Informal Learning in Security Incident Response Teams

Information security incident response is a critical security process for organisations aiming to provide an effective capability to recover from information security attacks. A critical component of security incident response methodologies is the ability to learn from security incidents on how to improve the incident response process in particular and security management in general. Best-practice methodologies and existing research in this area view the incident response process as highly formal and structured while providing recommendations on learning in formal feedback sessions at the conclusion of the incident investigation. This contrasts with more general organizational learning literature that suggests learning in organizations is frequently informal, incidental and ongoing. This research-in-progress paper describes the first phase of a project. Results from a focus group of experts indicates that response to incidents is largely informal suggesting a new Incident Response model is needed that incorporates informal learning practices

Incident Response Process Guidelines -For Information Security Management

ABSTRACT Attacks on information systems and networks have become more numerous, sophisticated, and severe in recent years. New types of securityrelated incidents emerge more frequently. While preventing such attacks would be the ideal course of action for organizations, not all information system security incidents can be prevented. Every organization that depends on information systems and networks to carry out its mission should identify and assess the risks to its systems and its information and reduce those risks to an acceptable leve

The duality of Information Security Management: fighting against predictable and unpredictable threats

Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side-effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation.Articles published in or submitted to a Journal without IF refereed / of international relevanc

Identifying the critical success factors to improve information security incident reporting

There is a perception amongst security professionals that the true scale of information security incidents is unknown due to under reporting. This potentially leads to an absence of sufficient empirical incident report data to enable informed risk assessment and risk management judgements. As a result, there is a real possibility that decisions related to resourcing and expenditure may be focussed only on what is believed to be occurring based on those incidents that are reported. There is also an apparent shortage of research into the subject of information security incident reporting. This research examines whether this assumption is valid and the potential reasons for such under reporting. It also examines the viability of re-using research into incident reporting conducted elsewhere, for example in the healthcare sector. Following a review of what security related incident reporting research existed together with incident reporting in general a scoping study, using a group of information security professionals from a range of business sectors, was undertaken. This identified a strong belief that security incidents were significantly under-reported and that research from other sectors did have the potential to be applied across sectors. A concept framework was developed upon which a proposal that incident reporting could be improved through the identification of Critical Success Factors (CSF’s). A Delphi study was conducted across two rounds to seek consensus from information security professionals on those CSF’s. The thesis confirms the concerns that there is under reporting and identifies through a Delphi study of information security professionals a set of CSF’s required to improve security incident reporting. An Incident Reporting Maturity Model was subsequently designed as a method for assisting organisations in judging their position against these factors and tested using the same Delphi participants as well as a control group. The thesis demonstrates a contribution to research through the rigorous testing of the applicability of incident reporting research from other sectors to support the identification of solutions to improve reporting in the information security sector. It also provides a practical novel approach to make use of a combination of CSF’s and an IRMM that allows organisations to judge where their level of maturity is set against each of the four CSF’s and make changes to strategy and process accordingly

A Coordinated Communication & Awareness Approach for Information Security Incident Management: An Empirical Study on Ethiopian Organizations

The coordination of communication and awareness efforts in the process of Information Security Incident Management (ISIM) has been identified as a critical means of enhancing information security protection in organizations. This paper aims to explore the nuances of organizational information security with respect to the coordination of communication and awareness efforts among organizational stakeholders towards achieving a shared, interactive, and participatory ISIM. According to the findings of the study in the organizations sampled, it has been identified that reporting, communication, and awareness efforts within ISIM were found to be largely uncoordinated. The exploratory findings provided a rationale for the proposal of a conceptual model. The model would unify and subsume situational awareness and interactive modes of communication toward improving the coordination of awareness and communication efforts among stakeholders in the management of information security incidents

Cyber onboarding is ‘broken'

