Cybersecurity and Workplace Innovation
SFI NORCICS
Centers for Research-driven Innovation (SFI for short in Norwegian) is a Norwegian tool for enhancing continuous innovation in Norwegian companies with the help of universities and research institutes. One such center is NORCICS (Norwegian Center for Cybersecurity in Critical Sectors). Since Norway is among the most digitalised countries in the world, the center’s vision is to contribute to making Norway the most securely digitalised country in the world by improving the cybersecurity and resilience of critical sectors through research-based innovation. One focus area is the human and organisational impact of cyber-attacks and how to learn from them to become more resilient. A story can illustrate such impacts.
Big company case
Early one morning, 35,000 employees in 40 different countries got the message not to log on to any computer or any device. The company was under a sophisticated cyber-attack. During the night, the top managers tried to figure out how to communicate this without any functional communication platform. Soon, it was obvious to them that the only way was to choose an extremely open communication policy: putting out information on Facebook and WhatsApp as basic tools, establishing a new website within a week, and holding daily press conferences. The policy included a focus on the people solving the problems, the cyber heroes, as the company called them. The company invited journalists to visit these heroes and even opened the control room for such visits. The media praised the openness, and the company received a prize for openness in crisis.
Seemingly, they did everything right, and the stock market responded with a raised stock price during the crisis. The employees at the production plants experienced it differently. An interview with the person in charge of ICT at one of the production plants in Norway revealed an interesting story. The plant was in a small community where everyone either worked at the plant or depended on it for their livelihood. Coming to work that morning, the workers were met by a handwritten note telling them not to log on or start their PCs, a frightening message. Everybody felt an existential threat, especially the ICT person in charge. He felt that the entire future of the small community lay on his shoulders. If he did not fix this and get production started, the plant would be closed for good. This was an enormous responsibility that was not part of his job description. However, the main office flew in experts by helicopter to help this poor man. The other employees saw this unusual helicopter with experts, and it contributed to more uncertainty. In this situation, Facebook, WhatsApp, and the press briefings were vital for getting reassuring information to all employees.
In the end, the attack is estimated to have cost 800 million NOK (approx. 70 million euros).
Briefly about the theoretical lens
Employee-driven innovation (EDI) is a concept that has gained interest in the last decades. It tries to answer the fundamental question “How do employees who are learning in the work-place produce innovation?” (Høyrup, 2012). It aims to tap into the efforts of ordinary employees, who do not have innovation in their job description, to learn and innovate in order to increase productivity. Høyrup (2012) argues that it has three strategic dimensions (bottom-up, mixed, and top-down), which point to where the initiative originates. Opland et al. (2022) argue for the concept of employee-driven digital innovation, where the digital tools for creating innovation are central. However, cyber security issues are missing from the employee-driven digital innovation framework. As the case illustrates, several burning issues emerge.
Why is this story important?
First, it shows that the question is not how to prevent a cyber-attack, but what you do when attacked. Even big companies with lots of resources for preventing cyber-attacks do not go untouched. Training and planning for such an event must be high on the agenda in every company or organisation.
Secondly, a cyber-attack will have a tremendous influence on any organisation. It can be an existentially frightening experience and therefore needs special attention. Little research has been done to understand how it affects innovation efforts and continuous improvement.
Thirdly, we are slowly realising that learning through “pointing the finger – do not do this” is not the best learning tool. What types of training and knowledge are needed at the operator level to have better resilience for such events?
Fourthly, the person(s) who have unwillingly done something to expose the company to attack should be taken care of. They will feel a big responsibility and be put under tremendous stress, just as much as the “heroes” in the story. How does the organisation care for the personnel involved?
World Economic Forum (2022a). The Global Risks Report 2022, 17th edition.
World Economic Forum (2022b). Global Cybersecurity Outlook 2022, insight report, January 2022.
Høyrup, S. (2012). Employee-Driven Innovation: A New Phenomenon, Concept and Mode of Innovation. In S. Høyrup, M. Bonnafous-Boucher, C. Hasse, M. Lotz, & K. Møller (Eds.), Employee-Driven Innovation – A New Approach. Palgrave Macmillan.
Opland, L. E., Pappas, I. O., Engesmo, J., & Jaccheri, L. (2022). Employee-driven digital innovation: A systematic review and a research agenda. Journal of Business Research, 143, 255-271. https://doi.org/10.1016/j.jbusres.2022.01.038
European Workplace Innovation Network (EUWIN)
EUWIN was established by the European Commission in 2013 and is now entirely supported by contributions from an international network of partners co-ordinated by HIVA (University of Leuven). EUWIN also functions as a network partner to BEYOND4.0 and BRIDGES5.0 projects.
Contact: Workplace Innovation Europe CLG (contact@workplaceinnovation.eu).