
An iterative five-phase process model to successfully implement AI for cybersecurity in a corporate environment

Author

Listed:
  • Sarah K. Lier

    (Leibniz University Hannover)

  • Tjelve M. Eppers

    (Leibniz University Hannover)

  • Jana Gerlach

    (Leibniz University Hannover)

  • Pascal Müller

    (Leibniz University Hannover)

  • Michael H. Breitner

    (Leibniz University Hannover)

Abstract

While traditional cybersecurity approaches effectively address static or well-known threats, they often struggle to keep pace with the rapidly evolving threat landscape. New research highlights that increasing sophistication and dynamism in cyberattacks require adaptive and proactive measures, such as artificial intelligence (AI) applications and services, to complement conventional methods. AI for cybersecurity is needed to respond efficiently and reliably to threats and attacks, to detect dynamic threats faster, to analyze more precisely, and to enable adaptive protective measures that outperform conventional approaches. We identified research needs for AI in cybersecurity that need to be addressed by implementing respective AI applications and services. Companies and organizations need further research and company-centric approaches. We address AI for cybersecurity through a literature review and semi-structured expert interviews in a design science research–oriented framework. We identify typical implementation steps, deduce critical process phases, and develop a new process model to successfully implement AI for cybersecurity, including five process phases and 19 process steps. Our iterative five-phase process model provides a structured framework that is flexible to adapt to specific and general requirements, focuses on iterative evaluations; addresses cost, functional requirements, certifications, and environmental impact; facilitates early risk identification; and strengthens resilience against cyberattacks. Furthermore, we deduce seven key performance indicators to support a quantitative assessment of AI’s efficiency and effectiveness, allow benchmarking, and develop best practices. Finally, we provide limitations and a further research agenda.

Suggested Citation

  • Sarah K. Lier & Tjelve M. Eppers & Jana Gerlach & Pascal Müller & Michael H. Breitner, 2025. "An iterative five-phase process model to successfully implement AI for cybersecurity in a corporate environment," Electronic Markets, Springer;IIM University of St. Gallen, vol. 35(1), pages 1-21, December.
  • Handle: RePEc:spr:elmark:v:35:y:2025:i:1:d:10.1007_s12525-025-00802-x
    DOI: 10.1007/s12525-025-00802-x

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s12525-025-00802-x
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.



    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Zhang, Dongkuan & Anjum, Tanzila & Chu, Zhiqiang & Cross, Jeffrey S. & Ji, Guozhao, 2025. "Simulation of multiphase flow with thermochemical reactions: A review of computational fluid dynamics (CFD) theory to AI integration," Renewable and Sustainable Energy Reviews, Elsevier, vol. 221(C).
    2. Rainer Alt, 2022. "Electronic Markets on AI and standardization," Electronic Markets, Springer;IIM University of St. Gallen, vol. 32(4), pages 1795-1805, December.
    3. Leonardo Banh & Gero Strobel, 2023. "Generative artificial intelligence," Electronic Markets, Springer;IIM University of St. Gallen, vol. 33(1), pages 1-17, December.
    4. Christian Meske & Babak Abedin & Mathias Klier & Fethi Rabhi, 2022. "Explainable and responsible artificial intelligence," Electronic Markets, Springer;IIM University of St. Gallen, vol. 32(4), pages 2103-2106, December.
    5. Julia Brasse & Hanna Rebecca Broder & Maximilian Förster & Mathias Klier & Irina Sigler, 2023. "Explainable artificial intelligence in information systems: A review of the status quo and future research directions," Electronic Markets, Springer;IIM University of St. Gallen, vol. 33(1), pages 1-30, December.
    6. Isabel Bezzaoui & Carolin Stein & Christof Weinhardt & Jonas Fegert, 2025. "Explainable AI for online disinformation detection: Insights from a design science research project," Electronic Markets, Springer;IIM University of St. Gallen, vol. 35(1), pages 1-28, December.
    7. Eduard Hartwich & Alexander Rieger & Johannes Sedlmeir & Dominik Jurek & Gilbert Fridgen, 2023. "Machine economies," Electronic Markets, Springer;IIM University of St. Gallen, vol. 33(1), pages 1-13, December.
    8. Johannes Jakubik & Michael Vössing & Niklas Kühl & Jannis Walk & Gerhard Satzger, 2024. "Data-Centric Artificial Intelligence," Business & Information Systems Engineering: The International Journal of WIRTSCHAFTSINFORMATIK, Springer;Gesellschaft für Informatik e.V. (GI), vol. 66(4), pages 507-515, August.
    9. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    10. Radha Mookerjee & Jayarajan Samuel, 2023. "Managing the security of information systems with partially observable vulnerability," Production and Operations Management, Production and Operations Management Society, vol. 32(9), pages 2902-2920, September.
    11. Yan Chen & Dennis F. Galletta & Paul Benjamin Lowry & Xin (Robert) Luo & Gregory D. Moody & Robert Willison, 2021. "Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model," Information Systems Research, INFORMS, vol. 32(3), pages 1043-1065, September.
    12. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    13. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    14. Chao Luo & Hiroyuki Okamura & Tadashi Dohi, 2016. "Optimal planning for open source software updates," Journal of Risk and Reliability, , vol. 230(1), pages 44-53, February.
    15. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    16. Doroudi, Sherwin & Avgerinos, Thanassis & Harchol-Balter, Mor, 2021. "To clean or not to clean: Malware removal strategies for servers under load," European Journal of Operational Research, Elsevier, vol. 292(2), pages 596-609.
    17. Anjuli Franz & Alexander Benlian, 2022. "Exploring interdependent privacy – Empirical insights into users’ protection of others’ privacy on online platforms," Electronic Markets, Springer;IIM University of St. Gallen, vol. 32(4), pages 2293-2309, December.
    18. Hung-Pin Shih & Wuqiang Liu, 2023. "Beyond the trade-offs on Facebook: the underlying mechanisms of privacy choices," Information Systems and e-Business Management, Springer, vol. 21(2), pages 353-387, June.
    19. Yukthakiran Matla & Rohith Rao Yannamaneni & George Pappas, 2024. "Globalizing Food Items Based on Ingredient Consumption," Sustainability, MDPI, vol. 16(17), pages 1-22, August.
    20. Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.

    More about this item


    JEL classification:

    • L21 - Industrial Organization - - Firm Objectives, Organization, and Behavior - - - Business Objectives of the Firm
    • M15 - Business Administration and Business Economics; Marketing; Accounting; Personnel Economics - - Business Administration - - - IT Management