Cyber security operations centre (CSOC) is a horizontal business function responsible primarily for managing cyber incidents, in addition to cyber-attack detection, security monitoring, security incident triage, analysis and coordination. To monitor systems, networks, applications and services the CSOC must first on-board the systems and services onto their security monitoring and incident management platforms. Cyber Onboarding (a.k.a. Onboarding) is a specialist technical process of setting up and configuring systems and services to produce appropriate events, logs and metrics which are monitored through the CSOC security monitoring and incident management platform. First, logging must be enabled on the systems and applications, second, they must produce the right set of computing and security logs, events, traps and messages which are analysed by the detection controls, security analytics systems and security event monitoring systems such as SIEM, and sensors etc.; and further, network-wide information e.g. flow data, heartbeats and network traffic information are collected and analysed, and finally, threat intelligence data are ingested in real-time to detect, or be informed of threats which are out in the wild. While setting up a CSOC could be straightforward, unfortunately, the ‘people’ and ‘process’ aspects that underpin the CSOC are often challenging, complicated and occasionally unworkable. In this paper, CSOC and Cyber Onboarding are thoroughly discussed, and the differences between SOC vs SIEM are explained. Key challenges to Cyber Onboarding are identified through the reframing matrix methodology, obtained from four notable perspectives – Cyber Onboarding Perspective, CSOC Perspective, Client Perspective and Senior Management Team Perspective. Each of the views and interests are discussed, and finally, recommendations are provided based on lessons learned implementing CSOCs for many organisations – e.g. government departments, financial institutions and private sectors

A Framework for Managing Predictable and Unpredictable Threats: The Duality of Information Security Management

Information systems security is a challenging research area in the context of Information Systems. In fact, it has strong practical implications for the management of IS and, at the same time, it gives very interesting insights into understanding the process of social phenomena when communication information technologies are deployed in organizations. Current standards and best practices for the design and management of information systems security, recommend structured and mechanistic approaches, such as risk management methods and techniques, in order to address security issues. However, risk analysis and risk evaluation processes have their limitations, when security incidents occur, they emerge in a context, and their rarity and even their uniqueness give rise to unpredictable threats. The analysis of these phenomena which are characterized by breakdowns, surprises and side- effects, requires a theoretical approach which is able to examine and interpret subjectively the detail of each incident. The aim of this paper is to highlight the duality of information systems security, providing an alternative view on the management of those aspects already defined in the literature as intractable problems and this is pursued through a formative context (Ciborra, Lanzara, 1994) that supports bricolage, hacking and improvisation

Measuring Information Security Awareness of Indonesian Smartphone Users

One of information security management elements is information security awareness program. Usually, this programs only involve the employees within the organization. Some organizations also consider security awareness for some parties outside the organization like providers, vendors, and contractors. This paper add consumers as variable to be considered in information security awareness program as there are also some threats for organization through them. Information security awareness will be measured from user’s knowledge, behavior, and attitude of five information security focus areas in telecommunication, especially related with smartphone users as one segment of telecommunication provider. For smartphone users, information security threats not only from Internet, but also by phone call or texting. Therefore, focus area in this research consist of adhere to security policy, protect personal data, fraud/spam SMS, mobile application, and report for security incident. This research use analytic hierarcy process (AHP) method to measure the information security awareness level from smartphone users. In total, the result indicated that awareness level is good (80%). Although knowledge and attitude dimension are in good criteria of awareness level, but behaviour dimension is average. It can be a reason why there are still many information security breach against smartphone user despite good awareness level

Improving Organizational Information Security Strategy via Meso-Level Application of Situational Crime Prevention to the Risk Management Process

Existing approaches to formulating IS security strategy rely primarily on the risk management process and the application of baseline security standards (e.g., ISO 27002, previously ISO 17799). The use of existing approaches generally leads to measures that emphasize target hardening and incident detection. While such measures are appropriate and necessary, they do not capitalize on other measures, including those that surface when situational crime prevention (SCP) is applied to specific crimes. In particular, existing approaches do not typically surface measures designed to reduce criminal perceptions of the net benefits of the crime, or justification and provocation to commit the crime. However, the methods prescribed to-date for implementing SCP are cumbersome, requiring micro-level, individual analysis of crimes. In the current article, we propose that concepts derived from SCP can be strategically applied at an intermediate (meso) level of aggregation. We show that such meso-level application of SCP, when combined with the traditional risk management process, can reduce residual information security risk by identifying new strategies for combating computer crime. Using three illustrative cases, we demonstrate that the application of the proposed strategic approach does surface meaningful countermeasures not identified by the traditional risk management process alone

Mitigating Information security risks during the Transition to Integrated Operations: Models & Data

