This study examines how socio-technical design elements in information security exercises can promote learning in Norwegian municipalities facing significant competence gaps in information security. Drawing on interviews with participants (n=8) from IT and crisis management teams in four Norwegian municipalities one year after participants attended a combined crisis management and information security exercise, we employ thematic analysis to examine learning outcomes through a socio-technical lens that includes culture, structure, methods, and machines. Our findings indicate that the exercise design successfully facilitated double loop learning in particular. Evidence of single-loop learning was also found throughout our socio-technical analysis framework. Evidence of triple-loop learning (organizational transformation) was more limited, but present in structural changes implemented in two of four participating organizations and reflections on inter-municipal cooperation and organizational resilience. The findings indicate that socio-technical exercise design particularly strengthened cultural awareness of information security priorities and exposed structural gaps between IT-teams and crisis
management teams. This study extends Østby and Kowalski’s[
Norway’s national cybersecurity strategy emphasizes the role of exercises, stating that both public and
private entities should prioritize contingency exercises in relation to critical digital infrastructure[
Previous studies have shown that while participants in exercises learn from the learning objects
introduced in exercise directives and scenarios[
ISSN1613-0073
does not contribute to triple-loop learning and therefore does not appear to trigger necessary changes
(transformation) in organizations[
After the introduction, we present the background for the exercises and relevant studies of information security exercises. We thereby provide our theoretical foundations for developing the analysis framework for the study. The study’s methodology is presented in the Method section. Findings are then presented, structured according to our proposed socio-technical and organizational learning analysis framework. Finally, we conclude and suggest future research based on some of this study’s limitations.
In this section we present the exercise design and framework, before we present theoretical foundations on socio-technical systems, and organizational learning.
This study is a part of a research project conducted over a period of 2 years, initiated by previous studies
on single, double and triple-loop-learning artifacts in full-scale cyber-security exercises[
The exercises were prepared for[
Full-scale exercises are the most complex operations-based type of exercises, and they involve
elements of real-time resource mobilization across multiple organizations to test crisis management
capabilities and validate emergency response procedures[
The implementation and operational aspects of in the municipality exercises consisted of: 1. A socio-technical maturity investigation within each municipality and interviews with potential participants to exhale desired exercise goals within each municipality. 2. Development of a cyber-range test-bed to be able to train on 4 main technical issues – 1) Surveillance – and action upon alarms, 2) Isolation, 3) search in logs, and 4) firewall-administration. The test-bed were developed to be as similar to a security-zone divided municipality systemarchitecture as possible, though only 4 applications were used compared to a normal environment with approximately 250 applications and systems. 3. Preparation of an exercise directive and a time-lined dynamic scenario with step-by-step sociotechnical learning objectives and backward design socio-technical learning activities in lectures before the exercises, and in instructions and timeouts/lectures within the exercises. 4. Walk-through with the instructors and EXCON-teams beforehand the exercises (instructors and EXCON-team played ‘the world’ and adapted actions and decisions done in the municipalities into the played scenario) for them to be in line with intended learning activities especially prepared for the municipality at hand. 5. Execution of the exercises. 6. Group evaluation of the exercise.
All of the operational aspects explained above were prepared with socio-technical approaches.
Our study builds on an established theoretical foundation that combines socio-technical systems
theory with organizational learning frameworks, specifically developed for information security
contexts[
In this study we have structured our research and findings into a socio-technical approach as developed
by Kowalski[
Figure 1 provides an overview of the two subsystems and the four components that are interconnected,
as illustrated through arrows which point back and forth between all elements. The interconnectedness
in Kowalski’s[
Triple-loop learning theory is a concept from organizational learning literature. As presented by
Medema, Wals, and Adamowski[
Single-loop learning occurs when organizations refine techniques and methods to achieve better
results within the boundaries of current organizational paradigms[15, p. 26]. Double-loop learning
moves beyond technical refinements to examine whether organizational objectives, assumptions, norms,
and policies should be revised[15, p. 27]. Triple-loop learning has been conceptualized not only in
terms of cognitive transformation (meta-learning), but also as learning that can enable structural and
governance transformation[
Østby and Kowalski[
Figure 2 visualizes the pathways and outcomes of single-, double-, and triple-loop learning adapted
to the context of information security exercises from a figure by Medema et al.[ 15, p.28]. Figure 2
presents how each learning level builds upon the previous while addressing increasingly fundamental
organizational questions[
This study builds on socio-technical analysis as an approach through which we examine how exercise
design elements facilitate learning across the three learning levels and the four socio-technical
components[
Behind this study is the larger question of whether and how transformative learning could be achieved through socio-technical design of information security exercises. More specifically, this study asks the research question RQ1: To what extent do socio-technical information security exercises facilitate organizational transformation through multi-level learning in municipal organizations?
By examining the specific experiences reported by participants in socio-technical information
security exercises as described by Østby and colleagues[
Eight semi-structured interviews were conducted in March and April 2025, approximately one year after the exercises took place in 2024. This timing allowed participants to reflect on more long-term organizational impacts while still maintaining memories of the exercise process and the exercise experience itself.
Interview candidates from the four participating municipalities were contacted, making an efort to recruit one interview subject from the IT team, and one interview subject from the crisis management team. Adjustments were made as we prioritized interviewing two representatives from each municipality in cases where we were unable to recruit participants from both of the teams. The interview subjects had all participated in the exercises, either as part of an EXCON-team, or as a member of the municipal IT- or crisis management team. See table 1 for an overview of interview subjects according to which municipality they worked in and which exercise team they participated in.
All interviews were conducted and transcribed in Norwegian by the first author of this study. The semi-structured interview guide contained open-ended reflection questions, provided in translation (from Norwegian to English) in Appendix A. Interview questions were relatively open-ended and focused on participants’ experiences during the exercise, learning outcomes, and whether or not they had experienced any subsequent organizational changes. Interviews lasted 30-60 minutes and were conducted via video conferencing to accommodate participants’ schedules and geographical distribution (in-person interviews were ofered as an equally available option, but all participants requested video conference interviews).
Translation of the interview transcription was conducted in conjunction with our reported findings, where it is relevant to demonstrate such quotes and excerpts. As a privacy measure, full transcripts will not be published, and the study provides excerpts from the interviews rather than full transcripts. We will not reference the quotes and excerpts to the participant overview, as this could also potentially identify participants. Privacy protection measures were also taken during the interview and transcription process. These measures were important in order to reassure the subjects that they could report their experiences honestly and openly to the research project.
Measures were taken to analyze data in a way that separated the role of the principal investigator of the research project and the contributing author who also participated in the exercise project itself; Interviews were performed and transcribed solely by the first author, and the data set was kept separately. The two final authors have seen and discussed the data set and coding with the first author.
