capacity for resilience is needed by organizations that want to overcome challenging conditions (Bouaziz and Hachicha, 2018).
Although it has been widely discussed, unresolved gaps surround the concept of organizational resilience, for example the lack of a univocal conceptual development and the “resilience to what?” debate (Hepfer and Lawrence, 2022). A new research domain now focuses on the cyber side of OR. The cyber organizational resilience (cyber-OR) challenge is a growing and evolving issue due to the large number of cyber threats affecting organizations of all sizes (WEF, 2022; Verizon Report, 2022). Current research on cyber resilience (CR) is mainly conducted in the engineering domain, and a technical focus is prevalent. However, since cybersecurity nowadays involves almost every organizational dimension, organization science is a new, yet promising field (Tejay and Klein, 2021).
This dissertation focuses on cyber-OR as a construct that allows organizations, especially the small ones, to adopt a proactive approach when confronted with a cyber-attack. The research context of this dissertation is that of Italian and Swiss Small and Medium Enterprises (SMEs).
From a practical perspective, there were an estimated 332.99 million SMEs worldwide in 2021 (Statista, 2023). Indeed, most enterprises in Italy and Switzerland are small ones (95.2% and 99.7%, respectively) (ISTAT, 2023; OECD, 2022). This opens the ground for the analysis and discussion of a critical component of these countries’ economic structure.
From the cybersecurity perspective, “small businesses are three times more likely to be targeted by cybercriminals than larger companies” (Segal, 2021, p. 1). The Italian and Swiss landscapes are no exception, with a rise in cyber-attacks, especially those in the social engineering category (CLUSIT, 2023; SRI, 2022). Additionally, SMEs are widely recognized for their limited access to resources, lack of cybersecurity specialists and training, and an optimistic risk appraisal (Gafni and Levy, 2023; Renaud and Weir, 2016).
However, the SME context is under-researched, and various scholars have pointed to it as a fruitful and necessary research avenue (Annarelli and Nonino, 2016; Pal et al., 2014), especially in the cyber domain (Sukumar et al., 2023; Wilson et al., 2022). An investigation of SMEs thus addresses a research gap in both OR and cybersecurity.
Both the Italian and the Swiss contexts are useful for understanding the cyber-OR concept due to the above-mentioned factors. Moreover, the Swiss context results from the visiting period at the “Centre Universitaire d’Informatique” at the University of Geneva.
Based on the above discussion, the main research question of this dissertation is: What is the current level of cyber-OR in SMEs?

Cyber-OR is a new yet promising construct; however, it is highly fragmented and consensus is far from being reached. In this sense, there is a need to extend and complement the existing literature on OR by considering the cyber-attack as a triggering event.
Thus, a systematic literature review was developed following Jesson et al.’s (2011) prescriptions to ensure methodological rigor, transparency, and reproducibility. The analysis focused on a final set of 127 papers, of which 45 dealt with cyber-OR and 82 with OR. The analysis led to the identification of key OR and CR features and thus of both redundant and inconsistent themes in the literature. Overall, the results informed the development of an integrative conceptual framework on cyber-OR, adopting a complementarity-oriented approach. Moreover, the analysis led to a novel and comprehensive conceptualization of cyber-OR (i.e., organizational resilience in the context of cyber-attacks and cybersecurity). Consistent with the literature review results, cyber-OR is defined in this research as a multifaceted concept that includes three stages, namely anticipation and preparation, response and withstand, and recover and learn. All three stages and their related constructs and features are causally linked, thus emerging as functional to an effective overall level of cyber-OR. This perspective reinforces the idea of cyber-OR as a feedback process.

Based on the systematic literature review, qualitative exploratory research was performed on the cyber-OR tools and practices implemented by Italian SMEs. Moreover, consistent with the above-mentioned SME discussion, this investigation focuses on the hindering factors SMEs face while dealing with cybersecurity and how these affect them while implementing cyber-OR features. This study employed semi-structured interviews as a research methodology. Interviews took place during 2022 over a period of 4 months. Each interview was administered to SME key informants upon permission to participate in the research and lasted 45 minutes on average. Theoretical saturation and information redundancy (Glaser and Strauss, 1967; Onwuegbuzie and Collins, 2007) were reached, leading to a total of 31 interviews.
