
SAMRISK-2-Samfunnssikkerhet og risiko

THEORETICAL ADVANCES OF CYBER RESILIENCE – PRACTICE, GOVERNANCE AND CULTURE OF DIGITALIZATION

Alternative title: Development of a theoretical foundation for "cyber resilience" - with emphasis on sociotechnical practice, organizational governance and digital cultures

Awarded: NOK 12.0 mill.

Project Number: 303489

Project Period: 2020 - 2024


The project strengthens society's ability to build cyber security and reduce digital vulnerability through concepts from the field of "resilience". Resilience as a concept is central to, e.g., EU policies and strategies in cyber security. The field is composed of many roots, with a focus on characteristics such as resiliency, rebound and robustness. In recent years, a distinctive approach, Resilience Engineering, has emerged, more explicitly oriented towards dynamic adaptability. Society's digital vulnerability and the geopolitical threat picture are increasing dramatically. Cyber security must increasingly consider malicious, deliberate influence and intelligent circumvention. To take advantage of resilience thinking against digital vulnerability, more applicable knowledge is required, as well as a critical reflection on the knowledge base. A theoretical foundation of cyber resilience is built, with relevance for practitioners, managers and governing authorities who must deal with digital vulnerability in current and future critical societal functions. The focus is on socio-technical practice in daily handling of complex systems, management and accountability in relation to new risks, and cultural differences accompanying different technological approaches. This applies, e.g., to general IT, industrial IT, and new technological trends. The rise of artificial intelligence (AI) is a unique challenge since resilience thinking puts human knowledge, experience and imagination at the center. The project is empirically oriented towards the oil and gas sector, the energy sector and the water supply. The theory development is anchored in studies of current and future IT solutions in these, but the theoretical results will have wider relevance. Resilience implies new premises for control and management.
TECNOCRACI therefore addresses a wide range of vulnerabilities and threats that come with accelerating digitalisation, where increasing complexity means a lack of both overview and time to understand the challenges in detail. Genuine surprises must be expected and must be dealt with even when preparations are insufficient or inappropriate. Cyber resilience therefore does not exclude but exceeds concepts such as built-in robustness and planned recovery capability. Cyber resilience can be neither individual nor transactional but must be based on initiative and reciprocity. Theory development must therefore also aim at a digital ecosystem that can jointly support emerging solutions to dynamic and unforeseen challenges, both for the individual business and in an overall (systemic) perspective. This is particularly important in relation to the new geopolitical situation, with Norway as an energy supplier. Resilience is a popular term. The research is therefore designed to maneuver in a landscape of theory and practice where the term is used on different premises. It is important to be theoretically rigorous, but also pragmatically oriented in relation to different applications and contexts. Presuppositions should not be a straitjacket that shields research from unexpected discoveries and insights. Theory development must therefore be gradual, reflective and open to criticism. It is not just a conclusion at the end of the journey, but just as much reflection along the way, which will contribute to an applicable and practicable theory as the end result. The results so far point towards devoting special attention to the phenomenon of adaptive capacity, where resilience is understood as a process, separating this from the understanding of resilience as a result of other processes and phenomena (i.e., as an epiphenomenon), but at the same time focusing on how the different approaches can support each other.
An overall theoretical framework is under ongoing development and is published in various stages, and literature studies have been published that relate to the preparatory work. These are used in empirical studies. The last phase of the theory development is aimed at the dialectical relationship between "work as imagined" and "work as done", the connection to complexity theory, how systemic cyber resilience can supplement the concept of systemic risk, as well as the use of "explainable" AI as a tool to manage adaptive capacity. A common basis is maintained for the three case areas, which can be used for external communication. In addition to workshops and interviews, a specially adapted research method based on a game-based training tool is used to operationalize case studies. This tool provides valuable feedback both to the business exploring the scenarios and practices, and to the theory development process. TECNOCRACI has a dialogue with other research projects, incorporates preliminary results into new project proposals, and provides input to private and public enterprises. The results can be used for policy development, training and the development of adaptive capacity as a supplement to other digital security.

Industrial Control Systems or "Operational Technologies" (OT) implement key functions in safety-critical industrial and critical infrastructure contexts. OT and IT systems are exposed to cyberattacks, mercilessly demonstrating a persistent security gap, affecting safety. Human and organizational contribution to any safety or security solution requires a practice-oriented approach to "work as done", a sociotechnical perspective to unlock the dialectic between "work as done" and "work as imagined", and a sensitivity to technocultural diversities. TECNOCRACI is founded on the belief that the emerging concept of cyber resilience can be extended to meet the above requirements in a manner that also meets the need for managerial accountability for the (speed of) digitalization. The objective is to develop a supportive and comprehensive theory of cyber resilience, grounded in current and future challenges of digitalized critical infrastructures. While modern safety approaches acknowledge the sociotechnical perspectives of situated practice, and the leading resilience (engineering) approaches are founded on them, the field of cyber security is still dominated by experts' advice and technically oriented "best practices" of unclear origin. There is thus a fundamental risk of a mere relabelling of existing cyber security practices into "resilience", and of seeking alignment between "work as imagined" and "work as done" rather than releasing the dialectical potential through commitment to situated practice. The needed transition is not straightforward, as the complexities of cyber events are often more intractable and less tangible than those related to safety. TECNOCRACI addresses these challenges by combining descriptive studies of the use of current technologies with prospective studies on the use of new technologies in critical infrastructures, as the engine of theory development. The results will be highly applicable for any digitalization process.

Publications from Cristin

No publications found


Funding scheme: SAMRISK-2-Samfunnssikkerhet og risiko