As Thompson[17, p. 1411] notes, research in the social sciences can be broadly divided among deductive
(theory-testing), inductive (exploratory and interpretive), and abductive (theory-refining or iterative
between theory and data) research designs. According to Thompson[
We selected Thompson’s abductive approach[
8. Write-up of the findings is presented in section 4 of this study.
Our interview study demonstrates that the socio-technical system elements in the exercises facilitated multi-loop learning. We argue that the exercises’ comprehensive approach could ensure that the organization not only addresses immediate issues but can also drive deeper, long-term improvements related to information security readiness. Examples of both successful and unsuccessful outcomes are demonstrated and discussed in relation to the exercise design when we report our findings in the following.
Since the study’s analysis framework is quite extensive, we present all the themes in a table format in Table 2. The table shows an overview of all themes in accordance with the learning-loop level and the socio-technical component in question for each theme, and could be used for reference when one reads through the findings.
In the following findings, we present each one of these themes, relating them to the learning-loop level and the socio-technical component. To keep the presentation of findings as concise and brief as possible, we include cross-references to concrete citations of participants’ statements for each of the themes rather than to include the participant statements in the text itself.
In summary, we found that single-loop learning was facilitated by technical skill development, procedural refinements - particularly if the organization had prepared for the exercise - and scenario elements that provided opportunities for operational problem-solving.
We found three main single-loop learning themes related to the socio-technical culture component, each of which we will explain below.
Theme 1: Openness about shortcomings in the current information security maturity level in the organization Several participants indicated an attitude towards to learn as they directly or indirectly expressed that they believed it is important to be honest and open about the information security maturity level in the organization. One interview subject explicitly described this as a prerequisite for learning (see excerpt A1 B.1). Two participants expressed similar attitudes when their organization’s preparations for the exercise were discussed (see excerpts A2 B.1, and A3 B.1). That same strategy was not representative for all municipalities, but an undertone of openness about shortcomings was present. One participant conveyed that they used the exercise as leverage to further their work while they still downplayed their security preparedness level (see excerpt A4 B.1). We interpret this finding as not necessarily a consequence of the exercise, but rather a sign of an existing culture of honesty and openness that contributed to participation in the exercise with an attitude of openness to change.
Theme 2: Exercise participation as routine duty and acceptance of training as necessary Most participants indicated that their organizations generally had an attitude towards information security and participating in the exercise as obligatory and necessary duty. One participant articulated this through expectations that everyone should attend (see excerpt A6 B.1). However, our analysis showed this awareness was reported to remain surface-level for some, with security still perceived as burdensome by one of the interview subject’s colleagues (see excerpt A5 B.1).
Theme 3: Raised awareness of cyber- and information security incidents The culture of awareness and participation seemed to encourage incremental behavioral changes. Interview subjects indicated these changes as positive, but also somewhat limited in their potential for deeper changes (see excerpts A7 B.1, and A8 B.1). Another interview subject also expressed doubts that one exercise could make deeper changes (see excerpt A9 B.1). A third participant had a slightly more optimistic view, and saw the exercise as part of an incremental process (see excerpt A10 B.1).
At the structure level, we saw that the preparations before the exercises, the lessons immediately before the exercise, and to some extent the exercise itself provided participants with opportunities to expand their knowledge of organizational roles and responsibilities in crisis management. Our analysis identified one key theme that indicated single-loop learning in the socio-technical structure component.
Theme 4: Understand who does what during information security crises Our analysis showed that IT teams typically operate outside normal crisis management structures (see excerpt B1 B.2). The observation that IT teams were not usually part of crisis management could also be seen from descriptions of their advisory role (see excerpt B2 B.2). One participant reported that colleagues had achieved what we interpret as single-loop learning about structure in an information security crisis, but they had not necessarily proceeded to double-loop and/or triple-loop learning (see excerpt B3 B.2).
Participants reported that the exercise helped solidify existing procedures and methods. We found one theme that indicated such incremental changes took place during and after the exercises.
Theme 5: Procedural improvements after the exercise - review of existing security policies and documentation. We find examples of incremental method changes described by participants (see excerpts C1 B.3, and C2 B.3). Another participant indicated awareness of needed plan revisions that remained work in progress one year after the exercise (see excerpt C3 B.3). Learning on this level can seem limited if we only consider single-loop aspects, but we also found that single-loop learning can point towards elements of double- and triple-loop learning themes. In one case, improvement on incident response plans sparked regional cooperation to make further improvements (see excerpt C4 B.3).
The exercises provided a test bed environment that allowed personnel to use specific crisis management tools relevant in crisis situations. The municipalities who participated requested these concrete tools to both learn system usage and test organizational adaptation. This was part of the exercise goals and user-focused approach presented in the background section.
Another technical aspect was the Norwegian Cyber Range’s contribution of a live virtual technical platform for IT teams. This platform developed significantly as the exercises progressed, and lead diferent municipalities to report very diferent experiences. The exercise IT platform included generic servers, fictitious information systems, and network setup with monitoring tools for live events.
Participants reported some technical improvements after the exercise. It was also pointed out that there was a need for single-loop learning in other parts of municipal organizations, not just technical skills development in the IT-teams. We found three themes that belong to this learning level and socio-technical component.
Theme 6: Technical skill development as a motivator to attend exercises All participants suggested that the exercise provided opportunities to learn a new crisis management system tool recently acquired by the Norwegian municipal sector (see excerpt D1 B.4). A participant reflected on motivation to test the tool (see excerpt D2 B.4). One municipality experienced system unavailability during their exercise, reported by the participant in a way which demonstrated the importance of the tool training as a motivation (see excerpt D3 B.4). Similar disappointment appeared regarding the live technical platform (see excerpt D4 B.4). The technical platform provided mixed results. One participants expressed value in hands-on experience (see excerpt D6 B.4), while another found the unfamiliar platform less successful for IT staf learning (see excerpt D7 B.4). One participant reflected on tool focus potentially interfering with deeper scenario learning (see excerpt D5 B.4).
Theme 7: Technical improvements after the exercise: Technical problem solutions require an organization that understands the need to implement them Post-exercise improvements demonstrated increased concrete understanding (see excerpt D8 B.4), but these suggestions were mostly given as short and often generalized remarks (see excerpt D9 B.4). Our interpretation of this finding was that the dialog-based oral qualitative interview method may be less appropriate to capture detailed technical single-loop learning instances.
Our findings indicate that the information security exercise design was successful to facilitate doubleloop learning, and found evidence of double-loop learning to a larger degree than single-loop learning. This might also potentially be attributed to our observation that the qualitative interview methodology does not facilitate a very thorough and detailed report of many small instances of incremental single-loop learning very well.