This research studies the change of information security risks during the transition toIntegrated Operations (an operation extensively utilize advanced information communicationtechnology to connect offshore facilities and onshore control centers and even vendors.) inNorsk Hydro, a Norwegian oil and gas company. The specific case for this study is a pilotplatform in transition to Integrated Operations, Brage: twenty traditional work processes areto be replaced by new work processes. The operators on the Brage platform have to build uprelevant new knowledge to work effectively with new work processes. The new workprocesses, new knowledge and their interrelationship all affect information security risks.The management of Norsk Hydro is concerned with the problem of the increasinginformation security risks, which might cause incidents with severe consequences. We lookfor policies that support a successful (smooth and fast) operation transition.System dynamics is adopted in this research to model the causal structure (mechanism) ofthe operation transition. We chose system dynamics because operation transition is a processrich in feedback, delays, nonlinearity and tradeoffs. All these features are captured by systemdynamics models. Moreover, system dynamics models can be used to simulate variousscenarios. The analyses of these scenarios can lead to insights on policy rules. Wespecifically investigate policies concerning transition speed, resource allocation during thetransition to Integrated Operations and investment rules in incident response capability.Since historical time series data about incidents and information security risks are scarce, weuse following model-based interventions to elicit structural information from our client andexperts:May 2005 First group model-building workshop Problem articulationSep 2005 Second group model-building workshop Model conceptualizationDec 2005 Model-based interview Model formulationYear 2006 Series of model-based meetings Model refinementNov 2008 Model-based interview Model validationThe Brage model was developed and validated through these model-based interventions. Theanalyses of various simulation results lead to the following policy insights: 1. Transition speed. The operation transition should be designed with a speed that allowsthe operators not only to get familiar with new work processes, but also to build up thedetailed knowledge supporting these work processes. The relevance of such knowledge,which is mostly tacit, is sometimes underrated. If the operators only know what to do,but not how to do it effectively, the benefit of the new technology (embedded in the newwork processes) will not be fully realized, and the platform will be more vulnerable toinformation security threats.2. Resource allocation. Resources (operators’ time) are needed to learn new work processesand to acquire related knowledge. Generally, the operators will first put their time intoachieving the production target. Investment on learning activities will not be prioritizedif these activities hinder reaching the production target, even if the operators know thisshort-term performance drop is the cost for obtaining long-term higher performance.Nevertheless strategic decision should never be influenced by operative goals and highlevel managements should be responsible to make decisions on whether focusing onlong-term profits and accept short-term performance drop as a trade-off.3. Investment in incident response capability. The management in Norsk Hydro is aware ofthe increasing information security risks changing from unconnected platforms tointegrated ones. However, investment in incident response capability to handleincreasing incidents is not made proactively. Only if the frequency of incidents hasincreased or severe incidents has occurred or the incident cost have been proved high,will the management decide to invest more on incident response capability. The Bragemodel simulations illustrate that these reactive decision rules will trap the managementinto ignoring the early signs of increasing information security risks, and causeunderinvestment, which results in inadequate incident response capability, andsubsequently leads to severe consequence. Proactive decision rules work effectively inreducing severity of incidents.This work helps our client in two ways. First, the model-based communication helps themanagement in Norsk Hydro clarify the problem it is facing and understand the underlyingmechanism causing the problem. There is an increased insight into the relevance of newknowledge acquisition. Second, the Brage model offers the management a tool to investigatethe long-term operation results under different policies, thus, helping improve themanagement decision process. This work contributes to the information security literature in three ways. First, previousresearch in information security is mostly on risk assessment methodology and informationsecurity management checklist. The dynamics of information security risks during theoperation transition period has not been well studied before. In this fast changing society,this aspect of changing information security risks is of importance. Second, we introduce adynamic view with the long-term perspective of information security. Although incidentshappen in random manner, the underlying mechanism that leads to such incidents oftenexists for a period. Understanding such mechanism is the key to prevent incidents. Last, butnot least, we demonstrate how formal modeling and simulation can facilitate the building oftheories on information security management. Information security management involvesnot only “hard” aspects, such as work processes and technology, but also “soft” aspects, suchas people’s awareness, people’s perception, and the cultural environment, - and all of whichchange over time. These soft aspects are sometimes the major factors affecting informationsecurity.This work also contributes to the system dynamics literature by adding examples of howmodel-based interventions are used to identify problems, conceptualize and validate models.The activities of group model-building workshops and model validation interviews arecarefully documented and reflected. It is an important step towards the accumulation ofknowledge in model-based intervention