Cyber security and the organizational servomechanism

Published: Friday, 19 March 2021 13:46

An organization's stability and adaptability functions are controlled by the ‘organizational servomechanism’ (OSM). In this article, Alberto G. Alexander, Ph.D, MBCI, describes a step by step process to address cyber security risks affecting the OSM and gives some recommendations for developing associated continuity strategies.


Organizations of any type and size are constantly at risk of suffering cyber attacks and the strategic level at most companies recognizes cyber risk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyber risk is being managed in their organizations. Regulators are challenging the levels of enterprise resilience that companies claim to have attained. Everybody, including business executives, regulators, customers, and the general public agrees that cyber risk is serious and calls for special attention.

This article focuses specifically on what organizations should do to protect their basic functions that allow a company to survive, grow and perform. These functions are the adaptability and stability mechanisms.  One of the purposes of cyber security should be to protect these functions from any type of cyber risks. When developing a business continuity management system (BCMS), practitioners should consider identifying cyber threats that could harm the adaptability and stability functions in any type of organization.

In today’s computerized world, new risks emerge every hour of every day. Connecting to the Internet opens up the possibility of a hacker targeting an organization. Cybercrime is becoming big business and cyber risk a focus of organizations and governments globally. Monetary and reputational risks are high if organizations don’t have an appropriate cyber security plan.

Cyber security is making sure that the organization’s systems and data are safe from attacks from both internal and external bad actors. It can encompass a body of technologies, processes, structures, and practices used to protect networks, computers, programs, and data from unauthorized access or damage. The goal of any cyber security strategy is to ensure confidentiality, data integrity, and availability.

There are several primary means by which cyber security issues can affect (or even destroy) an organization and its reputation. There is the risk that a hacker might obtain sensitive information such as bank account or credit cards details. There are open markets for such information on the ‘Dark Web’. Each month high-profile security breaches impacting individual data are reported globally.

If a hacker attacks the stability function of a firm, damaging its control system and creating an unstable situation, the organization would not be able to generate its products/services at a predetermined performance according to agreed specifications. This situation would severely damage the reputation and goodwill of the firm; and performance would become unacceptable.

This article provides points of guidance on a step by step process to be followed to address cyber security risks affecting the organizational servomechanism (OSM) of an organization and gives some recommendations that business continuity managers should consider when identifying cyber security threat scenarios and developing continuity strategies.

Organizational functioning

Any type of organization needs to adapt rapidly to environmental changes and needs to establish a stable situation for its operations, to control its performance and to be able to provide products/services at a predetermined level. This is managed via the stability and adaptability functions.

The organizational stability and adaptability functions are controlled by what is called the ‘organizational servomechanism’ (OSM). This mechanism, is actually three linked parts:
(1) One for converting raw material into output,
(2) Another for controlling this conversion process based on inputs of feedback about what the process is doing and goals as to where the process should go.
(3) A mechanism that sets these goals in response to the demands of the environment (adaptability function).

This stabilizing mechanism is analogous to the natural homeostatic mechanisms in humans and other animals.

The OSM basic abstraction

Figure one, below, shows the basic abstract model. For the ongoing organizational system, the three levels of the servomechanism constitute a necessary and sufficient set. Each is needed. The policy level (Adaptation Function) is required to set goals.


Figure one: Organizational Servomechanism Basic Abstraction

The operations level is needed to convert the raw materials into the finished product. The latter is the achievement of these goals. The control level is required to monitor the performance of operations and to adjust the flows so that its output stays in line with the prescribed goals. The ends are set by the top level (adaptation function) and the means to achieve these ends are employed by the bottom level, while the middle level functions to ensure that performance remains compatible with objectives (stability function).

Similarly, the six flows and the manner in which they link the functions and the environment, are necessary and sufficient. Together, the functions and the flows constitute the organizational servomechanism.

This model evolves from the writings of a number of authors who observed the general nature of the organization as a system:  Ashby,1958; Brown, 1966; Katz, 1955; Rome and Rome, 1964; Swinth,1974; Alexander,2021.

For the firm to work as a system and to avoid developing organizational entropy it is required that both the adaptability and stability functions perform their purpose. If suddenly any of these functions have their performance impacted by any type of incident, the organization could start having problems in the achievement of its goals and the enterprise could have an unacceptable performance.

Organizations, therefore, need to protect their OSM from any type of threats and avoid developing vulnerabilities.

