This study examines the creating of strategic situation picture of cyber security based on a SWOT framework. The purpose of the study is to explore the applicability of SWOT as part of the strategic situation picture process in an organizational context. The strategic situation picture of cyber security has not been studied much and the strategic consideration of cyber security is still limited, although there is a growing interest in taking it into account, so the research topic is important.
The theoretical background of the study consists of a literature review and definition of SWOT analysis, situational awareness and understanding, special characteristics of the cyber environment such as reporting, cyber threats and strategic situation picture. The theoretical part of the study provides a background to the research itself, gives the reader sufficient basic in-formation on the research topic and opens the terminology used in the study. The research method used in this study is Design Science Research. The data used in empirical part are from publicly available cyber security reports produced by cyber and information security companies, which contain threat intelligence information on the cyber environment.
The content of the reports was analyzed using SWOT and the findings were used to create a strategic situation picture of cyber security on organizational level. The results of the analysis and the generated situation picture proved that the SWOT framework can be used as part of the strategic situation picture, but as such it is not the most optimal framework for analyzing such a specific topic. It was difficult to thematize the findings, e.g. in terms of opportunities, in the framework.
In conclusion, a modified SWOT, named by SWCT, framework was developed, replacing opportunities with countermeasures, and specifying threats as cyber threats. In addition to the SWCT framework, a strategic situation picture template was developed for the general use of organizations’. These developments will better address the need to detect, understand and assess the implications of the situation under consideration for the future of the organization.