Our thematic analysis of participants’ reflections revealed questioning of fundamental cultural assumptions about information security priorities and organizational responsibilities after the exercise. While some questioning processes appear to have been ongoing within the organizations, the exercise seemed to have provided a shared experiential context that crystallized and accelerated ongoing cultural negotiations. We found three main themes which indicated this in our analysis.
Theme 8: Question assumptions about security investment Several participants described ongoing organizational tensions around security investments that the exercise helped bring into focus. These negotiations appear to have occurred both before and after the exercise, but participants suggested that the shared experience provided new leverage for discussions. One IT manager described persistent challenges with resource allocation (see excerpt E1 B.5). The same participant emphasized that political decision-makers continued to face dificult value-based tradeofs (see excerpt E2 B.5).
Participants attributed varying degrees of change to the exercise’s impact. One participant explicitly connected the exercise to a shift in organizational priorities while also pointing to multiple contributing factors (see excerpt E3 B.5). This suggested that while economic allocation challenges continued to be an issue, the exercise contributed to an environment where some of the arguments for security investment found more receptive audiences.
Theme 9: Challenge the view of information security as primarily an IT-team concern Participants identified existing organizational dynamics where information security was treated as a technical specialty isolated from broader organizational concerns. The exercise provided practical experience that reinforced ongoing eforts to broaden security responsibility across organizations. One participant articulated this, and emphasized that everyone contributes to the organizational information security vulnerability (see excerpt E4 B.5). The exercise appeared to have provided concrete experiences that highlighted limitations of narrow approaches. One participant described pre-existing dynamics of persons outside of the IT-team seeing IT as dificult to understand (see excerpt E5 B.5). IT managers described persistent organizational challenges even after increased awareness (see excerpts E6 B.5,and E7 B.5).
Theme 10: Reconsider the adequacy of traditional crisis preparedness approaches Participants reflected on contrasts between their exercise experience and traditional paper-based exercises. These reflections suggest ongoing questioning of existing preparedness approaches that the exercise likely helped clarify rather than initiate. One participant compared approaches (see excerpt E8 B.5). The interactive and dynamic experience provided a reference point to evaluate existing approaches (see excerpt E9 B.5).
Our analysis showed that the exercise revealed assumptions behind organizational interfaces and decision-making hierarchies in information security crisis handling that participants began to question. The exercises exposed problematic aspects of organizational design and collaboration between and within teams. Rather than to simply identify communication breakdowns, participants recognized that existing structural arrangements were inadequate to manage information security crises efectively. We found one overarching theme in our analysis that pointed towards this.
Theme 11: Question organizational assumptions about crisis management structures and information flow between IT and crisis management teams Participants observed that conventional crisis management structures, which they reported worked efectively for traditional municipal incidents, proved inadequate for information security crises. This recognition led them to question basic assumptions about how crisis management should be organized in these types of crises. One participant detailed how their normal crisis management approach completely broke down during the exercise (see excerpt F1 B.6). The same participant reflected on why this structural breakdown occurred and touched on fundamental questions about crisis management decision-making (see excerpt F2 B.6). Another participant confirmed similar structural challenges (see excerpt F3 B.6). The recognition that information security crises require diferent organizational capabilities led to structural innovations for two of the four municipalities. One participant described implementation of new information lfow systems (see excerpt F4 B.6). A central insight was that information security incidents requires a diferent structure of cooperation that handles the interface between technical expertise and crisis management decision-making (see excerpt F5 B.6).
Our analysis showed that the exercise revealed assumptions behind crisis management methodologies and procedures that participants then began to question. Participation exposed problematic aspects of how information security crises are approached compared to traditional municipal incidents. Several municipalities presented that they had implemented new methods and procedures as direct results of their exercise experiences. Rather than simply improving within existing procedures, participants recognized that their approach to IT incidents was inadequate and required new frameworks for crisis handling. We found three double-loop learning related themes relevant to this socio-technical component in our analysis.
Theme 12: Reconsider tempo and time management in crisis response Participants observed that conventional crisis management methodologies, which rely on structured meeting cycles and deliberate decision-making processes, proved dificult to apply because of information security crisis pace. This recognition led to questions about how crisis management should be temporally organized. One participant detailed how their normal methodological approach completely broke down during the exercise (see excerpt G1 B.7). Another participant reflected on why traditional methodological time frames were inadequate as mental models for information security crises (see excerpt G2 B.7). A diferent participant expressed similar reflections on timeline uniqueness (see excerpt G3 B.7).
This temporal challenge led participants to reflect upon their meeting schedules and decision-making speed. The uniqueness of tempo is not only related to fast start-up phases as several participants emphasized how information security crises difer fundamentally from traditional crises in stretching out over time after the initial phases of crises (see excerpt G4 B.7). The same participant also explicitly recognized the need for longer-term resilience planning (see excerpt G5 B.7).
Theme 13: Adoption of new communication protocols between technical and crisis management levels Participants recognized that existing communication methods were inadequate to bridge the technical-management gap in information security incidents. This led them to question what constitutes efective crisis communication methods. One participant described the communication challenge between IT-team members that understands the technology and the crisis management members that usually do not possess any technical understanding of IT systems (see excerpt G6 B.7). The exercise demonstrated both necessity and dificulty of this communication challenge, with stress afecting communication quality (see excerpt G7 B.7). Several participants reflected that fixing these problems and adopting better procedures for handling communication between IT teams and crisis management is crucial as not doing so can lead to loss of capacity in technical crisis handling (see excerpt G8 B.7). The main practical solution to the communication issues reported during the exercise was adopting a top-down situational brief template provided the EXCON-team (see excerpt G9 B.7).
Theme 14: Reinforce frameworks for business impact analysis and prioritization Some participants recognized that existing methods to determine priorities in crisis situations were inadequate for IT incidents. One participant articulated this methodological gap (see excerpt G10 B.7). The exercise revealed that without systematic business impact analysis methodologies that engaged with the entire organization, the IT team and crisis managers could not efectively prioritize responses. One participant described how they reinforced their prioritization framework after the exercise (see excerpt G11 B.7). Another participant realized that while the formal terminology for business impact analysis did not stick, the experience that prioritization is crucial to have in place before eventual crises was still a lesson learned (see excerpt G12 B.7). This can also be seen as a comment on communication, illustrating the participant’s practical approach where substantial work on crisis preparedness occurred even without formal terminology use.
