“[Strategic Planning] is not a box of tricks, a bundle of techniques. It is analytical thinking and commitment of resources to action. Many techniques may be used in the process – but, then again, none may be needed.” (Drucker, 1973,1974) 1

The Socio-Technical Digital Transformation Design

Approach for Security The socio-technical approach is adding a broad perspective to security including not only technical solutions and external risks, but also taking the social factors of security into consideration (Kowalski, 1994) . Peoples ability to understand and accept the additional complexity driven by security is increasingly vital to the enterprise: “The capacity of people to deal with technical and organizational complexity and find meaning and satisfaction working in these systems lags the capacity of organizations to create digitally enabled work systems that technically should work—if only humans can be trained to understand, embrace, and be able to operate effectively and thrive within them” (Scheiber, 2017) Digital transformation of business is driving the appearance of new threats to the enterprise. Security can no longer be perceived as protecting assets from the outside, since tight interdependence across multiple complex entities blurs the border between what is inside and what should be kept outside: “The tight technical interdependence across complex organizations means that errors in one location may cause service disruptions, delays, and even shut-downs in others” (Kerstetter, 2017) The digital socio-technical design approach (Winby & Albers Mohrman, 2018) is suggesting adding strategic planning tools to the socio-technical design model in order to create a strategy driven approach. From a security perspective, this would imply an approach with the combination of a well-known socio-technical security model combined with a commonly used tool for strategic planning. 2

Selecting the model and tools There are many alternative tools and models that could be used for a digital socio-technical security approach. It is outside of scope of this paper to find the optimal combination but as guidance the following adapted the S.M.A.R.T. checklist for Goals (Doran, 1981) summarizes the “design criteria” used:

Well known. Selecting model and tool with accepted use and terminology.

Results should be easily qualifiable and comparable.

Ease of use. Understandable across a wide set of audience with disparate background, not drawing unnecessary attention from the subject. Area (R)ealistic (T)imely

The models should not claim to prescribe or control but aim for strategic guidance, influence and support understanding.

To quote Sheryl Sandberg “Done is better than perfect”. Quick turn-around time to a useful result. The Capability Maturity Model (CMM) was first described by Humphrey (Humphrey, et al., 1987) using five different maturity levels. The work is generally perceived as originating from Nolan’s stage theory (Nolan, 1973) . The model has recently gained popularity with usage in several international standards (ISO/IEC, u.d.) and adaptions by commercial actors like ISACA (ISACA, 2012) , its subsidiary CMMI Institute (CMMI Institute, 2019) among others. A Google search on the term “Capability Maturity Model” results in more than 26MM hits. (April 2019) Maturity models can be both descriptive and prescriptive (Berghaus & Back, 2016) . In Cobit 5 (ISACA, 2012) the model used both to describe the current status of the enterprise and later to set a desired target level (and track changes). Note that the highest level is not always the desired one due to high cost compared with reduced risk. Example of maturity levels for process maturity with an additional level “0” for nonexisting (ISACA, 2012) :

Ad-hoc Repeatable Defined Process Managed and Measurable

Optimized To conclude, the CMM is one of the most widely used models to measure and prescribe maturity in general and particularly in IT and IT-related processes. SWOT Analysis and TOWS Strategies as a Tool for Strategic

Planning The SWOT Analysis is ”[…] a useful tool for reviewing a firm’s competitive position.” (Sammut-Bonnici & Galea, 2014) and consist of a simple 4-box matrix to assess the enterprise internal (S)trength, (W)eakness and external (O)pportunities, (T)hreats. The model has no official creator but is generally known to be first used by the SRI International in the 1960-70 (Humphrey, 2005) . A Google search on “SWOT Analysis” gives over 48MM hits (April 2019) . The TOWS matrix (Weihrich, 1982) creates a suggested path from the SWOT analysis to a generic set of four main business strategies: Focusing on the weakness of the organization and the treats. This is an avoidance strategy. Use as a core strategy for a business it typically results in merger or liquidation since being in business is taking risk.

Focusing on the opportunities in the market by quickly acquiring capabilities either by acquisition or internal build up.

Focusing on using the company strength to reduce an external threat. This could be by using an internal R&D knowledge to prepare for a shift in the market, replacing a current product.

Focus on maximizing existing strength to (continue) to harvest a market opportunity. Sometimes referred to as a “Fat Cat” strategy. The SWOT and accompanying TOWS model continues to be very popular and practitioners favor it since it is easy to explain and use to a wide set of audience when taking a collaborative approach to strategy (Seebohm, 2014) .

Our proposed Combined Approach A Socio-Technical Capability Model We propose a CMM that use dimensions that covers both social and technological aspects of security. As an example, we have created dimensions based on various best practice including SBC (Kowalski, 1994) . The below table shows these dimensions and some sample questions for illustration:

• • • • • • • • • • • • • • •

Does the company understand the culture in the country? Does the company promote the company culture? Is there a company “Code of conduct” and how is it promoted? Does the company see regulation as a business driver or a business inhibitor? Does the company see the regulations as risks or opportunities? Does the company make money on laws and regulations? Is there a policy for information security? Is there a policy for Architecture? Is there a policy for Code of Conduct? Is the operational management based on ITIL or other frameworks? Is operational management part of company strategy? Are there routines for recovery? Are there automated controls over computers and software used? Is there automated backup and restore of our information?

Are there technical installations to protect our data? • Internal state of the socio-technical security posture • Competitors (perceived) position The SWOT model implicitly assumes that one is stronger or weaker compared to a baseline. The analysis can be done without explicitly describing this the baseline, but with the risk for tacit bias. By explicitly stating the baseline the purpose of the SWOT is more clearly described. Example of baselines that could be used would be external cyber threat capabilities or customers/users’ general expectations on security capability.

Based on the result of the CMM assessment, the SWOT can be populated.

(S)trength (W)eakness (O)pportunity (T)hreat

Relationship When the internal socio-technical security posture is stronger than the competitors.

When the internal socio-technical security posture is weaker than the competitors.

When the baseline is lower than the internal socio-technical security posture.

When the baseline is higher than the internal socio-technical security posture. The SWOT is then converted to generic TOWS strategies for security. Note that depending on the choice of baseline and CMM dimensions the specific strategy will look different.

(maxi-maxi)

Comment Security strategy focusing decisions on minimize weakness and threats. (This is probably the most common security strategy) Security strategy minimizing weakness and focusing on security related opportunities.

Security strategy leveraging existing strength and focus on external threats.

Security strategy leveraging existing strength and focus on external security related opportunities.

CMMI at:

Institute home page. [Online] https://cmmiinstitute.com/ 8. ISO/IEC, n.d. ISO/IEC 15504,21827, s.l.: s.n.