Abstract:

As Winston Churchill was working to form the United Nations after WWII, he famously said, “Never let a good crisis go to waste”. Learning from crisis, or what we could refer to as crisis induced learning, can bring about organizational change, but can this crisis be avoided to begin with through well-designed crisis management exercises? Teachable moments from crisis have shown to deepen students’ learning, and also to make individual life-style changes. How organizations can change to adapt learning from crisis is however not as obvious, especially with information- and cyber security incidents where near misses can easily be misread or even ignored.

Learning from crisis exercises in the same way as learning from incidents has shown to occur, but what factors that bring this about is still unclear. In this paper, we present our ongoing attempts to introduce and develop a triple-loop learning process via a discussion exercise in a Master of Science (MSc) Introduction to Information Security Management course. We also present ongoing research and data on learning activities during full-scaled information- and cyber crisis exercises for public organizations at the Norwegian Cyber Range. We apply dynamic capability learning activities theory in exercises design for both the information security management master course, and to proof-of-concept exercises with a large hospital development project in Norway.

Over a two years period (course semesters of 2020 and 2021), we have tested the discussion exercise where students are required to use socio-technical feed-back forms to reflect on their actual performance in crisis management exercises. Results from year 1 (N=83 participants), and year 2 (N=130 participants) indicate that this form of discussion exercise can function as a deeper learning artifact to help meet intended learning objectives (ILO) in information- and cyber security management courses. Results also suggest that experiential learning along with triple-loop learning will give the students a better platform to meet the increased need to consider alternative learning artifacts both to themselves and for learning in organizations in real life.

Scenario being the foundation for the discussion, and distributed cognition as the optimized way of managing the incident response, deliveries during the exercise focused on a diversity of management communications, covering both top-down approaches, bottom-up approaches, reporting mechanisms as management summaries and finally creating a draft for a press-release on behalf of a top management group. A final activity was the lectures beforehand, covering socio-technical incident response, but also giving examples of how to create the expected deliveries.

The evaluation used was a modified Design Science Research Information systems (DSRIS)-process originally presented by Karokola, which has three cycles, design, relevance, and rigor. Moreover, the evaluation was executed on both the lectures, the discussion exercise (as the learning artifact), the scenario (relevance), the student deliveries (performance deliveries) and also the final results.

Although more data and proof of concept trials are needed, preliminary data indicates that crisis induced learning with adequate reflection and debrief techniques framed and modelled within a socio-technical context can support learning and moreover management and thereby organizational change.

Keywords:

Organizational learning, Information security, Crisis management, Triple-loop-learning.