Digital Business Ecosystem: Multiple Interactions, Unexpected Events


Posted by Jeimy Cano

Today, organizations do not operate in isolation, but in connection with others. Likewise, the dynamics of organizations are in the relationships that materialize between the different people who work there and their interactions with the different components such as infrastructure, applications, data, and services. In this context, a digital business ecosystem is constituted as a “socio-technical system made up of business and technical components, in which the technical components are used to facilitate business activities and interactions” (Chekfoung et al., 2020).

In this sense, people's behaviors around the different elements of the ecosystem establish the dynamics that define not only the effectiveness of the operations, but also the value promise from the applications and services with which customers interact. This is an exercise of collaboration (to build and explore new opportunities), cooperation (operating around concrete agreements reached), coordination (orderly actions directed to realize the promise of value), and communication (tuning the readings of the promise of value of all participants) to generate the necessary trust, which demands connecting with the organization's appetite for cyber risk and the business capabilities needed to accompany the customer experience.

Therefore, as the digital business ecosystem is a socio-technical system, i.e., “it is a network of interconnected elements formed by groups of people and technology that functions as a simple or complex system designed to achieve specific objectives” (Bone & Lee, 2023), it must be designed from the beginning based on four fundamental concepts (Bone & Lee, 2023):

  • Error: Understood as the variance between expected and actual results, where the previous knowledge of the participants and the learning that arises in the interactions are taken into account.
  • Redundancy: As the mechanisms designed to cushion the few errors or failures that occur in the operations or in the redundant mechanisms themselves.
  • Controls: As the process for detecting and responding to system errors, including those caused by surprising perturbations in the operating environment, which require calibration and adjustment to the dynamics of the ecosystem all the time.
  • Resilience: As the adaptive capacity of a system to respond to a significant failure and resume achieving its objectives, or alternatively to set new ones, which demands flexibility and adaptation.

In this context, cyber risk management focuses on recognizing and analyzing the possible adversaries that generate relevant threats to the ecosystem, reducing the vulnerabilities inherent to the different relationships established, and preparing the organization to reduce the impacts when this risk materializes. By definition this risk is systemic and therefore has contagion effects on the other components or participants, which necessarily entails visible or invisible domino effects in the dynamics of the ecosystem.

Thus, although good practices and standards help to understand individually how the different components can secure themselves against known and documented risks, they leave out the natural socio-technical and systemic view of organizations. This allows unexpected events generated by relationships and interactions (known or unexpected) between the different components and participants to surprise the organization and generate uncertain and unforeseen events that compromise its operations and reveal its lack of preparation to assume the inevitability of failure.

This implies moving from enterprise risk management in the ISO 31000 perspective, applied individually by subject matter with particular assurance by areas (risk mitigation), to one that demands recognition of the company's cyber risk appetite, where the practice of continuous threat exposure management becomes the basis of an early warning system for emerging threats. Unlike traditional approaches, this practice understands that threats are dynamic, evolving, and disruptive, so a systemic and adaptive vision is needed (D'Hoinne et al., 2023).

Therefore, cyber risk management in an ecosystemic perspective demands the development of at least four mutually reinforcing elements to maintain a vigilant posture of the organization towards its environment. These elements are (Cano, 2024):

  • Resilience: Absorb shocks and operate in the midst of instability, uncertainty, and chaos.
  • Antifragility: Understanding error as a learning window, taking advantage of adverse events.
  • Flexibility: Reconciling strategy and vision in the face of the inevitability of failure, within the framework of the company's cyber risk appetite.
  • Anticipation: Imagining and acting in the face of different possible and probable futures.

In this way, it not only understands the natural dynamics of digital business ecosystems, but also develops a proactive emerging risk posture that goes beyond regulatory assurance and offers executives possible scenarios with key opportunities and risks to motivate decision-making that understands that (Gigerenzer, 2014, pp. 40-41):

  • The best risk-based decision is not the best uncertainty-based decision.
  • In an uncertain world, basic business rules can lead to a better decision than sophisticated calculations of quantified risks.
  • Complex problems do not always require complex solutions. In the end, complexity is in the eye of the beholder, not in the objects observed.

References

Bone, J. & Lee, J. (2023). Cognitive risk. Boca Raton, FL, USA: CRC Press.

Cano, J. (2024). RAFA Model. Rethinking Cyber Risk Management in Organizations. In Jahankhani, H. (ed.) Cybersecurity Challenges in the Age of AI, Space Communications and Cyborgs. ICGS3 2023. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-031-47594-8_12

Chekfoung, T., Sunil, D., & Binita, G. (2020). Conceptualising capabilities and value co-creation in a digital business ecosystem (DBE): A systematic literature review. Journal of Information Systems Engineering and Management, 5(1). https://doi.org/10.29333/jisem/7826

D’Hoinne et al. (2023). Implement a continuous threat exposure management (CTEM) program. Gartner. ID G00763954

Gigerenzer, G. (2014). Risk savvy. How to make good decisions. New York, NY. USA: Penguin Books.


Contributors
Jeimy Cano

International Consultant, Personal
