Research unlocks agile cyber policy frameworks

While organisations routinely update operating systems and security tools, their policies often remain static until external mandates, such as ISO standards or regulatory bodies, force change. Meanwhile, cyber threats evolve daily, leaving outdated policies unable to address emerging risks.

This PhD research was led by ACS NSW member, Dr Masoud Afshari, and supervised by Professor Babak Abedin and Dr Ali Amrollahi, from Macquarie Business School, Macquarie University. It introduces the concept of agile cybersecurity policymaking, a dynamic process that enables organisations to interpret signals from their environment and translate them into timely policy updates. By making even the most stable elements of cybersecurity adaptive, this approach ensures policies can anticipate, mitigate, and deter incidents before they occur.

NSW Member Spotlight Dr Masoud Afshari
What inspired or triggered this line of research: was it a real-world incident, a technology gap, or a collaboration with partners?

This research was inspired by a clear gap in both scholarship and practice: the absence of data-driven agility in policymaking before disruptions occur. Most approaches to cyber resilience focus on agility during or after incidents, leaving organisations reactive rather than proactive. Yet, the pre-disruption phase is critical—where policy adjustments can prevent threats from materialising in the first place. Recognising this gap motivated me to explore how agility can be embedded at the very foundations of cybersecurity policymaking, enabling organisations to stay ahead of evolving risks rather than simply respond to them.

What exactly are you and your team developing, and how does it differ from or improve on current approaches in the field?

We are developing the concept of cybersecurity policymaking agility, which we define as an organisation’s ability to rapidly sense environmental changes and adjust policies in real time. Current frameworks such as NIST and ISO recommend periodic revisions—often every six or twelve months. Our approach shifts this model from periodic to continuous adaptation. By embedding agility, policies evolve in step with the threat landscape rather than lagging behind it. This offers organisations a proactive, resilient, and future-ready approach to cybersecurity governance. 

What obstacles have you and your team come across in your project?

The project progressed smoothly without major obstacles. However, one recurring challenge has been raising awareness among stakeholders that policies, often considered “static” and stable, must be treated as dynamic tools requiring regular adaptation.

Looking ahead, what are the next steps or opportunities for this research, and how might ACS Members get involved?

The next step is to develop practical frameworks and tools that organisations can adopt to build agility into their policymaking processes. This includes integrating data analytics, scenario planning, and feedback loops into governance structures. For ACS Members, there are opportunities to contribute by sharing industry case studies, collaborating on pilot projects, and testing these frameworks in real-world settings. Their input will be invaluable in ensuring the research translates into practical, impactful solutions for the Australian cybersecurity ecosystem.

 

Through our Academic Spotlight series, we highlight pioneering research emerging from Australia’s universities. These projects tackle some of the most pressing challenges facing industry and society, whether safeguarding critical infrastructure, securing the next generation of networks, or building trust in emerging technologies. By sharing the stories behind this work, we connect the ACS community with the ideas, people, and innovations shaping the future of technology and its impact on industry.