Cybersecurity Strategy and Strategic Decision-making: An Examination from Dynamic Capability and Judgment-based View Perspectives




Journal Title

Journal ISSN



Volume Title


De Montfort University


Thesis or dissertation

Peer reviewed


With the increasing power and frequency of cyber-attacks world-wide, organizations are becoming cognizant for the need to have not only cybersecurity measures, but a strategy itself for cybersecurity and an effective approach to its development. Thus, an investigation of the cybersecurity strategy development process has become particularly important for organizations. This importance of this research endeavor, however, is heightened when I examine the state of the literature around cybersecurity and strategy-making. I contend that cybersecurity strategy-making research in the strategic management discipline is exceedingly rare, while research streams in cybersecurity research are heavily focused on the technical aspects of it with little discussion of strategy. With respect to the strategic management literature, while there is much written around strategy development, the tendency has been to create models or frameworks of strategy-making that applies to functions (such as marketing) or to the organization-level. It is not realistic to attempt to take another model or framework in an “off-the-shelf” manner and apply that to cybersecurity strategy-making, as we see with the growth in research around digitization strategies, as cybersecurity strategy should cross functional boundaries and business units. The consequences of cybersecurity failures can also be immense and wipe out entire business overnight. As such, it is necessary to develop a framework for cybersecurity strategy-making that accounts for both the need to be adaptive to maintain strategic fit while also coping with great uncertainty.

This research sought to address this knowledge and research gap by identifying the factors affecting cybersecurity strategy development and to create a framework for cybersecurity strategy development. To do this, a thorough review of the literature revealed appropriate theoretical lenses to guide this work in the Teecian dynamic capability (1997 onwards) tradition and Foss and Klein’s (2012, 2015) judgment-based theory. Since dynamic capabilities determine the firm's ability to integrate, build, and reconfigure internal and external resources and functional competencies to address turbulent and everchanging business environments (Teece et al., 1997), the Dynamic capability theory served as an overarching theory in this work. This theory dovetails well with the judgment-based theory of Foss and Klein (2012, 2015) that explains the acts of strategy-making and decision-making as the allocation and reallocation of firm resources under uncertainty. As cybersecurity activities are inherently uncertain, these theories combined are appropriate lenses for examining the cybersecurity strategy development process.

The research aim, then, is to develop a framework to materialize cybersecurity strategy-making, stemming from understanding its development process and going through its practical implementation.

With a qualitative study approach using interview data gathered from a series of fourteen in-depth interviews, I investigated the strategy development and decision-making process in the cybersecurity domain. Through the interview participants’ executive roles, significant expertise and industry diversifications, I went beneath the surface of cybersecurity strategy-making to get clearer image on the issue of strategy-making and cybersecurity strategy implementation. My qualitative research discovered deeper activities in organizations’ cybersecurity strategy-making process and gained an understanding on how those activities developed with time.

Employing NVivo software to aid with coding and thematic analysis, my research results shows that cybersecurity strategy, as a practice revolves, around 11 main concepts (e.g., roles & responsibilities, risk appetite, decision-making, finance/budget, awareness, type of business etc) with other related sub-concepts (e.g., intuition, resources etc) that evolved from my comprehensive data analysis.

From the research findings and data analysis I developed a non-technical and strategy-focused framework for cybersecurity strategy development that is valuable to strategic management scholars and practitioners alike so that both constituents have a basis to work from for centralizing cybersecurity strategy and strategic management in both practice and models of strategy-making going forward.

In my research, I went through the journey of understanding all aspects influencing the cybersecurity strategy-making process from how strategic decisions are made, to ideas and norms key informants discussed during the development of cybersecurity strategy, and how organizational stakeholders understand and interpret their cybersecurity strategy. Taken together, this allowed me to provide a comprehensive but practical framework that can make a difference in advancing the cybersecurity discipline as a major strategic influencer in today’s business world, where cyber-attacks can at happen anytime and the need for effective strategy is paramount.





Research Institute