Kent Academic Repository

“I don't think we're there yet”: The practices and challenges of organisational learning from cyber security incidents

Patterson, Clare M., Nurse, Jason R.C., Franqueira, Virginia N.L. (2024) “I don't think we're there yet”: The practices and challenges of organisational learning from cyber security incidents. Computers & Security, 139. Article Number 103699. ISSN 0167-4048. (doi:10.1016/j.cose.2023.103699) (KAR id:104873)

PDF Publisher pdf
Language: English


XML Word Processing Document (DOCX) Author's Accepted Manuscript
Language: English

Restricted to Repository staff only

Official URL:
https://doi.org/10.1016/j.cose.2023.103699

Abstract

Learning from cyber incidents is crucial for organisations to enhance their cyber resilience and effectively respond to evolving threats. This study employs neo-institutional and organisational learning theories to examine how organisations learn from incidents and gain insights into the challenges they face. Drawing on qualitative research methods, interviews were conducted with 34 security practitioners from organisations operating in the UK spanning a range of industries. The findings highlight the importance of consciously evaluating learning practices and creating a culture of openness to hear about incidents from employees, customers and suppliers. Deciding which incidents to learn from, as well as who should participate in the learning process, emerged as critical considerations. Overcoming defensiveness and addressing systemic causes were recognised as barriers to effective learning. The study emphasises the need to assess the value and impact of identified lessons and to avoid superficial reviews that treat symptoms rather than underlying causes to improve resilience. While progress has been made in learning from incidents, further enhancements are needed. Practical recommendations have been proposed to suggest how organisations may gain valuable insights for maximising the benefits derived from incident learning. This research contributes to the existing knowledge on organisational learning and informs future studies exploring the social and political influences on the learning process. By considering the suggested recommendations, organisations may strengthen their cyber security, foster a culture of continuous improvement, and respond effectively to the dynamic cyber security landscape.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2023.103699
Uncontrolled keywords: Cyber security incidents; organisational learning; post-incident review; cyber resilience; learning practices; lessons learned; neo-institutional theory; isomorphic pressures
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 75 Electronic computers. Computer science
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Funders: University of Kent (https://ror.org/00xkeyj56)
Depositing User: Clare Patterson
Date Deposited: 05 Feb 2024 16:40 UTC
Last Modified: 05 Nov 2024 13:10 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/104873 (The current URI for this page, for reference purposes)

University of Kent Author Information

Patterson, Clare M.

Creator's ORCID: https://orcid.org/0000-0002-8480-406X

Nurse, Jason R.C.

Creator's ORCID: https://orcid.org/0000-0003-4118-1680

Franqueira, Virginia N.L.

Creator's ORCID: https://orcid.org/0000-0003-1332-9115