Cyber resilience has emerged as a complementary concept to cybersecurity, expanding the traditional predictand-protect paradigm to include business continuity and adaptive capacities. However, much of the literature remains normative, emphasizing what organizations should do, rather than analyzing what cyber resilience looks like in practice. This paper presents a theoretical framework for analyzing cyber resilience in organizations. Drawing on resilience theory and socio-technical systems theory, the framework identifies four interdependent capabilities-anticipate, withstand, recover, and adapt-and uses the principle of joint optimization to examine how technical and social elements interact within and across these capabilities. The framework was developed using a concept analysis method and is designed to be applied to empirical data, such as interviews or case studies. Its key contribution is to enable structured analysis of how resilience manifests, and how diferent capabilities compensate for one another depending on the system's state. We argue that the organization is constantly evolving and changing, meaning that observations are of a temporary system state that has already begun to change. However, analyzing snapshots of the system's capabilities can help identify areas for improvement. Future research can apply the framework to understand the mechanisms underlying cyber resilience.
Cyber resilience has emerged as a complementary concept to cybersecurity, ofering a broader
perspective on how organizations prepare for and respond to digital threats. With the rise of complex and
persistent cyber threats, some limitations in traditional cybersecurity approaches have become visible.
One such limitation is the tendency to assess risks only at a technical level, estimating, for example,
a server’s vulnerability without fully understanding the operational consequences of system failure
[
CEUR Workshop
ISSN1613-0073
Despite the growing attention to cyber resilience within politics, industry, and research, there remains
a lack of structured, theory-informed approaches to analyze the behaviors and responses that promote
resilience in organizations during cyber incidents. While many cyber resilience frameworks exist, most
adopt a normative stance, defining what resilience should look like, rather than capturing how it is
promoted in practice. This normativity often fails to recognize the ambiguity in resilience-related
situations found in reality [
The concept of resilience, originating in physics and material science, describes how systems respond
to external disturbances or stress. It was initially used to characterize the ability of materials to absorb
energy and return to their original shape. Over time, the concept has been adopted across various
disciplines—including ecology, psychology, engineering, economics, and, more recently, cybersecurity,
each adapting the term to suit diferent system behaviors and contexts [
Holling [
Organizational cyber resilience ought to be viewed through the lens of ecological systems, as this
provides a more realistic and flexible conceptual foundation for cyber resilience than the engineering
model. While engineering resilience builds on the idea of a closed system perspective with clear
boundaries and predictable ways of recovery, an organization is an open system continuously being
shaped by its interaction with the environment. An organization’s survival depends on its relation to
external and internal actors and conditions [
An organization can have cybersecurity without being cyber resilient, but it cannot be cyber resilient
without cybersecurity [
Resilience can be understood to operate across two dimensions: planned and adaptive resilience
[
To explore how resilience may be understood and analyzed, it is helpful to consider four core capabilities:
anticipate, withstand, recover, and adapt. These capabilities are not drawn from a single unified definition
but recur across literature on cyber resilience, system resilience, and crisis response [
• Anticipate refers to the organization’s ability to recognize and prepare for potential disruptions.
This might involve formal activities such as risk assessments, scenario planning, or technical monitoring, but also includes informal practices like cultivating situational awareness, encouraging knowledge sharing, or drawing on intuition based on experience. • Withstand is the ability to absorb and contain the efects of disruption without losing core functionality. It includes technical protections and social and organizational factors such as team cohesion, trusted leadership, and the ability to make decisions under stress. • Recover focuses on restoring function after a disruption. This may involve structured processes such as incident response, system restoration, and more improvised eforts like sensemaking, re-prioritization, and mobilizing internal networks to stabilize operations. • Adapt is about making longer-term changes based on lessons learned. It can include refining processes, updating policies, restructuring systems, or shifting organizational norms. Adaptation may be incremental or transformational, often based on insights gained during recovery.
