Effectiveness and Adoption of NIST Managerial Practices for Cyber Resilience in Italy / Annarelli, Alessandro; Clemente, Serena; Nonino, Fabio; Palombi, Giulia. - 285:(2021), pp. 818-832. (Paper presented at the Computing Conference 2021, held virtually) [10.1007/978-3-030-80129-8_55].

Effectiveness and Adoption of NIST Managerial Practices for Cyber Resilience in Italy

Annarelli, Alessandro; Nonino, Fabio; Palombi, Giulia
2021

Abstract

In recent years the use of information and communication technology in organizations has become vital, to the point that any threat to its continuous functioning is considered a serious danger for every organization. Cybersecurity has the aim of protecting the organization from these events, called cyber-attacks. The emerging discipline of cyber resilience management integrates cyber risk management (which is based on identifying, analyzing and mitigating the risk of cyber-attacks) with the ability to face attacks, recover from them and adapt the organization to the new situation when unpredictable attacks occur, without regressing. Several guidelines have been developed to guide organizations in managing cyber resilience; the NIST framework selects and organizes IT and managerial practices drawn from different reference cybersecurity standards, offering a practical overview that is followed by companies all over the world. Practices and guidelines must be general, and consequently they need to be adapted to the specific context in which the company is embedded. In order to identify the effectiveness of the suggested managerial practices and the way they are implemented in the Italian context, we conducted a multiple case study analysis, interviewing 20 cybersecurity experts included in the official list compiled by the Italian Ministry of Economic Development in 2019. Interesting insights emerged, including the lack of disciplinary measures in case of misconduct, the importance of investing in building a comprehensive awareness among people about cyber threats, the importance of log information for multiple reasons, and the urgency for each organization to develop its own tailored policies.
Computing Conference 2021
Cyber resilience; Managerial practices; Cybersecurity experts; Multiple case studies analysis
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this item

File: Annarelli_Effectiveness_2021.pdf (access restricted to archive managers)
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 4.07 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1560243
Citazioni
  • Scopus 8