Double-loop learning through the socio-technical lens of machines revealed a shift in how participating municipalities understand their relationship with technology and technical capacity in crises. Participants expressed questions about underlying assumptions having to do with technical preparedness, resource allocation, and organizational capabilities in terms of technical information security preparedness. The exercise prompted participants to re-examine whether their current technical infrastructure and stafing models were adequate to handle cyber security incidents. These findings were part of two themes.
Theme 15: Organizational reality versus technical ambitions: To address the gap between desired and achievable technical competence Exercises highlighted existing organizational realities that influence municipalities’ strategic decisions about technical capacity. Participants reflected on challenges to maintain specialized cyber security competence in-house (see excerpt H1 B.8). These structural limitations shaped how municipalities approached technical security goals (see excerpt H2 B.8). The realization of these constraints in technical competency and/or capacity led all the municipalities to develop strategic models that acknowledged organizational limitations while still pursuing security objectives through alternative means. The means varied across the municipalities, but all remarked on increased attention towards external partnerships and collaborative arrangements.
Theme 16: Re-conceptualization of technical capacity and strengthen strategic external partnerships For three municipalities, the exercises seemed to provide leverage to revise how the municipalities should handle information security incidents which lead to strategic shifts to implement external partnership agreements (see excerpt H3 B.8). This realization led to concrete strategic changes, with municipalities establishing formal partnerships that went beyond ad-hoc arrangements (see excerpt H4 B.8). One participant elaborated on this shift in technical information security strategy (see excerpt H5 B.8). Traditional models of municipal self-reliance in technical matters were questioned, which led to revised and new frameworks for crisis management that incorporated external expertise as a strategic component rather than an emergency fallback. Participants mostly did not attribute direct, causal connections between these changes and the exercise, but all reported exercises in general, and to some degree this particular exercise, as important pieces of the overall picture that led them to make these needed strategic shifts.
We found that attendance at the exercises created conditions to question fundamental assumptions and attitudes within the municipality, especially within the socio-technical components of structure and methods. For the components culture and machines, we view our findings as moving towards triple-loop learning rather than the more clear cases of triple-loop learning.
In our analysis, we identified two cultural themes in participants’ reflections that show that to attend the exercise facilitated to re-consider fundamental organizational values and identity. We found two themes that we can see as moving towards such triple-loop learning.
Theme 17: Core value dilemma: To deliver services to citizens and to ensure information security posture When we analyzed the interview data, we observed that the participants engaged with tensions between core objectives to 1)deliver services to citizens and 2)to build long-term information security resilience. This represents a value conflict that goes beyond operational concerns to awareness of what municipalities exist to do. Participants articulated immediate human consequences when systems fail (see excerpt I1 B.9). This perspective could imply that participants constructed their organizational identity around serving citizens, particularly vulnerable populations, which makes it dificult to invest resources in preventive security measures that might not have any immediate or visible benefits. Tensions can become pronounced given resource constraints (see excerpt I2 B.9).
Theme 18: To understand the value of local knowledge in crisis situations One participant
constructed local expertise and creative problem-solving capacity as essential organizational resources
in crises. This suggests potential questioning of hierarchical knowledge structures and formal authority,
and moving toward to value distributed expertise and tacit knowledge throughout organizations
(see excerpts I3 B.9,and I4 B.9). Such a perspectives could indicate potential shifts from formal
rolebased authority to competency-based leadership during crises, suggesting deeper questions about
organizational structure and decision-making processes. This theme was however not prevalent in
other interviews.
Our analysis revealed that two of four municipalities went beyond questioning assumptions to actually
implement fundamental structural transformations within their information security crisis organization
structures. According to our theoretical framework (see presentation of [
Theme 19: Organizational transformation through creation of new structural roles and decision-making procedures Two municipalities implemented concrete structural innovations that represented organizational transformation. These changes went beyond improving communication to create entirely new organizational arrangements and formalized roles. One participant described their municipality’s structural solution (see excerpt J1 B.10). The same participant elaborated on new information flow systems (see excerpt J2 B.10). One participant from the other municipality that implemented structural changes confirmed the necessity of such intermediary roles (see excerpt J3 B.10). These structural changes represented organizational transformation in that they created new formal roles, changed decision-making procedures, and established new governance structures for crisis management. While two municipalities achieved this level of structural transformation, the other two remained at the double-loop level.
Theme 20: To raise the level of work beyond the single municipality Our analysis identified that participants questioned whether single-municipality scope was suficient to meet today’s information security challenges. This questioning touches on municipal autonomy and self-suficiency that have historically defined Norwegian local government (see excerpts J4 B.10, and J5 B.10). Participants do not report this as a result of exercises, but rather as a piece of the larger picture that led to innovative exercises being planned and implemented.
Our socio-technical analysis uncovered two themes from participants’ understanding of crisis management approaches that could suggest triple-loop learning to somewhat diferent degrees.
Theme 21: Crisis management requires adaptive thinking beyond standard procedure Conceptualizing crisis management to require adaptive thinking beyond standard procedures may be seen as moving towards triple-loop learning. It is not that plans and documents are not important, but crisis situations are often found to resist standardization and predictability (see excerpt K1 B.11). This understanding implies potential philosophical shifts to embrace uncertainty and value adaptive capacity over rigid planning.
Theme 22: Meta-reflections on exercise methodology and full-scale exercises as learning approaches During interviews, participants reflected on how crisis management training should be designed and delivered. This represented meta-learning about exercises as learning approaches, where participants reflected not just on what they learned, but on how they learned and how such learning should be structured, and as such this constitutes triple loop learning as defined in our theoretical framework (see section 2.3 of this paper). Most participants discussed problems with traditional lecturebased preparation methods (see excerpt K2 B.11). As an alternative, several participants recognized the need for diferentiated learning approaches, especially considering municipal capacity challenges (see excerpt K3 B.11). One participant highlighted the need to design training content for audiences with difering technical expertise levels (see excerpt K4 B.11). Another participant was less critical of the lecture content and format, but suggested such pre-requisite knowledge should come earlier in preparation (see excerpt K5 B.11).
The importance of immersion and physical separation from daily work emerged as another insight of reflexive learning-on-learning (see excerpts K6 B.11, and K7 B.11). Another participant confirmed the efectiveness of the immersive approach (see excerpt K8 B.11). Some indicated that exercise scenarios needed to create appropriate stress levels to be efective (see excerpt K9 B.11). Participants also reflected on the importance of proper preparation and clarity about exercise objectives (see excerpt K10 B.11). Some participants reflected on whether their technological philosophy aligned with the kind of organization they are or need to become. Our analysis identified two main themes in how participants understood technology’s role in organizational identity and strategy, which we interpret as moving the organizations toward triple-loop learning.
