0000-0002-3631-2626 (P. Bednar); 0000-0002-7149-3354 (C. Welch); 0000-0003-2981-6516 (M. Sadok) © 2023 Copyright for this paper by its authors.

Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

CEUR Workshop Proceedings (CEUR-WS.org) At one time, organizational management was viewed by researchers as a challenge of bringing together optimal resources in order to achieve some predefined objectives [ 38, 36 ]. However, in more recent times, it has been recognized rather as an exercise in maintaining or enhancing the organization’s position amid the various forces operating upon it from its environment [ 39, 11, 12, 7 ]. An organization can be viewed as an open system in which many human and non-human elements interact [ 6, 11, 14, 20 ]. At every level, organizational actors will be making sense of their situations while interacting and co-creating their contextually- dependent roles. Many and varied norms and objectives will emerge in different parts/levels of the organization [ 6, 11 ]. While it would be possible to conceive of professional, business activities as constituting a system to be served by another system of technical resources, such a mental model is inadequate in practice as a reflection of organizational life as it is lived. Clearly, design of any serving system would depend upon the conception of a system to be served [ 6, 7, 10 ]. When such a system is itself perceived as continually (re-) creating itself in response to evolving contextual dependencies, it follows that coevolution of these two perceived systems would be imperative [ 3, 4, 7 ]. Once this is accepted, the shift to a sociotechnical mental model is essential, i.e. one in which organizational systems are viewed as emerging through interactions among actors in their professional roles, and using relevant technologies, within an organization’s social and organizational context [ 15, 24, 34 ].

It has long been recognized that the apparent epistemological divide between business organization and an associated information system represents a false dichotomy [ 20 ]. In the age of M-commerce, and as we move from Industry 4.0 into the realms of Industry 5.0, in which products are routinely customised to individual client requirements, and sales must address a target market of one, most managers would recognize that digital resources are fundamental to the business [ 8 ]. Yet even today, when the overwhelming majority of organizations depend upon both connectivity and instant availability of data, the perception persists that developing and managing these resources is best left to technical experts.

For many years, researchers have been pointing out that IT services are only useful in conjunction with embedded competences of staff throughout the organization [ 27 ] and that attention needs to be paid to whole work systems in which communication and information technologies will be situated [ 31 ]. Recognition does emerge among researchers in technical spheres that challenges extend beyond their domain. For instance, research relating to digital innovation may acknowledge that attention must also be paid to process innovation [ 26 ]. However, this continues to ignore the indivisible relationship between design of any technological system and its system for use [ 25 ]. The pervasive nature of digital resources in the current age has led to a change in focus from innovation projects to ‘digital transformation’, which goes some way to signposting a more holistic perspective. Jiang [ 19 ], for example, suggests moving from a project-based to a programme-based approach to transformation, and points out the pitfalls when moving from strategic to operational levels of attention that management may become fragmented between different areas of an organization. When dealing with external threats to business prosperity, resilience may depend upon a whole system view. For instance, in a study of resilience following the recent pandemic, Saleh Al-Omoush, Simón-Moya, & SendraGarcía [ 33 ] suggest that: “Achieving e-business proactiveness requires investment in social capital and collaborative knowledge creation to respond to … crises” (2020, p.286).

ISO/IEC 27032:2023 defines cybersecurity as the protection of privacy, integrity, and accessibility of data information in Cyberspace, a complex environment, resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it. Efforts to ensure the security of an information system in use may be seen as an instance of intentional organizational change, where that change is both endemic and continuous. The system must be designed so that the variety in its behaviour can match the variety in its environment [ 5 ], and this will itself be in a state of continuous change. The multiple dimensions of connectivity, which transcend traditional organizational boundaries, will mean that the system for use of any information technology must be designed to be flexible and responsive to evolving threats. There is no opportunity to stand back and consider how best to tackle particular issues, as situations move on quickly and delay may be disastrous. It must, instead, be possible for human and technological aspects of the system to coevolve to meet new challenges, as both work patterns and environmental threats change. In this way, the need for proactive, as well as reactive security measures can be anticipated [ 30 ].

There are many forces outside the boundary of an organizational system that challenge its ongoing stability and prosperity. In recent decades, these challenges have included a rise in cybercrime and other types of cyber loss. This could mean security or data breaches, attacks by hackers, employee errors, industrial espionage, and ransomware. Such cyber incidents are becoming increasingly prevalent and costly, and are the inverse image of the increasing dependence upon connectivity and digital transformations of organizations. Business continuity and sustainability may be threatened by these threats, and reputation damage may be very costly. The Allianz Risk Barometer for 2023 [ 1 ], which consults risk managers in some 94 countries, highlights business interruption and supply chain disruption, together with cyber incidents as the top areas of concern in business, with 34% of votes each, reflecting the importance of the digital economy. Moreover, the consequences of cyber incidents may not be limited to financial loss, as the recent data breach relating to the Police Service for Northern Ireland has illustrated [ 18 ].

