
When Systems Resume but Trust Does Not

  • Writer: RIZOM
  • Jun 11

Cyber resilience may depend less on restoring operations than on creating the conditions for return.


Cyber incidents are most often discussed in terms of compromised systems, disrupted services, financial losses and regulatory consequences. A growing body of research points to a parallel reality: cyber incidents are also human events.



Opening a recent cyber trauma workshop at Aston Business School, Dr Laura Di Chiacchio highlighted research linking many cyber incidents to human factors, alongside evidence showing the enduring strain that cyber events can place on individuals and organisations long after systems have been restored.


One point proved especially striking: technical recovery and trust recovery rarely move at the same speed. A system may be restored in days or weeks. Confidence takes on average up to six months to return.



Dr Di Chiacchio then introduced students to a model of psychological resilience. Following adversity, individuals do not follow a single recovery trajectory. Some regain equilibrium quickly. Others require longer periods of adjustment. Some emerge stronger than before. What differentiates these paths is not only the disruption itself, but the capacity to regulate emotion, process uncertainty and adapt over time.


Although developed to describe individuals, the model offered an illuminating lens through which to examine organisations. Cyber incidents are frequently treated as singular events. A ransomware attack occurs, systems are compromised, response plans are activated, and recovery begins.


Recovery, however, does not unfold along a single path.




One Incident, Multiple Recovery Journeys


As students assumed the roles of CEO, HR director, legal counsel, finance director, IT and ops director, head of communications, and B2B customer responding to the same ransomware incident, a pattern emerged. Every stakeholder was participating in the same event, yet each was recovering from a different disruption.


  • The customer worried about trust.

  • The HR leader worried about stability.

  • The finance director worried about survival.

  • The IT and ops director carried responsibility.

  • The legal counsel confronted liability and disclosure.

  • The communications director wrestled with credibility and public confidence.

  • The CEO confronted legitimacy.


The exercise suggested that cyber incidents generate multiple recovery journeys operating simultaneously within the same organisation.


To explore this further, students were asked two additional questions developed by RIZOM:

  • What has broken for this stakeholder?

  • What visible action would show stakeholders that trust is being repaired?


Deliberately, the answers did not focus on technology. Students consistently pointed toward confidence, responsibility, trust, psychological safety, legitimacy, communication, and meaning.


These elements rarely appear on operational recovery dashboards. They nevertheless shape whether people are willing to act, collaborate, decide, commit, and move forward together.



The Leadership Challenge of Return


This distinction becomes particularly important when considering leadership.

Leaders are often described as responsible for recovery. In practice, they are also participants in the disruption itself.


The chief executive confronting a major cyber incident experiences uncertainty alongside everyone else. Senior teams absorb pressure from regulators, customers, investors, employees and boards while attempting to maintain direction and coherence. Their own confidence, judgement and sense of control are tested precisely when others look to them for reassurance.


Resilient leadership therefore involves more than decision-making. It requires a form of organisational elasticity: the capacity to absorb disruption without transmitting panic, to acknowledge uncertainty without amplifying it, and to maintain coherence while the organisation searches for a new equilibrium.



This role cannot be fulfilled through operational metrics alone. Leaders must attend simultaneously to systems and to the human conditions that allow systems to function.



Beyond Business Recovery


The workshop exposed a distinction between two forms of recovery.

  • Business recovery focuses on restoring what can be measured: systems, services, compliance, operational continuity, and financial performance.

  • Human return concerns restoring what enables collective action: trust, confidence, psychological safety, legitimacy, responsibility, and shared meaning.


The gap between the two is the return gap.

The return gap is the distance between restored activity and restored confidence.


A business may resume operations while employees remain anxious, customers remain doubtful, leaders remain defensive and teams remain uncertain about what has really changed.


That gap matters because organisations do not operate only through processes. They operate through belief, confidence, trust, attention and shared meaning.

When those are damaged, the organisation may appear recovered from the outside while still carrying the imprint of the incident inside its working life.



From Recovery to Return


The Aston workshop was valuable because it made this visible.


By asking students to inhabit different stakeholder roles, the session showed that cyber resilience is not only a matter of response planning. It is also a matter of recognising the different forms of rupture that one incident creates.


For RIZOM, this is where the idea of organisational return becomes practical.

Return is not the same as going back to the previous state.

Return is the process through which an organisation re-establishes coherence after disruption.

It involves trust, clarity, emotional regulation, credible communication and visible acts of repair.


The practical questions for cybersecurity leaders are therefore not only whether the systems are working again. They are also:

  • Who has not yet returned?

  • Whose confidence remains damaged?

  • Where has truth become difficult to say?

  • What visible action would show that trust is being repaired?


These questions are not separate from cybersecurity. They are part of what cybersecurity becomes when the human factor is taken seriously.


The challenge for leaders is to restore operations while recognising, supporting and accelerating the conditions under which return becomes possible.



