Search results

1 – 10 of over 10000
Article
Publication date: 28 June 2021

Oluwafemi Oriola, Adesesan Barnabas Adeyemo, Maria Papadaki and Eduan Kotzé

Abstract

Purpose

Collaborative-based national cybersecurity incident management benefits from the huge size of incident information, large-scale information security devices and aggregation of security skills. However, no existing collaborative approach has been able to cater for multiple regulators, divergent incident views and incident reputation trust issues that national cybersecurity incident management presents. This paper aims to propose a collaborative approach to handle these issues cost-effectively.

Design/methodology/approach

A collaborative-based national cybersecurity incident management architecture based on ITU-T X.1056 security incident management framework is proposed. It is composed of the cooperative regulatory unit with cooperative and third-party management strategies and an execution unit, with incident handling and response strategies. Novel collaborative incident prioritization and mitigation planning models that are fit for incident handling in national cybersecurity incident management are proposed.

Findings

A use case depicting how the collaborative-based national cybersecurity incident management would function within a typical information and communication technology ecosystem is illustrated. The proposed collaborative approach is evaluated based on the performances of an experimental cyber-incident management system against two multistage attack scenarios. The results show that the proposed approach is more reliable compared to the existing ones based on descriptive statistics.

Originality/value

The approach produces better incident impact scores and rankings than standard tools. The approach reduces the total response costs by 8.33% and false positive rate by 97.20% for the first attack scenario, while it reduces the total response costs by 26.67% and false positive rate by 78.83% for the second attack scenario.

Book part
Publication date: 28 September 2023

Ieva Auzina, Tatjana Volkova, Diego Norena-Chavez, Marta Kadłubek and Eleftherios Thalassinos

Abstract

There is a research gap in the explanation of cyber incident response approaches in management to increase cyber maturity for small–medium-size enterprises (SMEs). Therefore, based on the literature analysis, the chapter aims to (1) provide cyber incident response characteristics, (2) show the importance for SMEs, (3) identify cyber incident response feasibility and causal factors, (4) provide scenarios for consideration to create an incident response plan (IRP), and (5) discuss the cyber incident response and managerial approaches in SMEs. The authors used content analysis of scientific and professional articles to develop the theoretical foundation of incident response approaches in management for SMEs. The authors start from the fundamentals: obtaining knowledge and understanding of the latest threats and opportunities, and of how to defend oneself with a limited capacity of resources, might be the starting point for building an extensive incident response capability. Incident response capabilities and maturity levels vary widely between various organisations. There is no simple one-size-fits-all process for incident response; each case is unique and requires continuous refinement. Differentiation and adaptation to different types of SMEs are pivotal to developing cyber maturity and defining requirements that fit the market’s needs and are therefore more efficient in achieving the goal of increasing cyber security (CS) among business management. SMEs may not have a mature IRP, but at least one readiness indicator could lead to the preparation of a mature IRP. Implementation of the secure undertakings and information processes requires using modern information and communication technologies, incident response processes, and other modules that could enhance support for decision-making processes in management. This requires a systematic approach to issues related to constructing these solutions. The authors highlight that building efficient incident response approaches in management to improve cyber maturity will begin with infrastructure and people factors.

Details

Digital Transformation, Strategic Resilience, Cyber Security and Risk Management
Type: Book
ISBN: 978-1-80455-254-4

Article
Publication date: 4 September 2007

Klaus Möller

Abstract

Purpose

Grid computing has often been heralded as the next logical step after the worldwide web. Users of grids can access dynamic resources such as computer storage and use the computing resources of computers under the umbrella of a virtual organisation. Although grid computing is often compared to the worldwide web, it is vastly more complex both in organisational and technical areas. This also extends into the area of security and incident response, where established academic computer security incident response teams (CSIRTs) face new challenges arising from the use of grids. This paper aims to outline some of the organisational and technical challenges encountered by the German academic CSIRT, DFN‐CERT while extending and adapting their services to grid environments during the D‐Grid project.

Design/methodology/approach

Most national research and education networks (NRENs) already have computer security incident response teams to respond to security incidents involving computers connected to the networks. This paper considers how one established NREN CSIRT is dealing with the new challenges arising from grid computing.

Findings

The paper finds that D‐Grid Initiative is an ongoing project and the establishment of CSIRT services for grids is still at an early stage. The establishment of communication channels to the various grid communities as well as gaining of knowledge about grid software has required DFN‐CERT to make changes even though the basic principles of CSIRT operation remain the same.

Originality/value

The D‐Grid project aims to establish a common grid infrastructure that can be used by other scientific domains. The project consists of six community projects and one integration project (DGI – D‐Grid Integration). The DGI project will develop the basic infrastructure, while the community projects will build on this infrastructure and enhance it for the specific needs of their research areas. At the initial stage of the DGI project, the idea of a central CSIRT for all grids in Germany was seen as an advantage over having a CSIRT for each grid project, which would have replicated efforts and thus wasted resources. This paper gives an overview about the organisational and technical challenges and experiences DFN‐CERT has encountered while setting up a CSIRT for the D‐Grid communities.

Details

Campus-Wide Information Systems, vol. 24 no. 4
Type: Research Article
ISSN: 1065-0741

Article
Publication date: 12 June 2007

Sarandis Mitropoulos, Dimitrios Patsos and Christos Douligeris

Abstract

Purpose

Security information management systems (SIMs) have been providing a unified distributed platform for the efficient management of security information produced by corresponding mechanisms within an organization. However, these systems currently lack the capability of producing and enforcing response policies, mainly due to their limited incident response (IR) functionality. This paper explores the nature of SIMs while proposing a set of requirements that could be satisfied by SIMs for the efficient and effective handling of security incidents.

Design/methodology/approach

These requirements are presented in a high‐level architectural concept and include policy visualization, system intelligence to enable automated policy management, as well as data mining elements for inspection, evaluation and enhancements of IR policies.

Findings

A primitive mechanism that could guarantee the freshness and accuracy of state information that SIMs provide in order to launch solid response alarms and actions for a specific incident or a series of incidents is proposed, along with a role based access control administrative model (ARBAC) based on a corporate model for IR. Basic forensic and trace‐back concepts that should be integrated into SIMs in order to provide the rich picture of the IR puzzle are also examined.

Practical implications

The support of policy compliance and validation tools to SIMs is also addressed.

Originality/value

The aforementioned properties could greatly assist in automating the IR capability within an organization.

Details

Information Management & Computer Security, vol. 15 no. 3
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 23 March 2010

Rodrigo Werlinger, Kasia Muldner, Kirstie Hawkey and Konstantin Beznosov

Abstract

Purpose

The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.

Design/methodology/approach

The data set consisted of 16 semi‐structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.

Findings

The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.

Research limitations/implications

Owing to the nature of semi‐structured interviews, not all participants discussed security incident response at the same level of detail. More data are required to generalize and refine the findings.

Originality/value

The contribution of the work is twofold. First, using empirical data, the paper analyzes and describes the tasks, skills, strategies, and tools that security practitioners use to diagnose security incidents. The findings enhance the research community's understanding of the diagnostic work during security incident response. Second, the paper identifies opportunities for future research directions related to improving security tools.

Details

Information Management & Computer Security, vol. 18 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 12 October 2010

Dimitrios Patsos, Sarandis Mitropoulos and Christos Douligeris

Abstract

Purpose

The paper proposes looking at the automation of the incident response (IR) process, through formal, systematic and standardized methods for collection, normalization and correlation of security data (i.e. vulnerability, exploit and intrusion detection information).

Design/methodology/approach

The paper proposes the incident response intelligence system (IRIS) that models the context of discovered vulnerabilities, calculates their significance, finds and analyzes potential exploit code and defines the necessary intrusion detection signatures that combat possible attacks, using standardized techniques. It presents the IRIS architecture and operations, as well as the implementation issues.
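The abstract names the collect, normalize and correlate steps without showing them. The block below is an editor's added example of that pipeline, not the IRIS system's own code: it maps scanner findings and IDS alerts into one record shape, joins them by host, port and a shared advisory reference, and ranks the result. The field names, the advisory references, the scoring rule (CVSS base plus one point for public exploit code plus one point for an observed attempt, capped at ten) and every sample record are assumptions constructed for this illustration.

```python
"""Editor's added example (not the IRIS system's code): normalize vulnerability
findings and IDS alerts to one record shape, correlate them by
(host, port, advisory reference) and rank the results.  All field names,
the scoring rule, the advisory references and the sample rows are assumptions."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    """Common shape for a scanner finding or an IDS alert."""
    source: str    # "scanner" or "ids"
    host: str      # affected (scanner) or targeted (ids) host
    port: int      # service port
    ref: str       # advisory reference shared by scanner plugin and IDS rule (assumed)
    cvss: float    # CVSS base score for findings; 0.0 for alerts
    ts: str        # timestamp as reported by the source


def normalize_scan(rec: dict) -> Event:
    """Map one assumed scanner export row to the common shape."""
    return Event("scanner", rec["ip"], int(rec["port"]), rec["ref"],
                 float(rec["cvss"]), rec["seen"])


def normalize_ids(rec: dict) -> Event:
    """Map one assumed IDS alert row to the common shape; alerts carry no CVSS."""
    return Event("ids", rec["dst"], int(rec["dst_port"]), rec["rule_ref"],
                 0.0, rec["time"])


def correlate(findings: Iterable[Event],
              alerts: Iterable[Event]) -> Tuple[Dict[tuple, dict], List[Event]]:
    """Join alerts onto findings by (host, port, ref).

    Returns the incident table keyed by that tuple, plus the alerts that hit
    no known-vulnerable service (candidates for rule tuning, not response).
    """
    incidents: Dict[tuple, dict] = {}
    for f in findings:
        incidents[(f.host, f.port, f.ref)] = {"finding": f, "alerts": []}
    unmatched: List[Event] = []
    for a in alerts:
        key = (a.host, a.port, a.ref)
        if key in incidents:
            incidents[key]["alerts"].append(a)
        else:
            unmatched.append(a)
    return incidents, unmatched


def significance(finding: Event, alert_count: int, exploit_public: bool) -> float:
    """Assumed ranking rule: CVSS base, +1.0 if public exploit code exists,
    +1.0 if the IDS has seen at least one attempt, capped at 10.0."""
    score = finding.cvss
    if exploit_public:
        score += 1.0
    if alert_count > 0:
        score += 1.0
    return round(min(score, 10.0), 1)


def rank_incidents(scan_rows, ids_rows, exploit_refs):
    """Full pipeline: normalize, correlate, score, sort (highest first)."""
    findings = [normalize_scan(r) for r in scan_rows]
    alerts = [normalize_ids(r) for r in ids_rows]
    incidents, unmatched = correlate(findings, alerts)
    ranked = []
    for (host, port, ref), inc in incidents.items():
        n = len(inc["alerts"])
        ranked.append({"host": host, "port": port, "ref": ref, "alerts": n,
                       "significance": significance(inc["finding"], n, ref in exploit_refs)})
    ranked.sort(key=lambda r: (-r["significance"], -r["alerts"], r["host"]))
    return ranked, unmatched


# Constructed sample input; "ADV-*" are placeholder references, not real advisories.
SCAN_FINDINGS = [
    {"ip": "10.0.0.5", "port": 22, "ref": "ADV-100", "cvss": 5.3, "seen": "2010-09-01T08:00Z"},
    {"ip": "10.0.0.7", "port": 443, "ref": "ADV-200", "cvss": 9.8, "seen": "2010-09-01T08:00Z"},
    {"ip": "10.0.0.9", "port": 80, "ref": "ADV-300", "cvss": 7.5, "seen": "2010-09-01T08:00Z"},
]
IDS_ALERTS = [
    {"dst": "10.0.0.7", "dst_port": 443, "rule_ref": "ADV-200", "time": "2010-09-02T01:10Z"},
    {"dst": "10.0.0.7", "dst_port": 443, "rule_ref": "ADV-200", "time": "2010-09-02T01:12Z"},
    {"dst": "10.0.0.5", "dst_port": 22, "rule_ref": "ADV-100", "time": "2010-09-02T03:40Z"},
    {"dst": "10.0.0.11", "dst_port": 80, "rule_ref": "ADV-300", "time": "2010-09-02T04:00Z"},
]
EXPLOIT_PUBLIC = {"ADV-200"}   # assumed feed of references with public exploit code

if __name__ == "__main__":
    ranked, noise = rank_incidents(SCAN_FINDINGS, IDS_ALERTS, EXPLOIT_PUBLIC)
    for r in ranked:
        print(f'{r["significance"]:>5}  {r["host"]}:{r["port"]}  {r["ref"]}  alerts={r["alerts"]}')
    print(f"unmatched alerts: {len(noise)}")
```

With the constructed rows, the host with a high CVSS finding, public exploit code and observed attempts ranks first, a high CVSS finding with no attempts ranks above a lower one that is being probed, and the alert against a host the scanner never flagged is set aside rather than raised as an incident. In a real deployment the join key is the weak point: scanner plugin and IDS rule must actually carry the same reference for the correlation to fire.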

Findings

The paper presents detailed evaluation results obtained from real‐world application scenarios, including a survey of the users' experience, to highlight IRIS contribution in the area of IR.

Originality/value

The paper introduces the IRIS, a system that provides detailed security information during the entire lifecycle of a security incident, facilitates decision support through the provision of possible attack and response paths, while deciding on the significance and magnitude of an attack with a standardized method.

Details

Information Management & Computer Security, vol. 18 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 10 October 2008

Janne Merete Hagen, Eirik Albrechtsen and Jan Hovden

Abstract

Purpose

The purpose of this paper is to study the implementation of organizational information security measures and assess the effectiveness of such measures.

Design/methodology/approach

A survey was designed and data were collected from information security managers in a selection of Norwegian organizations.

Findings

Technical‐administrative security measures such as security policies, procedures and methods are the most commonly implemented organizational information security measures in a sample of Norwegian organizations. Awareness‐creating activities are applied by the organizations to a considerably lesser extent, but at the same time are assessed as being more effective organizational measures than technical‐administrative ones. Consequently, the study shows an inverse relationship between the implementation of organizational information security measures and assessed effectiveness of the organizational information security measures.

Originality/value

Provides insight into the non‐technological side of information security. While most other studies look at the effectiveness of single organizational security measures, the present study considers combinations of organizational security measures.

Details

Information Management & Computer Security, vol. 16 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 18 January 2013

Ching‐Chiao Yang and Hsiao‐Hsuan Wei

Abstract

Purpose

The aim of this study is to empirically identify crucial dimensions of security management in the container shipping sector in Taiwan and assess their impacts on security performance.

Design/methodology/approach

Data for this study were collected by questionnaire survey. An exploratory factor analysis was performed to identify crucial security management dimensions in the container shipping sector. Multiple regression analysis was then performed to examine the effect of security management on the security performance.

Findings

Four crucial security management dimensions were identified: facility and cargo management; accident prevention and processing; information management; and partner relationship management. Multiple regression analysis revealed that information management and partner relationship management had significant positive effects on safety performance, whereas partner relationship management had a significant positive effect on customs clearance performance.

Research limitations/implications

This study primarily focuses on the effect of security management on security performance. Future research could identify the drivers and barriers to comply with supply chain security initiatives.

Practical implications

Container shipping firms can improve safety and customs clearance performance by focusing security management efforts on facility and cargo management, accident prevention and processing, information management, and partner relationship management.

Social implications

Government administrators or other authorities may want to consider using crucial container shipping security management dimensions as criteria for assessing security performance in container shipping firms.

Originality/value

This study is the first to assess the effect of security management on security performance in the container shipping sector. In particular, partner relationship management is found to be the key dimension for supply chain security success.

Article
Publication date: 2 September 2014

Abhishek Narain Singh, M.P. Gupta and Amitabh Ojha

Abstract

Purpose

Despite many technically sophisticated solutions, managing information security has remained a persistent challenge for organizations. Emerging IT/ICT media have posed new security challenges to business information and information assets. It is felt that technical solutions alone are not sufficient to address the information security challenge. It has been argued that organizations also need to consider the management aspects of information security. Consequently, literature, especially in the last decade, has witnessed various scholarly works in this direction. Therefore, a synthesis exercise is required to bring clarity on categorizing the issues of organizational information security management (ISM) to take the research forward. The purpose of this paper is to identify management factors that address organizational information security challenges.

Design/methodology/approach

Using a mixed-method approach, the paper adopts the qualitative (keyword analysis and experts’ opinion) and quantitative (questionnaire survey) research routes. Exploratory factor analysis is conducted to find out the key factors of organizational ISM.

Findings

The paper categorizes various organizational ISM functions into ten factors. Spanning across three levels (strategic, tactical and operational), these factors cover various management issues of organizational ISM.

Originality/value

The paper takes the ISM literature forward by statistically validating the key management factors of organizational ISM. The study outcome should help to draw the attention of organizations toward the managerial challenges of organizational ISM.

Details

Journal of Enterprise Information Management, vol. 27 no. 5
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 1 February 1996

Richard A.E. North, Jim P. Duguid and Michael A. Sheard

Abstract

Describes a study to measure the quality of service provided by food‐poisoning surveillance agencies in England and Wales in terms of the requirements of a representative consumer ‐ the egg producing industry ‐ adopting “egg associated” outbreak investigation reports as the reference output. Defines and makes use of four primary performance indicators: accessibility of information; completeness of evidence supplied in food‐poisoning outbreak investigation reports as to the sources of infection in “egg‐associated” outbreaks; timeliness of information published; and utility of information and advice aimed at preventing or controlling food poisoning. Finds that quality expectations in each parameter measured are not met. Examines reasons why surveillance agencies have not delivered the quality demanded. Makes use of detailed case studies to illustrate inadequacies of current practice. Attributes failure to deliver “accessibility” to a lack of recognition of the status or nature of “consumers”, combined with a self‐maintenance motivation on the part of the surveillance agencies. Finds that failures to deliver “completeness” and “utility” may result from the same defects which give rise to the lack of “accessibility” in that, failing to recognize the consumers of a public service for what they are, the agencies feel no need to provide them with the data they require. The research indicates that self‐maintenance by scientific epidemiologists may introduce biases which, when combined with a politically inspired need to transfer responsibility for food‐poisoning outbreaks, skew the conduct of investigations and their conclusions. Contends that this is compounded by serious and multiple inadequacies in the conduct of investigations, arising at least in part from the lack of training and relative inexperience of investigators, the whole conditioned by interdisciplinary rivalry between the professional groups staffing the different agencies. Finds that, in addition, failures to exploit or develop epidemiological technologies have affected the ability of investigators to resolve the uncertainties identified. Makes recommendations directed at improving the performance of the surveillance agencies which, if adopted, will substantially enhance food poisoning control efforts.

Details

British Food Journal, vol. 98 no. 2/3
Type: Research Article
ISSN: 0007-070X
