Change Management: A Key in Achieving Successful Cyber Security : A Multiple Case Study of Organizations in Sweden

Abstract: Purpose – The purpose of this study is to enhance the understanding of how organizations can improve their cyber security with change management. To fulfill the purpose, the following research questions were developed: RQ1: What are the key factors for effective change management in the context of cyber security? and RQ2: How can organizations manage these factors to improve cyber security? Method – A qualitative research method with an inductive approach was chosen. The empirical data collection was performed as a multiple case study with 16 semi-structured interviews with respondents from six organizations, and the data were analyzed through a thematic analysis. Result – The findings of this study is gathered in a framework for successful cyber security culture change that highlights each essential activity for how to improve cyber security with change management. It also shows when and how these activities should be performed, when to consider each leadership characteristic, and what employee sensemaking needs that should be considered during the process.  Theoretical contribution – The study contributes to both cyber security literature and change management literature. It contributes to the cyber security literature by providing a processual model that illustrates the factors dependency of each other. Also, by adding the perspective of sensemaking, the study provides an overall picture, with both a leader and employee perspective, of how change management can be used to improve cyber security. Additionally, this study extends earlier change management literature by providing a sensemaking approach to the change process. Managerial implications – The study contributes with valuable insights for management in practice by presenting a framework that can help CISO’s, security consultants or other managers responsible for the organizations security to execute successful cyber security culture change. With the presented framework, they can plan, execute and sustain the change in the organization’s cyber security culture.