In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
The external expectations of organizational accountability force organizational leaders to find solutions and answers in organizational (and information) governance to assuage the feelings of doubt and unease about the behaviour of the organization and its employees that continuously seem to be expressed in the organizational environment. Organizational leaders have to align the interests of their share– and stakeholders in finding a balance between performance and accountability, individual and collective ethical approaches, and business ethics based on compliance, based on integrity, or both. They have to integrate accountability in organizational governance based on a strategy that defines boundaries for rules and routines. They need to define authority structures and find ways to control the behaviour of their employees, without being very restrictive and coercive. They have to implement accountability structures in organizational interactions that are extremely complex, nonlinear, and dynamic, in which (mostly informal) relational networks of employees traverse formal structures. Formal processes, rules, and regulations, used for control and compliance, cannot handle such environments, continuously in ‘social flux’, unpredictable, unstable, and (largely) unmanageable. It is a challenging task that asks exceptional management skills from organizational leaders. The external expectations of accountability cannot be neglected, even if it is not always clear what is exactly meant with that concept. Why is this (very old) concept still of importance for modern organizations?In this book, organizational governance, information governance, and accountability are the core subjects, just like the relationship between them. A framework is presented of twelve manifestations of organizational accountability the every organization had to deal with. An approach is introduced for strategically govern organizational accountability with three components: behaviour, accountability, and external assessments. The core propositions in this book are that without paying strategic attention to the behaviour of employees and managers and to information governance and management, it will be extremely difficult for organizational leaders to find a balance between the two objectives of organizational governance: performance and accountability.
The literature on how organizations respond to institutional pressure has shown that the individual decision-makers’ interpretation of institutional pressure played an important role in developing organizational responses. However, it has paid less attention to how this interpretation ultimately contributes to their range of organizational decisions when responding to the same institutional pressure. We address this gap by interviewing board members of U.S. and Dutch hospitals involved in adopting best practices regarding board evaluation. We found four qualitatively different cognitive frames that board members relied on to interpret institutional pressure, and which shaped their organizational response. We contribute to the literature on organizational response to institutional pressure by empirically investigating how decision-makers interpret institutional pressure, by suggesting prior experience and role definition as moderating factors of multidimensional cognitive frames, and by showing how these cognitive frames influence board members’ response to the same institutional pressure.
Performance feedback is an important mechanism of adaptation in learning theories, as it provides one of the motivations for organizations to learn (Pettit, Crossan, and Vera 2017). Embedded in the behavioral theory of the firm, organizational learning from performance feedback predicts the probability for organizations to change with an emphasis on organizational aspirations, which serve as a threshold against which absolute performance is evaluated (Cyert and March 1963; Greve 2003). It postulates that performance becomes a ‘problem’, or the trigger to search for alternative procedures, strategies, products and behaviors, when performance is below that threshold. This search is known as problemistic search. Missing from this body of research, is empirically grounded understanding if the characteristics of performance feedback over time matter for the triggering function of the feedback. I explore this gap. This investigation adds temporality as a dimension of the performance feedback concept guided by a worldview of ongoing change and flux where conditions and choices are not given, but made relevant by actors and enacted upon (Tsoukas and Chia 2002). The general aim of the study is to complement the current knowledge of performance feedback as a trigger for problemistic search with an explicit process temporal approach. The main question guiding this project is how temporal patterns of performance feedback influence organizational change, which I answer in four chapters, each zooming into one sub-question.First, I focus on the temporal order of performance feedback by examining performance feedback and change sequences organizations go through. In this section time is under study and the goal is to explore how feedback patterns have evolved over time, just as the change states organizations pass through. Second, I focus on the plurality of performance feedback by investigating performance feedback from multiple aspiration levels (i.e. multiple qualitatively different metrics and multiple reference points) and how over time clusters of performance feedback sequences have evolved. Next, I look into the rate and scope of change relative to performance feedback sequences and add an element of signal strength to the feedback. In the last chapter, time is a predictor (in the sequences), and, it is under study (in the timing of responses). I focus on the timing of organizational responses in relation to performance feedback sequences of multiple metrics and reference points.In sum, all chapters are guided by the timing problem of performance feedback, meaning that performance feedback does not come ‘available’ at a single point in time. Similarly to stones with unequal weight dropped in the river, performance feedback with different strength comes available at multiple points in time and it is plausible that sometimes it is considered by decision-makers as problematic and sometimes it is not, because of the sequence it is part of. Overall, the investigation is grounded in the general principles of organizational learning from performance feedback, and the concept of time as duration, sequences and timing, with a focus on specification of when things happen. The context of the study is universities of applied sciences and hotels in The Netherlands. Project partner: Tilburg University, School of Social and Behavioral Sciences, Department of Organization Studies