However, as Perozzo, Zaghloul and Ravarini [ 28 ] point out in relation to SMEs, organizations can struggle to achieve a satisfactory level of readiness to address cyber issues. While many recognize that everyone involved has a role to play in cybersecurity, and experts providing advice may suggest a sociotechnical approach, attention still seems to focus on technologies and technical expertise. McEvoy and Kowalski [ 22 ] suggest that problems arise because of ‘degradation in working practices over time’ (p.48) and offer an ethnographic approach that maps cybersecurity threats against ‘poor working practices’. However, there may be a danger here that actors struggle to identify which are the ‘poor’ practices involved, and by the time an ethnographic analysis has been completed to produce a relevant map, both the internal and external environments of the organization have changed again.

Cybersecurity policies will need to be derived which are clear to all and adaptable in use to meet on-going challenges. While any organization will, of course, require appropriate technological tools to protect its vital systems, these will be unlikely to be efficacious unless they are embedded in sound organizational routines and practices, and understood by all. Just as organizational systems must coevolve, so too must policies be derived in consideration of the many, varied, and contextually dependent professional roles in which actors are engaged, and with their active involvement [ 31 ]. Ghelani [ 16 ] conducted a qualitative study among Korean businesses to determine how businesses approached information security policy. The results showed an overwhelming focus on preventive measures. He goes on to suggest that a management perspective, rather than an exclusively IT viewpoint, could aid businesses in adopting new organizational practices and change management activities. Lee [ 21 ] suggests that investment in cyber risk management could take a four-layered approach: • a cyber ecosystem layer to build an understanding of the external environment; • a cyberinfrastructure layer to evaluate organization, internal actors, and existing cyber technologies; • a cyber risk assessment layer to focus on assessment of risks; and • a cyber performance layer to conduct specific cyber security activities.

However, crucially, he suggests that: “All the four layers are strongly intertwined and referenced to the cyber risk management framework, so that a holistic cyber risk management is achieved” (2021, p.28).

Organizations need to embrace good system design and effective management practices in order to address cybersecurity challenges successfully. We suggest that this is best achieved by adopting a sociotechnical perspective to design of work systems, using appropriate tools and techniques [ 8, 40 ]. It is the interactions among engaged actors on an ongoing basis, forming a complex, open system, that co-creates and re-creates what is recognizable as ‘organization’ [ 6, 7, 8 ].

By considering business professionals’ own understandings of their contextually dependent work roles, security measures can be related to actual, everyday professional practice. By involving all relevant stakeholders in developing sound practices, cyber security risks may be identified, assessed and mitigated and a culture of security awareness can be promoted [ 32 ]. Security practice will therefore be meaningful to stakeholders, who will see it as part of their own zones of responsibility and not as something to be left to remote IT ‘experts’ [ 31 ]. Engagement and participation by professionals at all levels is needed to promote design of systems that are not only user-friendly, but genuinely supportive of meaningful use in context. Principles for good sociotechnical design should be considered at all stages and levels, whenever desirable change is contemplated. Where change is endemic and continuous, these principles become imperative. Flexible systems that are adaptable in use can deal with security contingencies without generating unintended consequences, or requiring professionals to engage with ad hoc “workarounds” to enable them to complete their work.

Reflecting upon the issues set out above, a study was conducted, which was designed to illuminate actual experiences of actors in real-world organizations in relation to cyber security.

The study undertaken is an exploratory study, conducted from an interpretive stance. This means that it was not intended to test any particular hypothesis, or to uncover any statistically significant or generalizable conclusions, but rather to shed light on actual, experienced practices within a sample of real-world organizations. The reported results may, of course, be used to generate further investigations into any patterns that appear to emerge. Spratley (1980), cited in Robson [ 29 ], illustrates the distinction between exploratory and positivist forms of inquiry by analogy with the roles of petroleum engineers and pioneers. The former begin their inquiries with careful study of geological maps to identify areas likely to have gas or oil below ground. They then go on to carry out detailed surveys to ‘find’ these resources they suspected to be there. This is a positivist stance. Pioneers, in contrast, go out to discover the terrain. They take a path, retrace their steps, take another, and so on until they come upon interesting features, such as a wood or a lake. They take frequent compass readings, note prominent landmarks, and record observations. The result is a better conception of the nature of the area than they had before.

