Collaborative change analysis of IoT cyber security

Collaborative change analysis of IoT cyber security

This tool targets changing the company's resources as well as managers’ and employees’ perceptions towards IoT cybersecurity through a collaborative learning process.

Collaborative change analysis of IoT cyber security

Collaborative change analysis of IoT cyber security

This tool targets changing the company's resources as well as managers’ and employees’ perceptions towards IoT cybersecurity through a collaborative learning process.

IoT Cyber Security Learning Module

september 27, 2023

The module – in brief

This module uses the roadmap for IoT cybersecurity. The tangible outcome of the tool is a realistic and concrete change plan for the first building block(s) in the visual roadmap, including choices for how to proceed with IoT cybersecurity in the company.

The collaborative learning process creates awareness and understanding of the complexity of change in a company's actual situation, involving both drivers and barriers for the next steps in IoT cybersecurity for the company. 

In the end, the result of using this tool is a new organisational reality for the company's work with the building blocks for IoT cybersecurity because of the collaborative learning process.

Prerequisites for using the collaborative change tool

A change process is the intended and planned way to close the gap between a present situation and a desired goal-situation in the company regarding IoT cybersecurity.

The company needs to have completed the visual roadmap for the four building blocks for IoT cybersecurity as the roadmap describes the desired future state for the company’s IoT cybersecurity and the planned sequence of building blocks. 

Basic concepts 

Now the change process and relevant analytical concepts will be defined.

Change process

In this tool, a change process is understood as the process of moving the company from a present not-wanted situation to a desired situation in the foreseeable future

The underlying principle of the tool is that change can be planned but change activities and resulting changes to behaviour depend on the company's resources and perceptions of IoT cybersecurity. This means that the collaborative change analysis is based on company members’ practical experience with IoT cybersecurity.

The collaborative change tool can, in principle, cover both visionary and radical changes but it is designed for real-life changes in resources and perceptions of IoT cybersecurity that can be achieved and/or furthered by changing the present situation through a structured change process based on collaborative insights.

Analytical concepts

Inspired by collaborative evaluation (Petersen & Søndergaard, 2021) [1], the following concepts are used in the collaborative change analysis of the IoT cybersecurity:

  • Resources: the existing or lacking resources for a successful change process: 
    • for example, the existence of or lack of global company goals for IoT cybersecurity or relevant standards, or a common language for IoT cybersecurity across all company.
  • Change activities: the change-related initiatives and actions to further IoT cybersecurity that will be part of the change plan. 
  • Change perceptions: The social and psychological perceptions in the company influencing how the change activities can be/will be carried out and responded to in the company: 
    • for example, managers' perception of the importance of IoT cybersecurity, or what is seen as appropriate IoT security in a group of employees.
  • Results:  the intended change in resources working for and perceptions of IoT cybersecurity in the company. This is stated in the description of the desired situation for the building block's IoT cybersecurity as the goal of the change process.

Collaborative change analysis

The process for collaborative change analysis consists of two parts: 

  1. analysis of the present situation and its change potential, and 
  2. the realistic plan for change informed by the analysis.

Analysis of present situation's potential for change

The analysis is made for each building block at a time with focus on building blocks in the roadmap's first periods to keep the planning horizon realistic. The analysis of the potential for change in the present situation is made with respect to the intended goal of the change process for each of the building blocks.

The analysis of the present situation is made with two perspectives: 

  • what drives and
  • what  blocks 

the change process, e.g. the movement from the present situation to a desired situation. 

Resources and change perceptions can be seen as either drivers for or barriers to change. 

Sometimes the perception is tied to a specific group in the company or external partners and market. For example, a demand from customers regarding more IoT cybersecurity might be seen as furthering the change process by the company's managers, while R&D-employees may see it as external forces meddling in the company's strategy (and thus hindering the change).

After describing existing and lacking resources, and furthering and hindering perceptions, the team of change agents will score each change perception and each resource to create an overview of the change potential in the current situation thereby assessing the scope of the change process.

 

content/tools/20230930_cypro_uk_potential-for-change_resized.png

“Potential for change” by CyPro under license CC BY-SA 4.0 

project logos
Potential for change
Printable version of the tool in large format

Plan of change

The realistic plan for the change process incorporates the analysis of the change potential in the present situation. The plan describes an iterative change process where the change team considers change actions and change perceptions/resources tied together in progressive movements towards the desired situation. 

A change action can for example be:

  • to provide or create a lacking resource
  • to strengthen a furthering perception 
  • to weaken a hindering perception
  • a combination of the above.

The change team should think like this when working with the change plan:

If we do this first change action, then we expect it will further this change perception/resource and/or minimise this hindering change perception/resource. Based on the resulting situation after executing the change action, we will then initiate the next change actions and so on.

content/tools/20230930_cypro_uk_plan-for-change.png

“Plan for change” by CyPro under license CC BY-SA 4.0 

project logos
Plan for change
Printable version of the tool in large format

The point of the plan is to ensure a systematic dialogue for the change team about change actions and their rationale based on collaborative insights into the company's collected resources and perceptions related to the desired situation of a building block.

Example: analysis of potential for change

content/tools/20230930_cypro_uk_potential-for-change_example_resized.png

“Example for potential for change” by CyPro under license CC BY-SA 4.0 

The summed-up numbers in the example, indicate more impact from perceptions and lack of resources on the barrier side compared to the change driver side of the present situation. 