Organizations are best understood as socio-technical systems, meaning they are composed of both
technical and social elements that interact to shape system behaviour [22]. A socio-technical system
(STS) consists of two interdependent elements: the technical and the social. The technical element
includes infrastructures, supporting artefacts, and digital systems, while the social element comprises
people, roles, norms, and work practices. These elements are interconnected and should not be viewed
as separate or isolated; they function as part of a larger whole [23]. STS are made up of humans
using technology to carry out tasks within an organization to achieve defined objectives [ 24]. The
social dimension aims to design work environments and organizational structures considering people’s
psychological needs. It is not just about doing the job eficiently, but about people: doing meaningful
work, feeling a sense of belonging to the group or organization, and feeling responsible for what they
do. The purpose of the technical dimension is to provide the organization with technologies enabling
it to achieve its goals [25]. Understanding the technical and social diferences is central to how we
think about cyber resilience. Resilience is not something that resides in a technical solution or an
individual. Instead, it emerges from how social and technical elements work together to respond to
disruption [
Joint optimization is a central principle of socio-technical systems theory. It suggests that a system’s social and technical parts must be co-developed to create sustainable system performance. If an organization aims to improve functions or eficiency through isolated changes in technology or social factors, it will create an imbalance. Technology and humans afect each other, and it is in the interaction between these that the actual functioning of the system is shaped. Therefore, it is suggested that a system cannot be understood or enhanced if the interdependent relationship of the components is ignored [22]. Technology shapes how people work, while people’s behaviours, habits, and needs influence technology. For example, suppose an organization introduces an advanced cybersecurity software without considering how the business operates or providing support to understand it, there is a risk that it will be used incorrectly or not at all. Similarly, a strong security culture is insuficient if the technical measures that support secure behaviour are missing. For the system to work, technology and human factors must evolve in tandem and with each other [26]. Joint optimization means designing and managing a system’s social and technical elements in parallel, so they support each other and work together to achieve overall system performance.
The research approach is based on Näsi [27]’s concept analysis model, as presented in Nuopponen [28], which outlines four interrelated phases. First, a knowledge foundation is established through a literature review. Second, relevant concepts are distinguished from related or overlapping terms (external analysis). Third, the internal structure and relationships of the selected concepts are examined (internal analysis). Finally, conclusions are drawn in the form of a structured framework intended to support empirical analysis. The process began with a review of the literature on cyber resilience. We noted that most contributions are normative in nature and ofer limited solutions for analyzing what organizations do in practice. To address this, we traced the conceptual roots of cyber resilience in resilience theory, identifying two main perspectives: engineering and ecological. We chose the ecological perspective as our main perspective to frame resilience as a dynamic property of open systems. We then returned to the cyber resilience literature and identified four commonly cited capabilities: anticipate, withstand, recover, and adapt. These capabilities form the foundation of the framework. To analyze how these capabilities manifest in practice, we introduced snapshots, temporary representations of the system’s state before, during, or after a disruption. Each snapshot allows for examination of which capabilities were active and how they interacted. Finally, we applied socio-technical systems theory to assess the alignment between technical and social components within each capability. The principle of joint optimization was used to identify potential imbalances. The outcome is an analytical framework intended for use in empirical case studies.
The analytical framework brings together two perspectives: organization as a socio-technical system
and resilience as an emergent property of that system. In this framework, the organization is understood
as an open, dynamic system that consists of independent social and technical components. Drawing on
the ecological systems thinking, resilience is conceptualized not as returning to a fixed equilibrium, but
as the system’s ability to remain functional within or across diferent states of stability or “basins of
attraction” [
To capture how resilience is manifested over time, the framework uses the concept of “snapshots”, discrete analytical moments. To analyze an incident includes identifying what the organization did before, during, and after the disruption. At each stage, diferent resilience capabilities may be utilized or emphasized; diferent states are shown in Figure 2. For example, in a stable state, its anticipatory capabilities, such as risk assessment, crisis management plans, or protective actions, are likely to be visible before a disruption. These are aimed at preserving a desired state. Other capabilities emerge when the situation changes, such as during an attack. Withstand and recover become more central as the organization works to contain the disruption and restore core functionality. By breaking the timeline of an incident into analytical moments, we can observe how resilience is not constant, but shifts depending on the system’s state and the nature of the threat. This structure supports a nuanced analysis of how these capabilities work in practice and provides a foundation to examine the socio-technical balance within each capability.