Theme 23: Recognition of the necessity of external technical partnerships We observed that participants articulated fundamental limitations to maintain internal technical capacity, which led to strategic acceptance of external dependencies. This recognition challenged assumptions about municipal self-suficiency in the technical domain (see excerpts L1 B.12, and L2 B.12).
Theme 24: Cloud distribution as a security strategy Our analysis did not supply ample evidence of this, however one participant discussed cloud strategy as a technical approach towards reaching information security resilience that is needed for the municipality (see excerpt B.12).
This study demonstrates that well-designed socio-technical exercises ofer a promising approach to address municipal information security challenges. The socio-technical exercise design was particularly successful in facilitation of double-loop learning across all municipalities that participated in an exercise. Evidence was found across all four socio-technical components culture, structure, methods, and machines, when participants questioned fundamental assumptions about security investment, organizational responsibilities, and crisis management approaches. This represents the study’s strongest ifnding regarding the exercises’ capacity to promote deeper organizational learning.
On the triple-loop learning level, our analysis revealed that two of the four municipalities achieved
triple-loop learning in the structural dimension, implementing fundamental organizational
transformations including new formal roles, changed decision-making procedures, and/or new governance
structures for crisis management in information security crises. These findings address our research
question about organizational transformation and challenges previous research[
Evidence of single-loop learning was found across all socio-technical components, but we see the need to revise the research design to potentially capture more detailed evidence of single-loop learning. Relevant to single-loop learning, articipants signaled a need to adapt the exercise concept further to align with municipal organizational needs, particularly regarding technical skills development and procedural improvements.
The study contributes to socio-technical research in information security as it demonstrates that
exercise design can systematically address both technical competence development, and
organizational transformation needs. The integration of Mumford’s socio-technical design principles[
Our study has shown that well-designed exercises can contribute to build the municipal information
security capabilities envisioned in Norwegian national strategy[
This study is based on qualitative interviews with eight participants, and is not expected to be representative for all participants in the exercises. The limited sample size constrains the generalizability of ifndings.
The qualitative interview methodology did not facilitate very detailed reports of instances of singleloop learning, and this may have resulted in under-representation of technical skill development and procedural improvements that occurred through the exercises. Future studies could incorporate a broader mix of methods to provide further validation of single-loop learning findings. A combination of qualitative interviews with quantitative measures of organizational change, document analysis of policy modifications, and observational studies of actual crisis response could provide more comprehensive evidence of learning outcomes.
The uneven achievement of triple-loop learning across municipalities represents both a limitation of current exercise design and an important opportunity for future research to understand and address the conditions necessary for consistent organizational transformation through socio-technical information security exercises.
The study is limited to Norwegian municipalities with specific cultural, legal, and organizational contexts that may not transfer to other national or organizational settings. Norwegian municipality structures, crisis management frameworks, and information security governance may difer significantly from those in other countries. Comparative studies across diferent organizational types and cultural contexts could further improve socio-technical exercise design principles.
While participants reported organizational changes following the exercises, establishing direct causal relationships between exercise participation and specific organizational transformations remains challenging. Multiple factors influence municipal information security development, and our study does not claim to definitively isolate any of the exercises’ specific contribution to observed changes. Research into how exercise-based learning integrates with other organizational development approaches and factors (training programs, policy development, technology implementation) could inform comprehensive capacity-building strategies. Research that extends beyond one-year follow-up could capture longer-term organizational transformation processes and assess the persistence of learning outcomes over time.
Cost-benefit analyses could examine resource investment versus organizational learning outcomes, and this could inform municipal decision-making about exercise participation and help optimize resource allocation for information security capacity and preparedness development.
During the preparation of this work, the authors used Microsoft Copilot, Claude, and to a lesser degree Writeful and ChatGPT, in order to: Brainstorm ideas for, and the outline of, the paper. Copilot and Claude was also used to provide and compare diferent examples of phrasing, varied word use (thesaurus), correct spelling and grammar, and provide feedback on text. Claude was used to format and edit text in LaTeX, and to assist translation from Norwegian to English. After using these tools/services, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.
A. Interview guide 1. Is there anything you remember particularly well now, that has stuck with you from the exercise? 2. Was there anything that you and/or your colleagues learned a lot from? (before/during/after) 3. Was there anything you/your colleagues remember as negative in connection with the exercise? (before/during/after) 4. Do you feel that the exercise was an important measure for the municipality to implement? 5. Did you experience increased support/engagement from the municipality’s management after the exercise? 6. In what ways do you think the exercise may have contributed? For how long? Etc. 7. Do you believe that the exercise had a lasting efect on your and your colleagues’ understanding and handling of information security in the municipality? 8. In what ways? 9. Why/why not? 10. Do you feel that the exercise changed attitudes toward information security? 11. In what way? Do you have examples? For instance: Is information security valued to a greater extent? Has there been greater understanding of/knowledge about information security? 12. Have you and possibly your group changed anything in the way you handle information security (preventive and incidents) after the 2024 exercise? 13. If yes: Can you give examples? (Keywords: Actions) 14. If no: What do you think is the reason that you haven’t changed anything? Not relevant/not possible/etc. 15. Do you think that the exercise may have contributed to prioritizing information security financially and/or in terms of capacity (human resources) to a greater extent than before? 16. Conclusion: Is there anything you would like to add or elaborate on/clarify regarding what we have discussed?
This appendix contains interview excerpts referenced in the Findings section. All excerpts have been translated from Norwegian to English by the authors.
Excerpt A1: ”Yes, I think that sharing the situation is important. That’s where we are, and if we are to improve, we must dare to be honest, actually.”
Excerpt A2: ”We should not boast that we were very good beforehand. We conducted the exercise without doing any major preparations. We were actually quite aware, those of us who were involved, that that’s where we were. There was no reason to prettify it.”
Excerpt A3: ”We had no major preparations for the exercise. Because the goal was to find out: Where are we? The only thing we had, we had read through what [consultant] had written before. And we were aware that we had inadequate documentation. We were aware that we didn’t have good enough plans.”
Excerpt A4: ”There was a significant efort beforehand to try to establish a plan framework that wasn’t there. We can start right there. And in that area, it was probably elevated quite a few notches in advance. So in that sense it was good that the exercise was announced, because then we actually managed to put at least a small plan framework in place.”
Excerpt A5: ”It’s not so efective, because... I had an old colleague who has been retired for many years. He said: ’Security is just hassle and hindrance, you know.’ Because it often created extra work. Either because a solution had to be set up, or because it wasn’t straightforward for the user. It was perhaps an extra obstacle, an extra password, a PIN code. (...) And then you think such small things are dificult if they don’t provide anything concrete.”
