
Computers & Industrial Engineering 149 (2020) 106829

journal homepage: www.elsevier.com/locate/caie

Understanding the management of cyber resilient systems


Alessandro Annarelli, Fabio Nonino, Giulia Palombi*
Department of Computer, Control and Management Engineering, Sapienza University of Rome, Rome, Italy

Keywords: Resilience; Cyber security; Cyber resilient systems; Cyber resilience framework; Multiple case study

Abstract

The digital age characterizes the 21st century by the widespread and conscious use of Information Technology, originating the need for organizations to protect one of their most critical and valuable resources: information. Cyber security was born to protect information systems from cyber-attacks. Organizational resilience refers to the ability of a system to adapt to a change: a very contemporary concept that is finding more and more importance in our continuously changing society, and that assumes an even greater relevance in the cyber context. Therefore, the ability of organizations to react to cyber-attacks and to evolve to a new robustness after successful attacks recalls the concept of resilience and leads to the evolution of this concept into that of cyber resilience. In order to offer a deep insight into the management of cyber resilient systems and to propose a Managerial Cyber Resilience Framework, clarifying the role of context in the correct selection and implementation of different tools and practices, we conducted an exploratory multiple case study analysis in six companies operating in three different industries: consultancy, public administration and banking. The results provide interesting managerial actions to undertake for the management of cyber resilient systems, also in consideration of specific contextual factors.

1. Introduction

Nowadays, according to the complexity and level of digitalization of its business and to the value it offers to the social and economic context, every organization has an IT system and the need for cyber security tools to protect information and digitalized processes from fraud attempts and acts of vandalism (Von Solms & Van Niekerk, 2013). Cyber-attacks consist of any action taken by individuals or organizations to undermine the functions of information systems, infrastructures, computer networks or personal electronic devices through crimes (Kawanaka, Matsumaru, & Rokugawa, 2014). These actions are, for example, hacking, bombing, cutting, infecting. They are a real and significant danger for many countries, their citizens, businesses and the economy in general, and can be confronted by the implementation of a so-called cyber resilient system (Wang & Lu, 2013).

The ability to react to these attacks and to design and implement a more robust organization recalls the concept of resilience, known in physics as the capacity to sustain shocks without breaking. In management sciences, resilience is defined as the ability of an organization to adapt to unexpected disruptive changes, or the intrinsic capacity of a system to modify its functioning before, during and after a disruptive change or a trouble, in order to continue the necessary operations in both expected and unexpected conditions (Wieland & Wallenburg, 2013).

Several methods confuse, or do not discriminate, resilience, i.e. the ability to resist and recover quickly from unknown and known threats, and risk, i.e. the product of the probability of an adverse event and the extent of the resulting damage (Kaplan & Garrick, 1981; Soni, Jain, & Kumar, 2014). Nevertheless, organizations often do not recognize a threat until it occurs; therefore, the complexity of cyber systems and cyber threats requires the integration of the risk management process and the resilience management process.

Taking the theoretical background of previous research on cyber resilience management models as a starting point, this study aims to contribute to explaining how to manage cyber resilient systems taking into account the business context. More concretely, it aims to comprehend how companies should correctly align managerial actions and practices in a set of logical steps for enhancing cyber security resilience. Gathering data through a structured exploratory study based on six exemplary case studies, we aimed at clarifying how companies can effectively introduce and implement a cyber resilient system, and how different contexts influence companies' management of cyber resilient systems, in a Managerial Cyber Resilience Framework.

The paper is organized as follows. The second section contains the theoretical background about the concepts of cyber resilience and the main models for cyber resilience based on risk and resilience; further, we formalize the emerging research gap about the missing link between contextual factors and the implementation of cyber resilient systems, and we define the research question. The third section (methods) describes the research methodology, a multiple case study analysis, and the research protocol. The fourth section (results) contains the descriptive analysis of the cases, and the last one (discussion and conclusion) discusses our results and reports a Managerial Cyber Resilience Framework, summarizing contributions and research limitations, together with possible future research directions.

* Corresponding author.
E-mail addresses: [email protected] (A. Annarelli), [email protected] (F. Nonino), [email protected] (G. Palombi).

https://doi.org/10.1016/j.cie.2020.106829
Received 28 January 2020; Received in revised form 1 September 2020; Accepted 3 September 2020
Available online 8 September 2020
0360-8352/© 2020 Elsevier Ltd. All rights reserved.

Table 1
Main works on the management of cyber resilient systems.

Katsumata et al. (2010)
  Objectives: To propose a proactive approach that builds protective and resilient mechanisms to provide greater assurance to the organizational information system.
  Main findings: Cyber Security Risk Management (CSRM): a systematic approach for assessing system security risk.
  Contextual factors: Industry; Infrastructure.

Steen and Aven (2011)
  Objectives: To understand how risk can be assessed and treated to enhance resilience engineering.
  Main findings: The basic ideas of resilience engineering can be supported by the (A, C, U) risk perspective.
  Contextual factors: –

Bodeau and Graubart (2011)
  Objectives: To investigate how to evolve architectures, cyber resources, and operational processes to provide cost-effective cyber resiliency.
  Main findings: Cyber Resiliency Engineering Framework.
  Contextual factors: –

Burstein et al. (2012)
  Objectives: To diagnose an attack, to quickly switch to calculated backup actions and to predict downstream events by the attackers, in order to make the functions resilient to those attacks.
  Main findings: Strategic and tactical resiliency against threats to ubiquitous systems model (STRATUS).
  Contextual factors: Infrastructure.

Linkov, Eisenberg, Bates, et al. (2013)
  Objectives: To provide recommendations for resilience metrics.
  Main findings: Resilience Matrix Framework.
  Contextual factors: –

Linkov, Eisenberg, Plourde et al. (2013)
  Objectives: To provide the metrics recommended by Linkov, Eisenberg, Bates, et al. (2013).
  Main findings: Resilience metrics.
  Contextual factors: –

Collier et al. (2014)
  Objectives: To show how risk-based standards can move beyond risk assessment to create systems that are more resilient to dynamic threats.
  Main findings: A risk-based cyber security framework.
  Contextual factors: Infrastructure.

DiMase et al. (2015)
  Objectives: To provide a holistic analysis of the health status of cyber-physical security.
  Main findings: Cyber Physical Systems Security framework (CPSS).
  Contextual factors: Infrastructure.

Boyes (2015)
  Objectives: To detail the cyber security attributes that affect cyber resilience.
  Main findings: Three main clusters affecting cyber resilience are identified.
  Contextual factors: Infrastructure.

Davis (2015)
  Objectives: Building cyber-resilience into supply chains.
  Main findings: Identifies factors affecting the ability of an acquirer to protect its information, using a simplified supply chain model.
  Contextual factors: –

Jensen (2015)
  Objectives: Cyber-resilience for the efficient functioning of the maritime industry.
  Main findings: Three principal tools are recommended: 1) informational campaigns; 2) pressure from customers; 3) "cyber premiums" on insurance policies.
  Contextual factors: Industry; Infrastructure.

Sharkov (2016)
  Objectives: To design a roadmap for the national cyber-security strategy.
  Main findings: The implementation of the so-called "CIA triad" and the measurement of knowledge of risks and threats: "Known", "Unknown knowns" and "Unknown unknowns".
  Contextual factors: Industry; Ownership.

Tran et al. (2016)
  Objectives: To combat zero-day malware attacks.
  Main findings: Cyber Resilience Recovery Model (CRRM).
  Contextual factors: –

Gisladottir et al. (2017)
  Objectives: To demonstrate the effects of under- and over-regulation on organizations' resilience in the face of insider threats.
  Main findings: Development of a model of a corporate cyber network under attack, embedding cyber security human factors and the organizations' regulatory context.
  Contextual factors: Infrastructure; Ownership.

Rohmeyer et al. (2017)
  Objectives: To test capability effectiveness for architectural resiliency in financial systems.
  Main findings: Complete cyber resilience tests, based on the principles of cyber war-gaming and involving all corporate domains, have the potential to increase knowledge, improve resilience and make its improvement measurable.
  Contextual factors: Infrastructure; Industry.

Koelemeijer (2018)
  Objectives: To enhance the cyber resilience of critical infrastructures through an evaluation methodology based on assurance cases.
  Main findings: The study provides a basis for the correct functioning of adaptive systems by automatically generating and reviewing assurance cases.
  Contextual factors: Infrastructure.

Carayannis et al. (2019)
  Objectives: To outline the anatomy of an ambidextrous approach to cyber security.
  Main findings: Multistage approach under a 7Ps stage gate model.
  Contextual factors: Industry; Society; Ownership.

Caron (2019)
  Objectives: To highlight the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.
  Main findings: Cyber-testing techniques provide insight into the effectiveness of the actual implementation of cyber-security controls, and concise input for cyber-risk management and improvement recommendations.
  Contextual factors: Infrastructure.

Ganin et al. (2020)
  Objectives: To develop a method to evaluate the resilience effects of Intelligent Transportation Systems on a metropolitan area.
  Main findings: Resilience and efficiency are not necessarily correlated. By balancing resilience and smartness within systems, transportation systems can increase the likelihood that systems maintain functionality without compromising significant efficiency, especially during disruptions.
  Contextual factors: Industry; Infrastructure.

2. Theoretical background and research questions

2.1. Cyber resilience

In the interconnected digital world, cyber resilience is a condition for continuous existence and competitive advantage, so the trend is towards adopting resilient strategies and operations to ensure success when operating in a hyper-connected system. The attention paid by companies to resilience is not only vital for the sustainability and growth of their business models but also a source of competitive advantage. In order to survive and guarantee longevity, companies must be constantly evolving, being able to adapt quickly, reacting to the ever-changing environment and, above all, they should have the ability to recover quickly from unforeseen events. Resilience of cyber systems or cyber-physical systems is essential to maintain trust and privacy by

mitigating security risks, protecting customers and providing them with better and safer services (Knowles, Prince, Hutchison, Disso, & Jones, 2015).

Two features belong to a resilient system: (1) robustness against predictable attacks and (2) the ability to come back to a safe state if an attack has been successful, without regressing (Rogers, Apeh, & Richardson, 2016). This is the ability of the system to adapt: to reduce the probability of having to deal with sudden disturbances, to resist their spread while maintaining control over structures and functions, and to be ready to recover and respond with immediate and effective reactive plans that overcome the disturbance and restore a robust state of operations.

Roege et al. (2017) propose a distinction between safety and resilience: the first focuses on the protection of systems from threats or events, while the second is the ability to prepare for and adapt to changing conditions, and to resist and recover quickly from interruptions. In detail, resilience includes the ability to resist and recover from intentional attacks, accidents, threats and natural disasters. Cyber resilience requires the integration of the risk management process and the resilience management process (Collier et al., 2014). Risk management selects and prioritizes potential measures to prevent or mitigate impacts, whereas resilience seeks to improve the system's inherent ability to respond to inevitable changes, both long- and short-term, thus adopting a time perspective. "Improving a system's resilience offers significant advantages in managing risk; improving the resilience of a system constitutes an integral part of the risk management process" (Haimes, 2009: 500). "Successful implementation of these mechanisms will depend on the integration of risk- and resilience-based management in an adaptive framework" (Collier et al., 2014: 70). Indeed, a vision based on risk management focuses on prevention or protection against intrusions (avoiding risk) or on mitigating the negative consequences of an event. Differently, an approach based on resilience is concerned with ensuring the continuity of functions and critical services and with continuously improving the overall context. Linkov and Trump (2019) suggest that the two approaches have to be considered complementary, as the benefits deriving from one can directly affect the working of the other.

2.2. Management of cyber resilient systems

An organizational system, inherently complex and multi-faceted, in order to be considered resilient must maintain operations under attack or failure, while being able to reconfigure and/or recover its attributes, and eventually restore the original state (Bishop, Carvalho, Ford, & Mayron, 2011). A resilient system can be described and summarized by means of four key attributes, namely capacity, flexibility, tolerance and cohesion (Kott and Linkov, 2019; SEBoK, 2017).

Although research on cyber systems has witnessed important development throughout the years, aspects related to the security (and therefore the resilience) of cyber systems still represent an open issue, gaining further importance with the rising development of cloud-based systems (Mourtzis & Vlachou, 2016). For example, there are studies focused on the context of manufacturing SMEs providing cloud-based approaches for process planning (Mourtzis, Vlachou, Xanthopoulos, Givehchi, & Wang, 2016) and for the monitoring of manufacturing equipment (Tapoglou et al., 2015), and an Internet of Things-based monitoring system for shop-floor control (Mourtzis, Milas, & Vlachou, 2018).

Several authors have proposed over the years methods for creating resilient systems for cyber security. Table 1 summarizes the main works on the management of cyber resilient systems to highlight the actions needed and the contextual factors.

From the analysis of the papers reported in the table, three contextual factors recur: infrastructure, industry and ownership.

The infrastructure can be critical or non-critical. Critical infrastructure represents an asset, a system or a part thereof that is essential for maintaining vital functions, health, safety, security, or the economic or social wellbeing of people, and whose disruption or destruction would have a significant impact (Linkov & Trump, 2020).

The industry, i.e. the sector in which the organization is embedded, is of great importance in determining the managerial actions to undertake. One of the main contextual factors (a function of the industry) is whether the organization is customer-oriented or consumer-oriented: in the first case, managerial actions are meant also to ensure the cyber security of client companies (most common in business-to-business markets), while in the second case activities and actions are aimed at securing only the company and its private clients (business-to-consumer markets). Therefore, the set of managerial actions required to ensure cyber security varies in the two cases, and also according to the specific criticalities of business models and types of clients (Kott and Linkov, 2019).

The last contextual factor is ownership: public and private organizations could undertake different managerial actions. The main differences between public and private organizations' investment strategies are the drivers (regulations for public organizations and client/supplier demands for private ones) and the information resources (mainly standards for public organizations and stakeholder requirements for private ones) (Rowe & Gallaher, 2006).

Risk management can be a good starting point to create a resilient cyber system considering disruptive risks. Disruptive risks, as well as recovery and reaction strategies, can be categorized by the type of action and the way of thinking they imply (Ribeiro & Barbosa-Povoa, 2018): reducing the probability of facing sudden disturbances, resisting the spread of disturbances by maintaining control over structures and functions, and recovering and responding with immediate and effective reactive plans to transcend the disturbance and restore a robust state of operations (Kamalahmadi & Parast, 2016).

Katsumata, Hemenway, and Gavins (2010) propose a proactive approach that builds protective and resilient mechanisms to provide greater assurance to the organizational information system. This approach is called Cyber Security Risk Management (CSRM). CSRM starts from the NIST methodology, which includes three processes (risk assessment, risk mitigation and monitoring/control), and extends it to a four-step process that includes an initial phase of risk management planning. The assessment process establishes the risk baseline; the mitigation process uses a cost-benefit analysis to evaluate potential additional countermeasures that reduce risk; the CSRM risk monitoring and control process provides a method for "monitoring of identified risks, monitoring of residual risks, identification of new risks, execution of risk mitigation plans and assessment of their effectiveness". It also includes feedback cycles to allow a continuous process of risk assessment, mitigation and monitoring.

Steen and Aven (2011), in order to enhance resilience engineering, suggest the use of a risk perspective different from the most popular one: probability is replaced by uncertainty. The (A, C, U) risk perspective in fact takes into consideration the event A, the consequence C and the uncertainty U. Collier et al. (2014), in their risk-based cyber security framework, show how risk-based standards can move beyond risk assessment to create systems that are more resilient to dynamic threats.

According to Jensen (2015), cyber-resilience for the efficient functioning of the maritime industry should improve the risk management approach implemented by introducing the following guidelines: 1) informational campaigns directed at maritime companies about the cyber-risks they face; 2) pressure from customers who are made increasingly aware of the risk to their cargo in cases where maritime companies lack cyber-defenses; and finally 3) "cyber premiums" on insurance policies that reflect the degree to which maritime companies adhere to the voluntary guidelines.

Fundamentally, possible strategies for resilience can be divided into two categories, proactive or reactive (Hohenstein, Feisel, Hartmann, & Giunipero, 2015), even if a third one is more focused on the anticipation and awareness of events (Kott, Wang, & Erbacher, 2015). On one hand, resilience is the simple ability to rebound from adverse situations and to resume activities quickly; on the other hand, it is the development of

new skills, including the ability to keep pace and create new opportunities to deal with unexpected challenges (Abdullah, Noor, & Ibrahim, 2013). Furthermore, organizations can be modelled and represented as networks, and their structural characteristics can have a non-negligible impact on resilience attributes (Gisladottir, Ganin, Keisler, Kepner, & Linkov, 2017).

Tierney and Bruneau (2007) establish four key attributes of resilient systems: (1) robustness (resisting disruptive forces), (2) redundancy (meeting the functional requirements with replaceable system elements), (3) resourcefulness (effectively exploiting resources to diagnose and solve problems) and (4) speed (recovering quickly from an interruption).

Bodeau and Graubart (2011) propose the Cyber Resiliency Engineering Framework: this framework aims at providing an analysis oriented toward cost-effective cyber resiliency by investigating the evolution of architectures, cyber resources, and operational processes.

Burstein et al. (2012) propose a model called STRATUS (strategic and tactical resiliency against threats to ubiquitous systems). This model uses an overload of computational resources to diagnose an attack, to quickly switch to calculated backup actions and to predict downstream events by the attackers, so as to make the functions resilient to those attacks. It uses an ontological model containing missions, components, vulnerability and reliability levels for hardware and software resources provided with attack tests, schemes of the attack plan for multi-stage attacks, and host and cluster organization, in order to reason about how physical or network proximity can contribute to the possibility of vulnerability.

The US National Academy of Sciences defined the four attributes of resilience, i.e. plan/prepare, absorb, recover and adapt. Furthermore, the NAS incorporated these in its definition of resilience, "the ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events" (National Academies (US), 2012: p. 16).

Linkov, Eisenberg, Bates, et al. (2013) reconsidered the above attributes (National Academies (US), 2012) to design the resilience matrix framework. In this matrix, the column indexes are the four attributes, turned into a four-stage life-cycle model (plan/prepare, absorb, recover and adapt), while the rows represent the four domains taken from Network-Centric Operations doctrine (Alberts & Hayes, 2003), i.e. physical, information, cognitive and social. The cells of this matrix contain recommendations for determining resilience metrics. Linkov, Eisenberg, Plourde et al. (2013) provided these metrics.

Ferdinand (2015) studied how to build and maintain a state of cyber resilience in organizations. The focus is on the organizational learning of the environment, both internal and external, and on the ability to exploit opportunities and manage threats in four moments: monitoring, analysis, decision-making and change. A structure with dynamic capabilities must present both reactive capacities, necessary to respond to market changes, and proactive capacities that allow foreseeing and creating market changes. The combined use of dynamic capabilities, i.e. (1) ordinary defensive capabilities, (2) dynamic resilience capabilities and (3) extraordinary capabilities, leads to increasing levels of maturity in the area of computer (cyber) resilience.

DiMase, Collier, Heffner, and Linkov (2015) propose the Cyber Physical Systems Security framework (CPSS). According to this framework, the following ten areas of concern enable a holistic analysis of the health status of cyber-physical security: (1) electronic and physical security; (2) information assurance (IA) and data security; (3) asset management and access control; (4) life cycle and diminishing manufacturing sources and material shortages (DMSMS); (5) anti-counterfeit and supply chain risk management (SCRM); (6) software assurance and application security; (7) forensics, prognostics, and recovery plans; (8) track and trace; (9) anti-malicious and anti-tamper; (10) information sharing and reporting.

Boyes (2015) details the cyber security attributes that affect cyber resilience. They are divided into three main clusters: information quality and validity, and system configuration (integrity, utility and authenticity); controlling access and system operations (confidentiality and possession); and continuity of operations, safety of personnel and assets (availability/reliability, safety and resilience).

Davis (2015) identifies factors affecting the ability of an acquirer to protect its information, using a simplified supply chain model. These factors are: (1) stating cyber security requirements to suppliers using a common framework and language; (2) integrating cyber security into the acquirer's procurement process; (3) devoting resources to investigating the makeup of the supply chain (i.e. which supplier organizations make up the supply chain); (4) understanding how a supplier meets the acquirer's requirements when not using a common, shared framework and language; (5) identifying acquirer information shared between the acquirer and its direct suppliers, and acquirer information shared between direct and indirect suppliers.

Sharkov (2016) shows the approach implemented in Bulgaria to design a roadmap for the national cyber-security strategy. The Bulgarian national cyber-security strategy focuses on two main aspects: the implementation of the so-called "CIA triad", i.e. a triad for information security made up of confidentiality, integrity and availability, and the measurement of knowledge of risks and threats. Those two aspects allow the structuring of objectives and measures at three nested levels: information security, IT security and IT resilience. Threats, objectives and measures are outlined in three categories: "Known", "Unknown knowns" and "Unknown unknowns".

Tran, Campos-Nanez, Fomin, and Wasek (2016) designed the Cyber Resilience Recovery Model (CRRM) to combat zero-day malware attacks. The model provides insights into the strengths and weaknesses of current recovery processes and presents possible solutions for addressing changing cyber security threats. Best practices such as awareness training, the isolation of a machine infected with zero-day malware using the full containment method, and the formatting and re-imaging of a machine infected with zero-day malware are indicated.

Rohmeyer, Ben-Zvi, Lombardi, and Maltz (2017) believe that complete cyber resilience tests, based on the principles of cyber war-gaming and involving all corporate domains, have the potential to increase knowledge, improve resilience and make its improvement measurable. Coordinated game events, discussion-based seminars and conferences, and special forums to support collaborative analysis of real-world events and emerging threats are also recommended.

Carayannis, Grigoroudis, Rehman, and Samarakoon (2019) outline the anatomy of an ambidextrous approach to cyber security adopting a balanced scorecard, multistage approach under a 7Ps stage gate model (Patient, Persistent, Persevering, Proactive, Predictive, Preventive, and Preemptive). Such an approach "emphasizes the need to enable a complex, nonlinear, adaptive process of dynamic intangible organizational assets, resources, and capabilities across a performance frontier" (p. 1) in order to enhance cyber resilience.

Caron (2019) highlights the potential of cyber-testing techniques in assessing the effectiveness of cyber-security controls and obtaining audit evidence.

Recently, Ganin et al. (2020) investigated the interconnections of resilience with other systemic attributes, e.g. security and efficiency, in the context of urban areas/smart cities and transportation, with particular interest toward Intelligent Transportation Systems. Scenario analyses led the authors to conclude that there are complex interconnections and tradeoffs between smartness and resilience, as some systems may benefit more from smart development and less from resilience, or the opposite, depending on several characteristics, such as size and the presence of critical infrastructures.

3. Research gap and research question

As evidenced by the analysis of the literature, a non-negligible number of contributions highlighted the impact and relevance of some contextual factors (i.e. infrastructure, ownership, industry) in determining the

Table 2
Sample description.

Case   | Country    | Industry                         | Years of activity | Number of employees (approx.) | Employees involved in cyber security | Key informant
Case 1 | U.K.       | Consultancy                      | 10                | 200,000                       | more than 100                        | Cyber Security Manager
Case 2 | EU country | Military (public administration) | 1                 | 300                           | more than 200                        | Brigade General
Case 3 | Italy      | Banking                          | 8                 | 89,000                        | 150                                  | Cyber Analyst
Case 4 | Italy      | Consultancy                      | 4                 | 950                           | 3                                    | Senior Cybersecurity Partner
Case 5 | Italy      | Public administration            | 15                | 40                            | 3                                    | Self-employed consultant for cybersecurity
Case 6 | Italy      | Banking                          | 30                | 500                           | 5                                    | Business continuity & disaster recovery manager

management of cyber resilient systems, together with the corresponding actions to be undertaken.

Although many frameworks, methodologies, metrics and best practices developed in the literature acknowledged the importance of contextualization, few contributions investigated the relationship between context and actions.

The awareness that each context provides its own peculiar cyber workplace (with its opportunities and criticalities), and the limited number of studies focused on this, justify our research, which aims to provide insights on the implementation of managerial actions, as a function of the context, for a cyber resilient system.

The present work aims at widening the knowledge base on the management of cyber resilient systems, together with the corresponding actions deriving from contextual needs, organized into a Managerial Cyber Resilience Framework.

For this reason, our investigation attempted to answer the following research question:

• How do different contexts determine the management of cyber resilient systems?

In fact, there is a need for a wider analysis of cyber resilient systems that takes into consideration context features.

Furthermore, according to what emerged from the analysis of previous works in the field, there is a research gap concerning the interrelationship between different contexts and the managerial actions to be undertaken in those contexts in order to ensure resilience to cyber threats. As a matter of fact, throughout the years many works focused on the concepts of resilience and cyber resilience and the underlying processes (e.g. Haimes, 2009; Collier et al., 2014; Rogers et al., 2016), while many other contributions dealt with the management of cyber-resilient systems (e.g. Rowe & Gallaher, 2006; Katsumata et al., 2010; Linkov, Eisenberg, Bates, et al., 2013; Linkov, Eisenberg, Plourde et al., 2013; Kott and Linkov, 2019), but there is still missing evidence that clearly links the adoption of specific managerial actions in relation to

were taken, how they were implemented, and with what result (Schramm, 1971).

Cyber security can be considered a relatively new topic; the existing theoretical background can be considered a solid base upon which to build and organize the research, and the exploratory approach is coherent with the aim of identifying and describing key variables and the linkages between them (Huberman and Miles, 2002). Given the above considerations, this research required exploratory efforts, and case studies have been designed for this purpose.

To cover the multi-faceted reality of cyber security, the data collection strategy was defined so as to gather evidence from multiple sources for each case: direct and on-site observations, semi-structured interviews with key informants, and the collection of materials from secondary sources (i.e. archival documents and reports). Multiple data sources allowed us to triangulate evidence and ensure the validity of the study (as detailed in Table 3). The overall process of data collection required about 3–4 months.

The research protocol has been designed in order to ensure a high quality of research and methodological rigor. In order to reduce possible biases, and to maximize validity and reliability, the objective was to diversify data collection methods and sources (Eisenhardt, 1989; Patton, 2002).

The study involved six exemplary and different cases, operating in different industries and involving different types of organizations. In this way, it has been possible to study different realities within the same phenomenon. The chosen approach has been that of theoretical sampling (Eisenhardt & Graebner, 2007), which brought us to the identification of the first three cases (Cases 1–3). Following this, we adopted an approach of literal replication to select three other cases (Cases 4–6), with the aim of predicting similar results while maintaining the same conditions/contextual factors (Yin, 1984). We selected six cases to maximize the degree of information that could be extracted, privileging an all-encompassing view of the overall (cyber) risk management process.

Given this aim, we selected six key informants for cybersecurity: two
specific contexts, to ensure cyber security and resilience. of them operate in international consultancy companies (labelled as
Case 1 and Case 4), two in public service organizations (Case 2 and Case
4. Research method 5) and two are embedded in the context of banking and finance (Case 3
and Case 6) (Table 2).
To answer the research questions, we adopted the case study meth­ For each of the involved firms, we carried on a semi-structured
odology with an exploratory purpose to take into account the complex interview with a high-level manager working in the field of IT and
interrelation of variables characterizing the phenomenon of cyber se­ dealing with cyber security issues. The first part of the interview pro­
curity and its interrelationships with resilience. The case study is the tocol has been focused on classifying firms and gathering more general
preferred method to investigate an empirical topic by following a set of data about the approach in building a cyber security system. The
pre-specified rules and procedures; it allows a holistic and contextual­ following part of the interview protocol has been structured in two
ized analysis, properly suited for exploratory research purposes, because major sections and six sub-sections to investigate:
it allows the identification of crucial variables while exploring a given
phenomenon. In particular, this research employed a multiple case study 1. Cyber resilience context
design, because it allows both an in-depth examination of each case and 1.2 Organizational structure for cyber security (Carayannis et al.,
the identification of contingent variables that distinguish each case from 2019; Ferdinand, 2015)
the other (Eisenhardt, 1989; Yin, 1984). Moreover, the essence of a case 2.2 Investments in cyber security
study is trying to illuminate a decision or a set of decisions: why they

5
A. Annarelli et al. Computers & Industrial Engineering 149 (2020) 106829

   3.2 Risk management process for cyber security (Katsumata et al., 2010; Collier et al., 2014)
   4.2 Risk analysis approach (Sharkov, 2016)
   5.2 Definition of cyber resilience (Bodeau & Graubart, 2011; Boyes, 2015; Burstein et al., 2012; Tran et al., 2016)
2. Actions for cyber resilience
   1.2 Reactive/proactive approach against cyber attacks (Katsumata et al., 2010)
   2.2 By means of which actions the company introduces and implements cyber security (Linkov, Eisenberg, Bates, et al., 2013; Linkov, Eisenberg, Plourde et al., 2013)

Case analysis was conducted following the recommendations of Yin (1984), Eisenhardt (1989), McCutcheon and Meredith (1993), and Miles and Huberman (1994). We conducted a within-case analysis according to coding techniques (Strauss & Corbin, 1990; Strauss, 1987). Cross-case analysis was conducted according to Eisenhardt (1989), Runkel (1990), and Yin (1984), seeking matches, similarities, differences, and crossing variables among cases, to maximize the validity and generalizability of the study. Criteria of internal validity, construct validity, external validity, and reliability were taken into account, according to Cook and Campbell (1979), Yin (1984), Eisenhardt and Graebner (2007), and are schematized in Table 3.

Table 3
Validity and reliability of case studies.

Characteristics   Criteria
Construct validity
  • Data triangulation: use of primary data (retrieved through interviews) and secondary data (from archival evidence)
  • Review of transcriptions by co-authors and key informants
  • Explanation of data analysis procedures
Internal validity
  • Research framework derived from literature
External validity
  • Cross-case analysis (multiple case studies)
  • Rationale for cases selection: theoretical sampling
Reliability
  • Adoption of an interview protocol
  • Development of a case study database

First, we performed a within-case analysis in order to understand the relevance of contextual factors and their influence and capability of explaining cyber security practices and their effects in enhancing organizational resilience. After that, we used the factors to perform a cross-case analysis in order to allow comparisons between different implementation contexts. The analysis revealed some interesting discernments for enhancing resilience in organizations having similar or different criticalities in terms of contexts.

5. Results

The case studies enabled us to examine data at the micro level. Through these six cases, we had the opportunity to collect and to analyse data from real situations, providing insights coming from primary and secondary data, while the different industries and organizational environments allowed a cross-context analysis.

5.1. Case 1: the multinational consultancy company

The first organization analyzed is a service company, a world leader in the strategic, legal and financial consulting market: the key informant involved in the study is the cyber security manager for Italy.

In this company, in Italy alone, more than 100 employees are focused on cyber security. It is necessary, however, to make a distinction: on the one hand, there is a portion of the company that provides services to other organizations and includes a hundred people working with the key informant; on the other hand, there is a dedicated team focusing exclusively on the company's own security. In the second case, it is not merely an IT function but a well-structured security function, composed of a Cyber Information Security Office (CISO) that deals with the security of internal projects and with teams that are not very large, formed by about 20 people.

People represent the weakest element in security system chains, and therefore there is a great need for investment in training and in social engineering activities, which, in the field of information security, is the study of individual behaviors aimed at stealing useful information. In order to strengthen procedures and policies, the company invested in writing rules and identifying protocols to be followed. Finally, the major investment in technology is the purchase of cutting-edge tools.

This company is ISO 27001 certified. ISO 27001 is the international standard in Europe for information security management.

5.1.1. Cyber resilience context

Among the six phases into which a risk management process is conventionally divided, the key informant acknowledged that the company is missing a key step, namely the definition of the perimeter, which should be performed among the first steps of risk definition and identification. Indeed, the size of the company involves many difficulties in the development of risk analysis. Being unable to consider everything, the company gives priority in risk analysis to value-added processes and to those processes with a strong impact on the budget.

According to the key informant, one of the most frequent errors is looking at security as a cost without any monetary return. On the other hand, the Case 1 company invests yearly about one million euros for the prevention of risks related to information security.

An interesting observation, concerning the interpretation of resilience, emerged as the key informant stressed the importance for the company of not incurring damages rather than earning money. The key informant states that resilience does not consist in knowing how to protect oneself but in being able to deal positively with what happens.

Regarding the choice between a reactive and a proactive approach against cyber attacks, the key informant claims that it is increasingly necessary to adopt a proactive approach.

5.1.2. Actions for cyber resilience

Recently, a series of initiatives gathered under the name of threat intelligence (which are going to mix with artificial intelligence) are taking place more and more in the cyber field. These activities are based on the concept of neural systems or systems that "learn". There are threat intelligence services and activities that help identify new emerging threats day by day. These services are based on feed mechanisms that send a data stream and anticipate threats, starting from an intelligence analysis.

For some activities, such as Vulnerability Assessment and Penetration Test, it is important to consult the CVSS catalogue (Common Vulnerability Scoring System) and to check if these vulnerabilities are exploitable, i.e. if a hacker can take advantage of them and be able to attack and violate the system.

According to the key informant, when cyber security attacks occur, it is important that critical infrastructure operators learn from them and undertake actions in order to avoid similar situations in the future. A key aspect of this process, as of every risk management process, is the need to conduct an update and review of the information deriving from the preliminary phases.

Although intrusion detection systems and monitoring tools play a significant role in network security, the key security element, among all, is represented by human resources. Employees play the most delicate role because, having access to company data and privacy, they have a great responsibility. For this reason, there are considerable investments in HR, allocating compulsory online and in-person training paths with a teacher. Some of these courses focus on specific topics, such as data protection. These courses provide information to employees about online security and social engineering, when users are connected to their workstations and access websites that could lead to potential cyber attacks. Further, training programs are very often able to monitor users' progress. To this extent, reviewing and updating training programs is a
key step in ensuring their effectiveness.

The training outcome is then tested with the direct use of social engineering activities: employees are exposed to real receipts of false e-mails, attacks, and other simulations of attempts to extort sensitive data. These tests are also performed to reduce the risk that people did not pay enough attention during training and formation. Of course, training courses will not avoid human errors but, if done correctly, they can increase awareness.

As for future development directions, the manager acknowledged that two paths are opening for the future in cyber: artificial intelligence and insurance.

About artificial intelligence, the manager believes that we are going more and more towards a world in which man will give instructions and machines will learn. The new cyber trend will see hackers no longer attempting to attack the system but badly instructing machines to do it. About insurance, the key informant maintains that it is difficult to mitigate all the risks, so he highly recommends the development and adoption of cyber risk insurance. In Table 4, the context and managerial actions of the "Case 1" organization are summarized.

Table 4
Case 1 context and managerial actions.

Case 1
• Strategic, legal and financial consultancy organization
• One of the biggest and most important organizations of this sector in the world
• The key informant is a Cyber Security Manager

Cyber Context
• More than 100 individuals are focused on cybersecurity, but just 20 of them are focused on the "Case 1" organization itself
• The organization is ISO27001 certified.

Managerial Actions
• Artificial Intelligence;
• Audit Log;
• Cost-benefit analysis;
• Social Engineering;
• Threat Intelligence;
• Trend Analysis;
• Penetration Test;
• Vulnerability Assessment;
• Training.

5.2. Case 2: the public military organization

The second interview was submitted to a cyber security manager operating in the military context. His field of expertise is related to the protection of military networks and military information in Italy and abroad, where there are connected networks or military actions under way.

The organization chart includes a command and staff area and an operational department, a training area and an experimental area. The mission of the Case 2 organization is focused on cyber defense and cyber network defense.

Cyber defense is a static defense of the network, using monitoring systems that allow the organization to observe the integrity and availability of the data and networks on which they work. On the other hand, cyber network defense also includes the ability to perform Vulnerability Assessment (VA) and Penetration Test (PT), i.e. the continuous verification of network efficiency and the search for vulnerabilities.

The key informant is a manager who has been working in the cyber defense sector for more than four years. He takes care of the organization, the management of human resources, the info-structure and infrastructure sector, and takes care of all the educational and training activities of the personnel, which consists of a few hundred people.

The cyber environment has exploded over the past decades. In the last five years, there has been a strong acceleration in the need to adhere to the indications provided by the NIST and GDPR directives regarding the protection of privacy. According to the key informant, creating a link between the academic world, the industrial world and other administrations is the best solution for responding to cyber attacks.

5.2.1. Cyber resilience context

Within a cyber risk management process, the six steps conventionally recognized in a risk management cycle are executed. It is an iterative process that, at the end of the risk mapping and after designing an action framework, dynamically restarts: the goal is that of creating a cycle that keeps threats under control. Each stage is assigned to a manager who conducts constant monitoring while coordinating with the other sector managers, possibly with the support of IT tools.

Through the analysis, one of the most important pieces of information is the list of risk priorities together with the corresponding response plans. This is because the attack surface is so wide that one cannot afford, not even as a nation, to establish countermeasures for every type of threat, as this would imply particularly high costs. Therefore, the first thing to do is to define the potential attacks for which it is valuable to take preventive measures and, therefore, to draw a perimeter within which only the risks assigned a greater priority will fall.

The Case 2 organization has set up the main figures who must comply with what their duties and role require. Certainly, the problem arises in the case of small and medium-sized enterprises, when these do not have enough staff to dedicate to this purpose. In these cases, it is therefore necessary to proceed with an ad hoc investment program. Investing in cyber security, however, as well as undertaking risks, often turns out to be very expensive.

The key informant suggests that the salient point of each organization's policy should be to establish, even in agreement with the trade unions, clear rules that do not appear as simple regulatory dictates or prescriptions but rather are shared with employees. He claims that there is a need for creating a knowledge culture in which everyone must know why each policy has a reason to exist: employees must be aware of the reasons behind security concerns, e.g. if passwords must be of a certain type, if the usage of external USB drives is not authorized, or if access to external systems from outside is not allowed during the weekend or night hours. It is mostly about establishing a continuous dialogue and a full sharing of objectives with the company. Also, creating repositories and archives, to be reviewed and updated, with data on previous measures and attacks contributes to this goal.

Resilience is a very structural and systemic concept, according to the key informant. Even considering resilience as the ability to resume operations following a damage suffered, it must be considered that resilience can assume a political, infrastructural, physical, logical and individual character. From the political point of view, resilience is the ability of the Nation to put in place policies that then allow all systems to resume functioning in unanimity. From an infrastructural point of view, system redundancy, whether infra-structural or info-structural, must exist.

We must not forget that the internet was born in the ARPA (Advanced Research Projects Agency) as the ability to allow the various nodes to communicate in cases of nuclear war, to get information from EBI (European Bioinformatics Institute), ensuring the possibility of taking different paths. Therefore, while physical resilience is given by the redundancy of the systems, alternative A, B or C plans constitute the logical resilience since, given a failure or an inefficiency, we can still connect the various nodes through them. In this case, a great contribution could be made by the world of modeling and simulation, with those algorithms and data mining that allow us to automatically extract useful information from huge amounts of data and make the correlations understandable.

Finally, resilience must be considered from an individual point of view. Resilience takes the cultural character of people and how the nation faces the issue of system security, so a large component is precisely the training of personnel, who must understand their central role in the process of building resilience. People must first be educated to protect themselves more, and this practically means being less superficial in generating passwords and not disclosing, for example, their email
to anyone. Resilience obviously also depends on the amount of investments that are made. Therefore, since cyber security is a "problem" of the Nation and many contributing actors are involved, procurement initiatives are necessary, thus acquiring technologies and material capacities, which are above all characterized by interoperability, allowing the various ministries to communicate. Surely, all the aspects of anticipation, recovery, resistance and evolution are necessary to build a resilient environment for cyber attacks, but there is a need to start building tailored systems not relying on "commercial" solutions.

In order to be resilient, organizations cannot privilege exclusively a reactive approach or a proactive approach, but it is above all the union of the two, a third approach that is the predictive prognostic approach, that ensures that there are capabilities for resilience. The key informant explains that he calls it the "prognostic approach" because through data correlations it is possible to forecast the arrival of a catastrophic event. Speaking of a reactive approach, the key informant refers to an attitude of the Nation that is ready to react in a very short time thanks to communication, to info sharing and to industrial capabilities.

5.2.2. Actions for cyber resilience

According to the manager, the Case 2 organization focuses on the artificial intelligence sector, but there should be a greater focus on embracing solutions that allow systems to react automatically. With regard to monitoring technologies, the most advanced ones now rely on SIEM (Security Information and Event Management) systems of all types, which can make correlations between data from different sources and of a different nature, ranging from IBM to the firewall. The support of the human being is fundamental, that is, there must be a class of operators that have an all-encompassing knowledge and awareness of the systems employed.

As already reported, the key informant thinks the key factor in cyber security is the "human" factor. For this reason, the activities in which the Case 2 organization invests the most are training, recruitment and retention mechanisms to avoid the loss of key employees who bring value to the organization. The key informant suggests that the education of the human system should start from schools.

The manager affirms that there will be a constant rise in IT and cyber security investments in the next five or ten years. Indeed, in the next five years, he foresees that major investments will be dedicated to the retrofit of all ICT information systems; for the next ten years, he also expects a lot to be invested in artificial intelligence. Furthermore, the manager stressed the risks and issues deriving from the lack of education of the national leadership: nowadays the world of information technology is entrusted only to a small group of specialized technicians, who are unable to effectively communicate the real criticalities of the cyber context. Therefore, it is important to invest in training and foremost in educational activities oriented at building cyber security culture and global awareness. In Table 5, the context and managerial actions of the "Case 2" organization are briefly reported.

Table 5
Case 2 context and managerial actions.

Case 2
• It is one of the military organizations of a European country: it provides cyber security solutions also for other public organizations
• The main objective is to increase cyber defence and cyber network defence.
• The key informant is a Brigade General

Cyber Context
• Less than 100 employees are focused on cybersecurity
• Investments in cyber security were introduced more than 10 years ago, but in the last 5 years they increased in order to comply with NIST and GDPR standards.

Managerial Actions
• Audit Log;
• Backup;
• Data mining;
• Penetration Test;
• Recruitment and retention;
• SIEM tool;
• Training.

5.3. Case 3: multinational banking services company

The third interview was submitted to a computer security consultant of one of the largest banking services companies in Italy (and in the world), labelled as Case 3. The key informant is a senior analyst who has been dealing with computer security for about seven years and, for this reason, he had the opportunity to learn about many aspects of this area, including, for instance, online application security and infrastructure security. He deals with defining what the mitigation actions downstream of a risk should be and what the costs related to these actions are.

CERT is the acronym of "Computer Emergency Response Team": it is a team designated to respond to security issues in case of need. Usually, several levels of response are established: a team is in charge of the supervision, then of the real-time monitoring of all the corporate infrastructures, twenty-four hours a day and seven days a week and, when certain alarms occur, if the employees are not able to understand if it is indeed a real problem, a false positive or even a failed attempt, the CERT comes into play.

Within this group there is a primary structure, the Security Operations Centre (SOC), from which monitoring and supervision activities are carried out, and a secondary structure that represents the real heart of the CERT, corresponding to the second level of incident response, which is called to intervene in cases of extreme necessity. Therefore, the CERT is specifically the body that oversees confirming the occurrence of a real incident, and in this case indicates the countermeasures to be taken, or instead ascertains whether it is an oversight of the system or a false positive. Incident management includes many aspects because, based on the type of issue that emerged, certain initiatives are taken rather than others. Companies must periodically conduct reviews of the effects produced by the countermeasures put in place, so as to update all previous steps, e.g. the identification of risks, to provide more effective guidance in case of future attacks.

Since the introduction of the GDPR (General Data Protection Regulation), the document already illustrated in the previous case study, there are certain areas and contexts in which there are constraints that require special attention. These are mandatory constraints and, if the threat is real and falls within a specific case, it is necessary to contact designated experts and evaluate with them whether to proceed with a publication for customers, in case the threat impacts them. The cyber environment is very large, and this means that the company uses a lot of resources in cyber security. It includes anti-fraud activities, threat intelligence, and prevention and protection teams, which operate to prevent and protect against threats in a preventive way. This constitutes a great gain for the company because preventing threats rather than having to manage them once they happen brings an advantage in terms of recovery costs. In this company, about 150 people are employed in the cyber security context in different sites in Italy.

Investment is very high: about tens of millions of euros per year. Obviously, it depends on the type of organization, and it will therefore be proportional to the company's business and to the volume of users/customers: the greater the volume of the company, the greater the investment made to protect the core business and users.

5.3.1. Cyber resilience context

The cyber security issue can be analyzed from different points of view: first of all, from the operational point of view of the analyst, but also from that of processes and of the governance-related context. Based on the company's specific cyber security approach, several risk management steps are performed. This way of acting is part of the risk management prevention phase. There is a specific field related to cyber, namely business continuity, that allows the company to guarantee business continuity and, in companies like the one under analysis, this plays a fundamental role. In this regard, the company favors a proactive approach, even though it demands higher costs compared to the reactive one. According to the key informant, estimating the costs related to a possible contingency is certainly the most effective way to react. For this reason, there are figures dedicated to prevention and protection that work on
this aspect of proactivity: starting from one or more problems that happened in the past, outcomes are analyzed to understand strengths and weaknesses and to study ways of improvement. After this analysis, the team looks for the right system that can bring improvements in both qualitative and quantitative monitoring.

For the key respondent of the Case 3 company, resilience cannot be generalized; it must always be contextualized. In a cyber environment, adapting to change is very difficult because change goes much faster than one can keep up with. The key informant says that organizations need to know how to adapt to change, moving from the risks faced in a specific moment, and defines resilience as the ability to stand up once fallen. In risk management, context resilience is the intrinsic ability to change its functioning before, during and following a change or a disturbance, he says. This definition is well suited to the context under study, as cyber space is a field characterized by highly dynamic systems.

The intent is to approach resilience in a dynamic way, but this is not always possible in the environment in which one finds oneself, because sometimes there are constraints linked to certain business realities that could constitute obstacles for an incident response process, which should instead manage the occurrence of these issues. These difficulties often derive from another factor that must be considered, namely the fact that, within large companies, modifying processes is very difficult. What can be done, instead, is to intervene in operations by making changes that can be made even without modifying the process. This difference becomes important when it is not enough to change the approach to a problem, but it is necessary to change the way of approaching that problem.

5.3.2. Actions for cyber resilience

Within the IT world and, in general, in companies that have many assets to monitor, protect and defend (meaning both physical and digital assets, both end points and servers, and network devices such as routers and switches), there are systems that collect logs, or systems that maintain the computerized traces that devices produce, thus allowing the information collected by the systems in the field to be stored, centralized and aggregated according to data models. These systems are called SIEM and today are a key requirement for managing events of all kinds. They collect all the events that originate from the various devices and, starting from the evidence identified, they create an alarm system that is designed, developed, tested and then fielded. With this alarm system, trends are defined and analyzed so that the alarm is triggered whenever something is out of the baseline trend. The Case 3 company has an alarm that monitors whether an antivirus identifies specific files on the machines and, in this case, an incident response process starts. The key

false attack vectors, simulations of the possible occurrence of certain conditions reported as anomalous. An example of simulation is the phishing campaign, that is a targeted attack on a certain group of employees that aims at obtaining data and information from them, and this means not just sensitive data but also personal ones (name, surname, date of birth), from which it is possible to obtain the identity, or particular private data of interest to the attacker. In this way, a phishing simulation allows testing the overall preparedness of employees against information stealing attempts. Therefore, in practice, the phishing campaign consists in monitoring how many people fall into the trap, to see whether the awareness campaign had an impact or not, because companies aim to develop the ability to recognize the possible attack vectors and to have a complete picture of the company's perimeter of exposure.

The company in question, for the most part, carries out these activities internally, but there are technologies that are still entrusted to third parties. There are very critical assets that must be managed internally, while there are less sensitive assets that can be outsourced. Theoretically, if the company has a working SIEM it can entrust the management of assets to third parties, monitor their progress remotely and make specific risk analyses to understand the situation before contacting the manager.

Many appliances and software have already begun to exploit artificial intelligence, a part of computer science that allows machines to self-learn. This part of artificial intelligence is called "machine learning" and is already implemented by the company, which uses this type of system. This is a very powerful technology but also a very risky one because, in managing a self-learning system, the most relevant problem is being able to configure its learning in a proper way.

Machine learning is certainly one of the most important future directions of this field: this is especially true considering that new technological solutions, driven by automated systems, are being developed at an increasing rate. However, the key informant remains of the opinion that the know-how and dynamism of people are irreplaceable by artificial intelligence, which can instead be introduced as a support, concluding that the figure of the computer analyst should not be eliminated. Currently, according to the key informant's experience, the biggest mistake that can be made is cutting security costs. Luckily, this now happens less and less frequently because organizations have begun to understand the importance of security, which is the pillar for the survival of any company and therefore one of the most important aspects on which to invest economic resources. A strong limitation is that security is often considered only as a cost and the real benefits are not realized. Another problem lies in the lack of sensitivity to the contents that should be managed and protected, both on the part of those who perform security-related activities and on
informant sustains that the weak link in modern computing and Cyber is the part of those who benefit from them. It often happens that people
the “human” element because it is the one who makes mistakes and within companies are hostile to security consultations because users
introduces risks. In order to mitigate this aspect and train people, may feel limited. Nevertheless, this is necessary to reduce their proba­
awareness campaigns are promoted. Often, these campaigns are not very bility of making mistakes and to put them in situations of greater pro­
effective because of the availability of people, who should be ready to tection from possible attacks, preserving the reliability and integrity of
accept it. An effective way to enhance awareness consists in creating the company’s systems. Cyber is increasingly becoming a source of
attack and defense, but people do not yet have an awareness of the
Table 6
importance of data. Table 6 briefly describes context and managerial
Case 3 context and managerial actions. actions of the “Case 3” organization.
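The SIEM alarm logic described above for Case 3 (logs from many devices normalized into one data model, a trend baseline that raises an alarm on deviation, and a rule that starts incident response when the antivirus reports specific files), as an added example that is not code from the paper or from the Case 3 organization; the log format, host names, watched file names and thresholds are constructed assumptions.

```python
"""Miniature SIEM pipeline in the shape described for Case 3 (added example,
not code from the paper or from the Case 3 organization).

Log lines from several device types are parsed into one data model,
aggregated per (host, event type) into hourly buckets, and two kinds of
alarm are raised:
  * a rule alarm when the antivirus reports one of the watched file names
    (the "specific files" trigger that starts incident response);
  * a baseline alarm when the latest bucket leaves the trend built from
    the earlier buckets of the same host and event type.
The log format, file names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

WATCHED_FILES = {"invoice.exe", "update.scr"}  # constructed placeholders
MIN_BASELINE_BUCKETS = 3   # history needed before a trend is trusted
SIGMA_FACTOR = 3.0         # deviation above the trend that raises an alarm


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    source: str        # endpoint, server, router, switch, antivirus
    event_type: str    # normalized category, e.g. auth_fail, detection
    detail: str


def parse_event(line: str) -> Event:
    """Normalize one constructed log line: '<ISO timestamp> host source type detail'."""
    ts, host, source, event_type, detail = line.split(" ", 4)
    return Event(datetime.fromisoformat(ts), host, source, event_type, detail)


def rule_alarms(events):
    """An antivirus hit on a watched file opens an incident (rule-based alarm)."""
    return [
        {"kind": "incident", "host": e.host, "file": e.detail, "at": e.ts.isoformat()}
        for e in events
        if e.source == "antivirus" and e.event_type == "detection"
        and e.detail in WATCHED_FILES
    ]


def hourly_counts(events):
    """Aggregate events per (host, event_type) into hourly buckets, oldest first."""
    buckets = defaultdict(lambda: defaultdict(int))
    for e in events:
        buckets[(e.host, e.event_type)][e.ts.replace(minute=0, second=0)] += 1
    return {key: [hours[h] for h in sorted(hours)] for key, hours in buckets.items()}


def baseline_alarms(events):
    """Raise an alarm when the latest bucket exceeds mean + k*sigma of its history."""
    alarms = []
    for (host, event_type), series in hourly_counts(events).items():
        history, latest = series[:-1], series[-1]
        if len(history) < MIN_BASELINE_BUCKETS:
            continue  # too little history to call anything a trend
        # A floor of 1.0 on sigma keeps a perfectly flat history from
        # turning every single extra event into an alarm.
        threshold = mean(history) + SIGMA_FACTOR * max(pstdev(history), 1.0)
        if latest > threshold:
            alarms.append({"kind": "baseline", "host": host, "event_type": event_type,
                           "observed": latest, "threshold": round(threshold, 1)})
    return alarms


def analyze(lines):
    """Full pipeline: parse, order by time, then run both alarm families."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    return rule_alarms(events) + baseline_alarms(events)


def _lines(hour, n, host="srv01", source="server", etype="auth_fail", detail="bad_password"):
    """Build n constructed log lines inside one hour (one per minute)."""
    return [f"2020-06-01T{hour:02d}:{m:02d}:00 {host} {source} {etype} {detail}"
            for m in range(n)]


# Constructed sample traffic: a quiet authentication-failure trend on srv01,
# a burst in the last hour, two endpoint logins, and two antivirus reports
# of which only one concerns a watched file.
SAMPLE_LOGS = (
    _lines(8, 2) + _lines(9, 3) + _lines(10, 2) + _lines(11, 12)
    + _lines(9, 1, "pc07", "endpoint", "login", "user=alice")
    + _lines(11, 1, "pc07", "endpoint", "login", "user=alice")
    + ["2020-06-01T11:20:00 pc07 antivirus detection invoice.exe",
       "2020-06-01T11:25:00 pc07 antivirus detection notes.txt"]
)

if __name__ == "__main__":
    for alarm in analyze(SAMPLE_LOGS):
        print(alarm)
```

Running the block prints one incident for the watched file on pc07 and one baseline alarm for the srv01 authentication-failure burst; the two-bucket login series is too short to define a trend and stays silent.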

Table 6
Case 3 context and managerial actions.

Case 3 Cyber Context:
• The organization is focused on the cybersecurity of one of the biggest Italian banks.
• The organization invests a lot in cybersecurity, about 10 million euro per year.
• The key informant is a computer security consultant.
• The cybersecurity team is composed by 150 individuals.
Managerial Actions:
• Anti-fraud Intelligence;
• Audit log;
• Clone system;
• Phishing simulations;
• Threat intelligence;
• Trend analysis;
• SIEM tool;
• Training.

5.4. Case 4: consultancy company

The key informant of the "Case 4" company is a self-employed cybersecurity consultant who belongs to an Italian company operating in the Audit & Consulting sector, inserted in an international network of similar organizations. The organization has about 950 employees operating in 17 workplaces in Italy, while the international network includes a much higher number of people, more than 10,000.
The company decided to delegate IT security responsibilities to a team composed by three people (and eventually to consultants). Investments in cybersecurity are below the average of the investments made by similar companies: the percentage of turnover is lower than


2%. The cyber resilience process can be improved: a greater commitment from management would greatly increase the organization's security levels.
The company is currently ISO 27001 certified for information systems. The decision to certify the company was promoted by the IT security manager in order to regulate internal processes; it was necessary to consult a team of external consultants who provided all the information necessary to prepare the documentation needed for the certification.

5.4.1. Cyber resilience context
As mentioned in the previous paragraph, the company has not invested significantly in IT security in the past. International standards are important references for the process development, and the requirement is to certify at least the company information systems in which confidential documents are kept. The organization has started to protect itself against cyber threats such as identity theft.
The process is delegated to a small team with limited resources but with decades of experience in the world of information security. Through the knowledge acquired with expert consultants and subsequently with the practices dictated by the ISO27001 standard, the process is much more formalized, even if it would be appropriate to monitor and manage the IT risks present throughout the network, and not only in the most critical areas, to increase the levels of protection. The ISO27001 certification drastically improved the development of the company's IT security level, and greater economic investments in this direction would be needed.
Numerous procedures and policies have been formalized within the organization since 2018; all this guarantees a good level of protection and an increasing awareness of the importance of the process and of everyone's actions.

5.4.2. Actions for cyber resilience
The management strongly conditions the way the company's policies and procedures are implemented and has the responsibility to endorse the proposals made by the security managers. It evaluates the proposals and their feasibility, often based on the impact that the update would have on the way the organization works. The evaluations should analyze the benefits and the risk mitigation. The level of corporate security respects a minimum security standard that has been accepted by the Italian CEO. The proposals made by the IT security manager must therefore consider the impact on the users' activity, since the context in which the company operates requires a strong flexibility of the systems used, being continuously in relationship with the external customer. Too high levels of protection may not be compatible with the external customers' systems and therefore could compromise the business consultants' work. This compromise slows down and complicates the productivity of internal collaborators. The proposed procedures and policies, although they must take into account multiple factors, are well formalized. This allows the team to create proposals and solve system problems by reflecting business needs and subsequently having them assessed by the management.
In the event of a certain incorrect behavior by a user of the company internal network, the IT function sends a report to the human resources office; as previously mentioned, these calls are not connected to real sanctions but are reminders that refer to the procedure not respected and therefore are aimed at improving the individual's behavior. It would be appropriate to deal analytically with these calls in order to better analyze the potential vulnerabilities of the corporate network.
The dimension of the company highlighted the need for internal communication procedures. In fact, by promoting standardization of the process, the team is able to respond promptly to emergency situations, manage the event appropriately and reduce the impact caused. The protocol was drawn up internally on the basis of an assessment of the organization's specific critical issues; the choice to adapt the standard and add new procedures can be defined as a correct choice that increases corporate resilience from cyber-attacks by reducing response time and promoting internal collaboration. The importance of this documentation for the company is confirmed by the frequency with which the protocol is reviewed by the team: in fact, 2/3 times a year a document evaluation process is carried out, aimed at implementing certain changes necessary to respond to new critical issues and improve the overall process.
Controls are not done internally but are delegated to external companies that test the system through operational tests; in this way a service quality standard is ensured, but the organization is exposed to several risks due to the information sharing with external users. The system modification process is handled internally in the most procedural way possible.
Not only the technical part of the system is updated, but also the human part: every 6 months a "cyber war news" training is carried out, aimed at testing users; then data are collected in order to train those who need it. The sanctioning policy favors the compactness of the staff and aims to reduce system vulnerabilities by constantly updating the most attackable users. System vulnerabilities are also reduced thanks to the use of tools such as multifactor authentication to access information in the system and email; also, no user is an administrator of the machine. The centralization of the system favors and facilitates the management of the various machines inside, allowing the team to intervene more quickly if necessary.
The search for vulnerabilities is carried out on a continuous and daily basis through systems that use a sort of artificial intelligence. The process is based on the use of a cloud and of the services offered in collaboration with a programming language (SWIFT). This allows the team to constantly monitor the health of the system and collect information from numerous machines connected to the network. The cloud therefore has a double function: it is in fact used as a cybersecurity engine, since through the cloud the user behavior is monitored, giving the possibility to quickly find anomalies, and it is used to store information of the organization, being an important tool for the organization for which high security levels should be maintained. For these reasons, management has recognized it as a critical infrastructure to which it pays attention to prevent cyber attacks, especially those related to the theft of or damage to information.
Part of the information entered in the cloud consists of the backups made; the latter are placed on a server owned by the organization and located in the Netherlands. In this way, the organization doesn't let the cloud be administered by third parties and protects itself from any accidental damage to the physical structures of the organization.
Encryption is a very important tool for corporate data security and it is used on all the computers. By encrypting data entered in the machines and in the corporate network, the organization manages to counter data trash and prevents access to data in the event of theft. There are two levels of encryption: one used widely on the operating systems of corporate notebooks which, through zip locker, encrypts about 90% of the corporate network, and another type for virtual structures.
The company carries out an accurate monitoring of the accesses in the network, necessary in order to detect anomalous behaviors and intervene promptly in case of threat. Through a log control system, the team can monitor all the accesses to the system and all the operations that are carried out by employees, including those related to accessing files on the intranet.
The team considers it very effective to increase the level of IT.
The process therefore mainly aims to directly involve the personnel and not only to protect the structures with sophisticated protection systems; through these measures the company wants to make the employees understand what the real threats to the company are and what the correct actions to carry out are, and in case of human error the management and the team use the various lessons learned to avoid similar wrong behaviors in the future.
It is very important from a legal point of view to draw up an incident report, since both ISO27001 and the General Data Protection Regulation require it. A formalized and consistent data breach procedure is used so that, if a data breach is opened, all the events must be recorded and


documented, and a notification process begins, at the same time, towards the compliance function for the data breach, thus involving the internal and external interested parties involved in the event; finally, all the relevant stakeholders involved are informed, as required by the GDPR rules. Table 7 presents the context and the managerial actions suggested by Case 4.

Table 7
Case 4 context and managerial actions.

Case 4 Cyber Context:
• The organization is a consultancy company with 950 employees and part of a big international network.
• The key informant is a cybersecurity partner.
• The organization started investing in cybersecurity just two years ago.
• The organization is certified ISO27001.
• The IT security team is composed by 3 individuals.
Managerial Actions:
• Artificial Intelligence;
• Audit log;
• Backup;
• Cryptography;
• Penetration Test;
• Phishing simulation;
• Multifactor Authentication;
• Training (Cyber war news training).

5.5. Case 5: consultancy for public administration

The fifth case study analyzes an Italian small consultancy firm, and the key informant is a self-employed consultant for cybersecurity. The core business is represented by data protection consultancy, both for individuals and public administrations; therefore the company can be defined as business-to-customer and business-to-government. Non-standard, customized software is developed based on the specific needs of the customer, starting from an initial design phase to develop the web-oriented information system. About 30–40 consultants collaborate within the company, which is a medium-small enterprise with a team of three people in charge of corporate IT security. The team has been working on information security for about five years and is composed by professional figures who have been in the same context for many more years; therefore it has significant experience. The type of business strongly influences business needs in terms of IT security: the small company size means that the organization does not need to connect many users to the network, therefore management is simplified and allows the organization to allocate to cybersecurity a figure coherent with corporate needs, while tending towards a prudent management of the share capital.
Therefore, operating in a cybersecurity context, the company is aware that it owns many technical data protection skills. The company is not certified and its reputation is mainly based on its own work; this implies that a cyber-attack would have a greater impact on the company by damaging its reputation. However, the choice not to certify against certain international standards is consistent with the context in which the company works: the small dimensions are related to a turnover that is also limited and simplify the risk management process.

5.5.1. Cyber resilience context
The company structure proves to be fairly simplified as regards the number of collaborators involved; nevertheless, the various figures responsible for the IT security process are well defined, together with the definition of the related skills. The management therefore decided to entrust security to a team composed by different professional figures able to encompass all the skills necessary for adequate risk management.
Management has a very important role for cybersecurity, as it is expensive and an incorrect economic choice could cause disastrous effects for the organization. Since the company provides consultancy for cybersecurity services, the management, composed of salespeople who sell these products, is facilitated in understanding the advantages related to the investment in cybersecurity, reducing costs related to data loss and reputation. Despite this, for ordinary decisions the management is not directly involved, but they are managed by delegating a partner who will be responsible for managing a budget assigned to him. For the most relevant decisions, management can be involved at various levels based on the extent of the problem: if a critical choice for the company is to be evaluated, it is discussed in the board of directors.
The board of directors evaluates the reports produced on cybersecurity at least once a year and makes an examination of the data protection and information security system through a report. In this report any critical issues encountered are analyzed and the related requests for intervention are reported. All this is consistent with what is recommended by ISO standards; the evaluation of the security levels and internal IT resilience is fundamental to give value to the whole process and it is renewed annually.

5.5.2. Actions for cyber resilience
Being the "Case 5" organization small, cybersecurity roles are not always formalized. The team is made up of only three resources: the heterogeneity of its components allows the adoption of numerous managerial practices aimed at increasing the organization's resilience from cyber-attacks. The entire IT security process is managed by the team, which is responsible for the technical-legal analysis in relation to IT security, including the reference partner in cases where the situation requires it. Cybersecurity policies are made by analyzing the case; a policy is then validated by the technical managers of the resource in question and finally applied.
Internal communication is not regulated. The team works closely every day, and collaboration is improved and facilitated by the context; however, the presence of formal procedures would speed up the team's response times and increase the team's productivity.
The procedures and policies adopted by the company refer to authoritative standards and some simplified standards. For each procedure, the company assesses which is the standard that best suits the specific needs and then formalizes the various documents that regulate the processes. Very different standards are considered: not only ISO and NIST standards for information security and operating methods, but also less authoritative standards, such as those drawn up by non-profit organizations, are used. One of the most used documents is the one that considers the 10 main vulnerabilities that exist in internet-exposed systems. The standard adoption must be consistent with the economic strategies. The use of ISO or NIST standards for the creation of guidelines for staff allows the organization to keep management costs within limits and dedicate the resources available to manage the main vulnerabilities of the system adequately.
It is important to highlight that, through the continuous team updating on the various security bulletins, the procedures and policies change when necessary. An example is a recent update of NIST: in fact, its standard for credential management has been modified, with an update that changes the situation: while robustness and complexity remain a key element for protection, password rotation is no longer so important. The high frequency with which these complex passwords are pinned in physical and non-physical places effectively increases the system's vulnerabilities. After these updates, an evaluation phase of the possible change begins, after carrying out a cost-benefit analysis.
Updating is one of the key factors for the protection and resilience of the organization from cyber-attacks; it is not only aimed at the implementation of new procedures but is linked to staff training. The team trains all new resources: company procedures and policies are given to all new structured employees, while for sporadic collaborations the process provides just the information needed to complete the specific project. On the other hand, there are no update courses on a regular basis for the staff, but they are only held on special occasions (for an emergent criticality or an update that involves considerable technological change). It is important for the company to adapt the personnel to the procedures and to immediately understand the company's "modus operandi" in order to standardize the various operations as much as possible and reduce the system's vulnerabilities, as well as facilitate internal collaboration processes. The courses' frequency should be regularized: the lack of these


events can hide a number of system vulnerabilities. However, managerial choices could be influenced by company size: the medium-small size of the company network system implies a reduced number of updates and affects the management choices. Table 8 presents the context described and the managerial practices implemented by Case 5.

Table 8
Case 5 context and managerial actions.

Case 5 Cyber Context:
• The organization operates in the field of managerial consultancy.
• It is composed by 40 employees.
• The key informant is a self-employed consultant for cybersecurity.
• The organization started investing in cybersecurity five years ago.
• It is not certified.
• The IT security team is composed by 5 individuals.
Managerial Actions:
• Audit Log;
• Backup;
• Cost-Benefit Analysis;
• Risk Analysis;
• Training.

5.6. Case 6: banking industry

The sixth case study shows the cyber resilience context and managerial actions undertaken by one of the main Italian banking institutions. The management of the IT services has been entrusted to a subsidiary organization in which our key informant works. It deals with the management of a much larger context, both in terms of turnover and in terms of company size.
The company has always been focused on issues related to possible IT attacks and, being a branch of the banking group, it has always dealt with the institution's IT security. It is composed by 500 employees, including 5 with duties related to corporate IT security.
For legal reasons and to improve internal coordination, the company uses standards such as ISO27001 and ISO 9001.

5.6.1. Cyber resilience context
The highly organized company structure ensured the right level of internal coordination and of operations' standardization; about 5% of the company's turnover is invested in cybersecurity.
Raising awareness on the cybersecurity issue is explicitly wanted by management, to raise the overall level of company security by reviewing the occurring events and subsequently improving procedures.
The policy, deriving from that of the entire banking group, has inherited a high level of accuracy, detail, rigorousness and completeness. This allowed the organization to have an adequate level of understanding of the importance of the whole process, formed by the highly regulated cooperation of motivated users. One of the strengths of the organization lies in the constant updating of the entire process, both in terms of hardware and of human resources; collaboration and innovation make the process very efficient, and the context increases company security levels and the productivity of the specific function.
Coordination with other corporate functions is an organizational strength, since each new service designed must be assessed and deemed consistent with the company policy. Each new project developed involves the cybersecurity team, to allow the organization to evolve and innovate but at the same time be consistent with its strategies and protected in the field of IT security. The importance of the process can be seen from the involvement: the attention to regulation has strongly empowered the staff responsible for IT security and their collaborators, who are also responsible for the security of the entire system, increasing the collaboration capacity within the organization and overall security levels.
The context can be defined as highly formalized: the present regulation allows a rapid execution of the various phases of the risk management process even if the company is made up of 500 employees. Strong regulation can however be problematic when the process undergoes important changes and the revision of the entire system becomes necessary; in these cases the phases of revision, control, evaluation and subsequent implementation of changes could prove to be very long, complex and expensive for the organization.

5.6.2. Actions for cyber resilience
The risk management process is regulated by the company policy and procedures used over time. Being very concentrated on IT security, all the phases are regulated by procedures that refer to international standards, and risks and system vulnerabilities are identified and monitored.
The company is very organized for what concerns the identification of the necessary roles and skills: it entrusted a high-level security governance that dealt with the management of the cybersecurity audit. In some specific cases, the company calls external consultants to solve specific problems that cannot be resolved through the vulnerability assessments made internally.
An increase in security levels has been requested by the new management. More resources have been given regarding company policy and regulations within the organization: new procedures were implemented concerning the systematic search for vulnerabilities, and the business continuity plan was modified to analyze the incident response processes and the incident management.
The reference banking group regulations represent the way the company operates. Since the process is well regulated, all the process stages have been integrated into the business plans and foresee procedures. Attention has been paid to the constant updating of all this, to keep them up to date and efficient, by defining various professional figures responsible for the revision process, the communication and the implementation of the changes. The differentiation of roles and figures is considered a strength to improve the quality of the process, by inserting various technical skills within it, both as regards the IT system itself and the means by which to communicate the changes that have occurred on the vulnerabilities detected, and for being able to effectively implement the managerial provisions. Cyclically carrying out a process review allows the organization to rely on valid and updated tools such as the various plans mentioned above; all of this represents a competitive advantage for the company and is a fundamental tool for good organizational resilience.
In this context, the information held by the company represents a great asset for it, and a theft would represent enormous damage to the system and to the organization more generally. For this reason, there is a security compliance office in charge of drawing up procedures for using the systems and responsible for monitoring them. The involvement of managers of individual business units and office managers is also expected, to implement the various procedures and to check in detail the use of confidential and valuable data for the company.
To further increase and improve control, log systems are used to monitor access to the system. Through the attribution of specific properties and access rights for each employee, the organization has managed to better protect critical information, profiling the various users of the network and allowing access to certain files and/or systems only to those who have a proven need. Users "external" to the organization, such as suppliers, guests or visitors, can access the system if necessary through 'ad hoc' credentials that allow limited access to specific areas of the system, to avoid intrusions. Access monitoring provides a real-time control which allows the team in charge to constantly check the system and, in the event of unwanted or unauthorized access, to track anomalous logs through specific procedures. All this allows the organization to respond quickly to an external intrusion and resolve any critical issues promptly, significantly reducing the impact of the attack.
The control system is connected to a corporate policy which provides for sanctions in case of unsuitable behavior. The policy provides for a series of gradual penalties, starting from reminders made by those directly responsible up to reports to the personnel office. There is a series of responses proportional to the seriousness of the action committed by the collaborator. These practices are not commonly used, especially in small or medium-sized enterprises; the corporate


dimension and the rigorous way of acting, however, make it inevitable and functional for the organization to use this tool to keep track of errors and protect itself from any opportunistic behaviors. This partially represses the spirit of collaboration necessary for the organization to implement quick business procedures in time.
In addition to this, at the end of each relationship, whether working or not, with a user connected to the network, a standard procedure was implemented to revoke the system access credentials from the user, to effectively expel him from the system and protect the latter from external access.
Attention to credentials is emphasized by the presence of a specific policy: the organization has in fact made available to the various collaborators rules of conduct on the use of the tools available. All of this is aimed at reducing the system's vulnerabilities; in fact, the access points are considered critical elements and therefore require special attention from the organization. For these reasons, there are rules for the use and change of passwords, blocking of desktops and non-dissemination of information that is not authorized outside the organization. Table 9 presents the context and the managerial actions suggested by Case 6.

Table 9
Case 6 context and managerial actions.

Case 6 Cyber Context:
• The organization is part of one of the biggest banks in Italy.
• The key informant is a business continuity & disaster recovery manager.
• The organization's core activity is data protection.
• It is composed by 500 employees, including 5 with duties related to corporate IT security.
• The company uses ISO27001 and ISO 9001 standards.
Managerial Actions:
• Audit Log;
• Backup;
• Intrusion Detection Systems;
• Operation Security;
• SIEM tool;
• Risk Analysis;
• Training;
• Vulnerability Assessment.

5.7. Multiple cases analysis

The multiple case analysis revealed interesting insights regarding the existence of common managerial actions introduced and implemented to enhance cyber resilience, and differences due to different contexts. The figure below (Fig. 1) reports the set of managerial actions and the future directions; the shared practices are reported in the intersections, and the specific organizations that mentioned them are specified in parentheses. In the figure, in correspondence with each set and with any possible intersection, we also specified the peculiarities of the context. The managerial actions and future directions mentioned are reported for each intersection.
Table 10 gives a summary of the six cases' context and managerial actions.
The definitions of the managerial actions suggested by the key informants of the six cases are listed in Table 11.
Case 1 and Case 4 (customer-oriented private organizations) belong to the multi-sectoral managerial consultancy industry and are characterized by few critical structures/activities; Case 2 and Case 5 (public, customer-oriented public organizations) belong to the public administration context with critical structures/activities; and Case 3 and Case 6 (respectively consumer- and customer-oriented) belong to the banking industry and are characterized by critical structures/activities.
What directly emerges from the presented cases is the great importance of "training" and the recognition of "artificial intelligence" as the

Fig. 1. Cross Case analysis.

Table 10
Context and managerial actions of the six cases.

Case 1
Cyber Context:
• Strategic, legal and financial consultancy organization
• One of the biggest and most important organizations of this sector in the world
• The key informant is a Cyber Security Manager
• More than 100 individuals are focused on cybersecurity, but just 20 are focused on that of the “Case 1” organization
• The organization is certified ISO27001
Managerial Actions: Artificial Intelligence; Audit Log; Cost-benefit analysis; Social Engineering; Threat Intelligence; Trend Analysis; Penetration Test; Vulnerability Assessment; Training.

Case 2
Cyber Context:
• It is one of the military organizations of a European country: it provides cyber security solutions also for other public organizations
• The main objective is to increase cyber defense and cyber network defense
• The key informant is a Brigade General
• Less than 100 employees are focused on cybersecurity
• Investments in cyber security were introduced more than 10 years ago, but in the last 5 years they increased in order to meet NIST and GDPR standards
Managerial Actions: Audit Log; Backup; Data mining; Penetration Test; Recruitment and retention; SIEM tool; Training.

Case 3
Cyber Context:
• The organization is focused on the cybersecurity of one of the biggest Italian banks
• The organization invests a lot in cybersecurity, about 10 million euro per year
• The key informant is a computer security consultant
• The cybersecurity team is composed of 150 individuals
Managerial Actions: Anti-fraud Intelligence; Audit log; Clone system; Phishing simulations; Threat intelligence; Trend analysis; SIEM tool; Training.

Case 4
Cyber Context:
• The organization is a consultancy company with 950 employees and part of a big international network
• The key informant is a cybersecurity partner
• The organization started investing in cybersecurity just two years ago
• The organization is certified ISO27001
• The IT security team is composed of 3 individuals
Managerial Actions: Artificial Intelligence; Audit log; Backup; Cryptography; Penetration Test; Phishing simulation; Multifactor Authentication; Training.

Case 5
Cyber Context:
• The organization operates in the field of managerial consultancy
• It is composed of 40 employees
• The key informant is a self-employed consultant for cybersecurity
• The organization started investing in cybersecurity five years ago
• It is not certified
• The IT security team is composed of 5 individuals
Managerial Actions: Audit Log; Backup; Cost-Benefit Analysis; Risk Analysis; Training.

Case 6
Cyber Context:
• The organization is part of one of the biggest banks in Italy
• The key informant is a business continuity & disaster recovery manager
• The organization’s core activity is data protection
• It is composed of 500 employees, including 5 with duties related to corporate IT security
• The company uses ISO27001 and ISO 9001 standards
Managerial Actions: Audit Log; Backup; Intrusion Detection Systems; Operation Security; SIEM tool; Risk Analysis; Training; Vulnerability Assessment.

future of cyber security.

Common practices of the customer-oriented organizations are “Penetration Testing” and “Vulnerability Assessment”, showing a common and understandable interest in testing (rather than in prevention and protection, as in the consumer-oriented case) since they deal with external organizations: they need to know the environment before providing effective cyber resilient solutions. “Clone system” is reported by the only consumer-oriented and critical organization (Case 3, which is a bank), revealing a major interest in the prevention and protection phase rather than in testing; this is plausible even from a logical point of view, since they don’t necessarily need to “test” the organizational context to get to know it and provide solutions. “Intrusion detection systems” and “operation security profiling” are reported by the only customer oriented company belonging to the banking industry.

For the private organizations, valuable actions are threat intelligence, trend analysis, disaster recovery plan and phishing simulations, while in the private cases (in particular Case 2) “data mining” and “recruitment and retention” are the mentioned instruments. Three of the four cases presenting more critical structures use a SIEM tool, while in the consultancy case the attention is on “artificial intelligence” followed by “disaster recovery plan”, “cryptography”, “anti-fraud intelligence”, “multifactor authentication” and “social engineering”.

All the practices and managerial actions are related to the four general phases proposed by Linkov, Eisenberg, Bates, et al. (2013):

• plan/prepare: organize to keep services available and assets functioning during a disruptive event (malfunction or attack);
• absorb: maintain most critical asset function and service availability while repelling or isolating the disruption;
• recover: restore all asset function and service availability to their pre-event functionality;

Table 11
Definitions of the managerial actions suggested by the case studies.

Artificial Intelligence: Term used to describe “a machine that mimics ‘cognitive’ functions that humans associate with other human minds, such as ‘learning’ and ‘problem solving’”. Source: Russell & Norvig, 2016, p. 2.

Audit Log: A chronological record of system activities. Includes records of system accesses and operations performed in a given period. Source: NIST - Glossary of Key Information Security Terms, 2013 (CNSSI-4009).

Backup: A copy of files and programs made to facilitate recovery, if necessary. Source: NIST - Glossary of Key Information Security Terms, 2013 (SP 800-34; CNSSI-4009).

Clone System: In computer science, cloning is the process of creating an exact copy of another application program or object. It is an operation that enables an administrator to replicate profiles. Source: IBM Knowledge Center.

Cost-Benefit Analysis: “A financial analysis tool used to determine the benefits provided by a project against its costs”. Source: PMBOK® Guide – Sixth Edition, 2017, p. 703.

Credential Service Provider (CSP): A trusted entity that issues or registers Subscriber tokens and issues electronic credentials to Subscribers. The CSP may encompass Registration Authorities (RAs) and Verifiers that it operates. A CSP may be an independent third party, or may issue credentials for its own use. Source: NIST - Glossary of Key Information Security Terms, 2013 (SP 800-63).

Cryptography: It is categorized as either secret key or public key. Secret key cryptography is based on the use of a single cryptographic key shared between two parties. The same key is used to encrypt and decrypt data. This key is kept secret by the two parties. Public key cryptography is a form of cryptography which makes use of two keys: a public key and a private key. The two keys are related but have the property that, given the public key, it is computationally infeasible to derive the private key [FIPS 140-1]. In a public key cryptosystem, each party has its own public/private key pair. The public key can be known by anyone; the private key is kept secret. Source: NIST - Glossary of Key Information Security Terms, 2013 (FIPS 191).

Cyber Insurance: “Cyber insurance policies provide coverage against many of the losses associated with cyber-induced incidents (e.g., data destruction and theft, extortion, malicious code, denial-of-service attacks, response activities and legal claims)”. Source: Young, Lopez, Rice, Ramsey, & McTasney, 2016, p. 45.

Data Mining: “An analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery.” Source: NIST - Special Publication 800-53 Revision 4, 2013, p. B-6.

Fraud Intelligence: Fraud intelligence is the analysis of financial transactions to identify out-of-the-ordinary activity and thwart fraud before or during a transaction. It combines biometrics, big data and artificial intelligence to analyze data in real time and prevent frauds. Source: Lloyds Banking Group – Press Release, 2019.

ICT investments: Investments in “all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks)”. Source: NIST - Glossary of Key Information Security Terms, 2013.

Know How Transfer: The transferring of tacit, nonproprietary technological knowledge. Source: Kachra & White, 2008.

Penetration Testing: A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. Source: NIST - Glossary of Key Information Security Terms, 2013, p. 139.

Phishing simulations: A simulation of a “digital form of social engineering that uses authentic-looking—but bogus—emails to request information from users or direct them to a fake Web site that requests information.” Source: NIST - Glossary of Key Information Security Terms, 2013, p. 142.

Recruitment and retention: Once the right employees are recruited, retention is a strategic opportunity for many organizations to maintain a competitive workforce; it is improved when employees are offered compensation and benefits, have a supportive work culture, can develop and advance, and can balance work and life activities. Source: De Long & Davenport, 2003; Messmer, 2006; Schramm, 2006.

Secure by design: “Secure by design is an approach to developing secure software systems from the ground up. In such approach, the alternate security tactics are first thought; among them, the best are selected and enforced by the architecture design, and then used as guiding principles for developers.” Source: Santos, Tarrit, & Mirakhorli, 2017, p. 1.

SIEM tool: Application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface. Source: NIST - Glossary of Key Information Security Terms, 2013, p. 177.

Social Engineering Campaigns: Campaigns to make employees aware of the risk of being involved in “an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks”. Source: NIST - Glossary of Key Information Security Terms, 2013, p. 185.

Threat Intelligence: Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. Source: NIST - Glossary of Key Information Security Terms, 2013, p.

Training: Teaching people the knowledge and skills that will enable them to perform their jobs more effectively. Source: NIST - Glossary of Key Information Security Terms, 2013, p.

Trend analysis: “An analytical technique that uses mathematical models to forecast future outcomes based on historical results”. Source: PMBOK® Guide – Sixth Edition, 2017, p. 725.

Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. Source: NIST - Glossary of Key Information Security Terms, 2013, p. 212.

• adapt: using knowledge from the event, alter protocol, configuration of the system, personnel training, or other aspects to become more resilient.

In consideration of the above evidence and of the state of the art on cyber security and resilience, we provide in Fig. 2 a managerial cyber resilience framework reporting those practices mentioned by at least 50% of the sample for each context analyzed.

Fig. 2 synthesizes the practices implemented in the cases in a Managerial Cyber Resilience Framework that illustrates the four general phases by clarifying the central role of organizational learning and of context in the correct selection and implementation of different tools and practices (large arrows).

The Plan/Prepare phase is the one that most seems to be conditioned by the context. In the Context-Based Managerial Cyber Resilience Framework (presented in Fig. 3), this phase is a function of the three context factors identified in the literature and characterizing the companies under study. In the Plan/Prepare phase, the new framework lists the managerial macro-actions that all companies seem to undertake (Data Protection, Prevention, Test and Training) to manage resilient systems and details some actions taken by companies having common contextual factors.

The actions detailed in the specific contexts not only enrich our framework by making it a function of some contextual factors, but they provide us the evidence to conclude that:

• having customers as final users leads organizations to focus on the protection phase and the test phase to manage cyber resilient systems;

Fig. 2. Managerial Cyber Resilience Framework.

Fig. 3. Context-Based Managerial Cyber Resilience Framework.

• having critical structures/activities leads organizations to the adoption of a Security Information and Event Management (SIEM) tool to manage cyber resilient systems and to analyse risks;
• having a private ownership leads organizations to the implementation of managerial actions focused on the prevention of the cyber resilience systems.

6. Conclusions

Organizations excelling in cyber security recognize the importance of investing in the learning of employees and of machines (human resources training and artificial intelligence solutions such as machine learning) as actions to manage cyber resilient systems. For instance, a considerable number of people, both employees and final users/consumers handling vital and private information and data, still ignore how easily this information and data can be stolen. Therefore, in all the six cases, “training” is considered an important investment to build resilience from cyber-attacks. In fact, tools and managerial practices can provide valuable results only if paired with investments in training to develop awareness and to prevent erroneous behaviors. There is, however, the need for developing also machine learning: all the key informants highlighted artificial intelligence as a future direction of investment and,

in the case of the consultancy company, it is already considered as an investment.

Indeed, this study recognizes the factor that plays an important role in building a resilient system for cyber security: organizational learning. There is a need for introducing and continuously developing an organizational culture of cyber security, with a deep knowledge of its main aspects spreading at all organizational levels, rather than pushing the unaware adoption of high-tech tools and techniques.

Our framework and the linked considerations provide a double contribution, for both research and practice: it represents a new insight and direction for research on managerial aspects of cyber security, and it gives awareness of the necessity of investing in training to managers willing to invest in security systems in order to enhance the cyber resilience of their organizations.

However, the study has some limitations. First of all, its exploratory nature did not give us the opportunity to arrive at a set of propositions linking the cause-effect relationship between context, implementation of managerial practices and success of these practices. For instance, the framework did not consider the nature of investments in cyber security, which do not provide a direct return and can be considered as sunk costs. Future research efforts should take into account also this aspect to understand the overall willingness of companies to invest in cyber security, given the highlighted drawback. The set of companies studied is small, and future research is needed with a larger sample to confirm our findings, to offer a set of propositions for theory building, subsequently confirmed by a quantitative study for theory testing using a survey methodology.

CRediT authorship contribution statement

Alessandro Annarelli: Conceptualization, Methodology, Validation, Formal analysis, Investigation, Data curation, Writing - original draft, Writing - review & editing, Visualization. Fabio Nonino: Conceptualization, Methodology, Validation, Formal analysis, Investigation, Data curation, Writing - original draft, Writing - review & editing, Visualization, Supervision. Giulia Palombi: Conceptualization, Methodology, Validation, Formal analysis, Investigation, Data curation, Writing - original draft, Writing - review & editing, Visualization.

Acknowledgement

This work is supported by the fund “Progetto di Eccellenza” of the Department of Computer, Control and Management Engineering “Antonio Ruberti” of Sapienza University of Rome. The department has been designated by the Italian Ministry of Education (MIUR) as a “Department of Excellence” in advanced training programs in the field of cybersecurity.

References

Abdullah, N. A. S., Noor, N. L. M., & Ibrahim, E. N. M. (2013). Resilient organization: Modelling the capacity for resilience. In International conference on research and innovation in information systems (ICRIIS) (pp. 319–324).
Alberts, D. S., & Hayes, R. E. (2003). Power to the edge: Command... control... in the information age. Office of the Assistant Secretary of Defense Washington DC Command and Control Research Program (CCRP).
Bishop, M., Carvalho, M., Ford, R., & Mayron, L. M. (2011). Resilience is more than availability. In Proceedings of the 2011 new security paradigms workshop (pp. 95–104).
Bodeau, D., & Graubart, R. (2011). Cyber resiliency engineering framework. MTR110237, MITRE Corporation.
Boyes, H. (2015). Cybersecurity and cyber-resilient supply chains. Technology Innovation Management Review, 5(4), 28.
Burstein, M., Goldman, R., Robertson, P., Laddaga, R., Balzer, R., Goldman, N., & Keller, P. (2012). Stratus: Strategic and tactical resiliency against threats to ubiquitous systems. In IEEE sixth international conference on self-adaptive and self-organizing systems workshops (pp. 47–54).
Carayannis, E. G., Grigoroudis, E., Rehman, S. S., & Samarakoon, N. (2019). Ambidextrous cybersecurity: The seven pillars (7Ps) of cyber resilience. IEEE Transactions on Engineering Management.
Caron, F. (2019). Obtaining reasonable assurance on cyber resilience. Managerial Auditing Journal.
Collier, Z. A., DiMase, D., Walters, S., Tehranipoor, M., Lambert, J. H., & Linkov, I. (2014). Cybersecurity standards: Managing risk and creating resilience. Computer, 47(9), 70–76.
Cook, T. D., & Campbell, D. T. (1979). Quasi-experimentation: Design and analysis for field settings. Chicago, IL: Rand McNally.
Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4).
De Long, D. W., & Davenport, T. (2003). Better practices for retaining organizational knowledge: Lessons from the leading edge. Employment Relations Today, 30(3), 51.
DiMase, D., Collier, Z. A., Heffner, K., & Linkov, I. (2015). Systems engineering framework for cyber physical security and resilience. Environment Systems and Decisions, 35(2), 291–300.
Eisenhardt, K. M. (1989). Building theories from case study research. Academy of Management Review, 14, 532–550.
Eisenhardt, K. M., & Graebner, M. E. (2007). Theory building from cases: Opportunities and challenges. Academy of Management Journal, 50, 25–32.
Ferdinand, J. (2015). Building organisational cyber resilience: A strategic knowledge-based view of cyber security management. Journal of Business Continuity & Emergency Planning, 9(2), 185–195.
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I. (2020). Multicriteria decision framework for cybersecurity risk assessment and management. Risk Analysis, 40(1), 183–199.
Gisladottir, V., Ganin, A. A., Keisler, J. M., Kepner, J., & Linkov, I. (2017). Resilience of cyber systems with over- and underregulation. Risk Analysis, 37(9), 1644–1651.
Haimes, Y. Y. (2009). On the definition of resilience in systems. Risk Analysis: An International Journal, 29(4), 498–501.
Hohenstein, N. O., Feisel, E., Hartmann, E., & Giunipero, L. (2015). Research on the phenomenon of supply chain resilience: A systematic review and paths for further investigation. International Journal of Physical Distribution & Logistics Management, 45(1/2), 90–117.
Huberman, M., & Miles, M. B. (Eds.). (2002). The qualitative researcher’s companion. Thousand Oaks, CA: Sage.
Jensen, L. (2015). Challenges in maritime cyber-resilience. Technology Innovation Management Review, 5(4), 35.
Kachra, A., & White, R. E. (2008). Know-how transfer: The role of social, economic/competitive, and firm boundary factors. Strategic Management Journal, 29(4), 425–445.
Kamalahmadi, M., & Parast, M. M. (2016). A review of the literature on the principles of enterprise and supply chain resilience: Major findings and directions for future research. International Journal of Production Economics, 171, 116–133.
Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk. Risk Analysis, 1(1), 11–27.
Katsumata, P., Hemenway, J., & Gavins, W. (2010). Cybersecurity risk management. In MILCOM - military communications conference (pp. 890–895).
Kawanaka, T., Matsumaru, M., & Rokugawa, S. (2014). Software measure in cyber-attacks on production control system. Computers & Industrial Engineering, 76, 378–386.
Knowles, W., Prince, D., Hutchison, D., Disso, J. F. P., & Jones, K. (2015). A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection, 9, 52–80.
Koelemeijer, D. (2018). Enhancing the cyber resilience of critical infrastructures through an evaluation methodology based on assurance cases. Procedia Computer Science, 126, 1779–1791.
Kott, A., Wang, C., & Erbacher, R. F. (Eds.). (2015). Cyber defense and situational awareness (Vol. 62). Springer.
Kott, A., & Linkov, I. (Eds.). (2019). Cyber resilience of systems and networks. Springer International Publishing.
Linkov, I., Eisenberg, D. A., Bates, M. E., Chang, D., Convertino, M., Allen, J. H., … Seager, T. P. (2013). Measurable resilience for actionable policy. Environmental Science & Technology, 47(18), 10108–10110.
Linkov, I., Eisenberg, D. A., Plourde, K., Seager, T. P., Allen, J., & Kott, A. (2013). Resilience metrics for cyber systems. Environment Systems and Decisions, 33(4), 471–476.
Linkov, I., & Trump, B. D. (2019). The science and practice of resilience. Springer International Publishing.
Linkov, I., Roslycky, L., & Trump, B. D. (Eds.). (2020). Applying resilience to hybrid threats: Integrating infrastructural, digital and social systems (Vol. 55). IOS Press.
Lloyds Banking Group, Press Release (2019). Smelling a rat: Lloyds Bank’s fraud team uses artificial intelligence to help sniff out scams BEFORE they happen. Available online: https://www.lloydsbankinggroup.com/globalassets/documents/media/press-releases/lloyds-bank/2019/lloyds-banks-fraud-team-uses-artificial-intelligence-to-help-sniff-out-scams.pdf.
McCutcheon, D. M., & Meredith, J. R. (1993). Conducting case study research in operations management. Journal of Operations Management, 11(3), 239–256.
Messmer, M. (2006). Four keys to improved staff retention. Strategic Finance, 13–15.
Miles, M. B., & Huberman, A. M. (1994). Qualitative data analysis: An expanded source (2nd ed.). London, UK: Sage.
Mourtzis, D., & Vlachou, E. (2016). Cloud-based cyber-physical systems and quality of services. Total Quality Management, 28(5), 704–733.
Mourtzis, D., Vlachou, E., Xanthopoulos, N., Givehchi, M., & Wang, L. (2016). Cloud-based adaptive process planning considering availability and capabilities of machine tools. Journal of Manufacturing Systems, 39, 1–8.
Mourtzis, D., Milas, N., & Vlachou, A. (2018). An internet of things-based monitoring system for shop-floor control. Journal of Computing and Information Science in Engineering, 18(2).

National Academies (US). (2012). Disaster resilience: A national imperative. National Academies Press.
NIST Interagency/Internal Report (NISTIR) 7298, Rev. 2 (2013). Glossary of Key Information Security Terms.
NIST Special Publication (SP) 800-53, Rev. 4 (2013). Security and Privacy Controls for Federal Information Systems and Organizations.
Patton, M. Q. (2002). Qualitative research and evaluation methods (3rd ed.). Thousand Oaks, CA: Sage.
PMBOK® Guide – Sixth Edition (2017).
Ribeiro, J. P., & Barbosa-Povoa, A. (2018). Supply Chain Resilience: Definitions and quantitative modelling approaches – A literature review. Computers & Industrial Engineering, 115, 109–122.
Roege, P. E., Collier, Z. A., Chevardin, V., Chouinard, P., Florin, M. V., Lambert, J. H., … Todorovic, B. (2017). Bridging the gap from cyber security to resilience. In Resilience and Risk (pp. 383–414). Dordrecht: Springer.
Rogers, R., Apeh, E., & Richardson, C. J. (2016). Resilience of the Internet of Things (IoT) from an Information Assurance (IA) perspective. In 10th International Conference on Software, Knowledge, Information Management & Applications (SKIMA) (pp. 110–115).
Rohmeyer, P., Ben-Zvi, T., Lombardi, D., & Maltz, A. (2017). Capability effectiveness testing for architectural resiliency in financial systems. In Portland international conference on management of engineering and technology (PICMET) (pp. 1–7).
Rowe, B. R., & Gallaher, M. P. (2006). Private sector cyber security investment strategies: An empirical analysis. In The fifth workshop on the economics of information security (WEIS06).
Runkel, P. (1990). Casting nets and testing specimens: Two grand methods of psychology. New York, NY: Praeger.
Russell, S. J., & Norvig, P. (2016). Artificial intelligence: A modern approach. Malaysia: Pearson Education Limited.
Santos, J. C., Tarrit, K., & Mirakhorli, M. (2017). A catalog of security architecture weaknesses. In 2017 IEEE international conference on software architecture workshops (ICSAW) (pp. 220–223). IEEE.
Schramm, J. (2006). Future focus: Targeting retention. HR Magazine, 51(9), 216.
Schramm, W. D. (1971). How communication works. In The Process and Effects of Mass Communication (p. 4). Urbana: University of Illinois Press.
SEBoK. (2017). System resilience. Systems engineering body of knowledge. Available: http://sebokwiki.org/wiki/System_Resilience.
Sharkov, G. (2016). From cybersecurity to collaborative resiliency. In ACM workshop on automated decision making for active cyber defense (pp. 3–9).
Soni, U., Jain, V., & Kumar, S. (2014). Measuring supply chain resilience using a deterministic modeling approach. Computers & Industrial Engineering, 74, 11–25.
Steen, R., & Aven, T. (2011). A risk perspective suitable for resilience engineering. Safety Science, 49(2), 292–297.
Strauss, A. L. (1987). Qualitative analysis for social scientists. Cambridge, NY: Cambridge University Press.
Strauss, A. L., & Corbin, J. (1990). Basics of qualitative research. Grounded theory procedures and techniques. Newbury Park, CA: Sage.
Tapoglou, N., Mehnen, J., Vlachou, A., Doukas, M., Milas, N., & Mourtzis, D. (2015). Cloud-based platform for optimal machining parameter selection based on function blocks and real-time monitoring. Journal of Manufacturing Science and Engineering, 137(4).
Tierney, K., & Bruneau, M. (2007). Conceptualizing and measuring resilience: A key to disaster loss reduction. TR News May-June, 2007, 14–17.
Tran, H., Campos-Nanez, E., Fomin, P., & Wasek, J. (2016). Cyber resilience recovery model to combat zero-day malware attacks. Computers & Security, 61, 19–31.
Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97–102.
Wang, W., & Lu, Z. (2013). Cyber security in the smart grid: Survey and challenges. Computer Networks, 57(5), 1344–1371.
Wieland, A., & Wallenburg, C. M. (2013). The influence of relational competencies on supply chain resilience: A relational view. International Journal of Physical Distribution & Logistics Management, 43(4), 300–320.
Yin, R. K. (1984). Case study research: Design and methods (2nd ed.). Newbury Park, CA: Sage. Applied Social Research Method Series.
Young, D., Lopez, J., Jr, Rice, M., Ramsey, B., & McTasney, R. (2016). A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, 14, 43–57.

Alessandro Annarelli (PhD) is a Post-Doc Research Fellow at Sapienza University of Rome. After receiving his Master Degree at Sapienza University of Rome, he obtained a PhD in Sustainable Energy and Technologies at the Free University of Bolzano-Bozen (Italy). During his PhD, he spent a visiting period at Luleå Tekniska Universitet (LTU) in Luleå, Sweden. His interests are on digitalization, cybersecurity and product-service systems. His main publications appeared in Omega – The International Journal of Management Science, Journal of Cleaner Production and Industrial Management and Data Systems.

Fabio Nonino (PhD) is Associate Professor of Business Management and Project Management at Sapienza University of Rome. He carries out his research activities in the field of Management, focusing on Operations and Service Management, Innovation Management and Organizational Behaviour development. His main publications appeared in Journal of Cleaner Production, Supply Chain Management: An International Journal, Production Planning & Control, Omega – The Journal of Management Science, International Journal of Production Research and Technological Forecasting and Social Change. He is a Member of the editorial board of Kybernetes – The International Journal of Cybernetics, Systems and Management Sciences and of the International Journal of Information Systems and Supply Chain Management.

Giulia Palombi (PhD) is a Post-Doc Research Fellow at Sapienza University of Rome; currently she is carrying out mainly research on the managerial aspects of Cyber Security, working on the “Excellence Program of Cyber Security” of her university department. Her other research interests concern Intra Organizational Social Networks, Behavioural Economics in Management, Operation/Industrial Management and Project Management. Previously she received her master’s degree with honour in Management Engineering at Sapienza University of Rome and her PhD in 2019 in Industrial and Management Engineering at Sapienza University of Rome, with an experimental PhD thesis developed in collaboration with the University of Kentucky. During her PhD, she was awarded a personal special scholarship for her visiting period at the LINKS centre for Social Network Analysis at the University of Kentucky (centre of excellence for Social Network in Management studies). She presented her studies at several international conferences including EUROMA, IFKAD and ISPIM, and she published in Journal of Manufacturing Technology Management.
