Oluwafemi Oriola, Adesesan Barnabas Adeyemo, Maria Papadaki and Eduan Kotzé
Abstract
Purpose
Collaborative-based national cybersecurity incident management benefits from the huge size of incident information, large-scale information security devices and aggregation of security skills. However, no existing collaborative approach has been able to cater for multiple regulators, divergent incident views and incident reputation trust issues that national cybersecurity incident management presents. This paper aims to propose a collaborative approach to handle these issues cost-effectively.
Design/methodology/approach
A collaborative-based national cybersecurity incident management architecture based on ITU-T X.1056 security incident management framework is proposed. It is composed of the cooperative regulatory unit with cooperative and third-party management strategies and an execution unit, with incident handling and response strategies. Novel collaborative incident prioritization and mitigation planning models that are fit for incident handling in national cybersecurity incident management are proposed.
Findings
A use case depicting how the collaborative-based national cybersecurity incident management would function within a typical information and communication technology ecosystem is illustrated. The proposed collaborative approach is evaluated based on the performance of an experimental cyber-incident management system against two multistage attack scenarios. The results show that the proposed approach is more reliable than the existing ones based on descriptive statistics.
Originality/value
The approach produces better incident impact scores and rankings than standard tools. The approach reduces the total response costs by 8.33% and false positive rate by 97.20% for the first attack scenario, while it reduces the total response costs by 26.67% and false positive rate by 78.83% for the second attack scenario.
Reza Alavi, Shareeful Islam and Haralambos Mouratidis
Abstract
Purpose
The purpose of this paper is to introduce a risk-driven investment process model for analysing human factors that allows information security managers to capture possible risk–investment relationships and to reason about them. The overall success of an information security system depends on analysis of the risks and threats so that appropriate protection mechanisms can be put in place. However, a lack of appropriate risk analysis may result in the failure of information security systems. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modelling language to support such analysis. This work aims to fill this gap by introducing such a process and reasoning about the risks with human factors taken into account.
Design/methodology/approach
The aim is to develop a risk-driven investment model along with the activities that support the process. These objectives were achieved through the collection of quantitative and qualitative data utilising requirements engineering and Secure Tropos methods.
Findings
The proposed process and model define a clear relationship between risks, incidents and investment and allow organisations to calculate them based on their own figures.
Research limitations/implications
One of the major limitations of this model is that it only supports incident-based investment. This makes the results harder to present to the executive board. Secondly, because of the nature of human factors, quantification does not exactly reflect the monetary value of the factors.
Practical implications
Applying the information security risk-driven investment model in a real case study shows that it can help organisations apply and use it for other incidents and, more importantly, for incidents in which critical human factors are a grave concern of organisations. The importance of providing a financial justification when seeking investment in information security is clearly highlighted.
Social implications
The model has a broad social impact in that it could support cost justification and the decision-making process. This would benefit society as a whole by helping individuals to keep their data safe.
Originality/value
The novel contribution of this work is to analyse specific critical human factors which have subjective natures in an objective and dynamic domain of risk, security and investment.
Rodrigo Werlinger, Kasia Muldner, Kirstie Hawkey and Konstantin Beznosov
Abstract
Purpose
The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.
Design/methodology/approach
The data set consisted of 16 semi‐structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.
Findings
The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.
Research limitations/implications
Owing to the nature of semi‐structured interviews, not all participants discussed security incident response at the same level of detail. More data are required to generalize and refine the findings.
Originality/value
The contribution of the work is twofold. First, using empirical data, the paper analyzes and describes the tasks, skills, strategies, and tools that security practitioners use to diagnose security incidents. The findings enhance the research community's understanding of the diagnostic work during security incident response. Second, the paper identifies opportunities for future research directions related to improving security tools.
Mark Glenn Evans, Ying He, Iryna Yevseyeva and Helge Janicke
Abstract
Purpose
This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying tasks and causes behind these incidents and breaches are not consistently understood, particularly with regard to human error.
Design/methodology/approach
This paper analyses recently published incidents and breaches to establish the proportions attributable to human error and, where possible, subsequently applies HEART (human error assessment and reduction technique), a human reliability analysis technique that is established within the safety field.
Findings
This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field.
Originality/value
This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.
Finn Olav Sveen, Jose M. Sarriegi, Eliot Rich and Jose J. Gonzalez
Abstract
Purpose
This research paper aims to examine how incident‐reporting systems function and particularly how the steady growth of high‐priority incidents and the semi‐exponential growth of low‐priority incidents affect reporting effectiveness. Social pressures that can affect low‐ and high‐priority incident‐reporting rates are also examined.