In this situation, it might be easier to increase the driving forces by for example adding training and reward systems, and company goals for IoT cybersecurity. Company goals for IoT cybersecurity (or even standards) would engage management, increase the present low company accountability for IoT services and products, and at the same time eventually minimise the perception that IoT cybersecurity is not important or measurable. An important consideration in this regard is the response from the people not willing to be accountable for goals external to their own department. Will overarching company goals for IoT cybersecurity create new barrier perceptions?

Practical information

The collaborative change analysis is a learning process designed to inform the company’s change process to anchor cybersecurity for IoT.

It is important to note that it is the change team who decides what are resources and what are change perceptions. This is clearly an interpretation based on experience with the company's practice with IoT cybersecurity.

This means that the pinnacle of the analysis is for the change agents collaboratively to reflect on and gain new insights into the totality of the situation regarding the company's cybersecurity of IoT.

The best way to do it is:

  • To get people representing as many aspects of the building block(s) for the collaborative change analysis as possible together at a meeting with a duration of approx. 1,5 hours. 3-4 persons are the best group size for the analysis. If more people are needed, then break the analysis up into more meetings.
  • For preparation, ask the participants to familiarise themselves with the collaborative change analysis by providing them with a link to this online tool. Also ask them to refer to the visual roadmap for IoT cybersecurity for the company, and to make a short bullet list of important content for the building block(s) spanning the first 1-2 years in the roadmap.
  • Print out some templates of the collaborative change analysis, preferable in A3.

Step-by-step guide

This step-by-step guide involves two parts.

Part 1: Analysis of change potential in present situation
(1 hour)

  • If you have more than one building block in the first year of the visual roadmap, pick one of these building blocks to begin with.
  • Together agree on and describe the desired situation for this building block – Include reflections on the interdependencies of all four building blocks in the roadmap.
  • In a collaborative discussion, identify, name and include for the present situation:
    • Furthering perceptions and resources already pushing the building block in the direction of the desired situation. 
    • Hindering perceptions and lack of resources for the building block's development to reach the desired situation.
  • For each identified perception and resource: 
    • Score the perception/resource on a scale from 1-5 on the influence scale, where 5 = highest influence on the change process
  • Sum the scores of resources and change perceptions in the boxes to get an overview of the change potential in the building block's present situation and assess the scale of the change process:
    • If highest values on the hindering side: could lead to a major change process, both strengthening and eliminating perceptions and creating lacking resources.
    • If highest values on the furthering side: could be sustaining a change already underway, sustaining furthering perceptions and resources.

Part 2: Plan of change
(30 min.)

Move on to the plan of change template that in the end will be a chain of change actions and assumptions of how these change actions are expected to change resources and perceptions identified and described in the analysis of the present situation.

  • Note the desired situation on the plan template to the right. It may need adjusting due to the analysis of the change potential in the present situation.
  • Begin in topmost left corner by describing the first relevant change activity. If In doubt, the change team can discuss the following:
    • Look at the single scores in the analysis of the change potential in the present situation: what are hindering or furthering the desired change?
    • Look at the whole present situation: what comes first? How will perceptions and resources interact based on practical experience?
  • Describe the assumed change to resources and or perceptions made by the action directly below the action.
  • Continue with defining the next change action, building on the assumed change made by the first action.
  • Proceed with describing change actions and their assumed influence on perceptions and resources until you have a step-by-step realistic plan for how to move the present IoT cybersecurity building block to its desired situation.
  • Evaluate the plan by comparing it to the analysis of the present situation:
    • Are all influential change perceptions and resources accounted for?
    • Is the plan feasible? Do you trust it enough to set it to work?

Outcome

The tangible outcome is a realistic and concrete change plan for the first building block(s) in the visual roadmap, including choices for how to proceed with cybersecurity for IoT in the company.

The plan is contextualised and is the result of a collaborative learning process that in itself is creating a new reality for IoT cybersecurity in the company. This new reality is an awareness of the complexity of the change dynamics and an elaborate understanding of what change perceptions and lacking resources that keep the present situation from changing.

Expert advice

The most important outcome of the tool is the collaborative learning and insights that the company's IoT cybersecurity will build on. It is important not to overly focus on whether something conceptually is a resource or a perception, but instead to focus on creating a common interpretation and to score its influence on the change process in question. Sometimes perceptions may turn into a resource, and resources can be perceived differently by different groups in the company. Just make it clear how you see it to structure and fuel the change plan.

Framing the change process as a learning process also shows that data collection and analysis must continue throughout the change process. When set in motion, the change plan is an iterative learning process whereby the change agents through continuous discussions of employees' and manager's behaviour, gain insights into and understanding of their situation and how to keep on track towards the desired situation, as it evolves.

Next step

The next step is to carry out the planned change, and to keep on checking that the analysis is still adequate and represents the building block’s situation.

The change process is a circle of planning, action, and fact-finding about the results of the change action, which implies that the 'present situation' is always changing.

End notes

[1] Petersen, CK & Søndergaard, AP (2021) Evaluering som samarbejde om fælles løsninger, Tenakel, Skanderborg

Collaborative change analysis of IoT cyber security

The contents described above have been developed in the project:

’CyPro – Cybersecure manufacturing in Denmark’ by Aarhus UniversityAlexandra InstitutDAMRCUGLA Insights and FORCE Technology funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0

CyPro

bubble