The semi-structured interviews were then analyzed using thematic analysis following Braun and Clarke’s (2006) prescriptions alongside provisional and open coding (Boyatzis, 1998; Miles et al., 2014; Saldaña, 2021). This investigation allows for an initial assessment of the cyber-OR tools and practices implemented by SMEs, as well as an understanding of whether hindering factors affect their engagement in a cyber-OR approach and its implementation. All results considered, Italian SMEs fall short in implementing cyber-OR tools and practices, especially the learning ones. Moreover, three main hindering factors have been identified as affecting cyber-OR (i.e., lack of awareness, budget and resource scarcity, and small organization size).

Driven by the main research question, the literature review, and qualitative investigation results, a quantitative study was performed. The working hypothesis behind this proposal assumes that the organizational learning capabilities (OLCs) impact both OR and cyber-OR. Moreover, this study aimed at assessing the scores obtained in OR and cyber-OR, additionally dividing the sample into two categories, namely organizations that suffered a cyber-attack and those that had not.
An online survey was distributed via institutional contacts to Swiss SMEs. The survey was based on previous studies and employed validated measures. The survey was back-translated (Brislin, 1970) from English to French. Additionally, the survey was sent to an expert panel to assess content validity. A five-point Likert scale (Likert, 1932) was employed for each item, which keeps the study consistent with previous literature on the employed measurement (Prayag et al., 2018; Shuaib et al., 2022; Sobaih et al., 2021; Camison and Puig-Denia, 2016).
Data analysis was based on partial least squares structural equation modeling (PLS-SEM), which has been described as flexible in handling different model setups and dealing with relatively small sample sizes (Hair et al., 2022). Additionally, using PLS-SEM keeps the study consistent with previous research involving the same variables employed in this study (Jerez-Gómez et al., 2019; Prayag et al., 2018; Wang et al., 2022; Yahia Marzouk and Jin, 2022).
Results demonstrate a higher score in the evaluation of the OR measurement. However, a higher score was obtained from SMEs that suffered a cyber-attack, thus suggesting a change in their attitude after being victims of cybercrime. The hypothesis testing confirms the theoretically acknowledged (Duchek, 2020; Pal et al., 2014; Trim and Lee, 2022; Tsen et al., 2022) role of OLC in prompting OR and its cyber side.

All results considered, SMEs fall short in implementing cyber-OR tools and practices. This is especially true for the learning ones. The results from the quantitative and qualitative analyses align in several aspects. The lack of post-event practices displayed by Italian SMEs and the higher score obtained from SMEs that suffered a cyber-attack further reinforce the idea that undergoing a cyber-incident acts as a stimulus to practice implementation. The lack of a cybersecurity expert in Italian SMEs aligns with the lowest score obtained from Swiss SMEs in the cyber-OR governance section.

All things considered, the focus on cyber-OR, the SME context, and the OLC hypothesis testing stand as a contribution to the knowledge domain, since the concepts are still under-researched and empirical validation is needed. The conceptual development of the cyber-OR concept is offered as a knowledge advancement, thus addressing the need for a thorough examination of the cyber side of OR (Bagheri and Ridley, 2017; Dalal et al., 2022). From a theoretical perspective, this study enriches the literature concerning OR and the newly established construct of cyber-OR.
Given the low research focus on the SME context, this investigation constitutes a valuable contribution to the research domain. The emphasis on SMEs allows proposing that, in light of the results and the analysis of the hindering factors, SMEs need a specific path to achieve resilience, especially its cyber side.
The quantitative contribution further confirms the fundamental role of OLCs in shaping OR and its cyber counterpart (i.e., cyber-OR). Although this role is widely discussed from a theoretical perspective (Vogus and Sutcliffe, 2003; Vogus and Sutcliffe, 2007), it is still under-researched empirically (Orth and Schuldis, 2020). Additionally, the study contributes to theory via the use of the WEF index to assess cyber-OR. Indeed, this measure has been proven statistically valuable in assessing cyber-OR. The “resilience to what?” issue in OR conceptualizations is also reflected in measurement instruments, which according to Cutter (2016) still need to properly differentiate the “to what” and “for whom” issues of resilience.
From a managerial perspective, this dissertation sheds light on the specific cyber-OR features that managers could employ as a roadmap. Additionally, the identification of hindering factors could enable effective countermeasures to mitigate their effect. The OLC investigation serves as a solid base for the development of enhancing practices.