Design/methodology/approach
The authors reviewed the incident‐reporting system literature. As there are few studies of information security reporting systems, they also considered safety‐reporting systems. These have been in use for many years and much is known about them. Safety is used to “fill in the gaps”. The authors then constructed a system dynamics computer simulation model. The model is used to test how an incident‐reporting system reacts under different conditions.
Findings
Incident reporters face incentives and disincentives based on effects on throughput but have limited knowledge of what is important to the organization's security. Even if a successful incident‐reporting policy is developed, the organization may become the victim of its own success, as a growing volume of reports puts higher pressure on incident‐handling resources. Continuously hiring personnel is unsustainable. Continuously improving automated tools for incident response promises more leverage.
Research limitations/implications
The challenges in safety may not be the same as those in information security. However, the model does provide a starting‐point for further enquiries into information security reporting systems.
Originality/value
An examination of basic factors that affect information security reporting systems is provided. Four different policies are presented and examined through simulation scenarios.
Manfred Vielberth, Ludwig Englbrecht and Günther Pernul
Abstract
Purpose
In the past, people were usually seen as the weakest link in the IT security chain. However, this view has changed in recent years and people are no longer seen only as a problem, but also as part of the solution. In research, this change is reflected in the fact that people are enabled to report security incidents that they have detected. During this reporting process, however, it is important to ensure that the reports are submitted with the highest possible data quality. This paper aims to provide a process-driven quality improvement approach for human-as-a-security-sensor information.
Design/methodology/approach
This work builds upon existing approaches for structured reporting of security incidents. In the first step, relevant data quality dimensions and influencing factors are defined. Based on this, an approach for quality improvement is proposed. To demonstrate the feasibility of the approach, it is prototypically implemented and evaluated using an exemplary use case.
Findings
In this paper, a process-driven approach is proposed, which allows improving the data quality by analyzing the similarity of incidents. It is shown that this approach is feasible and leads to better data quality with real-world data.
Originality/value
The originality of the approach lies in the fact that data quality is already improved during the reporting of an incident. In addition, approaches from other areas, such as recommender systems, are applied innovatively to the area of the human-as-a-security-sensor.
Abstract
Purpose
Grid computing has often been heralded as the next logical step after the worldwide web. Users of grids can access dynamic resources such as computer storage and use the computing resources of computers under the umbrella of a virtual organisation. Although grid computing is often compared to the worldwide web, it is vastly more complex both in organisational and technical areas. This also extends into the area of security and incident response, where established academic computer security incident response teams (CSIRTs) face new challenges arising from the use of grids. This paper aims to outline some of the organisational and technical challenges encountered by the German academic CSIRT, DFN‐CERT while extending and adapting their services to grid environments during the D‐Grid project.
Design/methodology/approach
Most national research and education networks (NRENs) already have computer security incident response teams to respond to security incidents involving computers connected to the networks. This paper considers how one established NREN CSIRT is dealing with the new challenges arising from grid computing.
Findings
The paper finds that D‐Grid Initiative is an ongoing project and the establishment of CSIRT services for grids is still at an early stage. The establishment of communication channels to the various grid communities as well as gaining of knowledge about grid software has required DFN‐CERT to make changes even though the basic principles of CSIRT operation remain the same.
Originality/value
The D‐Grid project aims to establish a common grid infrastructure that can be used by other scientific domains. The project consists of six community projects and one integration project (DGI – D‐Grid Integration). The DGI project will develop the basic infrastructure, while the community projects will build on this infrastructure and enhance it for the specific needs of their research areas. At the initial stage of the DGI project, the idea of a central CSIRT for all grids in Germany was seen as an advantage over having a CSIRT for each grid project, which would have replicated efforts and thus wasted resources. This paper gives an overview of the organisational and technical challenges and experiences DFN‐CERT has encountered while setting up a CSIRT for the D‐Grid communities.
Sarandis Mitropoulos, Dimitrios Patsos and Christos Douligeris
Abstract
Purpose
Security information management systems (SIMs) have been providing a unified distributed platform for the efficient management of security information produced by corresponding mechanisms within an organization. However, these systems currently lack the capability of producing and enforcing response policies, mainly due to their limited incident response (IR) functionality. This paper explores the nature of SIMs while proposing a set of requirements that could be satisfied by SIMs for the efficient and effective handling of security incidents.
