How integration of cyber security management and incident response enables organizational learning

Digital assets of organizations are under constant threat from a wide assortment of nefarious actors. When threats materialize, the consequences can be significant. Most large organizations invest in a dedicated information security management (ISM) function to ensure that digital assets are protected. The ISM function conducts risk assessments, develops strategy, provides policies and training to define roles and guide behavior, and implements technological controls such as firewalls, antivirus, and encryption to restrict unauthorized access. Despite these protective measures, incidents (security breaches) will occur. Alongside the security management function, many organizations also retain an incident response (IR) function to mitigate damage from an attack and promptly restore digital services. However, few organizations integrate and learn from experiences of these functions in an optimal manner that enables them to not only respond to security incidents, but also proactively maneuver the threat environment. In this article we draw on organizational learning theory to develop a conceptual framework that explains how the ISM and IR functions can be better integrated. The strong integration of ISM and IR functions, in turn, creates learning opportunities that lead to organizational security benefits including: increased awareness of security risks, compilation of threat intelligence, removal of flaws in security defenses, evaluation of security defensive logic, and enhanced security response.