Cyber Security Policies in Crisis Response: Exploring the Predicament of Creating Safe But Workable Systems
Abstract
As societies become more connected, the nature and response to crises are becoming increasingly complex as well. Crises can affect our societies in unpredictable ways and thus require different actors to bring information together to take appropriate actions. However, as the number and diversity of actors increases, so does the quality and variety of information systems. Especially considering the increased availability and accessibility of technologies available together, process and exchange information.While these developments provide a high potential to improved information sharing, these options also present certain risks. Individual organizations may have measures, training, and policies in place for daily routines to mitigate these risks. During a crisis however, these measures can become a constraint, especially when sharing information in an inter-organizational and cross-boundary context. People in the crisis response team may not appreciate the risks, need to improvise, or even circumvent measures.In this paper, we examine the increased cybersecurity risks associated with the increased use of information technologies used in and facilitating information management during a crisis response. Using a serious gaming research method we examine how, in the context of crisis response, these factors are exacerbated under the pressure of time, uncertainty and coordination challenges. From this we identify the need for increased awareness about the risks of information technologies and sharing in heterogenous stakeholder environments. Specifically, a cultural change and need for additional capacities to understand, assess, and mitigate risks involved as the number of actors, systems, and technological options keep increasing.