What Works Well? A Safety-II Approach to Cybersecurity

The field of cybersecurity is used to focusing on what goes wrong. Threats, incidents, and impact are factors that are widely investigated, and the solutions presented often lie in correcting errors and mistakes. However, in many organisations, cybersecurity incidents do not happen, or at least not as often as the focus on incidents would predict. We argue that a focus on what works well, instead of focusing only on the incidents and what went wrong, can provide unique insights into how to improve cybersecurity in organisations. This focus, known as Safety-II in the safety science literature, aims to investigate what end-users, teams and organisations do well and what factors lead to incidents being prevented, or dealt with more swiftly. In this paper, we argue for a Safety-II approach to cybersecurity, and outline various topics of interest along an incident timeline. Furthermore, we discuss a research agenda: Which avenues should be explored further to improve cybersecurity in organisations using a Safety-II approach?