Creating Value Added for an Enterprise by Managing Information Security Incidents
Related papers
Multidisciplinary Aspects of Production Engineering, 2018
This article presents structure and analysis of possible events for information security of a production company. The aim of the analysis is to identify incident events, their time and frequency. The analysis includes occurrence of notifications, threatening events, employee errors and false alarms. Also, the conducted research takes into account the functions performed in the enterprise. For these events, a daily distribution of events and statistical analysis of their occurrence were developed. Thanks to the analysis of the phenomena in time, enterprises can introduce actions preventing the occurrence of incidents. The conducted research has shown that employees report incidents which, in their opinion, constitute an incident, which greatly facilitates the work of the information security administrator. These events are analyzed and classified accordingly. The analysis showed that most events take place between midnight and two in the morning. The conducted analysis is a pilot stu...
2005
Information security executives have always been faced with the problem of justifying security technology investments because the technology benefits are difficult to estimate. There are tangible and intangible benefits that accrue from implementation of security measures; similarly the losses due to security incidents fall into both of these categories. This further complicates estimation. Currently a formal approach to assess damages to information security systems does not exist, neither does a model to select control measures. This paper provides a real world study of the threats to information systems, their damages, and maps some control measures to the threats that can cause these damages.
Developing a Risk Management System for Information Systems Security Incidents
2004
Question 3 - If the threat has not yet occurred, how long do you think it will be (in months) before you suffer such a threat?
Case 1 - "We would expect to see such an attack occur within the next 24 months or so."
Case 2 - "DoS in next 12 months."
Case 3 - "NA"
Case 4 - "Within months to two years"

Question 4 - What type of damages did this/these threat(s) cause (or would likely cause)?
Case 1 - "If such an attack were to take place, substantial, but not irreparable damage to the company brand would occur. The damage would be dependent on the publicity surrounding the access."
Case 2 - "Virus: shutdown systems, caused rebuilds. Intrusions: Notification cost, outside consulting costs, redesign costs."
Case 3 - "A lot would depend on what may have been taken, proprietary information, intellectual properties, etc. For example a bank lost several credit cards, identity theft, and the bad guy(s) actually were able to charge around $10.00. But when this became public the bank's stock fell over 3 points. This loss could have been in the 100's of 1000's."
Case 4 - "We have had one successful application incident that defaced our homepage with profanity. I'm more concerned with what's to come than what we have experienced to date. My concerns lie in someone using our application to access privileged information, planting files on web servers and phishing our customer base."

Question 5 - Is/are this/these threat(s) more likely to be caused by unauthorized or authorized users by using software techniques?
Case 1 - "Authorized users of the system are unlikely to cause these problems, because they are mostly external and minimally motivated to engage in these behaviors. Unauthorized attackers are much more worrisome."
Case 2 - "Unauthorized users"
Case 3 - "Could be both. In addition social engineering could also be used."
Case 4 - "Unauthorized users are our focus for now but the authorized users are still of concern."

Question 6 - What control measure(s) did you have in place that failed to stop the threat?
Case 1 - "N/A"
Case 2 - "Virus. Scanners. (No signatures, old signatures). Break-in (passwords, firewalls, IDS systems)"
Case 3 - "NA"
Case 4 - "There are no control measures in place to counter an application threat."

Question 7 - What type of control measure do you use for this/these threat(s) that do not fall in the category of access control, authentication, data confidentiality, data integrity, and non-repudiation services?
Case 1 - "Source code analysis and intrusion detection systems."
Case 2 - "Background checks"
Case 3 - "This would not apply to us. We respond after the fact in most cases. If we are consulting we would set up some kind of secure server and/or disaster recovery solution."
Case 4 - "We are looking into an application firewall and application auditing software for the developers and security team to help mitigate our exposure."

Question 8 - According to the CSI/FBI Survey, attacks which can cause the most serious financial damages are: theft of proprietary information, financial frauds, and viruses. Do you think this/these attack(s) are more likely to be caused by unauthorized or authorized users by using software techniques?
Case 1 - "Your use of the phrase 'by software techniques' is not clear, but we think that unauthorized external users are the biggest threat. This is somewhat caused by the unusual nature of the data we carry for customers."
Case 2 - "Techniques? Financial fraud is almost always an insider job, usually with authorization. Viruses are from unauthorized outsiders."
Case 3 - "I believe currently, by far maybe even up to and over 70%, employees cause the most damage. They of course would be using the company's software products."
Case 4 - "Because we are a .com company with all employees online at all times with little restriction, unauthorized users are presently our biggest threat. Employees are always exposed to unauthorized users' nefarious techniques."

Question 9 - Which combination of control measures do you prefer?
Case 1 - "Effective ones!"
Case 2 - "Policies and processes. Security Architecture including access control and proactive methods (Virus scanning). Encryption for storing of sensitive data."
Case 3 - "First of all you need policies. Then you would need some kind of hardware and/or software monitoring devices. If probable cause is present, you could take control by using a keystroke monitoring device, with the proper authority."
Case 4 - "Access control and web application security testing and assessment software."