Within each capability, the framework allows for analysis on the degree of alignment between the social and technical components using the principle of joint optimization. Joint optimization does not mean that we are aiming for a consistent 50/50 distribution of social and technical components, but rather to find a state where the social and technical elements are mutually supportive and proportionate to the needs of the situation [22]. To clarify, some situations might refer to balance as a highly technical solution supported by a minimal social component, such as training or understanding how to operate it. Other situations might require a social component to dominate, while the technical tool is supportive. Imbalance occurs when one dimension is overdeveloped or overloaded without suficient support from the other [26]. For instance, an organization is recovering from an ongoing cyberattack and has deployed an advanced backup system to restore data. However, if staf are unsure how to access or activate the system under pressure, or if communication between IT and operational teams is unclear, the recovery process may stall. In this case, the technical component is strong. Still, the lack of social support, such as training, clear roles, or communication routines, creates an imbalance that weakens the overall recovery capability. This places pressure on one part of the system, weakening the overall capability. By identifying these imbalances in the diferent phases of an incident, the analysis can show where resilience is constrained not by a lack of efort but by a lack of integration. Joint optimization is, therefore, not the result but a diagnostic measure for evaluating the efectiveness and coherence of each capability within the socio-technical system.
To illustrate cyber resilience, we utilize the basin of attraction model (see figure 2). The basin of
attraction stems from ecological resilience theory and is commonly used to visualize how systems
respond to disturbances [31]. In this analogy, the ball represents the organization and its position in
the current operational state, and the basin walls symbolize the organization’s resistance to change.
The steepness of the basin walls illustrates an organization’s ability to absorb disruption. With a
shallow basin, even a moderate disruption could afect the organization, and disturbances can afect
and unbalance its current state. From this perspective, resilience is not only about resisting change but
also about the system’s ability to maintain a position and adapt and change into a new position when
facing a disruptive change [
Working with cyber resilience requires shifting between an open and a closed system perspective.
An open system perspective views the organization as dynamic, constantly interacting with and shaped
by its environment. It acknowledges the organization’s system-of-systems nature, where internal
subsystems are interlinked and influenced by external factors such as political, economic, ecological,
societal, and technological. In contrast, a closed system perspective treats the system as temporarily
bounded and stable, enabling analysis and targeted intervention [
In each case, the analysis considers what was done and how these actions were supported technically and socially. If a technical backup system was in place but no one knew how to activate it, this would indicate an imbalance under the recover capability. Conversely, if recovery eforts were coordinated efectively between IT and operational staf, it might suggest a high degree of joint optimization. This way, the framework supports a structured, socio-technical interpretation of resilience-in-practice without reducing it to checklists or static maturity models.
To demonstrate how the framework can be applied, Table 1 presents an example based on a hypothetical incident. The example shows how observed or reported actions during diferent phases of an incident can be categorized under the four core capabilities. Each entry is then assessed based on whether it reflects a technical, social, or socio-technical response, followed by an interpretation of how well joint optimization is achieved. This allows for a structured analysis of strengths and imbalances in how resilience is enacted across the socio-technical system.
Using the analytical framework, we expect to gain a better understanding of the activities in the four capabilities enabling cyber resilience in organizations, taking one step towards operationalization. This includes evaluating the relationship between the capabilities and whether they are supported by a socio-technical balance of people and technology, or if resilience is constrained by misalignment.
This paper set out to address a gap in the cyber resilience literature. While the concept has gained widespread attention, it is often treated normatively, with limited tools for analyzing what organizations do to be resilient in practice. Our motivation has shifted focus from what resilience should look like to how it is enacted within organizations. We address the research question: How can cyber resilience be analytically framed and assessed to reflect its emergent, socio-technical, and behavioral characteristics during cyber disruptions? by developing an analytical framework grounded in resilience theory and socio-technical systems thinking. The framework identifies four core capabilities: anticipate, withstand, recover, and adapt, and provides a structure for analyzing how these capabilities are activated across diferent system states. By incorporating the principle of joint optimization, the framework also highlights how technical and social components shape the efectiveness of each capability.
Future research could apply this framework to empirical case material to further assess its usefulness and refine its components. Doing so could support a deeper understanding of how cyber resilience is operationalized within real-world contexts. We hope this framework will support researchers and practitioners alike in making cyber resilience more observable and actionable.
