
    Rethinking Security Incident Response: The Integration of Agile Principles

    In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate fundamental problems with the linear, plan-driven security incident response approaches applied in many organizations, and researchers argue that these traditional approaches value containment and eradication over learning from the incident. Previous security incident response research has focused on best-practice development, linear plan-driven approaches and the technical aspects of response; very little of it investigates the integration of agile principles and practices into the security incident response process. This paper proposes that integrating disciplined agile principles and practices into the security incident response process is a practical way to strengthen an organization's security incident response posture.
    Comment: Paper presented at the 20th Americas Conference on Information Systems (AMCIS 2014), Savannah, Georgia.

    “I don't think we're there yet”: The practices and challenges of organisational learning from cyber security incidents

    Learning from cyber incidents is crucial for organisations to enhance their cyber resilience and respond effectively to evolving threats. This study employs neo-institutional and organisational learning theories to examine how organisations learn from incidents and to gain insight into the challenges they face. Drawing on qualitative research methods, interviews were conducted with 34 security practitioners from organisations operating in the UK across a range of industries. The findings highlight the importance of consciously evaluating learning practices and creating a culture of openness, so that the organisation hears about incidents from employees, customers and suppliers. Deciding which incidents to learn from, and who should participate in the learning process, emerged as critical considerations. Overcoming defensiveness and addressing systemic causes were recognised as barriers to effective learning. The study emphasises the need to assess the value and impact of identified lessons and to avoid superficial reviews that treat symptoms rather than underlying causes. While progress has been made in learning from incidents, further improvement is needed. Practical recommendations are proposed for how organisations can maximise the benefits derived from incident learning. This research contributes to the existing knowledge on organisational learning and informs future studies of the social and political influences on the learning process. By considering the suggested recommendations, organisations may strengthen their cyber security, foster a culture of continuous improvement, and respond effectively to the dynamic cyber security landscape.

    Knowledge management: modelling incidents and responses (Gestão do conhecimento: modelação dos incidentes e das respostas)

    The purpose of this work is to demonstrate that an organization's management policies can directly influence information security, and that technology by itself is not enough to provide effective protection. In this sense, Knowledge Management can make a positive contribution, taking into account the development and autonomy of the individuals who make up the organization and stimulating the sharing of information, the sharing of knowledge, and learning. Organizational culture plays a decisive role in knowledge sharing and in the definition of powers. It is in this context that Incident Management can contribute through the detection, recording and investigation of incidents, which helps to mitigate risks and to avoid partial or even total failures. Management policies such as incentives for, or recriminations against, the reporting of incidents, together with the allocation of adequate resources to their investigation, can produce surprising and promising results, as shown in this work through the study of behavioural management variables in a dynamic simulation model.

    Tackling the Challenges of Information Security Incident Reporting: A Decentralized Approach

    Information security incident under-reporting is unambiguously a business problem, as identified by a variety of sources such as ENISA (2012), Symantec (2016) and Newman (2018). This research project identified the underlying issues that cause this problem and proposed a solution, in the form of an innovative artefact, which confronts a number of these issues. The project was conducted according to the requirements of the Design Science Research Methodology (DSRM) of Peffers et al. (2007). The research question set at the beginning of the project probed whether an incident reporting solution could be formed that would increase users' motivation to report incidents, by utilizing the positive features offered by existing solutions on the one hand, and by providing added value to users on the other. The comprehensive literature review chapter set the stage, identified the reasons for incident under-reporting, and evaluated the existing solutions, determining their advantages and disadvantages. The objectives of the proposed artefact were then set, and the artefact was designed and developed. The output of this development effort is "IRDA", the first decentralized incident reporting application (DApp), built on "Quorum", a permissioned blockchain implementation of Ethereum. Its effectiveness was demonstrated when six organizations agreed to use the artefact and performed a series of pre-defined actions to confirm the platform's intended functionality. The platform was also evaluated using Venable et al.'s (2012) evaluation framework for DSR projects. This research project contributes to knowledge in various ways. It investigates blockchain and incident reporting, two domains that have not been extensively examined and for which the available literature is rather limited. It also identifies, compares and evaluates the conventional reporting platforms available to date. In line with previous findings (e.g. Humphrey, 2017), it confirms the lack of standard taxonomies for information security incidents. The work further contributes a functional, practical artefact in the blockchain domain, where, according to Taylor et al. (2019), most studies are either experimental proposals or theoretical concepts with limited practicality for solving real-world problems. Through the evaluation activity, and by conducting a series of non-parametric significance tests, it suggests that IRDA can potentially increase users' motivation to report incidents. This thesis describes an original attempt to utilize the newly emergent blockchain technology, and its inherent characteristics, to address those concerns that actively contribute to the business problem. To the best of the researcher's knowledge, there is currently no other solution offering similar benefits to users and organizations for incident reporting purposes. Through the accomplishment of the project's pre-set objectives, the developed artefact provides a positive answer to the research question. The artefact, featuring increased anonymity, availability, immutability and transparency, as well as an overall lower cost, has the potential to increase organizations' motivation to report incidents, thus improving the currently dismaying statistics of incident under-reporting. The structure of the document follows the flow of activities described in the DSRM by Peffers et al. (2007), while also borrowing some elements from the nominal structure of an empirical research process, including the literature review chapter, the description of the selected research methodology, and the "discussion and conclusion" chapter.

    Two Cases in High Reliability Organizing: A Hermeneutic Reconceptualization.

    In view of the primacy of organizational reliability, exploring which contextual and structural organizational dimensions contribute to high reliability is a pertinent research issue. This dissertation attempts to answer this question for the incident management process of the IT department of a financial institution and of a nuclear power plant. By means of constructs drawn from research on so-called High Reliability Organizations (HRO) and on sensemaking, and by taking a hermeneutic research approach that builds on quantitative as well as qualitative techniques, the existing HRO literature is reconceptualized. This reconceptualization allows confirmation of the assumption that not only the nuclear power plant, as an archetypal HRO, but also the financial institution, as a mainstream organization, bear genuine HRO hallmarks. However, the answer to what constitutes high reliability is less univocal. As a general observation, a high score on HRO constructs does not necessarily contribute to high reliability; hence the conclusion that the poison makes the dose. On the other hand, starting from the reconceptualized framework, newly introduced HRO constructs such as Team Orientation, Threat Flexibility and Efficiency do univocally influence high reliability. Therefore, notwithstanding the absence of an ideal reliability cocktail, there are strong indications that a reconceptualized HRO theory has the potential to offer valuable advice on organizing for high reliability.