References
Annarelli, A., & Nonino, F. (2016). Strategic and operational management of organizational resilience: Current state of research and future directions. Omega, 62, 1–18. https://doi.org/10.1016/j.omega.2015.08.004
Bagheri, S., & Ridley, G. (2017). Organisational cyber resilience: Research opportunities. ACIS2017: Australasian Conference on Information Systems, 1–10. https://www.acis2017.org/program/conference-program/conference-proceeding/
Bouaziz, F., & Hachicha, Z. S. (2018). Strategic human resource management practices and organizational resilience. Journal of Management Development, 37(10), 537–551. https://doi.org/10.1108/JMD-11-2017-0358
Boyatzis, R.E. (1998), Transforming Qualitative Information: Thematic Analysis and Code Development, SAGE Publications, Thousand Oaks.
Braun, V. and Clarke, V. (2006). Using thematic analysis in psychology. Qualitative Research in Psychology, 3(2), 77-101.
Brislin, R. W. (1970). Back-translation for cross-cultural research. Journal of Cross-Cultural Psychology, 1(3), 185–216. https://doi.org/10.1177/135910457000100301
Camison, C., & Puig-Denia, A. (2016). Are quality management practices enough to improve process innovation? International Journal of Production Research, 54(10), 2875–2894. https://doi.org/10.1080/00207543.2015.1113326
CLUSIT (2023). Rapporto CLUSIT 2023 sulla sicurezza ICT in Italia. Available at: https://clusit.it/rapporto-clusit/
Dalal, R. S., Howard, D. J., Bennett, R. J., Posey, C., Zaccaro, S. J., & Brummel, B. J. (2022). Organizational science and cybersecurity: abundant opportunities for research at the interface. Journal of Business and Psychology, 37(1), 1-29. https://doi.org/10.1007/s10869-021-09732-9
Duchek, S. (2020). Organizational resilience: A capability-based conceptualization. Business Research, 13(1), 215-246. https://doi.org/10.1007/s40685-019-0085-7
Glaser, B., & Strauss, A. (1967). The Discovery of Grounded Theory: Strategies for Qualitative Research. Mill Valley, CA: Sociology Press.
Hair, J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2022). A primer on partial least squares structural equation modeling (PLS-SEM) (3rd ed.). Thousand Oaks, CA: Sage.
Hepfer, M., & Lawrence, T. B. (2022). The Heterogeneity of Organizational Resilience: Exploring functional, operational and strategic resilience. Organization Theory, 3(1), 1-29. https://doi.org/10.1177/26317877221074701
Italian National Statistical Institute (ISTAT), (2022). Annuario Statistico Italiano. Available at: https://www.istat.it/it/archivio/277962
Jerez-Gomez, P., Céspedes-Lorente, J., & Valle-Cabrera, R. (2005). Organizational learning capability: a proposal of measurement. Journal of Business Research, 58(6), 715-725. 10.1016/j.jbusres.2003.11.002
Jesson, J., Matheson, L., & Lacey, F. M. (2011). Doing your literature review: Traditional and systematic techniques. Evaluation & Research in Education, 24(3), 219-221. 10.1080/09500790.2011.581509
Likert, R. (1932). A technique for the measurement of attitudes. Archives of Psychology, 55.
Miles, M.B., Huberman, A.M. and Saldana, J. (2014), Qualitative Data Analysis: A Methods Sourcebook. Sage, London.
OECD (2023), Enterprises by business size (indicator). doi: 10.1787/31d5eeaf-en (Accessed on 04 August 2023)
Onwuegbuzie, A. J., & Collins, K. M. (2007). A Typology of Mixed Methods Sampling Designs in Social Science Research. The Qualitative Report, 12(2), 281-316. https://doi.org/10.46743/2160-3715/2007.1638
Orth, D., & Schuldis, P. M. (2021). Organizational learning and unlearning capabilities for resilience during COVID-19. The Learning Organization, 28(6), 509–522. https://doi.org/10.1108/TLO-07-2020-0130
Pal, R., Torstensson, H., & Mattila, H. (2014). Antecedents of organizational resilience in economic crises—an empirical study of Swedish textile and clothing SMEs. International Journal of Production Economics, 147, 410-428. 10.1016/j.ijpe.2013.02.031
Prayag, G., Chowdhury, M., Spector, S., & Orchiston, C. (2018). Organizational resilience and financial performance. Annals of Tourism Research, 73, 193-196. 10.1016/j.annals.2018.06.006
Renaud, K., & Weir, G. R. S. (2016). Cybersecurity and the unbearability of uncertainty. IEEE. https://doi.org/10.1109/CCC.2016.29
Saldaña, J. (2021). The coding manual for qualitative researchers. London: SAGE.
