#### *4.2. Semi-Supervised Learning (SSL)*

The SSL approach is a combination of supervised and unsupervised ML. SSL uses a small amount of labeled data and a large amount of unlabeled data to train a model to label data. It is useful in situations where limited labeled training data are available alongside a large number of unlabeled samples [37]. According to Ouali et al. [38], SSL and its applications can be used to reduce the amount of labeled data required, either by developing new methods or by adopting existing SSL frameworks for a DL setting. For example, cluster analysis is a method that groups datasets into homogeneous subgroups that share similar characteristics in the data, such as the same gender or common group associations; the goal is to identify the similarities and differences between data points. The application of cluster analysis in SSL is to use some known cluster information to classify other unlabeled data, which uses both labeled and unlabeled data. There are various methods and approaches: consistency regularization (or consistency training) for perturbed vision; proxy-label methods, which use a heuristic approach and leverage a model trained on the labeled set to produce training examples by labeling unlabeled sets; generative models, which use learned features on one task that can be transferred to other tasks; and graph-based methods, which propagate labels from labeled nodes to unlabeled nodes by using the similarities of two nodes [38].
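The graph-based approach described above can be sketched as follows. This is an added example, not code from the paper or from [38]: the login-session features, the RBF similarity with `sigma`, the 0.8 review threshold and all sample values are assumptions constructed for illustration.

```python
import math

BENIGN, SUSPICIOUS = 0, 1

# Constructed sample: (failed-login ratio, off-hours ratio) per session, both in [0, 1].
SAMPLE_POINTS = [
    (0.05, 0.10), (0.10, 0.05),                               # 0-1   labeled benign
    (0.90, 0.85), (0.85, 0.95),                               # 2-3   labeled suspicious
    (0.08, 0.12), (0.15, 0.10), (0.12, 0.20), (0.20, 0.15),   # 4-7   unlabeled
    (0.80, 0.90), (0.95, 0.80), (0.88, 0.75), (0.75, 0.85),   # 8-11  unlabeled
    (0.50, 0.50),                                             # 12    unlabeled, in between
]
SAMPLE_LABELS = [BENIGN, BENIGN, SUSPICIOUS, SUSPICIOUS] + [None] * 9


def rbf_similarity(a, b, sigma):
    """Edge weight between two nodes: close feature vectors get a weight near 1."""
    return math.exp(-math.dist(a, b) ** 2 / (2 * sigma ** 2))


def propagate_labels(points, labels, n_classes, sigma=0.2, tol=1e-9, max_iter=1000):
    """Iterative label propagation over a fully connected similarity graph.

    labels[i] is a class index for a labeled node or None for an unlabeled one.
    Returns one class distribution per node.
    """
    n = len(points)
    # Row-normalised similarity matrix: P[i][j] is how much node i listens to node j.
    P = []
    for i in range(n):
        row = [0.0 if i == j else rbf_similarity(points[i], points[j], sigma)
               for j in range(n)]
        total = sum(row)
        # An isolated node (all weights underflow to 0) keeps an all-zero row.
        P.append([w / total for w in row] if total else row)

    def one_hot(cls):
        return [1.0 if c == cls else 0.0 for c in range(n_classes)]

    # Labeled nodes start (and stay) at their known class; unlabeled start uniform.
    F = [one_hot(lab) if lab is not None else [1.0 / n_classes] * n_classes
         for lab in labels]

    for _ in range(max_iter):
        new_F = []
        for i in range(n):
            if labels[i] is not None:
                new_F.append(F[i])  # clamp: known labels never change
            else:
                new_F.append([sum(P[i][j] * F[j][c] for j in range(n))
                              for c in range(n_classes)])
        delta = max(abs(a - b) for ra, rb in zip(new_F, F) for a, b in zip(ra, rb))
        F = new_F
        if delta < tol:
            break
    return F


def pseudo_label(scores, labels, threshold=0.8):
    """Return (index, class or None, confidence) for every unlabeled node.

    A node whose best class score is below the threshold gets None, meaning it
    is left for an analyst instead of being auto-labeled.
    """
    out = []
    for i, dist in enumerate(scores):
        if labels[i] is not None:
            continue
        confidence = max(dist)
        cls = dist.index(confidence) if confidence >= threshold else None
        out.append((i, cls, round(confidence, 3)))
    return out


if __name__ == "__main__":
    scores = propagate_labels(SAMPLE_POINTS, SAMPLE_LABELS, n_classes=2)
    for index, cls, confidence in pseudo_label(scores, SAMPLE_LABELS):
        name = {BENIGN: "benign", SUSPICIOUS: "suspicious", None: "needs review"}[cls]
        print(index, SAMPLE_POINTS[index], name, confidence)
```

Every pseudo-label here is derived from the four seed labels, so a wrong or manipulated seed spreads to its neighbours; the seed set deserves review before propagation.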

#### *4.3. Unsupervised Learning*

With regard to unsupervised machine learning algorithms, these include K-means clustering for identifying groups and iteration, factor analysis (FA), principal component analysis (PCA, to reduce dimensions), DBSCAN (density-based spatial clustering of applications with noise, which is used for data mining), and singular value decomposition (SVD) [19]. In unsupervised deep learning, learning models such as self-organizing maps (SOMs), Boltzmann machines, and AutoEncoders [39,40] are used to reduce dimensionality as the output is always 2-dimensional and is well-used. These allow the user to identify clusters of a specific type of input pattern [41]. The network of Boltzmann machines (or stochastic model) is a systematically connected neuron-like sampling learning algorithm and allows for interesting features in complex training data to be identified [42]. AutoEncoders are used in processing audio raw data into secondary vector space (e.g., word2vec) and have various variations such as sparse AutoEncoders (allows a hidden layer and a reduction in overfitting), or contractive AutoEncoders (prevents overfitting and copying of values from hidden layers, adds to the loss function), which are useful in terms of building recommender systems or reducing dimensionality [35].

Unsupervised learning is useful for monitoring a system or building a binary recommender system. For example, it can be used to detect specific types of fraud. The key aspect of unsupervised learning is to unveil hidden patterns or groups from large volumes of unlabeled data, faster than supervised ML can do. Based on past purchase data, unsupervised ML can assist managers to identify trends in the data that can be used to plan a cross-selling strategy through add-on recommendations to customers during the check-out stage [43]. However, some aspects need attention, such as the computational complexity of training on high volumes of data, and a lack of clarity as to which data were clustered and how the data were labeled. This means that users need time to understand the labeling, classifications, and interpretation. Unsupervised learning can be used for segmentation or understanding different customer groups, which helps managers to redefine their communication strategy to better fit the needs of certain groups, and to monitor for fraudulent transactions or analyze customer preferences based on their search history [44].
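As an added illustration of unsupervised monitoring for fraudulent transactions (not code from the paper), the sketch below runs DBSCAN, one of the algorithms listed above, and treats the points it marks as noise as candidates for analyst review. The feature scaling, `eps`, `min_pts` and the sample transactions are assumptions constructed for this example.

```python
import math

NOISE = -1

# Constructed sample: (amount, hour of day) per card transaction.
SAMPLE_TRANSACTIONS = [
    (25, 9), (30, 10), (42, 11), (38, 12), (55, 13), (47, 14), (33, 15), (60, 16),
    (9500, 3),                                                   # index 8
    (220, 19), (310, 20), (280, 20), (350, 21), (400, 21), (260, 22),
    (8700, 3),                                                   # index 15
    (15, 4),                                                     # index 16
]


def features(amount, hour):
    """Map a transaction to a 2-D point.

    Assumed scaling: log10 of the amount (amount must be > 0) and hour / 12,
    so both axes span a similar range. The hour is treated as linear, which
    ignores that 23:00 and 00:00 are adjacent.
    """
    return (math.log10(amount), hour / 12.0)


def neighbours(points, i, eps):
    """Indices of all points within eps of point i (including i itself)."""
    return [j for j, q in enumerate(points) if math.dist(points[i], q) <= eps]


def dbscan(points, eps, min_pts):
    """Return one label per point: a cluster id (0, 1, ...) or NOISE."""
    labels = [None] * len(points)          # None means "not visited yet"
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = neighbours(points, i, eps)
        if len(seeds) < min_pts:
            labels[i] = NOISE              # may become a border point later
            continue
        labels[i] = cluster
        queue = list(seeds)
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster        # border point: reachable, not dense
            if labels[j] is not None:
                continue                   # already assigned, do not expand again
            labels[j] = cluster
            reach = neighbours(points, j, eps)
            if len(reach) >= min_pts:      # only core points extend the cluster
                queue.extend(reach)
        cluster += 1
    return labels


def flag_for_review(transactions, eps=0.3, min_pts=3):
    """Indices of transactions that belong to no dense group."""
    labels = dbscan([features(a, h) for a, h in transactions], eps, min_pts)
    return [i for i, label in enumerate(labels) if label == NOISE]


if __name__ == "__main__":
    for i in flag_for_review(SAMPLE_TRANSACTIONS):
        print("review:", i, SAMPLE_TRANSACTIONS[i])
```

The cluster ids carry no meaning of their own, which is the lack of clarity noted above: an analyst still has to interpret what each group and each flagged point represents.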

#### *4.4. Reinforcement Learning (RL)*

Reinforcement learning (RL) models are either positive or negative based. The methods for RL include SARSA (state-action-reward-state-action for learning Markov decision process policy), the n-step method (the increment for rewards is estimated value of at time t, that incorporates n-step backup), actor–critic methods (or TD methods), and Q-learning [45]. Q-learning is value-based learning, which helps the agent (model) determine the optimal action within an environment. Examples of RL are in AlphaGo, Alpha Zero, Mario, DeepMind in Google data centers (with AI), self-driven car (with AI), and Keras in libraries [19]. RL can be applied widely, for example to self-driving in the automotive industry, business strategy planning, and data processing, but attention is needed in various aspects such as the parameters, as these may affect the speed of learning.

Intuitive AI is an artificial neural network based on deep learning that can level up the result of analytics through the emulation of a wide range of human cognition and learning and the adaption of intuitively based understanding (e.g., Google's DeepMind (AI)). In AI development, there are different types of AI: narrow AI, which is descriptive and performs one task at a time (answers are provided to the question of what happened); general AI, which is diagnostic (answers to comprehend the question of why did it happen) and makes a decision based on learning (independent); and predictive (answers to the question of what might happen next) [46,47]. Intuitive AI can identify anomalies in the dataset and make a deduction based on analyzed information, which, for example, helps to detect threats in financial services [46,47].

Some applications such as Replica, Sophia, Ellie, Nao, and Kasper recognize emotion and learn and adapt when interacting with humans. Empathy is an important ingredient in social interaction. Through the retailer deploying humanoid AI, they can manage the relationship with customers better as they can respond better to consumer requests by being able to detect the consumer's emotional state [48,49]. This can be looked upon positively as it represents a commitment to the customer-centric approach and makes the customer feel safe knowing that their needs are understood and that effort has gone into servicing their requirements, thus ensuring their expectations are met.

From the above, it can be noted that there are many different algorithms with different capabilities and functionalities, which associate with different levels of expert requirements and commitments. Table 1 is useful as it briefly outlines the different types of learning and their capabilities/functionalities and their application, especially in relation to DL. It provides a basic understanding to people who are enthusiastic in terms of using big data, but who have a limited knowledge of information technology and its application. Table 1 can be considered as useful with regard to answering questions such as:


#### **5. Improving Cyber Security through Utilizing AI**

It can be argued therefore that various managers (e.g., marketing managers, logistics and distribution managers, and finance managers) will have knowledge of the use of AI, and will understand the benefits afforded by AI. Hence, it is possible for managers to relate the use of AI from advertising and product promotion to security awareness and counteracting fraud by making staff aware of the need to improve their security behavior. For example, Bresniker et al. [50] (p. 46) provided a number of insights into how AI can be used to aid the cyber security management process, especially from the stance of detecting threats and state: "AI/ML can drive down response times from hundreds of hours to seconds and scale analyst effectiveness from one or two incidents to thousands daily. With an adequate knowledge base, it can preserve corporate knowledge and use that knowledge to automate tasks and train new analysts".

Bresniker et al. [50] (p. 46) indicate that AI/ML will be increasingly used to:


Bresniker et al. [50] provide a useful guide as to how AI/ML can enhance cyber security, however, in order for various managers in the organization to work together and provide an integrated approach toward strategic cyber security management [1], whereby the cyber security manager works closely with various other managers including the risk manager, the business continuity manager, the IT manager, and the training manager, for example, it is necessary to match the human dimension of cyber security (e.g., identify human vulnerabilities) with the technical dimension of cyber security (e.g., identify technical vulnerabilities) through the application of the concept of sociocultural intelligence. The reason why matching is necessary is because fake news/disinformation is causing confusion and disruption and is likely to be weaponized further and used to complement various forms of cyber attack.

Fake news is well-orchestrated and targeted [51]. Petratos [52] (p. 764) draws on the United Nations definition and suggests that disinformation has been used "to confuse or manipulate people through delivering dishonest information to them". Bearing in mind that there has been an upward movement in ransomware attacks, managers need to realize that dealing with cyber criminals is not always as straightforward as expected. Drawing on the work of Greenberg, Tatar et al. [53] make known that a ransomware attack may be confused with data destruction malware whereby there is no possibility that the data would be made available to the target because the master boot records are in fact deleted by those carrying out the attack. It is for this reason that senior security managers within organizations need to develop a holistic approach to security because they may not be aware of the subtlety behind disinformation. By accepting that disinformation detection requires a large investment in AI/ML, it should be possible for managers to develop resilience-based security by integrating cyber threat detection with security awareness.

#### **6. Materials and Methods**

To gain insights into how the concept of resilience can be embedded in the psyche of the organization so that it is a recognized component of the organization's memory, one of the researchers of this paper undertook a small group interview involving five highly knowledgeable organizational security experts. The experts were selected on the basis that they were knowledgeable in terms of strategic intelligence and were well able to place threat intelligence in the context of an organization's commitment to building resilience. The participants were all based in London and received permission from their employer to be involved in the research. Originally, it was envisaged that two small group interviews would be undertaken but it was not possible to organize two separate groups because those approached were busy and had commitments. Those that did attend and participate possessed operational knowledge that allowed them to offer unique insights into the topics under discussion [54] and uncover the underlying conditions [55]. In addition, they were known to have served in various senior security positions within an organization and were able to establish how intelligence and security could be integrated better so that security provision across business functions could be improved. The small group interview method was chosen because it allows for broad based questions to be asked that result in an open-ended group interview [56] (p. 17), whereby the participants can articulate their view, challenge and critique their peers, and then provide unique insights and solutions. Indeed, the selection of the group members (e.g., senior security professionals with work experience gained in both the private sector and the public sector) proved valuable in the sense that it was necessary to establish a group ethos [57] (p. 354) that allowed for meaning through reflection [9] (pp. 116–117). 
The small group interview was limited to one and a half hours and prior to the group interview commencing, the participants had agreed that the interview could be audio recorded. The researcher-facilitator agreed that specific comments made by individuals would not be attributed to the individuals concerned or the organization that they worked for. The group interview was framed so that the insights provided allowed for a holistic view of security to be derived that could then be interpreted from an organizational intelligence perspective. An interactive style was adopted during the small group interview, and this allowed each participant to explore the subject matter in the way they considered appropriate.

When undertaking a small group interview, it is important for the researcher to give attention to what the purpose of the group interview is and how the group members relate to each other. For the purpose of this research, the objective was not to look at a basic set of conditions or derive insights in relation to government policy. The objective was to bring a highly experienced group of security experts together so that they could provide an in-depth understanding and appreciation of the topics discussed [58]. This was conducted by placing intelligence in the context of organizational resilience and at the same time, allowing each participant to gain intellectual satisfaction and knowledge in relation to perfecting their own organizational resilience policy. A semi-structured, open-ended approach was adopted as this allowed specific questions to be posed and provided the participants with some latitude to branch out and provide answers that incorporated real world examples.

In order to generate the required data, a number of questions were posed during the small group interview that included: How useful is the organizational learning concept in relation to the development of a security culture? How effective is transformational leadership in terms of the strategic intelligence approach? How can organizational vulnerabilities be eradicated through threat intelligence? The advantage of this approach is that the predetermined open-ended questions used were supplemented with additional questions that emerged as the interview progressed [59] (p. 315). The sub-questions that emerged were related to a range of topics that surfaced including crisis management, intelligence tools, networks, organizational skills, outsourcing, transformational leadership, trend analysis, trustworthy behavior, and risk management.

The data collection process was judged important in terms of the evidence and linking theory and practice. However, it was recognized that differences in regulatory conditions meant that senior security managers in one industry operated under different conditions compared to security managers in other industries. Although the view taken by the researchers was that the regulatory conditions exhibited differences, they were differences in degree only.

Immediately after the small group interview had been completed, the transcript was transcribed and then analyzed by the researchers. Each participant was provided with a copy of their portion of the transcript so that they could verify what they had said. Each participant, and indeed the facilitator, were assigned a number as names had not been used, and were identified accordingly. For the data analysis, the inductive approach was used whereby "the patterns, themes, and categories" were derived from the data as opposed to being imposed by the researchers before the data were collected [56] (p. 390). The main themes were identified and reported in [60]. In terms of the analysis of the data, we adapted the process associated with the grounded theory approach whereby we undertook open coding, axial coding, and selective coding [60], and developed a set of themes. The researchers then constructed a narrative in relation to each of the main themes. This would help the non-security specialist to understand how security practitioners placed threat intelligence in a sociocultural context from the perspective of enhancing an organization's resilience. This allowed the researchers to relate the main themes identified back to the intelligence cycle (IC) and critical thinking process (CTP) so that a cyber threat intelligence cycle process (CTICP) could be produced that was generic in nature and could be extended or adapted by managers in different industries.

#### **7. Results**

From the small group interview, it was clear that organizational learning, transformational leadership, organizational restructuring, crisis management, and corporate intelligence emerged as the main management considerations (themes) to be taken into account by top management because together, they provided insights into how threat intelligence was viewed and managed.

*Organizational learning* is viewed as important because it is a process whereby the mindsets of managers can be changed to embrace organizational values. In relation to how threats can be confronted and communicated to stakeholders, it is important for threat-based intelligence to be shared in real-time. As security covers a range of sensitive topics, it is for this reason that staff are required to understand what trustworthy behavior is and why acts of benevolence are considered important and underpin relationship building. By establishing trust-based relationships, it is easier for individuals to share information when necessary and to safeguard themselves. This can be achieved by working within the organization's ethical code of conduct. Managers need to understand that the insider threat is continually evident, and the best approach appears to be for senior management to establish clearly defined security related roles that individuals can adopt when performing their duties. This means that security training needs to be formalized and a distinction made between training and education. The latter can be viewed as a higher level of knowledge attainment and inclusive of the understanding of what cyber threat intelligence (CTI) involves and how it is used on a day-to-day basis. Although not all staff need to be aware of the technical aspects of cyber security, those in positions of responsibility are required to have an all-round appreciation of the subject. In-house, formal cyber security awareness programs can be organized and administered on a continual basis to up-date staff and to make sure information technology staff talk with staff throughout the organization about security related issues. This should prove beneficial in terms of establishing and maintaining a security culture and ensuring that staff are aware of why and how they are to relate to law enforcement personnel when problems occur such as fraudulent practice, for example.

*Transformational leadership* was considered as a precursor of organizational change and is brought about through the implementation of strategic vision. Acknowledging that people can become complacent, it is necessary to ensure that people also do not become demotivated and lose sight of important considerations such as day-to-day security. However, transformational leadership is about establishing an organizational security culture, which should be viewed as a collectivist process. Another point that arose was that staff need to develop an understanding of the needs of people in other organizations. This will help staff to recognize symptoms such as corrupt practices and inefficiency in operations that could prove detrimental to the organization and its partners. Part of the transformational process involves staff using their own social network(s) to gain intelligence about cyber related attacks and centralizing this in the form of threat intelligence within a central command and control system within the organization. With regard to the security skill base of employees, managers need to ensure that security is defined in a certain way so that risk management is given adequate attention. To ensure that transformational leadership is effective, people within the organization that are viewed as supportive of security initiatives can adopt the role of champion of the cause and be given prominence to participate in in-house security seminars.

*Organizational restructuring* can result in an upheaval that places the organization at risk, especially when the management's attention is focused on other, non-security issues. Internal conflict can result in an organization becoming vulnerable because the type of uncertainty being dealt with relates more to an organization's internal situation than an outside threat penetrating the organization's defenses.

*Crisis management* is considered necessary because it can be assumed that at some point in time, the organization will be penetrated, and it is likely that other partner organizations will also be affected. Although essentially crisis management may be undertaken in different ways (e.g., depending upon the size and complexity of the organization), it must be noted that there are both direct and indirect influences involved. The organization's value system needs to support teamwork and requires that crisis management is viewed as an essential and combined process, whereby senior management make known to employees what a resilient organization is and how such an organization remains resilient. Areas often overlooked or underplayed include cyber insurance, and therefore the risk management process needs to be more formalized than it sometimes is.

*Corporate intelligence* is aided by the process of risk management and an area of attention is advances in biometrics, which covers threats brought about by fake IDs. Regarding the protection of the identity of employees, managers need to ensure that a person's identity is always safeguarded and because information about an individual can be used against them, attention needs to be given to issues such as identity theft. This means that risk management is viewed from several perspectives and can also be related to human resource management policy and the recruitment of staff both from within the country and from abroad.

The findings from the small group interview highlight various issues that the cyber security manager needs to be aware of. These include the need to define what the organization's stance is in terms of security and resilience; and what the boundaries are that staff need to pay attention to when sharing information. These are important considerations with regard to how staff obtain data and information from outside the organization and share intelligence/knowledge with internal staff so that a cyber attack does not get through the organization's defenses. The quality of the data shared, and the way in which the data are shared, need to be given consideration in advance of a crisis occurring. During a crisis (e.g., an attack has penetrated the organization's defenses and staff struggle to deal with it in real-time), staff need to follow the policy laid down and ensure that cascading effects do not materialize.

Security awareness is, therefore, reflective of the investment in security training and education, however, it is recognized that more investment is needed in making staff aware of the consequences of an impact and convincing them that a proactive approach to gaining cyber security knowledge from appropriate sources is viewed as good practice.

#### **8. Discussion**

As well as placing emphasis on the quality of information/data derived from outside the organization, we also focus attention on the use of AI and whether managers can deploy supervised, semi supervised, or unsupervised algorithms for data analysis. This brings to attention whether managers have the knowledge required to interpret the results of the analysis (e.g., through human interpretation or machine interpretation) or whether a higher-level knowledge interpretation is required. Senior managers do need to invest time and effort into discussing these points and will need to put in place a protocol that provides guidance with regard to the analysis of big data. Acknowledging that sociocultural intelligence needs to be analyzed in a certain way and is dependent on the insights of experts brings to the fore the fact that managers need to consider the issue of resource availability.

The findings from the small group interview also highlight the need for a senior security manager/cyber security manager to adopt a transformational approach to security whereby threat analysis is an integral part of intelligence activity. By including current information pertaining to cyber threats, it is possible to highlight the need for cyber threat analysis to be viewed as necessary and to advocate a strategic cyber security management [1] approach. This will provide a basis for cyber security to be more widely appreciated than it is at present by managers that have a non-technical disposition. By adopting a more corporate intelligence focused approach to cyber security, whereby the lead organization takes greater responsibility for security, especially cyber security, guidance and support can be provided to the suppliers. Security staff, and the cyber security manager in particular, can promote the stakeholder view of security whereby supply chain partners take responsibility for updating their security and at the same time, pass threat intelligence data and information onto other stakeholders/network members. This will allow each stakeholder to coordinate their investment in cyber security [4]. The key point to note is that AI/ML can assist managers to undertake cyber threat intelligence (CTI), however, gaining permission across various supply chains is time consuming and requires negotiated access. This involves the sharing of sensitive data and information, and a commitment to building a sociocultural intelligence knowledge base.

To achieve linkage between security and intelligence, it is necessary to have an appropriate leadership model in place that embraces organizational learning and integrates the key aspects of the intelligence cycle (IC) with the critical thinking process (CTP) [9] (p. 139). The COVID-19 pandemic is continuing to have a lasting effect on the international economy, and evidence of this can be seen in the actions of unscrupulous individuals who are intent on exploiting health care provision [61]. By including issues such as fake news, identity theft, and ransomware, for example, in cyber threat intelligence (CTI), it is possible to establish how organized criminals are exploiting the market for legitimate drugs by engaging in online activities in relation to COVID-19 and the methods by which they gain financially. A question that arises is how can senior management devise a strategic approach to cyber security management that results in a collectivist appreciation whereby organizational partners pool resources to mitigate the risks identified? This is a question that top management appears to be discussing but the problem basically remains that not all business relationships are long-term in orientation. Opportunistic behavior may militate against a more structured and integrated approach to cyber security management across supply chains. Another issue that arises is, if partner organizations do not cooperate and share risk related data/information, how is a potential crisis to be effectively dealt with in real-time? Although the cyber security manager may focus on a specific type of cyber threat, it can be suggested that the scale of the problem means that it is necessary to utilize AI/ML to help counteract a range of cyber attacks.

It can be noted that AI is developing through time and its capability is to be viewed as several inter-locking AI and ML capabilities. By progressing from supervised to unsupervised learning and beyond, AI and ML assume a high level of decision-making that is freeing managers to invest time in strategy formulation as they are no longer required to undertake a lot of the analytical tasks themselves. Hence, it can be suggested that managers view the utilization of AI in terms of fostering the strategic capability of the organization and aiding business planning and resilience policy. To understand how AI is to be implemented requires strategic vision and a commitment to investing in a range of platforms (business platforms, enterprise platforms and enabling platforms) [62] that provide the company with a sustainable competitive advantage through relationship building.

Through establishing data-driven knowledge base construction, cyber security staff can guard against the problem of "inaccurate entity recognition and unreliable property/relation discovery due to insufficient training data" [63] (p. 11). In other words, it can be pointed out that cyber security specialists should work with those involved in cognitive sciences such as psychology to better understand how cyber security awareness and other areas of interest such as situational analysis can be incorporated more fully into the process of cyber threat intelligence (CTI) [17]. This should ensure that spikes of activism are noted and linked with disruptive geopolitical campaigns and specific types of hacking activity. Furthermore, emerging trends in fraudulent behavior may be linked to deteriorating economic conditions and the rise in criminal behavior, whereby organized criminal syndicates seek and exploit new market opportunities (e.g., fake websites linked to fictitious products and services). Through converting information into intelligence and developing cyber security knowledge, a formalized approach to cyber threat intelligence (CTI) will materialize. Hence, threat actors need to be identified and categorized and this can be conducted by means of a threat template that outlines the opportunities in relation to the selected threat actors [64] (p. 6). By establishing the motivations of threat actors and linking through with their intended actions, it should be possible to understand the nature of the threat(s) and how matters escalate and an impact occurs [64] (p. 8).

Intra- and inter-company relationship building is important from the stance of sharing and utilizing threat-based data and information and can be considered as an integral part of cyber threat intelligence (CTI). Incident analysis tools exist [65] (p. 169) that can undergo further development that results in new initiatives in cyber security provision. It is also hoped that the sharing of such technology will encourage more dialogue between governments and a concerted effort will arise that results in a greater pooling of resources and cutting-edge joint research projects. The logic underpinning this view is to acknowledge that the pressures on managers to analyze big data will increase and new ways of detecting threats need to be found and implemented across industry sectors. Taking note of the risk associated with advanced persistent threats (APTs), it can be suggested that the incident management process needs to be given increased attention. In addition, staff involved in cyber security need to have the confidence to question management practices and lobby for changes in company policy so that improved cyber security occurs at the same time as cyber threat intelligence (CTI) is upgraded.

Bearing the above in mind, we can reflect on the individual stages of the intelligence cycle (IC) and the critical thinking process (CTP) [9] (p. 139) and suggest that cyber threat intelligence (CTI) should be merged into the cyber threat intelligence cycle process (CTICP) so that the following stages are visible: (1) objective resilience (e.g., top management define resilience so that the organization is able to withstand a range of cyber attacks); (2) question framing (e.g., top management establish how the organization is to be made more resilient through human action and the combined usage of AI and ML); (3) threat intelligence (e.g., managers define what is involved and map the identified impacts against possible outcomes); (4) work tasks established (e.g., individual managers and experts are appointed to undertake specific tasks and roles); (5) collection of threat intelligence data and information (e.g., various research and data collection exercises are undertaken but mostly utilize AI and ML); (6) the analysis of threat intelligence data and information (e.g., cause and effect established/patterns in the data are identified that indicate a certain type of attack is occurring/is likely to occur); (7) interpretation of the results (e.g., risk register(s) up-dated within the organization and partner organizations); (8) dissemination of the results (e.g., the cyber security manager liaises with government bodies/agencies, trade associations and various resilience community groups and shares relevant industry information); (9) cyber threat intelligence (CTI) concepts/frameworks/models devised (e.g., industry specific and improved through additional evidence from university research group(s)); (10) strategic cyber security management (e.g., assumptions are incorporated into a new way of thinking about the role that cyber security management plays); (11) reflection (e.g., staff focus on how advances in AI and ML will change the nature of future cyber threat intelligence (CTI) analysis and interpretation); and (12) intelligence culture (e.g., promotional activity undertaken within the partnership arrangement and more widely to help people in society prepare for cyber attacks and develop their own level of cyber security awareness so that they are better able to handle the psychological consequences of such attacks).

The benefits of such an approach are clear to see. The cyber security manager and various managers throughout the organization and its partners can utilize sociocultural intelligence to gain a more strategic view of the nature of cyber threats and how various cyber attacks are to be unleashed. The advantage of formalizing cyber threat intelligence (CTI) as opposed to viewing it as ad hoc is clear to see. Cyber threat intelligence (CTI) can be viewed from several stances including allowing "early detection of malicious behavior, preferably before a malicious actor gains a foothold in the network" and aiding the sense-making process by providing "insight into the relevant threat environment to decisionmakers" [66] (p. 301). Cyber threat intelligence (CTI) can therefore improve situational awareness and focus attention on key concerns such as how to guard against bias. Bias originates from cyber threat intelligence (CTI) feeds and/or analysis and can be linked to both criminal groups and state actors [66] (pp. 309–310). Bias is associated with the process itself whereby poisoning attacks occur as a result of training data, derived from open-source platforms, being manipulated/contaminated by malicious actors [67,68].

The cyber threat intelligence cycle process (CTICP) can help managers to identify how malicious actors are targeting organizations and how they are identifying future targets. This is conducted through the cooperation of designated managers, a commitment to using quality data and appropriate data analysis tools, and the sharing of intelligence on malicious actors and their networks. It is also envisaged that a range of ethical concerns will need to be addressed including data privacy, integrity and the accuracy of predictive intelligence [69]. By incorporating ethical issues and concerns into the process, it should be possible for managers to view predictive intelligence from the perspective of the changing needs of society, maintaining individual privacy and meeting legal challenges as and when they occur. In addition, by embracing the sociocultural intelligence approach, the cyber security manager should be well placed to challenge and verify the patterns identified during the analysis of the big data.

#### **9. Conclusions**

For managers within an organization who are not familiar with AI to understand more fully what is involved when applying AI to help deal with cyber threats and to deal with cyber attacks when they occur, it is important to understand what cyber threat intelligence (CTI) is and how it feeds into strategic cyber security management [1]. Well-established intelligence concepts can be drawn on and modified to help the cyber security manager devise a cyber threat intelligence (CTI) blueprint that can be used to produce a more generic model or industry-specific model, which is aimed at hardening the organization's defenses. By being committed to the use of situational analysis and embracing sociocultural intelligence inputs from external experts as well as in-house company staff, a security culture can be developed that has cyber security at the heart of it.

The advantage of placing cyber security at the center of security is that sociocultural intelligence can be reinforced by AI and in turn, AI can be monitored in terms of its ability to detect fake data and information and counter acts of data poisoning. The greater the quality of the data and the more sophisticated the process of analysis, the more the cyber security manager is able to work alongside colleagues to strengthen the organization's defenses. Through the process of integrating a number of separate but related tasks into a proactive stakeholder approach to cyber security management, the organization's supply chain will become more resilient and better able to withstand various forms of cyber attack.

#### **10. Future Research**

It is clear from the foregoing that a follow-up study can be undertaken that focuses more deeply on how AI/ML can enhance cyber security provision from the stance of a coordinated investment in cyber security from the organizations in a specific supply chain. This will provide insights into how organizations with a common trading mandate anticipate and guard against a possible cyber attack(s) and coordinate their defense [4]. The advantage of such a study is that it will provide evidence of a specific type of cyber threat intelligence (CTI) and outline how managers identify and organize supply chain resilience. Another research project that can be undertaken is to establish how managers overcome their lack of knowledge in relation to AI, and how they can develop relevant insights and/or contribute to the development of AI-focused cyber security tools that lead to a better understanding of company–industry–society considerations and the need to ensure that AI is regulated appropriately [3] (p. 114). In addition, the insights into knowledge creation through various forms of learning [70] can be drawn on and placed more firmly in the context of managers understanding why network associations are important and how they can be developed through investment in AI.

It would also be appropriate to undertake research that contributes to cyber threat intelligence (CTI) methodology as this would help broaden the base of cyber threat intelligence (CTI) and solve a well-stated problem: "The volume and velocity with which new attacks are reported leads to a high daily influx of many single IoC datapoints that need further triangulation to assess their relevance to the specific threat context" [66] (p. 304). Indeed, it should be possible to deploy soft systems methodology [71] and scenario planning [72] to link planning and modeling with strategy formulation, answer the "what if" type questions that arise and, once these are answered, enable policy initiatives to be aimed at solutions found through learning.

**Author Contributions:** Conceptualization, Y.-I.L. and P.R.J.T.; Methodology, Y.-I.L. and P.R.J.T.; Formal analysis, Y.-I.L. and P.R.J.T.; Writing—original draft preparation, Y.-I.L. and P.R.J.T.; Writing—review and editing, Y.-I.L. and P.R.J.T. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Not applicable.

**Acknowledgments:** The authors would like to express their gratitude to the reviewers for their in-depth comments and suggestions for improving the paper.

**Conflicts of Interest:** The authors declare no conflict of interest.
