United We Stand, Divided We Fall: An Autogenic Perspective on Empowering Cybersecurity in Organizations

Cybersecurity groups navigate complex, challenging environments in their mission to protect their organizations. They experience uncertainty from adaptive threats from external attackers and unpredictable stakeholders. Under such volatility, business groups operate best when they are psychologically empowered. Recognizing the potential for empowerment to reduce organizational risk, we sought to learn how cybersecurity groups come to be (dis)empowered and how this (dis)empowerment is sustained. Instead of the conventional view of the empowerment process as designed, we advance an emergent view of the empowerment process. We abductively surface this process from our case analyses of 15 U.S. organizations. We offer three insights: First, organizations with empowered cybersecurity groups enjoy an enhanced level of protection from breaches. Second, we highlight generative rules through which groups become empowered—via their bridging initiatives that co-opt stakeholders into security behaviors and stakeholder responsiveness to bridging, rather than unilaterally applied buffering initiatives. Third, we highlight reinforcing rules through which empowered states persist—via the group’s ability to safeguard organizational information assets, thereby ensuring cybersecurity group viability, continued bridging, and motivated stakeholder responsiveness. For practitioners, our study underscores the interdependence between cybersecurity groups and their stakeholders in securing an organization and posits processes for empowering cybersecurity groups.