Excerpt A6: ”And top management must be absolutely clear and explicit that this is something we should prioritize. And I think that in our exercise, even though this was announced well in advance, there were some who didn’t participate in the entire exercise. It’s clear that this diminishes the whole exercise for us as an organization. Then you don’t get as much benefit from it, I think.”
Excerpt A7: ”So in that sense, there has been focus on it. It’s easier to talk about security in the systems after that exercise. Yes, but if we do that, like: -Security first! -Yes, yes, you’re right about that! You know, things like that. Such positive things are absolutely good, but...how quickly they understand their systems... I mean, it’s quite a scenario.”
Excerpt A8: ”So overall, I think they started with a little experience that this was... Wow, it was extensive, right? So that if something happens, then it’s critical. And especially in IT, because it goes so fast. (...) So the engagement was perhaps that... -Oh, what a job we in ICT got. -Oh, my God, what you have to keep track of! And things like that. But how long it lasted, that’s another matter. Because it’s back to everyday work afterwards.”
Excerpt A9: ”It has had an awareness-raising efect. It definitely has. They understand a bit more when we start to talk about loss of telecommunications, loss of power. It makes it a bit more recognizable, because we have sort of deep-dived a bit into the problem of absence of our electronic systems. But whether they have any greater and deeper understanding of information security, or the problem we ran with [the exercise?], I’m a bit uncertain about.”
Excerpt A10: ”And to have such types of exercises as exercise tools contributes to a very significant awareness regarding which levels the diferent people should work at, where they should be, and what competence is required of each individual to fulfill their role. Both within the crisis management team optimally, but also between the diferent teams that we use when there’s an ICT incident. It was enormously useful for us, and it has been one of the most important work tools to move forward with that work.”
Excerpt B1: ”IT here has never had... I mean. We’re not part of the emergency preparedness group. So: We get called in when there’s a crisis, but we don’t document anywhere. Or: We document, but we don’t document in the old emergency preparedness system.”
Excerpt B2: ”The main answer generally is that the crisis management team is not all-knowing, and the crisis management team is completely dependent on good advice from those who actually know. That is, those who have their boots on the ground, and those who have expertise in the area.”
Excerpt B3: ”For example, with the security organization, which was formally decided, but which we have had many discussions about afterwards regarding responsibilities and tasks and how we should do it, internal control and such things. And we haven’t reached our goal there, but we have had some discussions. And often it’s discussions that are needed to perhaps move it forward. But for me, sitting close to it, I naturally want there to be even more focus to get greater progress. Because when there are lots of discussions and we don’t always end the discussion with some clear, definite answers, we feel a bit like: Yes, then a year passes quickly.”
Excerpt C1: ”I think some have reflected a bit on exactly... I mean, have made some small moves in their organization. Thought about how you should communicate, established alternative communication forms, and such things.”
Excerpt C2: ”And we have also gotten even better plan frameworks with action cards and so on. We have... We have been better trained in using [Crisis Management System] and all that IT support around crises.”
Excerpt C3: ”Execution has not turned out to be the biggest challenge, it seems, for what we have had of both exercises and situations. But what concerns emergency preparedness plans, plan frameworks, so that it becomes somewhat seamless in the organization. That one must work even more with that. That still stands.”
Excerpt C4: ”This has also resulted in a completely new ICT incident response plan, with privacy sections, which was actually implemented this year, which has accomplished quite a lot in terms of organization, information flow, governance. We are still working to refine it, and we actually have a larger project to perhaps do it on a regional level. We have applied for funding to carry it out, but we are the guinea pig ourselves now.”
Excerpt D1: ”The crisis management exercise specifically came right after the introduction of [crisis management tool] as a new system, at least for us to use. And really put the finger on many of the challenges that we both have had and actually have with the use of the system.”
Excerpt D2: ”I think such a system is valuable in order to have everything in one place. That you have everything you need there. But then there’s also a need to learn and understand the system.”
Excerpt D3: ”And (...) we used [crisis management tool] for the first time. It crashed. It didn’t work for the first two and a half hours. We had a backup solution available, in the form of Excel sheets and PowerPoints to get things logged and run meetings, but that wasn’t optimal.”
Excerpt D4: ”Yes, organizationally, I think the exercise seemed well-facilitated, well-planned, wellorganized. But technically, there were things that didn’t work.”
Excerpt D5: ”It was a completely new tool for everyone to use right then and there. And I do think that, for the sake of the incident, it was a bit unfortunate, because the ICT incident, as an ICT incident, was extremely relevant — both then, and is still now. And I felt that the system, both now and back then, takes away the focus from the actual incident. And that’s important when we train. At least I try to remind myself of that—that we need to practice just as much on the incident itself, not just the system tool. And that’s a bit dificult, because when you don’t have the system tool, the foundation of the system tool, in place, it’s hard to lift your gaze to the incident.”
Excerpt D6: ”OK, I take down the internet line, I do this, right, and then it’s: Oh! Then there’s a lot of other work I have to think about. I have to inform management, I have to... you know, things like that. It doesn’t become that: ’Yes, [Name], do you have anything from IT?’ In tabletop exercises, where they sit and write with pen and paper, right, it doesn’t become...here you get involved in a diferent way. You sit with your PC, you sit with screens, you sit with tools, whether you knew them or not.”
Excerpt D7: ”The technical part of the exercise was non-ideal, but we were still able to learn. Everyone was included, even though the platform was completely unfamiliar to all our IT staf. They had gotten, I’d say, a crash course in it, and didn’t really have the benefit that I had hoped IT staf would get. They became kind of supporting players to the crisis management that actually got the most benefit from the exercise.”
Excerpt D8: ”We’ve tightened up tremendously on what kind of access you have and don’t have. We’ve tightened the use of administrators, that is...use of shared administrator-accounts have been cut down so that...those who are system administrators use multi-factor authentication.”
Excerpt D9: ”And we have of course continued to work at the system level as well as in relation to [crisis management tool].”
Excerpt E1: ”We have to pay licenses, we have to pay for that security solution... We don’t have that in our budgets yet. That’s something we work to provide - or, that I constantly bring up in meetings with the security leader.”
Excerpt E2: ”It’s not certain they say yes to it. Even though the politicians also see this with security, they can have completely diferent priorities in terms of: OK. Should we close a school, or should we... You know.”
Excerpt E3: ”There’s no doubt that [the nearby municipalities’ incidents], combined with that the municipal director, mayor and the rest of the crisis management...joined the [exercise] and gained increased competence around it, has made it easier for me to get resources prioritized within IT security.”
Excerpt E4: ”Everyone contributes to create vulnerability. So it’s important to reach them so that the basic rules we want to have are known by everyone.”
Excerpt E5: ”ICT has always been like this, I think, because it’s a bit complex. There was a manager who said to me: ’All the invoices I get from you I just approve, because I understand nothing about what’s written on the invoices.’”