While preparing this work, the author(s) used ChatGPT and Grammarly to check grammar and spelling. After using these tools, the author(s) reviewed and edited the content as needed and take full responsibility for the publication’s content. [18] S. Hosseini, K. Barker, J. E. Ramirez-Marquez, A review of definitions and measures of system resilience, Reliability Engineering & System Safety 145 (2016) 47–61. URL: https://www.sciencedirect. com/science/article/pii/S0951832015002483. doi:10.1016/j.ress.2015.08.006. [19] T. Williams, D. Gruber, K. Sutclife, D. Shepherd, E. Y. Zhao, Organizational Response to Adversity: Fusing Crisis Management and Resilience Research Streams, The Academy of Management Annals 11 (2017). doi:10.5465/annals.2015.0134. [20] T. Panagiotis, R. Holfeldt, M. Koraeus, B. Uckan, R. Gavrila, G. Makrodimitris, Report on cybercrisis cooperation and management., Technical Report, Publications Ofice, LU, 2014. URL: https: //data.europa.eu/doi/10.2824/34669. [21] F. Björck, M. Henkel, J. Stirna, J. Zdravkovic, Cyber Resilience – Fundamentals for a Definition, Advances in Intelligent Systems and Computing 353 (2015) 311–316. doi:10.1007/ 978-3-319-16486-1_31. [22] G. Baxter, I. Sommerville, Socio-technical systems: From design methods to systems engineering, Interacting with Computers 23 (2011) 4–17. URL: https://academic.oup.com/iwc/article-lookup/ doi/10.1016/j.intcom.2010.07.003. doi:10.1016/j.intcom.2010.07.003. [23] B. Whitworth, A Brief Introduction to Sociotechnical Systems:, in: M. Khosrow-Pour, D.B.A. (Ed.), Encyclopedia of Information Science and Technology, Second Edition, IGI Global, 2009, pp. 394–400. URL: http://services.igi-global.com/resolvedoi/resolve.aspx?doi=10.4018/978-1-60566-026-4.ch066. doi:10.4018/978-1-60566-026-4.ch066. [24] R. P. Bostrom, J. S. Heinen, MIS Problems and Failures: A Socio-Technical Perspective. Part I: The Causes, MIS Quarterly 1 (1977) 17–32. URL: https://www.jstor.org/stable/248710. doi:10.2307/ 248710, publisher: Management Information Systems Research Center, University of Minnesota. [25] S. H. Appelbaum, Socio‐technical systems theory: an intervention strategy for organizational development, Management Decision 35 (1997) 452–463. URL: https://doi.org/10.1108/00251749710173823. doi:10.1108/00251749710173823, publisher: MCB UP Ltd. [26] M. Malatji, S. Von Solms, A. Marnewick, Socio-technical systems cybersecurity framework, Information & Computer Security 27 (2019) 233–272. URL: https://www.emerald.com/insight/ content/doi/10.1108/ICS-03-2018-0031/full/html. doi:10.1108/ICS-03-2018-0031. [27] J. Näsi, Ajatuksia käsiteanalyysista ja sen käytöstä yrityksen taloustieteessä, Yrityksen taloustieteen ja yksityisoikeuden laitoksen julkaisuja: Tutkielmia ja raportteja, Tampereen yliopisto, 1980. URL: https://books.google.se/books?id=eX1cAAAACAAJ. [28] A. Nuopponen, Methods of concept analysis-tools for systematic concept analysis (part 3 of 3), LSP Journal-Language for special purposes, professional communication, knowledge management and cognition 2 (2011). [29] S. Andersson, E. Bergström, M. Lundgren, K. Bernsmed, G. Bour, Information security risk management tools in the air trafic management domain: what are practitioners’ needs?, Information Security Journal: A Global Perspective (2025) 1–18. [30] H. Fujita, S. Yoshida, K. Suzuki, H. Toju, Alternative stable states of microbiome structure and soil ecosystem functions, Environmental Microbiome 20 (2025) 28. URL: https://doi.org/10.1186/ s40793-025-00688-4. doi:10.1186/s40793-025-00688-4. [31] D. Briske, A. Illius, J. Anderies, Nonequilibrium Ecology and Resilience Theory, 2017, pp. 197–227. doi:10.1007/978-3-319-46709-2_6.