Design/methodology/approach
These requirements are presented in a high‐level architectural concept and include policy visualization, system intelligence to enable automated policy management, and data mining elements for inspection, evaluation and enhancement of IR policies.
Findings
A primitive mechanism that could guarantee the freshness and accuracy of the state information SIMs provide, so that they can launch sound response alarms and actions for a specific incident or a series of incidents, is proposed, along with an administrative role‐based access control model (ARBAC) based on a corporate model for IR. Basic forensic and trace‐back concepts that should be integrated into SIMs in order to provide the rich picture of the IR puzzle are also examined.
Practical implications
The support of policy compliance and validation tools to SIMs is also addressed.
Originality/value
The aforementioned properties could greatly assist in automating the IR capability within an organization.
Ieva Auzina, Tatjana Volkova, Diego Norena-Chavez, Marta Kadłubek and Eleftherios Thalassinos
Abstract
There is a research gap in the explanation of cyber incident response approaches in management to increase cyber maturity for small–medium-size enterprises (SMEs). Therefore, based on the literature analysis, the chapter aims to (1) provide cyber incident response characteristics, (2) show the importance for SMEs, (3) identify cyber incident response feasibility and causal factors, (4) provide scenarios for consideration to create an incident response plan (IRP), and (5) discuss the cyber incident response and managerial approaches in SMEs. The authors used content analysis of scientific and professional articles to develop the theoretical foundation of incident response approaches in management for SMEs. The authors start from the fundamentals: obtaining knowledge and understanding of the latest threats and opportunities, and of how to defend with limited resources, might be the starting point for building an extensive incident response capability. Incident response capabilities and maturity levels vary widely between organisations. There is no simple one-size-fits-all process for incident response; each case is unique and requires continuous refinement. Differentiation and adaptation to different types of SMEs are pivotal to developing cyber maturity and defining requirements that fit the market’s needs and are therefore more efficient in achieving the goal of increasing cyber security (CS) among business management. SMEs may not have a mature IRP, but at least one readiness indicator could lead to the preparation of a mature IRP. Implementation of secure undertakings and information processes requires using modern information and communication technologies, incident response processes, and other modules that could enhance support for decision-making processes in management. This requires a systematic approach to the issues related to constructing these solutions.
The authors highlight that building efficient incident response approaches in management to improve cyber maturity will begin with infrastructure and people factors.
Giddeon Njamngang Angafor, Iryna Yevseyeva and Leandros Maglaras
Abstract
Purpose
This paper aims to discuss the experiences designing and conducting an experiential learning virtual incident response tabletop exercise (VIRTTX) to review a business's security posture as it adapts to remote working because of the Coronavirus 2019 (COVID-19). The pandemic forced businesses to move operations from offices to remote working. Given that this happened quickly for many, some firms had little time to factor in appropriate cyber-hygiene and incident prevention measures, thereby exposing themselves to vulnerabilities such as phishing and other scams.
Design/methodology/approach
The exercise was designed and facilitated through Microsoft Teams. The approach used included a literature review and an experiential learning method that used scenario-based, active pedagogical strategies such as case studies, simulations, role-playing and discussion-focused techniques to develop and evaluate processes and procedures used in preventing, detecting, mitigating, responding and recovering from cyber incidents.
Findings
The exercise highlighted the value of using scenario-based exercises in cyber security training. It elaborated that scenario-based incident response (IR) exercises are beneficial because well-crafted and well-executed exercises raise cyber security awareness among managers and IT professionals. Such activities with integrated operational and decision-making components enable businesses to evaluate IR and disaster recovery (DR) procedures, including communication flows, to improve decision-making at strategic levels and enhance the technical skills of cyber security personnel.
Practical implications
The paper maintains that the primary implication for practice is that such exercises enhance security awareness through practical, experiential, hands-on activities such as this VIRTTX. These exercises bring together staff from across a business to evaluate existing IR/DR processes to determine if they are fit for purpose, establish existing gaps and identify strategies to prevent future threats, including during challenging circumstances such as the COVID-19 outbreak. Furthermore, the use of TTXs or TTEs for scenario-based incident response exercises was extremely useful for cyber security practice because well-crafted and well-executed exercises have been found to serve as valuable and effective tools for raising cyber security awareness among senior leadership, managers and IT professionals (Ulmanová, 2020).
Originality/value
This paper underlines the importance of practical, scenario-based cyber-IR training and reports on the experience of conducting a virtual IR/DR tabletop exercise within a large organisation.