Excerpt E6: ”And then I have told them that I’m not going to do this every single month. You have a job to do yourselves. And I’m not the boss, I’m not the municipal director, so I haven’t pursued it any more than some small reminders here and there.”
Excerpt E7: ”It shouldn’t take long for management to sit down after a BIA analysis. Because that’s the most important, and that’s the most important, second most important... To sit down and make priority lists at the application system level... That’s holistic work that must be done, which is not just ICT...ninety percent here is actually how the municipality has arranged to make those plans. And ICT shouldn’t do that. ICT owns the operational part. And the operational security tasks. And they shouldn’t decide that, no, that system is more important than that [other] system. ICT cannot decide that.”
Excerpt E8: ”I think paper exercises often become a bit too superficial. There [at this particular exercise,] you had to go into more detail, as long as everyone was involved and played along.”
Excerpt E9: ”You don’t get your pulse up in a paper exercise...I think to have a platform...where you can practice in a safe environment...does something to your feelings, and it does something that you take back to your own organization.”
Excerpt F1: ”Normal structure in this group is that we have a startup meeting, we get a shared situational understanding, we delegate tasks. We take a break until the next meeting, define the next time. We work with tasks and information gathering. New meeting. Shared situational update. Where are we now? What’s happening now? Round the table with those afected. We continue building situation pictures. Identify measures. Define a new meeting, have a work period and so on. The way I experienced the exercise, it became one long meeting. That is, we actually didn’t get to work.”
Excerpt F2: ”My observation is that the topic and the seriousness of the topic made people lose their heads a bit. So, the calm that we normally have in such handling, which I’ve now seen several examples of, wasn’t there. I thought it was very interesting.”
Excerpt F3: ”Now our exercise was a bit of a slow starter. We used awfully long time in the beginning, and we actually used all of day 1 on the startup meeting.”
Excerpt F4: ”That’s one thing I saw that was perhaps the weakest, then. It was the information flow. And we’ve now handled that by implementing - we use [the crisis management tool] with separate logs. Where they can actually send over information. (...) They get small drips of information, which are selected, and which they choose to send over. Instead of a doomsday prophet that comes in and gives a lecture, where people don’t catch all aspects and details because they get it orally and not in writing.”
Excerpt F5: ”Crisis management, even though there are many competent municipal managers within their areas, doesn’t have detailed knowledge and grassroots competence, so to speak. Should we pull out the internet cable, or should we leave it in? That’s such a concrete question that we’re absolutely dependent on good advice from IT. What is the consequence if we leave it in, and what is the consequence if we take the chance that it should still be there. And then, the interaction between crisis management and IT is especially important. We didn’t have that day one, we had it day two. But that is about structure in the implementation of crisis management. Where we day two had a status meeting every hour, where IT was involved. And otherwise IT basically worked in the data room.”
Excerpt G1: ”Normal structure in this group is that we have a startup meeting, we get a shared situational understanding, we delegate tasks. We take a break until the next meeting, define the next time. We work with tasks and information gathering. New meeting. Shared situational update. Where are we now? What’s happening now? Round the table with those afected. We continue building situation pictures. Identify measures. Define a new meeting, have a work period and so on. The way I experienced the exercise, it became one long meeting. That is, we actually didn’t get to work.”
Excerpt G2: ”I think they experienced that the crisis unfolded at a faster pace than what they were used to handle. At least the way they normally handle things, those are things like floods, pandemics, right? Things that develop more slowly, but over longer time.”
Excerpt G3: ”I think also that some have reflected that time is important. I think that we who work in public organizations don’t always... Things should be evaluated and it should be considered. If you have an incident, then time is essential, and no incident rolls as fast as a cyber incident.”
Excerpt G4: ”For there is that time aspect with incidents that have to do with information security, or ICT security, or for that matter cyber. It is so difuse, it can take so long. It is not certain you see any immediate efect. It is so, that the one who carries it out, he sits and observes and waits for responses, to get confirmation that what they have done actually works. So it’s a bit like that. That time aspect is not understood. They are used to a flood: In the course of 24 hours I have information control, and in the course of 72 hours the situation is over. They forget that time aspect. It’s dificult to get them to understand that this is something we might have to endure for months.”
Excerpt G5: ”We see that when we do exercises – or, from studies and training: That you must have an anchoring in management beyond top management, if you are to be able to have any robustness when unwanted incidents occur... We must think even more about somewhat long-term situations, and how you do that with stafing plans, so that you manage to stand in it. For an exercise, it ends when the exercise is ifnished. But we see from experience, where it has happened, that it can go on for weeks and months.”
Excerpt G6: ”The fact that to manage, for the technical people to communicate in a way that is technically correct, but at the same time provide a picture of cause and efect... I think maybe that’s challenging. For this crisis management, they understand intuitively when you talk about a flood, that you must set up a wall there, or that a bridge has collapsed. These are very physical things, so we’re used to visualize that. But if you talk about a WAN-link being down, or a hard disk, or a single server... Those are things that – you might as well have talked about components in an engine under the hood.”
Excerpt G7: ”Yes, and it’s also a thing that the more stress you are under, the less time (...) you also use to weigh your words. And that’s the problem, that those who sit on the other side, the receivers, are hypersensitive to what I call those words that help maximize the crisis. Yes, they are very receptive, but maybe without hearing the whole message.”
Excerpt G8: ”So, we experienced afterwards, at least especially when we started to evaluate it, that [the person] who is responsible for IT spent far too much time to inform the crisis management and answer the crisis management’s questions instead of actually work on fixing the incident.”
Excerpt G9: ”And then there’s this thing about... How technical can you say something in such situations? That’s why it was very good help with that PowerPoint brief that I got help with from [name]. (...) It almost says: Don’t talk technically, right? Because people are very good at talking technically, right? But, no! ’That is down. Things don’t work. We’re working on the matter. That doesn’t work, that doesn’t work, that works.’ I mean, simple and straightforward. So that [brief template] must be a great help, in that sense, when you’re going to first have a small brief for management.”
Excerpt G10: ”I clearly state that I can do a little, but how should I make an escalation plan when I don’t know how important that system is, right? (...) Because you make it based on: Oh, if we are hit here, that results in that, and that results in that...”
Excerpt G11: ”We have picked out 13 systems that are priority to restore if everything goes black. And then we have simultaneously said that system 14 and beyond, we don’t care about that, we’ll manage without that. But care system, journal system within care, among others, we must have that. We must know who should receive care during the day, and which medicines they should have, and who we should visit. But it’s maybe not equally necessary that the chimney sweeper knows who [s/he] should travel to and sweep the chimney for that day.”