In taking a critical, interpretive stance, the team recognize that respondents’ accounts of their experiences are not simple reflections of an objective reality. They, and the inquirers, are part of the arena of inquiry and co-creators of the inquiry process, and the conversation that emerges. The inquiry intrudes into participants’ private worlds of experience and takes place within their individual work contexts. It is necessary to bear these points in mind and also to consider the double hermeneutic involved in any inquiry into human experience – the subject is interpreting the inquirer, and vice versa (Hammersley and Atkinson, 1983, cited in [ 37 ]). A critical stance means that the team needs to question assumptions made, about process and about results obtained [ 25 ].

The study made use of instruments from the Sociotechnical Toolbox [ 40 ], which were used as the basis for a semi-structured interview protocol. (NB the instruments in the toolbox cover a range of areas and issues besides cybersecurity, but these are beyond the scope of the current paper). The interviews were intended to take the form of guided conversations. The initial questions, some open-ended and some closed, were intended to elicit a response that could then be followed up in a conversational manner to draw out participants’ own views of their experiences and practice. Participants were, in many cases, interviewed more than once following reflection upon their responses. The semi-structured nature of the protocol was advantageous in helping to promote consistency among the approach of different interviewers, but was not to be regarded as a survey.

Sampling was undertaken on a convenience model. The team of investigators was diverse in background and employment, and therefore interview participants were drawn from a range of companies in which the team members had contacts from their own professional and social networks. The companies therefore varied in size, from large multinational corporations to small local businesses, in sphere of business – including both public and private sector organizations, and in all geographic location, though almost all were UK based. The interviewees were all employees from non-IT professions, who, according to their own description, handle sensitive data and therefore, should take security considerations into account while doing their job.

Since the study presented here is qualitative and interpretative in character, the numbers set out are intended only to display transparency and to support a discussion related to patterns disclosed.

Interviews were conducted with 471 employees from 259 different organizations, drawn from both private and public sectors. Each one of the individual employees were interviewed more than once, over a period of five to six months, each interview lasted between 30 minutes to 1 hour. The discussion in this paper is based on two subject areas, Sociotechnical and Cybersecurity (including Systemic Sustainability).

In this paper, we explore findings related to a subset of a few emerging areas of concern.

The challenges this paper seeks to highlight are concerned with engagement by all interested participants with the context and impetus of change. Implementation of cybersecurity practices is an example of an IS and organizational change which is intended to directly impact on, influence, and change, the real-world work system that the employee is engaged with. As such it is also a prime example of a sociotechnical IS and IT project. The literature of IS has been littered with case instances of failure in information technology projects and the difficulties of bringing projects to a ‘successful’ conclusion [ 4, 6, 25 ]. Many solutions have also been presented in the past, but the problem persists. The very concept of a ‘project’ and the expectation of a ‘conclusion’ may lie at the heart of these failures. Technological solutions cannot be developed in isolation from people who will use them, in contexts that are real, ongoing, complex and ‘messy’. Amarilli, van den Hooff and van Vliet [ 3 ] highlight the complex coevolution dynamics involved in successful use of IT resources, and call for a sociotechnical approach. Organizational transformation involves changing every aspect of the system. It is not possible to change one aspect alone without this impacting on the whole [ 10,12 ]. Attempts to make unilateral changes to technological elements in a work system are likely to result in unintended consequences [ 17 ].

A sociotechnical perspective does not, of itself, lead either to successful change or systems experienced as useful. Savageta, Geissdoerfera, Kharrazib and Evans [ 35 ] discuss their extensive literature review on sociotechnical systems change and sustainability, saying that “The analysis of sociotechnical systems often implies the ultimate idea that there are mutually reinforcing and highly institutionalised processes in sociotechnical regimes. This makes it difficult for sustainable innovations to succeed against the existing unsustainable alternatives, consequently constraining radical structural changes.”

It is suggested that when business is conceived as organized activity among people, a transformation process can best be seen as an emergent learning process, whereby exploration and (co)understanding of contextual dependencies are supported by appropriate socio-technical tools and techniques [ 8 ]. As March [ 23 ] pointed out, technological change involves trading off exploration of new possibilities with exploration of old certainties in organizational learning. In relation to sociotechnical systems design, relevance of contextual analysis is emphasised, i.e. exploring human and technical dependencies together in the context of an evolving organizational environment.

As Ciborra and Willcocks [ 13 ] highlighted, a situated perspective is needed, calling for methods of inquiry which capture the inner lives of actors: minds and hearts. Without such an approach it is difficult to see any significant evidence of any increase in cybersecurity in practice.