Determining Training Needs for Cloud Infrastructure Investigations using I-STRIDE

As more businesses and users adopt cloud computing services, security vulnerabilities will be increasingly found and exploited. There are many technological and political challenges where investigation of potentially criminal incidents in the cloud are concerned. Security experts, however, must still be able to acquire and analyze data in a methodical, rigorous and forensically sound manner. This work applies the STRIDE asset-based risk assessment method to cloud computing infrastructure for the purpose of identifying and assessing an organization's ability to respond to and investigate breaches in cloud computing environments. An extension to the STRIDE risk assessment model is proposed to help organizations quickly respond to incidents while ensuring acquisition and integrity of the largest amount of digital evidence possible. Further, the proposed model allows organizations to assess the needs and capacity of their incident responders before an incident occurs.Comment: 13 pages, 3 figures, 3 tables, 5th International Conference on Digital Forensics and Cyber Crime; Digital Forensics and Cyber Crime, pp. 223-236, 201

The value relevance of an official press release of a security breach and complementarities between the content elements of the release

The importance of signaling to inform the public of a security incident occurrence at a firm through an official press release is discussed. The majority of prior research has discussed the impact of public knowledge of a security incident occurrence on the share prices of a firm. This study analyzes two competing models of the relationship between a firm’s reputation and the firm doing a press release, and the subsequent impact on the market valuation of the firm. Content of the press release that is specific to information security, overt CEO involvement and transparency in data affected, serves as an additional signal for the market. A switching regression model of 169 security incidents (with and without an official press release) versus a Heckman Sample Selection model of 111 security incidents (with an official press release) of publicly traded firms between 2014 and 2021 upholds the logic of the signaling characteristic of the decision to do an official press release with respect to the reputation of the firm. The roles of overt CEO involvement and transparency in data affected under this framework is statistically significant

Mitigating Information security risks during the Transition to Integrated Operations: Models & Data

This research studies the change of information security risks during the transition toIntegrated Operations (an operation extensively utilize advanced information communicationtechnology to connect offshore facilities and onshore control centers and even vendors.) inNorsk Hydro, a Norwegian oil and gas company. The specific case for this study is a pilotplatform in transition to Integrated Operations, Brage: twenty traditional work processes areto be replaced by new work processes. The operators on the Brage platform have to build uprelevant new knowledge to work effectively with new work processes. The new workprocesses, new knowledge and their interrelationship all affect information security risks.The management of Norsk Hydro is concerned with the problem of the increasinginformation security risks, which might cause incidents with severe consequences. We lookfor policies that support a successful (smooth and fast) operation transition.System dynamics is adopted in this research to model the causal structure (mechanism) ofthe operation transition. We chose system dynamics because operation transition is a processrich in feedback, delays, nonlinearity and tradeoffs. All these features are captured by systemdynamics models. Moreover, system dynamics models can be used to simulate variousscenarios. The analyses of these scenarios can lead to insights on policy rules. Wespecifically investigate policies concerning transition speed, resource allocation during thetransition to Integrated Operations and investment rules in incident response capability.Since historical time series data about incidents and information security risks are scarce, weuse following model-based interventions to elicit structural information from our client andexperts:May 2005 First group model-building workshop Problem articulationSep 2005 Second group model-building workshop Model conceptualizationDec 2005 Model-based interview Model formulationYear 2006 Series of model-based meetings Model refinementNov 2008 Model-based interview Model validationThe Brage model was developed and validated through these model-based interventions. Theanalyses of various simulation results lead to the following policy insights: 1. Transition speed. The operation transition should be designed with a speed that allowsthe operators not only to get familiar with new work processes, but also to build up thedetailed knowledge supporting these work processes. The relevance of such knowledge,which is mostly tacit, is sometimes underrated. If the operators only know what to do,but not how to do it effectively, the benefit of the new technology (embedded in the newwork processes) will not be fully realized, and the platform will be more vulnerable toinformation security threats.2. Resource allocation. Resources (operators’ time) are needed to learn new work processesand to acquire related knowledge. Generally, the operators will first put their time intoachieving the production target. Investment on learning activities will not be prioritizedif these activities hinder reaching the production target, even if the operators know thisshort-term performance drop is the cost for obtaining long-term higher performance.Nevertheless strategic decision should never be influenced by operative goals and highlevel managements should be responsible to make decisions on whether focusing onlong-term profits and accept short-term performance drop as a trade-off.3. Investment in incident response capability. The management in Norsk Hydro is aware ofthe increasing information security risks changing from unconnected platforms tointegrated ones. However, investment in incident response capability to handleincreasing incidents is not made proactively. Only if the frequency of incidents hasincreased or severe incidents has occurred or the incident cost have been proved high,will the management decide to invest more on incident response capability. The Bragemodel simulations illustrate that these reactive decision rules will trap the managementinto ignoring the early signs of increasing information security risks, and causeunderinvestment, which results in inadequate incident response capability, andsubsequently leads to severe consequence. Proactive decision rules work effectively inreducing severity of incidents.This work helps our client in two ways. First, the model-based communication helps themanagement in Norsk Hydro clarify the problem it is facing and understand the underlyingmechanism causing the problem. There is an increased insight into the relevance of newknowledge acquisition. Second, the Brage model offers the management a tool to investigatethe long-term operation results under different policies, thus, helping improve themanagement decision process. This work contributes to the information security literature in three ways. First, previousresearch in information security is mostly on risk assessment methodology and informationsecurity management checklist. The dynamics of information security risks during theoperation transition period has not been well studied before. In this fast changing society,this aspect of changing information security risks is of importance. Second, we introduce adynamic view with the long-term perspective of information security. Although incidentshappen in random manner, the underlying mechanism that leads to such incidents oftenexists for a period. Understanding such mechanism is the key to prevent incidents. Last, butnot least, we demonstrate how formal modeling and simulation can facilitate the building oftheories on information security management. Information security management involvesnot only “hard” aspects, such as work processes and technology, but also “soft” aspects, suchas people’s awareness, people’s perception, and the cultural environment, - and all of whichchange over time. These soft aspects are sometimes the major factors affecting informationsecurity.This work also contributes to the system dynamics literature by adding examples of howmodel-based interventions are used to identify problems, conceptualize and validate models.The activities of group model-building workshops and model validation interviews arecarefully documented and reflected. It is an important step towards the accumulation ofknowledge in model-based intervention

Rethinking Security Incident Response: The Integration of Agile Principles

In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate that fundamental problems exist with the application of current linear plan-driven security incident response approaches being applied in many organizations. Researchers argue that traditional approaches value containment and eradication over incident learning. While previous security incident response research focused on best practice development, linear plan-driven approaches and the technical aspects of security incident response, very little research investigates the integration of agile principles and practices into the security incident response process. This paper proposes that the integration of disciplined agile principles and practices into the security incident response process is a practical solution to strengthening an organization's security incident response posture.Comment: Paper presented at the 20th Americas Conference on Information Systems (AMCIS 2014), Savannah, Georgi