A doctoral dissertation by Mikko Suorsa , to be defended at the University of Vaasa, Finalnd, reveals that the energy retail sector is an essential yet vulnerable part of the energy industry’s value chain and of critical infrastructure. Having received comparatively little attention in cybersecurity efforts, the sector requires strengthened resilience, and the study introduces concrete methods to achieve this. It is one of the first studies to focus specifically on energy retail organisations.
While energy generation and transmission grids have traditionally been strictly protected as part of critical infrastructure, the cybersecurity of the energy retail sector has received far less attention. This dissertation, in the field of industrial management, shows that the sector is increasingly targeted by hybrid threats and cyberattacks: retail organisations process sensitive personal, consumption and location data of millions of Europeans and are closely interconnected with broader energy systems that are essential for the continuity of societal functions.
– Deficiencies in cybersecurity resilience can provide attackers with a pathway into the entire energy value chain, as retail organisations are closely connected to critical systems. Such breaches can lead to identity theft, disrupt commercial operations and cause significant financial losses, as well as weaken critical infrastructure and the resilience of essential societal functions. Cyber operations during the war in Ukraine have demonstrated that attacks targeting IT systems can also enable access to operational technology systems controlling power generation and transmission, Suorsa warns.
As a solution, Suorsa proposes a comprehensive approach to cybersecurity management that strengthens a company’s ability to withstand disruptions and recover quickly as part of maintaining critical infrastructure. The study also provides senior management with tools to address increasingly stringent regulatory requirements, such as the EU’s NIS2 Directive.
– Cybersecurity is a strategic factor for business continuity, not merely a concern for the IT department. A strong security culture develops when cybersecurity is integrated into management objectives and positive employee behaviour is systematically recognised. Personnel should also be actively encouraged to report risks and security incidents, Suorsa emphasises.
The research provides three key tools for strengthening cyber resilience:
– Without cyber resilience, even a minor security incident can escalate into a major disruption, halt commercial operations, compromise customer data and damage a company’s reputation and business continuity. From a critical infrastructure perspective, such impacts can extend to society as a whole. Conversely, strong cyber resilience enables an energy company to withstand cyberattacks and recover relatively quickly with minimal impact, Suorsa concludes.
Suorsa, Mikko (2026) Strengthening Information Security Resilience in the European Energy Retail Sector: A Multi-Method Study of Cultural Factors, Critical Controls, and Key Risks. Acta Wasaensia 582. Doctoral dissertation. University of Vaasa.
The public examination of M.Sc., M.Sc. (Admin.) Mikko Suorsa’s doctoral dissertation “ Strengthening Information Security Resilience in the European Energy Retail Sector: A Multi-Method Study of Cultural Factors, Critical Controls, and Key Risks” will be held on Monday 8 June 2026 at 12 at the University of Vaasa, auditorium Nissi.
It is possible to participate in the defence also online:
https://uwasa.zoom.us/j/69254657230?pwd=eC2w2wHnY3i0VqG4nasyIItpgYqaoc.1
Password: 355083
Professor Kimmo Halunen (University of Oulu) will act as opponent and Professor Petri Helo as custos.
Mikko Suorsa (M.Sc. Admin., M.Sc. Econ.) graduated with a Master of Administrative Sciences in 2007 (Public Management) and a Master of Science in Economics and Business Administration in 2009 (Industrial Management) from the University of Vaasa. Suorsa currently serves as a Business Information Security Officer (BISO) at the energy company Vattenfall in Germany.