Identifying key factors of cybersecurity readiness in organizations: Insights from Malaysian critical infrastructure

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-09-15 DOI:10.1016/j.cose.2025.104674

Ahmad Fairuz Mohamed Noor, Sedigheh Moghavvemi, Farzana Parveen Tajudeen

{"title":"Identifying key factors of cybersecurity readiness in organizations: Insights from Malaysian critical infrastructure","authors":"Ahmad Fairuz Mohamed Noor, Sedigheh Moghavvemi, Farzana Parveen Tajudeen","doi":"10.1016/j.cose.2025.104674","DOIUrl":null,"url":null,"abstract":"<div><div>Cybersecurity readiness is critical for safeguarding National Critical Information Infrastructure (NCII) against rapidly evolving threats. This study applies Dynamic Capabilities (DC) theory to examine how Malaysian NCII agencies develop adaptive capabilities to counter such threats. Using a qualitative design, we conducted semi-structured interviews with 16 representatives from 15 organizations spanning finance, telecommunications, transportation, and government. Thematic analysis was employed to interpret readiness factors through the DC dimensions of sensing, seizing, and transforming. Findings reveal that <em>sensing capabilities</em> - such as situational awareness, policy flexibility, and technological agility - enable proactive threat detection and adaptation. <em>Seizing capabilities</em> emphasize dynamic leadership, strategic resource allocation, and proactive risk management as critical for addressing vulnerabilities and reinforcing resilience. <em>Transforming capabilities</em>, including crisis resilience planning, continuous learning, and a security-embedded organizational culture, underscore the need for ongoing adaptation and collaboration to sustain long-term cybersecurity readiness. The study reconceptualizes cybersecurity readiness as a dynamic, capability-driven process rather than a static checklist. The findings show that cybersecurity is not a one-time compliance exercise but an ongoing, evolving process requiring continuous sensing, seizing, and transforming. Leaders must prioritize adaptive governance structures that encourage strategic agility, flexible policy responses, and proactive risk management. The proposed DC-based framework offers practical guidance for high-risk organizations emphasizing leadership commitment, a security-oriented culture, and resource alignment. Although grounded in Malaysia’s NCII context, the framework has broader applicability for critical infrastructure globally.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104674"},"PeriodicalIF":5.4000,"publicationDate":"2025-09-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003633","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Cybersecurity readiness is critical for safeguarding National Critical Information Infrastructure (NCII) against rapidly evolving threats. This study applies Dynamic Capabilities (DC) theory to examine how Malaysian NCII agencies develop adaptive capabilities to counter such threats. Using a qualitative design, we conducted semi-structured interviews with 16 representatives from 15 organizations spanning finance, telecommunications, transportation, and government. Thematic analysis was employed to interpret readiness factors through the DC dimensions of sensing, seizing, and transforming. Findings reveal that sensing capabilities - such as situational awareness, policy flexibility, and technological agility - enable proactive threat detection and adaptation. Seizing capabilities emphasize dynamic leadership, strategic resource allocation, and proactive risk management as critical for addressing vulnerabilities and reinforcing resilience. Transforming capabilities, including crisis resilience planning, continuous learning, and a security-embedded organizational culture, underscore the need for ongoing adaptation and collaboration to sustain long-term cybersecurity readiness. The study reconceptualizes cybersecurity readiness as a dynamic, capability-driven process rather than a static checklist. The findings show that cybersecurity is not a one-time compliance exercise but an ongoing, evolving process requiring continuous sensing, seizing, and transforming. Leaders must prioritize adaptive governance structures that encourage strategic agility, flexible policy responses, and proactive risk management. The proposed DC-based framework offers practical guidance for high-risk organizations emphasizing leadership commitment, a security-oriented culture, and resource alignment. Although grounded in Malaysia’s NCII context, the framework has broader applicability for critical infrastructure globally.

查看原文本刊更多论文

确定组织中网络安全准备的关键因素：来自马来西亚关键基础设施的见解

网络安全准备对于保护国家关键信息基础设施（NCII）免受快速发展的威胁至关重要。本研究应用动态能力（DC）理论来研究马来西亚NCII机构如何发展适应能力以应对此类威胁。采用定性设计，我们对来自金融、电信、交通和政府等15个组织的16名代表进行了半结构化访谈。通过感知、捕获和转换的DC维度，采用主题分析来解释准备度因素。研究结果表明，感知能力——如态势感知、政策灵活性和技术敏捷性——能够主动检测和适应威胁。抓住能力强调动态领导、战略性资源分配和前瞻性风险管理，这些对于解决脆弱性和增强复原力至关重要。转型能力，包括危机应变计划、持续学习和嵌入安全的组织文化，强调了持续适应和协作的必要性，以维持长期的网络安全准备。该研究将网络安全准备重新定义为一个动态的、能力驱动的过程，而不是一个静态的检查表。调查结果表明，网络安全不是一次性的合规活动，而是一个持续不断发展的过程，需要不断感知、把握和转变。领导者必须优先考虑鼓励战略敏捷性、灵活的政策响应和前瞻性风险管理的适应性治理结构。建议的基于dc的框架为高风险组织提供了实用的指导，强调领导承诺，以安全为导向的文化和资源对齐。虽然该框架基于马来西亚的NCII背景，但它对全球关键基础设施具有更广泛的适用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.