‘Risk Based Cyber Security in the OSM’

From my experience of working with companies in a variety of industries in different sectors, I have developed the ‘Risk Based Cyber Security in the OSM’ strategy. This includes eight steps, presented below, which should help organizations develop business continuity strategies for cyber risks.

To understand the approach to Risk Based Cyber Security in the OSM a few definitions are required. First, cyber risk is ‘only’ another kind of operational risk. That is, cyber risk refers to the potential for business losses of all kinds - financial, reputational, operational, productivity related, and regulatory related - in the digital domain. Cyber risk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyber risk is a form of business risk.

Furthermore, cyber risks are not the same as cyber threats, which are the particular dangers that create the potential for cyber risk. Threats include privilege escalation, vulnerability exploitation, and phishing. Cyber threats exist in the context of enterprise cyber risk as potential avenues for loss of confidentiality, integrity, and availability of digital assets. By extension, the risk impact of cyber threats includes fraud, financial crime, data loss, or loss of system availability.

As was mentioned earlier, in the OSM we find two functions: adaptability and stability. Both functions have processes that use different types of assets, which could be a target of a cyber attack, resulting in a loss of system availability.

At the adaptability function we mainly find processes that encompass: people (top management), computers, laptops, tablets, and different mobile devices. All the data processing relies on different servers.

At the stability function, we also find processes with people (middle management) and equipment and devices such as: (1) different types of a sensing devices (sensor or receptor) for detecting or measuring what is going on, (2) control center  / centre (collator) which compares what is going on to some concept or standard, (3) a motor device (effector) which takes action to bring results into line with the standard. All the performance of the stability function also relies on servers.

The Risk Based Cyber Security in the OSM concept is depicted in figure two below and a description of the most important aspects to be considered in a project to identify continuity strategies for OSM threat scenarios follows:

Figure two: Risk Based Cyber Security in the OSM

The eight steps are a project that has to be performed in a certain amount of time,  consuming different resources. All these steps have to be carried out using a project management approach.

Step 1: Managing the force field analysis

The first step is the management of the force field analysis. This method was created by the late Kurt Lewin.

Before starting with the steps of the project, it is recommended to identify ahead of time the driving and resisting forces to accomplish the continuity strategies for OSM threat scenarios. The model portrays driving forces (those that are working in the direction of the intended outcome) and resisting and/or restraining forces (those that tend to support the status quo).

To increase the probability of success in the project, actions focusing on reducing the strength of the forces opposing the project need to be developed or the forces pushing in favour of the project need to be increased.

Step 2: Embed the cybersecurity in the OSM risk framework

A risk based cyber program should be fully embedded in the OSM framework. This framework must not be used as the general guideline to perform a cyber risk approach to the OSM. The framework should become the organizing principle. Is important to be clear. The risks the enterprise faces to its adaptability and stability functions should be analyzed and categorized into a cyber risk framework.

Once cyber risk is understood more clearly as a business risk that happens in the OSM domain, the organization will be rightly oriented to begin implementing the risk based approach to its OSM.

Step 3: Understand vulnerabilities across the OSM

The starting point is for the organization to plot the people, technology, and third-party components of its value creating processes. After doing this it should proceed with a thorough identification of associated vulnerabilities.

Step 4: Threat actors and their capabilities

Threat actors and their capabilities - the tactics, techniques, and procedures they use to exploit OSM vulnerabilities - define the organization´s threat landscape.

Only by understanding its specific threat landscape can an organization reduce risk. Threat analysis begins with the question ‘Which threat actors are trying to harm the OSM components and what are they capable of?’ In response, organizations should be proactive and visualize the vulnerabilities commonly exploited by relevant threats, and appropriate controls can then be selected and applied.

In identifying the controls needed to close specific gaps, organizations need to size up potential attackers, their capabilities, and their intentions, as well as the threat actor´s strength and will (intention) to create a risk event. This involves collecting information on and understanding how the attackers connect, technically and nontechnically, to the people, process, and technology vulnerabilities within the OSM in the enterprise.

Step 5: Address OSM vulnerabilities

To defeat threat actors, vulnerabilities discovered in the third step will either be closed by existing controls, activities, and initiatives, or may require new control efforts.

Any new controls needed should be added to the program backlog as either standalone or composite initiatives. The risk based approach importantly bases the scope of both existing and new initiatives in the same control framework.

Step 6: Perform a cyber risk assessment of the OSM

At this step a cyber risk assessment of the processes involved in the OSM functions is performed. A good guide for cyber risk assessment is ISO 31000:2018. The cyber risk assessment starts with cyber risk identification. Here the purpose is to find, recognize, and describe cyber risks that might prevent the firm achieving its OSM objectives at the stability and adaptability functions.

