Lessons from small and highly-digitalised Estonia: Decision-making in the aftermath of cybersecurity crises

Abstract

As governments across the world increasingly undergo digitalisation processes, ensuring cybersecurity of these provisions cannot be 100% guaranteed. How, then, can governments best respond to a cybersecurity crisis in order to bolster cybersecurity in the future? Even Estonia, one of the earliest and most pervasive examples of e-governance globally, has not been without cybersecurity crises. Using four key Estonian examples, this paper examines the components of government decision-making in the aftermath of cybersecurity crises, which aim to bolster future cybersecurity. Three key approaches emerged from the crises examined: 1) decision-making is derived from prior knowledge and experience; 2) communications around cybersecurity crises is clear, coordinated, and transparent; and 3) innovation and planning should take place in times of non-crisis, as crises often expedite decision-making. Ultimately, this paper offers insight into how governments can make decisions following cybersecurity crises, in contexts beyond Estonia, as they undergo digitalisation processes and increasingly face cyberattacks.