Beyond Security: A Qualitative Study of Cyber Resilience Across the Software Development Lifecycle in German Organisations

As digital products become increasingly embedded in organisational operations, cyber resilience – the ability to anticipate, withstand, recover from and adapt to cyber disruptions – has become essential. This paper investigates how professionals in German organisations interpret cyber resilience within the software development lifecycle and how socio-technical factors influence its implementation. Drawing on the MITRE Cyber Resiliency Engineering Framework for data collection and coding on Socio-Technical Systems as an interpretive lens, the study adopts a qualitative approach based on semi-structured interviews with 14 professionals across five organisations. The findings reveal a pronounced socio-technical imbalance: while technical measures centred on anticipate and withstand are comparatively established, the corresponding social factors – shared understanding, dedicated responsibility structures, and systematic learning – remain underdeveloped. These conditions are compounded by resource constraints and the absence of strategic prioritisation. Six exploratory hypotheses capture these patterns and offer empirically grounded starting points for future research on product-level cyber resilience.