#### **1. Introduction**

For an organization to become more resilient, top management needs to take heed of the fact that cyber attacks are likely to intensify in the years ahead and because of this, cyber security needs to be placed in a strategic cyber security management context [1]. The need for such an approach is clear, bearing in mind that: "Even with U.S. company losses due to cyberattacks nearing a reported \$1 trillion by late 2020, a survey of nearly 1000 organizations found that only 44% had cyber preparedness and incident response plans in place" [2] (p. 2). It seems logical, therefore, for managers to counteract cyber attacks by utilizing cyber security technology more fully, but also for them to discover new ways to engage in cyber security management. A key role of senior management is to help managers draw on operand and operant resources so that they can strengthen the organization's defenses against cyber attacks.

**Citation:** Trim, P.R.J.; Lee, Y.-I. Combining Sociocultural Intelligence with Artificial Intelligence to Increase Organizational Cyber Security Provision through Enhanced Resilience. *Big Data Cogn. Comput.* **2022**, *6*, 110. https://doi.org/10.3390/bdcc6040110

Academic Editor: Fabrizio Baiardi

Received: 26 August 2022; Accepted: 1 October 2022; Published: 8 October 2022

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Advice relating to the appropriateness of cyber security technology comes in the form of government advice, highly specialized companies that operate cyber security technological solutions, consultants that have in-depth knowledge of cyber security problems and working practices, and university research teams that develop specific types of security software. There are, of course, other sources of intelligence that originate from government agencies and specialist consultancies, for example. Taking this into account, it can be suggested that managers need to adopt a pro-active approach to cyber security as resilience requires that intelligence-gathering involves the deployment of technology that has the power of human cognition and the ability to learn/reason and hear/see [3] (p. 109). An important point that surfaces, however, is that to be effective, organizational resilience needs to be placed within the context of how organizational staff coordinate investment in cyber security across the supply chain [4] (p. 169). Bearing this in mind, it is pertinent to suggest that cyber security management is to be viewed as a strategic-level capability [5], whereby security is linked with business continuity management and a set of procedures whereby security is placed within a crisis/disaster management setting. The case can be made, therefore, for a cyber security manager to be appointed to take charge of cyber security, which is at the heart of an organization's security [1].

Understanding the motivations of those who carry out a cyber attack means having an in-depth appreciation of human behavior and establishing what causes an individual to behave in an anti-social/illegal manner. The cyber security manager is, therefore, required to have an appreciation of human psychology and possess adequate knowledge of how cyber security policy is formulated and implemented, if they are to provide guidance and advice to a range of functional heads. If a data breach does occur and results in reputational damage and an increase in adverse publicity resulting from a fine imposed by regulators, then cascading effects may have a debilitating effect on the organization and its trading partners. It is for this reason that the cyber security manager needs to have both technical and managerial knowledge relating to cyber security or have expertise available to them that can be drawn on when necessary.

The remit of the cyber security manager is to work with other senior managers and devise, manage, and implement cyber security policy decisions across the organization's networks. The focus of the research is, therefore, to explain how different approaches to intelligence (i.e., the intelligence cycle and the critical thinking process) can be combined and linked with cyber threat intelligence (CTI), which utilizes AI. To explain this, we explore how the cyber security manager can draw on social interaction and establish how it drives cognition [6] (p. 306). This can be viewed as logical in terms of establishing organizational resilience because cyber security management requires the cyber security manager to develop and share cyber security knowledge with individuals that are viewed as first responders. Social interaction is enhanced through trust-based relationships and open communication between staff and provides the basis for institutionalized learning. This gives rise to a defined risk mitigation policy and strategy within partner organizations and the utilization of cyber security models [7].

In terms of AI-based cyber attacks, it can be argued that cyber security experts will be required to intensify their effort to develop AI defense systems [8]. This will require that risk mitigation strategies are put in place to counteract cyber attacks; it also will focus attention on cyber defense from an intellectually driven and holistic perspective. It is with this in mind that the focus of the paper was to outline how sociocultural intelligence can be combined with AI to increase the organizational cyber security provision and enhance an organization's level of resilience. In doing so, we focused our efforts on providing answers to two questions: (1) How can a non-security specialist develop their appreciation and understanding of resilience through undertaking threat intelligence? (2) How can knowledge regarding different types of AI help managers better understand the complexities associated with different algorithms and their functionality vis-à-vis different types of defense system?

To assist us in our task, we drew on the knowledge derived from a small group interview that involved an academic researcher discussing various aspects of intelligence in relation to organizational security with five experts. Each participant had spent over twenty years in security and had worked in different industries and was known to be an expert in the field of organizational resilience. We contribute to the field of cyber security management by combining elements of the intelligence cycle (IC) with the critical thinking process (CTP) [9] (p. 139) to produce a cyber threat intelligence cycle process (CTICP). This should enable staff to adopt a strategic cyber security intelligence perspective. We also highlight the importance of organizational learning and how it facilitates a higher level of intelligence that involves sociocultural interaction and thus makes the organization more resilient. The advantage of this approach is that we reflect on the interplay between centralized versus localized learning and how sociocultural intelligence is viewed as a necessary component of the strategic cyber security management process. Finally, through linking AI with sociocultural intelligence, we outline the steps in the cyber threat intelligence cycle process (CTICP) that enable managers across various industries to adopt a resilience-centric approach that hardens the organization.

#### **2. Background**

Bearing in mind that those carrying out cyber attacks are becoming more sophisticated and linked more firmly to those carrying out all types of scams, the cyber security manager needs to make a value judgement with regard to how cyber threat intelligence (CTI) is perceived by top management and how, because operant resources are scarce, staff can draw on technological aids such as artificial intelligence (AI) to enhance their cyber threat intelligence (CTI) decision-making capability. Hasan et al. [10] (p. 354) indicated that the advanced persistent threat (APT) is challenging organizational defenses because signature-based defense mechanisms are unable to respond in real-time to new types of malicious code/intelligent mutant codes. It is worth noting that "Conventional cybersecurity tools look for historical matches to known malicious code, so hackers only have to modify small portions of that code to circumvent the defense. AI-enabled tools, on the other hand, can be trained to detect anomalies in broader patterns of network activity, thus presenting a more comprehensive and dynamic barrier to attack" [10] (p. 354).
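As an added illustration of the contrast drawn above (this is not code from the paper or from Hasan et al.), the Python example below checks a constructed sample against a hash signature and then scores the host's network activity against a baseline learned from unlabelled data. All names, byte strings and activity figures are constructed, and the median/MAD score is a simple stand-in for the trained "AI-enabled" tools the quotation refers to.

```python
import hashlib
import statistics

# Constructed stand-ins: harmless byte strings play the role of a known
# sample and of a variant that differs from it by a single byte.
KNOWN_SAMPLE = b"constructed-sample-payload-A"
VARIANT = b"constructed-sample-payload-B"

# Signature database: SHA-256 digests of samples seen in the past.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

FEATURES = ("connections", "kb_out", "distinct_destinations")

# Constructed, unlabelled hourly activity for one host, assumed to be normal.
BASELINE_HOURS = [
    (42, 310, 9), (38, 280, 8), (45, 350, 11), (40, 300, 9),
    (47, 330, 10), (36, 270, 8), (44, 320, 10), (41, 305, 9),
]
NORMAL_HOUR = (43, 315, 10)     # constructed: an ordinary hour
SUSPECT_HOUR = (44, 52000, 9)   # constructed: large outbound transfer

THRESHOLD = 3.5   # assumed cut-off, a common choice for robust z-scores
MIN_SCALE = 1.0   # floor so a constant feature cannot divide by zero


def signature_match(blob: bytes) -> bool:
    """Historical match: true only if this exact content was seen before."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES


def fit_baseline(rows):
    """Learn per-feature median and scaled MAD from unlabelled activity."""
    model = {}
    for index, name in enumerate(FEATURES):
        values = [row[index] for row in rows]
        median = statistics.median(values)
        mad = statistics.median([abs(v - median) for v in values])
        # 1.4826 makes the MAD comparable to a standard deviation.
        model[name] = (median, max(1.4826 * mad, MIN_SCALE))
    return model


def anomaly_score(model, row):
    """Return (largest robust z-score, feature that produced it)."""
    scores = []
    for index, name in enumerate(FEATURES):
        median, scale = model[name]
        scores.append((abs(row[index] - median) / scale, name))
    return max(scores)


def is_anomalous(model, row, threshold=THRESHOLD):
    return anomaly_score(model, row)[0] > threshold


def assess(model, blob, row):
    """Combine both views of the same event for an analyst report."""
    score, driver = anomaly_score(model, row)
    return {
        "signature_hit": signature_match(blob),
        "anomalous": score > THRESHOLD,
        "driver": driver,
        "score": round(score, 2),
    }


if __name__ == "__main__":
    baseline = fit_baseline(BASELINE_HOURS)
    # The known sample is caught by its signature; the one-byte variant is
    # not, but the activity that accompanies it departs from the baseline.
    print("known  :", assess(baseline, KNOWN_SAMPLE, NORMAL_HOUR))
    print("variant:", assess(baseline, VARIANT, SUSPECT_HOUR))
```

The baseline is only as good as the hours used to fit it: if the training window already contains hostile activity, that activity becomes part of "normal".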

Surya [11] (p. 991) has provided a useful definition of AI: "Artificial intelligence (AI) refers to the technology involved in the development of smart machines and software. This includes the developments of applications and systems that can reason, collect intelligence, prepare intelligently, learn, interact, interpret, and manipulate objects". Hence, AI allows users of big data to capture data from a variety of sources, store the data, and apply analytics so that decision-makers can use the outcome [11] (p. 992) in a variety of contexts (e.g., tactical and strategic).

AI can help managers to interpret patterns of cyber attack, and the outcome of a cyber threat intelligence (CTI) analysis can be placed in report form so that senior managers can offer advice based on the type of threat identified with a view to utilizing operand and operant resources. In addition, those charged with managing security can interact more fully with other functional managers and establish how cyber threat intelligence (CTI) can be strengthened using AI. However, it is worth noting that although it is recognized that AI can be used to defend an organization against cyber attacks [12] (p. 363), there are a number of challenges that senior management need to overcome vis-à-vis the use of AI. One such problem is the gap in knowledge relating to what AI/ML represents and how AI/ML can be used by managers operating at different levels of authority. It is possible to suggest that the complexities associated with AI/ML may well militate against individual managers understanding how AI can be used. To overcome the likely resistance of using AI, we propose that managers first develop an appreciation of AI/ML and think of how AI/ML can benefit them in terms of their decision-making so that the day-to-day operations are reinforced through contingency plans.

Managers need to be mindful of the fact that AI is refined through the application of ML but "humans are able to understand the behavior of others in terms of their mental states-intentions, beliefs and desires-by exploiting what is commonly designated as 'folk psychology'" [13] (p. 279). By acknowledging this, managers can avoid the various pitfalls associated with the use of AI, especially the contradiction whereby chatbots are used to help individuals (i.e., those using an organization's website) to gain certain information by responding/acting in known and logical ways. Gallese [13] (p. 285) suggests that although it is possible to make sense of how people respond to an event, with regard to human social cognition, "Language is the most specific hallmark of what it means to be human". It is with this in mind that we reflect on and pose the question: how can sociocultural intelligence be linked with AI to increase an organization's resilience?

Before progressing, we consider it necessary to reflect on the notion of what resilience is and to have a clear understanding of what it incorporates. HSSAI [14] (p. 9) provides a useful definition of resilience by indicating that it is "the ability of a system to attain the objectives of resisting, absorbing, and recovering from the impact of an adverse event, before, during, and after its occurrence. It is also a dynamic process that seeks to learn from incidents to strengthen capabilities of the system in meeting future challenges. The goals are to maintain continuity of function, degrading gracefully, and recover system functionality to a pre-designated level, as rapidly as desired and feasible".

The focus is clearly to learn from an event/incident and to make sure that those with operational responsibility can "learn from incidents", as this is what machine learning sets out to achieve. In the context of organizational learning, whereby the focus of attention is on how an individual's skill level is enhanced, Argyris [15] (p. 8) provides guidance by indicating that: "Learning is defined as occurring under two conditions. First, learning occurs when an organization achieves what it intended; that is, there is a match between its design for action and the actuality or outcome. Second, learning occurs when a mismatch between intentions and outcomes is identified and it is corrected; that is, a mismatch is turned into a match".

Whether data are collected, analyzed, and interpreted by humans or are left to a machine(s) is not what is under consideration. What is important to acknowledge is that adequate resilience requires managers to consider how best to utilize intelligence and to make use of limited intelligence. McCreight [16] (p. 5) has offered a comprehensive view as to what resilience encompasses by indicating that there are five main dimensions of resilience, which are: personal and familial socio-psychological well-being; organizational and institutional restoration; economic and commercial resumption of services and productivity; restoring infrastructural systems integrity; and operational regularity of public safety and government. The five dimensions highlighted prove useful with regard to a manager developing a comprehensive understanding of what resilience involves and how to place resilience within an organization–government–society context. Whether the relationships developed are transactional in nature or transformational in nature depends upon the organization's value system, and the leadership style/model in place.

In order to utilize big data to counteract sophisticated cyber attacks, managers are paying increased attention to the capability of AI and its deployment. Hence, it is useful to acknowledge two main but contradictory issues: the volume of data that needs to be processed versus the time available to carry out an analysis, which yields an outcome that has relevance and can be acted upon. Additionally, attention needs to be given to the cost of hiring experts for labeling the data, which relates to the issue of supervised learning, semi-supervised learning, and unsupervised learning. In terms of cyber threat protection, deep learning (DL) is receiving renewed attention. For example, one area that needs immediate attention is ransomware attacks. Andrade and Yoo [17] (p. 2) noted that between 2014 and 2017, 327 families of ransomware were identified that accounted for 184 million attacks. Because cyber criminals are behind such attacks and do, of course, use technology to carry out their actions, it would be logical to suggest that advances in deep learning (DL) will help those involved in cyber security to protect computer systems and networks better. An interesting and relevant point raised by Andrade and Yoo [17] is how cyber security specialists can consider using psychology to enhance cyber security situation(al) awareness and they make clear that cognitive sciences can be utilized to enhance cyber security.

Bearing in mind that the focus of this paper was to deepen our understanding of cyber threat intelligence (CTI) and provide arguments as to how AI/ML can help senior managers to make an organization more resilient, we first need to take cognizance of what Dawson [18] (pp. 268–269) has said about an organization as it provides the basis for better understanding the relational processes that allow individual managers to utilize technology for the benefit of the organization and its partners, and at the same time, provide the basis for strategic cyber security management [1] that is aimed at safeguarding the organization against cyber attack. Dawson [18] (pp. 268–269) highlights seven points that epitomize an organization: (i) an interactive system (e.g., change in one aspect will have repercussions for another); (ii) high level of complexity (e.g., uncertainty is evident); (iii) there is no single way in which to manage a situation; (iv) resources are scarce; (v) different interest groups prevail (e.g., conflict, consensus and indifference are evident); (vi) constraints exist that affect action; and (vii) the level of the individual/group needs to be known in order to identify and solve problems. It is with these seven points in mind that we embrace the view that organizational resilience is dependent upon managers having a clear appreciation of what sociocultural intelligence involves and how AI can be utilized to enable managers to make more informed cyber security-based decisions.

#### **3. Placing Sociocultural Intelligence in Perspective**

The concept of sociocultural intelligence has been gaining momentum over a number of years and it is clear that the field of intelligence is expanding, and new perspectives are being offered that allow managers such as the cyber security manager to comprehend how intelligence is managed across organizational networks. To ensure that AI is not misused, we advocate a cautious and incremental approach to its use but also advise a wider understanding of AI's application in terms of intelligence provision. What can be deduced from the study of intelligence is that sociocultural intelligence (SOCINT) is purported to include "the process of directing, collecting data related to any of the social sciences, analyzing, producing, and then disseminating such data for situational awareness in any operational environment" [9] (p. 11). This is a well-known and accepted view. To better understand the antecedents of cyber threat intelligence (CTI), we suggest that managers take cognizance of the intelligence cycle (IC) process and the critical thinking process (CTP), as outlined by Patton [9] (p. 139). The intelligence cycle (IC) is known to be composed of five separate but linked stages including (i) planning and direction; (ii) collection; (iii) processing; (iv) analysis and production; and (v) dissemination. The critical thinking process (CTP) is known to include eight separate but linked stages: (i) purpose; (ii) question at issue; (iii) information; (iv) interpretation and inference; (v) concepts; (vi) assumptions; (vii) implications and consequences; and (viii) point of view. By merging the intelligence cycle (IC) with the critical thinking process (CTP), it should be possible to establish how AI can be utilized by managers to better understand the role that cyber threat intelligence (CTI) plays and how it is to be managed across organizations.
Before we explain this, we need to understand how the differences in learning capabilities associated with AI/ML can be drawn on to provide an intelligence focused appreciation, leading to an enhanced appreciation of resilience. To achieve this, we focused on AI/ML in relation to business so that managers in charge of various business functions can relate better to the learning capabilities afforded by AI/ML, and not worry too much about the technical aspects. Should managers need to, they can deepen their knowledge of AI/ML by consulting those with expert knowledge and/or attend specialist courses of study.

#### **4. Algorithms and Their Learning Capability**

Deep learning (DL) is a subset of AI, and it structures algorithms in layers to create an artificial neural network (e.g., a human brain) for filtering information and learning from it and making intelligent/informed decisions. DL applies ML to large datasets. ML uses algorithms to analyze, learn from the data, and make decisions based on the learning. Both DL and ML are subsets of AI. It is useful to note that different algorithms have their own unique functionality and capability for learning, some of which can be used for specific tasks. Table 1 shows different forms of learning in DL. AI systems can be divided into three types: narrow AI (which is goal-oriented and programmed to perform a single task); general AI (representative of a machine that can learn, understand, and act in a way similar to that of a human in a given situation); and super AI (a hypothetical AI where a machine exhibits intelligence that surpasses the brightest humans).

**Table 1.** The different types of learning associated with functionality/capability.


Source: The authors.

Managers in various industries such as banking, the motor industry, and health care have paid careful attention to AI implementation in relation to learning capabilities. Retailers utilize augmented reality for a better image (e.g., ASOS visual search [22]), and some retailers such as M&S and Kohl's have partnered with Snapchat and implemented a virtual fitting room [23]. The use of an avatar, a virtual character, with virtual reality and/or with a chatbot, is also gaining the attention of an increasing number of managers in business. It allows them to create virtual social touch points as well as create entertaining effects that result in a richer customer experience and higher customer engagement [24–26].

The application of methods and algorithms in AI/ML varies and produces a specific effect in the way in which the interaction process with end users is managed. Different algorithms also have implications for the types of data that are needed and how the data are captured and analyzed. AI is concerned with designing intelligent systems that exhibit characteristics associated with human intelligence and behavior and involves cognitive processes such as adapting to the latest information and problem-solving [27]. AI's capability varies. For example, Google Home and Alexa integrate AI and advanced analytics (ML algorithms); chatbots sense the context of the conversation but cannot perform a set of activities on their own; virtual assistants (e.g., Alexa, Apple Siri, Google Assistant or Cortana) carry out daily activities such as handling emails or scheduling meetings and can crawl through existing resources for a range of requests but, with regard to customer service, cannot resolve queries on their own [28]; and friendly conversational chatbots such as Mitsuku and Replika, which are humanoid AI, are able to respond to emotional verbal reactions in a meaningful way [29,30]. What can be noted from this is that the communication process between a potential customer and the organization itself can be enriched by staff providing reassurance about the organization in terms of its resilience, which is mapped to an end user's understanding of security awareness. From this, we can identify the following question: how can an individual's learning capability be enhanced through using AI/ML? Finding an answer is important because managers need to link AI learning with the analysis of data and the interpretation of data so that the intelligence derived can be evidence based and used to underpin various plans/strategies.
However, we stress that it is not just about AI enhancing what the organization is in terms of its commitment to dealing with customer requests or undertaking cyber threat intelligence (CTI) analysis. It is more about assuring external individuals that the staff are pro-active in terms of security awareness and can link the need for intelligence with the learning capability of those interested in buying the company's products and services, so they feel confident in buying from the company and avoid buying from rogue websites.

Learning can, according to Campbell et al. [31] and Ma and Sun [19], be divided into four types: supervised learning; semi-supervised learning; unsupervised learning; and reinforcement learning. In supervised learning, an expert trains the system by feeding it labeled training data and defines variables for the algorithms, whereas in the case of unsupervised learning, the machine can learn inductively from unlabeled/unorganized data by analyzing the datasets to draw meaningful correlations or inferences by identifying hidden groups or grouping patterns. It can be noted that reinforcement learning (RL) is behavior-driven auto-learning where the algorithm/model (called the agent) learns from interaction with its environment (by choosing from a set of possible actions) and from the outcome of those actions. Sequential order and time play an important role in reinforcement learning: each action is linked with a reward or penalty depending on the correctness of the performance, and the agent attempts to maximize the cumulative number of rewards.

The functions of AI/ML in an online business context can be grouped. For example, the basic mechanical function is an analytical tool, and the intuitive function includes humanoid AI [32]. Understanding different functions of AI/ML is useful as it helps managers to choose appropriate AI/ML tools in relation to the company's positioning strategy. We reiterate that the positioning strategy links learning with security awareness and is derived from the leadership style/model and organizational value system.

With regard to the basic mechanical function, it is based on rule-based learning at the minimum and relies on prior knowledge to perform repeated routines and/or transactional tasks (e.g., search engine used by Google or Bing). The analytical function relates to how information is processed for problem-solving in logical reasoning and how AI/ML tools learn from it. It is advanced, rule-based learning that carries out complex tasks and executes rational decisions (e.g., Deep Blue, IBM's chess player). The intuitive function incorporates digital technology that can mimic a human's learning intuitively. It is this, we feel, that can be used to ensure that sociocultural intelligence can be harnessed to get an individual to look more deeply at the issues relating to cyber threat intelligence (CTI) and map the outcomes to their own level of security awareness. Table 1 outlines the different types of AI/ML associated with learning and their use in business and is for illustrative purposes only. The differences in supervised learning, semi-supervised learning, unsupervised learning, and reinforcement learning are discussed next.

#### *4.1. Supervised Learning*

There are various algorithms for supervised learning, such as a neural network (which has layers of nodes and trains data by mimicking the connectivity of the human brain, with each node made up of inputs, weights, a threshold (bias), and an output); K-nearest neighbors (for prediction); naïve Bayes (a classification method that is well used for text mining, spam filtering, and recommender systems); linear regression (used to identify relationships between a dependent and one or more independent variables); logistic regression (used to produce binary output by leveraging linear regression); support vector machine (SVM) (used for both data classification and regression, and especially useful for finding the decision boundary that separates classes of data points); and decision tree (based on one input variable, each step splits an existing subset into two, and it has the capability of intuitive interpretations) [19,33].

With respect to the analytical function of AI and ML, there are various levels of sophisticated applications [33,34]. For example, a convolutional neural network (CNN) is normally used for visual image analysis, classification, media recreation, and recommender systems, whereas a recurrent neural network (RNN) uses sequential data and is distinguished by memory, in that prior inputs influence the current input and output [19,35]; the outcome can vary depending on the type of RNN, such as music generation, sentiment classification, and machine translation (e.g., IBM Watson Studio and Watson Machine Learning) [36]. The use of supervised learning in retail allows managers to use a shopper's basket datasheet to further define sub-segment groups by using the price of each product and the budget of an individual. It helps to uncover demand patterns for different products at different stores. For example, the combination of regression techniques may allow a retailer to predict the probability of a target variable (e.g., predict churn and switching behavior) that measures the satisfaction and engagement in the website characteristics and demographic information. This can be considered as confidence building from the perspective of the customer and provides them with a sense of well-being. However, supervised learning requires knowledge and the time to train the model, which can result in human error, which affects whether the algorithm performs as expected. Reflecting on this point, it can be suggested that should an error occur for whatever reason, it is likely that the end user will become less trusting of the technology and therefore seek to purchase another company's product/brand.