Segal, E. (2021), “Small businesses are more frequent targets of cyberattacks than larger companies: new report”, Forbes, available at: www.forbes.com/sites/edwardsegal/2022/03/30/cyber-criminals/ (accessed 31 January 2023).
Shuaib, K. M., & He, Z. (2022). Mediating effect of organisational learning and moderating role of organisational culture on the relationship between total quality management and innovation among manufacturing companies in Nigeria. Total Quality Management & Business Excellence, 1-36. 10.1080/14783363.2022.2138313
Sobaih, A. E. E., Elshaer, I., Hasanein, A. M., & Abdelaziz, A. S. (2021). Responses to COVID-19: The role of performance in the relationship between small hospitality enterprises’ resilience and sustainable tourism development. International Journal of Hospitality Management, 94, 102824. https://doi.org/10.1016/j.ijhm.2020.102824
Statista (2023, June 7). Estimated number of small and medium sized enterprises (SMEs) worldwide from 2000 to 2021. https://www.statista.com/statistics/1261592/global-smes/#:~:text=Number%20of%20SMEs%20worldwide%202000%2D2021&text=There%20were%20estimated%20to%20be,in%20the%20provided%20time%20period.
Sukumar, A., Mahdiraji, H. A., & Jafari-Sadeghi, V. (2023). Cyber risk assessment in small and medium-sized enterprises: A multilevel decision-making approach for small e-tailors. Risk Analysis, 1-17. https://doi.org/10.1111/risa.14092
Swiss Re Institute (2022). Cyber insurance: strengthening resilience for the digital transformation. Available at: https://www.swissre.com/institute/research/topics-and-risk-dialogues/digital-business-model-and-cyber-risk/cyber-insurance-strengthening-resilience.html
Tejay, G., & Klein, G. (2021). Organizational cybersecurity journal editorial introduction. Organizational Cybersecurity Journal: Practice, Process and People, 1(1). https://doi.org/10.1108/OCJ-09-2021-017
Trim, P. R. J., & Lee, Y.-I. (2021). The Global Cyber Security Model: Counteracting Cyber Attacks through a Resilient Partnership Arrangement. Big Data and Cognitive Computing, 5(3), Article 3. https://doi.org/10.3390/bdcc5030032
Tsen, E., Ko, R. K. L., & Slapnicar, S. (2022). An exploratory study of organizational cyber resilience, its precursors and outcomes. Journal of Organizational Computing and Electronic Commerce, 32(2), 153–174. https://doi.org/10.1080/10919392.2022.2068906
Verizon (2022). 2020 Data breach investigations report. Retrieved March 25, 2023, from https://www.verizon.com/business/resources/reports/dbir/
Vogus, T. J. & Sutcliffe, K. M. (2003). Organizing for resilience. Positive organizational scholarship: Foundations of a new discipline. In K.S. Cameron, J.E. Dutton, & R.E. Quinn (Eds.), Positive organizational scholarship: Foundations of a new Discipline (pp. 94-110). San Francisco: Berrett-Koehler Publisher.
Vogus, T. J., & Sutcliffe, K. M. (2007, October). Organizational resilience: towards a theory and research agenda (pp.3418-3422). Proceedings of IEEE international conference on systems, man and cybernetics. NJ, USA: IEEE.
Wang, D., Zhao, X., & Zhang, K. (2022). Factors affecting organizational resilience in megaprojects: A leader–employee perspective. Engineering, Construction and Architectural Management, ahead-of-print(ahead-of-print). https://doi.org/10.1108/ECAM-01-2022-0049
Wilson, M., McDonald, S., Button, D. and McGarry, K. (2022). It won’t happen to me: surveying SME attitudes to cyber-security. Journal of Computer Information Systems, 63(2), 1-13, doi: 10.1080/08874417.2022.2067791.
World Economic Forum (2022). Global Risk Report. Available at: https://www.weforum.org/reports/global-risks-report-2022/
YahiaMarzouk, Y., & Jin, J. (2022). An integrative framework for building organizational resilience through environmental scanning: A view of organizational information processing theory. Management Research Review, 46(7), 1016–1042. https://doi.org/10.1108/MRR-11-2021-0790