Comment by Katrin Amelang

The lecture by Laura Kocksch was an excellent way to continue our exploration of “Infrastructuring indeterminacies” this semester and to follow up on the previous talk by Phoebe Sengers, which had inspired us to think of infrastructures from their edges. This time, however, the focus was on a different kind of infrastructural edge or angle, namely small and medium-sized enterprises (SMEs) in Denmark and the question how they approach and implement cybersecurity.

Drawing on a six-month ethnographic study that complemented a larger-sample survey of Danish SMEs’ digital security practices in cooperation with the Danish Business Authority, Laura Kocksch gave us rich insights into the everyday arrangements and practicalities of (doing) cybersecurity. In detail, we got an impression of the small and specific physical arrangements of SMEs with their cramped office and production spaces, where cybersecurity is more a matter of spatial than technical control but also a matter of trust and shared responsibility in small teams with long-standing working relationships. We heard about SMEs’ search for the “right” (affordable and appropriate) IT service as well as their workarounds and alignment of formal and informal IT (security) systems. Moreover, we heard of their material and organizational tactics in negotiating normative ISO standards, moral judgements of experts and various knowledges of cybersecurity issues – including their own assessments of cybersecurity risks and their unease with problematic setups. In short, we learned not only that there can be good organizational reasons for questionable cybersecurity but also about the many efforts of SMEs infrastructuring the indeterminacies involved.

For this reason, the story Laura Kocksch told us was neither one that portrays SMEs as naïve or blames them for not meeting the standards designed for larger companies, nor one that simply hails workarounds as innovation. In the case of Danish SMEs, cybersecurity was less about a solid and formally tested infrastructure in terms of a comprehensive, well-assured barrier but about a fragile way of maintaining and holding things together, of being “good enough” in the face of limited financial and organizational resources and in the awareness of living with indeterminacies. Asking how to capture this mode of action, the everyday calibrating and mending on the ground that is intertwined with normative relations, Laura Kocksch brought her findings into conversation with the research literature that explores and rethinks innovation, maintenance and repair – for instance, using terms like “material fragility” (Denis & Pontille) or “broken world thinking” (Jackson). In doing so, she questioned a narrow understanding of repair as fixing or of maintenance as preservation as well as the apparent solidness of cybersecurity infrastructures in general. Taken together, the lecture made SMEs a more serious case – to argue with and go beyond: on the one hand, for state-related actors concerned with security as a matter of regulation and formalization; on the other hand, for us as STS researchers in terms where we devote our attention. Regarding the first point, the collaborative practices of the research project are worth mentioning, e.g. the “Dilemma Game” developed on basis of research findings and played with collaborators from the Danish Business Authority and the Business Forum for Digital Security (who, incidentally, also proposed rather unstandardized solutions given the dilemmas of SMEs). The second point concerns a renewed invitation to study the more boring sides of computer technologies/infrastructures and to combine this with broken world thinking. By presenting cybersecurity as indeterminate and as part of indeterminate infrastructures, Laura Kocksch made a convincing case for understanding digital security practices (not only those of SMEs) as fragile, conflicted and “beyond repair”.