Journal of Information Technology in Construction
ITcon Vol. 31, pg. 332-352, http://www.itcon.org/2026/14
Pathways to cyber peril: Ten configurational routes to cybersecurity breaches in the FM industry
| DOI: | 10.36680/j.itcon.2026.014 | |
| submitted: | December 2025 | |
| published: | March 2026 | |
| editor(s): | Turk Z | |
| authors: | Erika Anneli Parn, Research Scientist, Division of Engineering, New York University Abu Dhabi, United Arab Emirates, eap9920@nyu.edu; Muammer Semih Sonkor, Graduate Research Assistant, Division of Engineering, New York University Abu Dhabi, United Arab Emirates, semih.sonkor@nyu.edu; Borja García de Soto, Associate Professor, Division of Engineering, New York University Abu Dhabi, United Arab Emirates, garcia.de.soto@nyu.edu; Soheila Kookalani, Research Associate, Civil Engineering Department, University of Cambridge, United Kingdom, sk2268@cam.ac.uk | |
| summary: | Facilities Management (FM) is undergoing a rapid transformation driven by the adoption of IoT devices, building management systems, and building information models. This disruptive shift introduces significant cybersecurity threats, posing risks to safety, data privacy, and operational continuity. This paper investigates which specific configurations of organizational, technological, and human factors lead to cybersecurity breaches within FM environments. Moreover, there is a notable gap within the FM literature in terms of comprehensive understanding and strategic readiness regarding cybersecurity threats. To address this gap, this paper presents findings from an extensive survey involving 114 FM professionals who experienced cybersecurity breaches. A Fuzzy-set Qualitative Comparative Analysis (fsQCA) was utilized to identify ten distinct pathways and combinations of organizational, technological, and human factors that commonly lead to cybersecurity incidents. The analysis revealed ten distinct configurations where limited internal preparedness, financial constraints, and insufficient awareness converge to create sufficient conditions for a breach. These findings provide FM practitioners and security officers with a diagnostic taxonomy of "vulnerability profiles," allowing them to prioritize interventions based on their specific organizational constraints. This research establishes a foundation for longitudinal studies to test how these breach configurations evolve as FM systems become increasingly autonomous and integrated. | |
| keywords: | facilities management, cyber security, fsQCA, configurational analysis, organizational theory, digital asset management | |
| full text: | (PDF file, 0.885 MB) | |
| citation: | Parn, E. A., Sonkor, M. S., García de Soto, B., & Kookalani, S. (2026). Pathways to cyber peril: Ten configurational routes to cybersecurity breaches in the FM industry. Journal of Information Technology in Construction (ITcon), 31, 332-352. https://doi.org/10.36680/j.itcon.2026.014 | |



