Cyber situation awareness during an emerging cyberthreat: New study in the International Journal of Information Security
30 September, 2025
How do organizations actually handle a large-scale cyber incident when the "internet is on fire"? A new study from the Center for Security and Resilience at the Stockholm School of Economics provides an inside look at how a major Swedish public sector organization responded to the Log4Shell vulnerability - one of the most critical cybersecurity threats of the past decade.
Drawing on semi-structured interviews and organizational documentation, the study provides a rare inside look at how staff developed cyber situation awareness during an ongoing cybersecurity incident. The researchers examined how teams established (and struggled with) common operational pictures, and how issues of information sharing influenced decision-making in real time.
Three key challenges stood out:
- Information sharing was not seamless in the large and complex organization.
- There was no organization-wide common operational picture, which meant that different teams worked from different perspectives.
- Inaccurate or delayed information sometimes triggered actions that, in hindsight, could have been managed differently.
By highlighting these dynamics, the study offers valuable lessons for practitioners in cybersecurity, crisis management, and organizational resilience. It underscores both the challenges and the learning opportunities that arise when organizations must respond to rapidly evolving threats.
Research team
- Annika Andreasson (Stockholm School of Economics)
- Henrik Artman (KTH Royal Institute of Technology)
- Joel Brynielsson (KTH Royal Institute of Technology & FOI)
- Ulrik Franke (Swedish Defence University & KTH Royal Institute of Technology)
