Kent Academic Repository

Organisational Learning From Cyber Security Incidents

Patterson, Clare (2025) Organisational Learning From Cyber Security Incidents. Doctor of Philosophy (PhD) thesis, University of Kent. (doi:10.22024/UniKent/01.02.110945) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided) (KAR id:110945)

PDF
Language: English

Restricted to Repository staff only until August 2026.

Official URL:
https://doi.org/10.22024/UniKent/01.02.110945

Abstract

As cyber security threats increase in frequency and sophistication, organisations must find more effective ways to learn from incidents in order to strengthen their defences and improve resilience. While industry guidance recommends post-incident reviews, recent research on this topic is limited, and much of the earlier work has focused narrowly on analysing causes rather than examining the entire learning process, from identifying which incidents to learn from to ensuring that lessons are implemented to improve security practices.

This thesis investigates how organisations currently approach learning from cyber security incidents and identifies key challenges in this process. Applying organisational learning theory and neo-institutional theory, the research highlights both internal and external pressures that shape learning practices. A pragmatic, mixed methods approach was employed to identify real-world challenges and offer practical recommendations to cyber security practitioners.

The study includes a systematic literature review following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) method, semi-structured interviews with 34 senior cyber security practitioners from large organisations operating in the UK, and thematic analysis. It synthesises current practices across disciplines and highlights common barriers, such as time pressures and cultural resistance, that impede effective learning. Practical recommendations were developed and then empirically validated through a two-round Delphi study involving over 20 expert practitioners, strengthening their credibility and applicability. This resulted in six endorsed recommendations to enhance organisational learning from incidents.

The overall findings indicate that, while all organisations studied conduct post-incident reviews, they have not consciously designed their learning practices. This supports the view from neo-institutional theory that organisational practices are often shaped by isomorphic pressures rather than deliberate efforts to ensure their effectiveness. Furthermore, despite recognising the importance of learning from incidents, organisations often focus on immediate technical issues, neglecting to explore underlying causes and systemic vulnerabilities. This aligns with organisational learning theory, where defensiveness can hinder effective learning. The empirically validated and practitioner-endorsed recommendations in this thesis provide strategies for overcoming these challenges.

This research contributes to cyber security practice by offering recommendations for organisations to improve their learning from incidents and build a more resilient cyber security posture. Theoretically, it extends the application of organisational learning and neo-institutional theories to a domain where these frameworks have been underutilised. Methodologically, it demonstrates the value of qualitative approaches, such as in-depth interviews and the Delphi method, in capturing practitioner perspectives. The thesis concludes with suggestions for future research inspired by this work.

Item Type: Thesis (Doctor of Philosophy (PhD))
Thesis advisor: Nurse, Jason
Thesis advisor: Franqueira, Virginia
DOI/Identification number: 10.22024/UniKent/01.02.110945
Uncontrolled keywords: Cyber security learning lessons incidents interviews Delphi
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming
Institutional Unit: Schools > School of Computing
Former Institutional Unit: There are no former institutional units.
Funders: University of Kent (https://ror.org/00xkeyj56)
SWORD Depositor: System Moodle
Depositing User: System Moodle
Date Deposited: 13 Aug 2025 10:10 UTC
Last Modified: 14 Aug 2025 14:07 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/110945 (The current URI for this page, for reference purposes)