The organization should identify cyber risks, whether or not their sources are under its control. Consideration should be given that there may be more than one type of outcome, which may result in a variety of tangible or intangible consequences.

After identifying all the possible cyber risks affecting the processes involved in the OSM, cyber risk analysis starts. Cyber risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, and controls and their effectiveness.

Cyber risk analysis provides an input to cyber risk evaluation, to decisions on whether cyber risk needs to be treated and how, and on the most appropriate cyber risk treatment strategy and methods. The results provide insight for decisions, where choices are being made, and the options involve different levels of cyber risk.

Cyber risk evaluation has the purpose of supporting decisions. It involves comparing the results of the cyber risk analysis with established cyber risk criteria to determine where additional action is required.

Step 7: Identify threat scenarios affecting the OSM

One of the main outcomes of the Cyber Risk Assessment in the OSM is the identification of threat scenarios. Threat scenarios that could seriously affect the functioning of the processes involved in the OSM should be identified.

These scenarios need to be ranked by threat level, based on the extent to which operations of the adaptability and stability functioning could be interrupted. The principal objective is to understand, at a high level, what could go wrong and what essential functions of the OSM would be affected.

This type of assessment is typically conducted in conjunction with an analysis of the probability and/or potential impact of each scenario. This can be very helpful to prioritize the development of appropriate continuity strategies.

Step 8: Design continuity strategies for OSM threat scenarios

At this step, for each ranked threat scenario, the organization needs to determine an appropriate business continuity strategy (BCS) to be able to resume and recover activities of the OSM functions at a specified minimum acceptable level. The development of a BCS is probably one of the most complicated steps in building a business continuity management system (BCMS). An appropriate BCS demands the usage of a methodological approach and creative thinking.

In terms of a methodological approach “the development of a business continuity strategy development is composed of the following phases: (1) recovery requirements identification, (2) recovery options identification, (3) availability time assessment and (4) cost capability assessment” (Alexander, 2016). The sequence of steps need to be followed. No step can be skipped. It is important to use the workshop style for putting into action all the steps of the BCS framework. The composition of the group is important. The team that is going to create the recovery options needs to consist of individuals who are knowledgeable regarding the recovery requirements and who are familiar with the threat scenarios.

It is very important to be clear that two ingredients are necessary to effectively manage a BCS strategy development; one is to understand the steps in the framework for developing the BCS, and the other one is to facilitate the environment for creative thinking to flourish. Creativity “involves the generation of new ideas or the recombination of known elements into something new, providing valuable solutions to a problem,” (Cyzewski, 2012). The person acting as a facilitator plays a very important role, he or she needs not only to be knowledgeable but also needs to manage different creativity supporting techniques. The main objectives of a “creative thinking process is to think beyond existing boundaries, to awake curiosity, to break away from rational, conventional ideas and formalized procedures, to rely on the imagination, the divergent, the random and to consider multiple solutions and alternatives,” (Michalko, 2011).


The organizational stability and adaptability functions are dealt with what is called the organizational servomechanism (OSM). These functions allow a company to adapt to changes in the environment and keep a stable performance al the operational level.
One of the purposes of cyber security should be to protect these functions from any type of cyber risks.

Firms need to protect the OSM from any type of threats and avoid developing vulnerabilities.

From the experience of working with companies in a variety of industries in different sectors, the Risk Based Cyber Security in the OSM approach has been developed. The eight steps presented in this article should help with developing continuity strategies that, if a cyber risk develops, the company can rapidly put into action.

Continuity strategies for cyber threats need to be developed and included in the BCMS. If the OSM gets affected, continuity strategies should be implemented to ensure that the firm is able to continue to deliver products and services at an acceptable predefined capacity during the disruption.

Continuity strategies addressing possible disruptions affecting the OSM contribute to the organization’s competitive advantage by enabling it to operate during disruptions, and to the organization’s overall organizational resilience.

The author

Alberto G. Alexander, Ph.D, MBCI,  International Consultant
Dr. Alexander holds a Ph.D from The University of Kansas and a M.A from Northern Michigan University. He is the Managing Director of the international consulting and training firm Eficiencia Gerencial y Productividad, located in Lima, Perú. He is a Professor at The Graduate Business School, of ESAN University and a member of the Business Continuity Institute. Contact him at