Excerpt G12: ”But that doesn’t mean that nothing has happened in the municipality, because we have had many rounds on... How should we continue to run the municipality if we get a cyber attack? Or if the server goes down, or the Internet goes out? So actually, we have done a lot, discussed a lot, had a lot of focus on it, without using the term. (...) So I haven’t even learned that term myself, the one you used. But to maintain operations in the municipality when the power goes out - we’ve talked a lot about that.”
Excerpt H1: ”We might be able to hire a person, we might be able to pay him for a couple of years, and then he would get bored and leave. Because it’s a very shallow pond, and there are very many fishing lines out there. And such a person will never be somewhere where he’s not challenged. A municipality is unfortunately not that place.”
Excerpt H2: ”What is a long-term challenge, is to achieve an organization that can monitor 24-7... But it’s about being prepared, so that it doesn’t take a long time when there’s an unwanted incident.”
Excerpt H3: ”Yes, because I think an incident with us would quickly be... There are two parts we care about: Finding out what happened? And how we should restore normal operations? With a small ICT department in a small organization, it’s demanding. It’s many of the same people who have to do the job. We would have to bring in external people, immediately, if we had such an incident.”
Excerpt H4: ”I was very happy that we got an agreement with [company name] now. Because one of my big nightmare scenarios was that we had no supplier of support services from any kind of company.”
Excerpt H5: ”The fact that we would have such an exercise initiated that we started to work more strategically with it, and made several plans that we didn’t have initially. It has also resulted in that we now have entered into an agreement with [company name] regarding security monitoring.”
Excerpt I1: ”If we say for example a system like Sosio, which NAV uses, its function is to safeguard the most vulnerable in society. And if that fails, and it doesn’t need to fail for long, it can mean that there are people who don’t get food, who don’t get money. And that will have a social consequence in addition.”
Excerpt I2: ”After two years in a municipality, I have never encountered an organization that has higher workload, fewer resources and is so understafed. And that makes everything a priority... They have to focus to keep their head above water. Simply doing what needs to be solved. Legal requirements trump what would have been nice to implement.”
Excerpt I3: ”That local knowledge and creativity... I can call him, the caretaker, he’s very good at such things. He can take that responsibility. I think that’s a very good thing to have in an emergency situation.”
Excerpt I4: ”That interplay when you have an emergency situation, that is what makes you good or bad, I think. That it is the right people, who know the business well and who know what they can contribute to doing.”
Excerpt J1: ”That’s why we now realized that we must have... We now have an IRT leader, and the IT manager, who communicate between themselves. And then the IT manager must weigh the words that go in, or that is, the information he contributes.”
Excerpt J2: ”That’s one thing I saw that was perhaps the weakest, then. It was the information flow. And we’ve now handled that by implementing - we use [the crisis management tool] with separate logs. Where they can actually send over information. (...) They get small drips of information, which are selected, and which they choose to send over. Instead of a doomsday prophet that comes in and gives a lecture, where people don’t catch all aspects and details because they get it orally and not in writing.”
Excerpt J3: ”I remember that when we established the logging function for the IT group, the connection became better. It was almost completely necessary. (...) So the contact between crisis management and the IT group was dependent on that logging function. And in that way, it became a translator function, or a mediator between the two groups that was completely necessary.”
Excerpt J4: ”I could have liked to see the scope of such an exercise change a bit... But what if we look at what would happen if the region is attacked, the county, or actually the whole country. What then?”
Excerpt J5: ”We are completely dependent on achieving regional cooperation, we wouldn’t have had a chance to manage it alone as a small municipality.”
Excerpt K1: ”Because you have to use some creativity when you’re in a crisis management... Either it’s damage limiting, or to find a solution because things can’t go exactly as they do in daily life.”
Excerpt K2: ”The lectures were actually very good. The problem was that it went right over the heads of everyone who didn’t have special insight into that stuf.”
Excerpt K3: ”This could have been given drip-wise in advance, and preferably better adapted...recorded as webinars, and distributed in advance, that people could watch when it suited them.”
Excerpt K4: ”So there is a huge span in that competence among the course participants. And the setup, that walkthrough, was probably adapted more to experienced data users and people with a smidgen of competence within IT security, and not so much for a municipal director with the overall perspective.”
Excerpt K5: ”I thought that was very useful. There we got...in a way, that was when we got the pegs in place, and got reality-oriented with regard to: What is this about? What are the threats? What is the risk? What are the scenarios? So it was through those lectures that we understood...and maybe... If we had had those lectures... Maybe those lectures should have been in November 23, then I think the preparation phase would have been much, much better.”
Excerpt K6: ”I think it’s very important to get people out of their buildings. That was very good. (...) We struggle to keep the attention of managers. That’s because they drown in work. (...)So to free them from their workplace, that’s alpha and omega to get their attention.”
Excerpt K7: ”(...) I think that might have been one of the key factors for us actually managing it. Also because it’s much easier not to be so disturbed by all sorts of other daily operations. If we had sat here physically at the town hall, and then we would have a fiteen-minute break just to stretch our legs. Then you meet someone in the hallway who wonders about this and that, and then this and that happens, and then it happens so quickly that it becomes fragmented, and then it suddenly doesn’t become so realistic anymore either.”
Excerpt K8: ”It was actually surprisingly easy to live into what was explained as a scenario. So I think it went surprisingly well, and that almost everyone bought into the incident, that it actually had happened.”
Excerpt K9: ”I think exercises... I think there’s a greater danger that exercises can become too calm. You should put yourself in a position to solve a real situation. And if the blood-pump goes a bit faster when it’s real, then it’s not bad that it goes a bit faster when it’s an exercise too. That we get to feel, and get to try out, yes: What do we do then? When we get stressed?”
Excerpt K10: ”I experienced maybe the preparation as... What shall we say, a bit... A bit dificult to take in because I... It wasn’t quite clear to me. We had some tasks, and we had some meetings, and we had something we were supposed to send in, and then... It actually took a very long time before I actually understood, what was it we were prepared for? If we had had that lecture... Maybe those lectures should have been in November 23, then I think the preparation phase would have been much, much better.” Excerpt L1: ”With a small ICT department in a small organization, it’s demanding... We would have to bring in external people, immediately, if we have such an incident. I would never spend time to investigate what had happened. We would have to hire people to do that.”
Excerpt L2: ”We are dependent on external actors... We might be able to hire a person, we might be able to pay him for a couple of years, and then he would get bored and leave. Because it’s a very shallow pond, and there are very many fishing lines out there.”
Excerpt L3: ”We have chosen to spread things in diferent directions... So it’s a strategy to go out to the cloud with most things.”