Question 10 - How would you rate the effectiveness of these control measures? For example, to what degree did this/these control measure(s) reduce the probability of the threat or the actual cost of the damage?
Case 1 - "Unfortunately, measuring the effectiveness of most of our defensive measures is difficult."
Case 2 - "I am sure that they reduce the risk. Difficult to determine how much. Good data back up policies reduce the cost to recover."
Case 3 - "If the employee knows they are monitoring his status, etc., it could be very effective."
Case 4 - "Out of 1 to 10? I would rate the measures a 7"

Question 11 - In some cases, using stronger control measures can cause dissatisfaction of clients, e.g. using stronger encryption causes delay in response time. What is the maximum response time to a mouse click, in seconds, that you consider acceptable for your web-based customers?
Security Incident Recognition and Reporting (SIRR): An Industrial Perspective
ArXiv, 2017
Reports and press releases highlight that security incidents continue to plague organizations. While researchers and practitioners alike endeavor to identify and implement realistic security solutions to prevent incidents from occurring, the ability to initially identify a security incident is paramount when researching a security incident lifecycle. Hence, this research investigates the ability of employees in a Global Fortune 500 financial organization, through internal electronic surveys, to recognize and report security incidents in pursuit of a more holistic security posture. The research contribution is an initial insight into security incident perceptions by employees in the financial sector, as well as an initial guide for future security incident recognition and reporting initiatives.
A Comparative Assessment of Computer Security Incidence Handling
British Journal of Mathematics & Computer Science, 2014
Incidence response and handling has become a crucial, indispensable constituent of information technology security management, as it provides an organised way of handling the aftermath of a security breach. It presents an organisation's reaction to illegitimate and unacceptable exploits on its assets or infrastructure. The goal must be to successfully neutralise the incident, such that damages are significantly reduced with an attendant reduction in recovery time and costs. To achieve this, several proposed approaches and methodologies have been reviewed with a view to identifying essential processes. What is needed is referred to as incident capability mingled with collaboration. This defines a shift from response to management of computer security incidents in an inter-relationship manner that fosters collaboration through the exchange and sharing of incidence management details among several distinct organisations. Key step-up aspects centre on issues of enforcing and assuring trust and privacy. A viable collaborative incident response approach must be able to proffer both proactive and reactive mechanisms that are management-oriented and incorporate all required techniques and procedures.
Security Incident Response Criteria: A Practitioner's Perspective
Industrial reports indicate that security incidents continue to inflict large financial losses on organizations. Researchers and industrial analysts contend that there are fundamental problems with existing security incident response process solutions. This paper presents the Security Incident Response Criteria (SIRC) which can be applied to a variety of security incident response approaches. The criteria are derived from empirical data based on in-depth interviews conducted within a Global Fortune 500 organization and supporting literature. The research contribution of this paper is twofold. First, the criteria presented in this paper can be used to evaluate existing security incident response solutions and second, as a guide, to support future security incident response improvement initiatives.
Proceedings of the 21st International Conference on Enterprise Information Systems
The growth and evolution of threats, vulnerabilities, and cyber-attacks increase security incidents and generate adverse impacts on organizations. Nowadays, organizations have strengthened their information security through the implementation of various technological solutions. Nevertheless, defined processes for the proper handling and coordinated management of security incidents should be established. In this paper, we propose an incident management framework that is adaptable to educational organizations and allows them to improve their management processes in the face of computer incidents. We introduce a coordination network with three levels of decision-making that defines interfaces and communication channels, with supporting policies and procedures for coordination across processes and process actors. It enables different organizations to maintain focus on different objectives, to work jointly on common objectives, and to share information that supports them all in case of security incidents. Our model enables the examination of incident management processes that cross organizational boundaries, both internally and externally. This can help CSIRTs improve their ability to collaborate with other business units and other organizations when responding to incidents.
Computers & Security, 2016
Recent attacks and threat reports indicate that industrial control organizations are attractive targets for attacks. Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by organizational, human, and technological factors. We have conducted extensive fieldwork for 2.5 years in Norwegian electric power companies with the aim of identifying challenges for improving information security incident management practices. Semi-structured interviews, document analysis, a survey and participant observations have been performed as part of this case study. We describe how training for responding to information security incidents is given low priority and that different types of personnel, such as business managers and technical personnel, have different perspectives and priorities in regard to information security. Moreover, there is a gap in how IT staff and control system staff understand information security. Furthermore, cross-functional teams need to be created to ensure a holistic view during the incident response process. To improve the capacity for responding to incidents, organizations need regular training sessions and systematic evaluations after such sessions. There is also the potential for improvement in evaluating minor incidents. A transition from an ad hoc approach to a systematic approach in training and learning requires a reorientation not only by the electric power companies but also by management. We found that learning to learn will enable the organizations to improve their incident response practices.
2018
This paper reports a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. We focused on empirical evidence from extant research studies and identified four general challenges related to: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these risks, nine measures were prominent in the selected studies. Training and organizational collaboration across the hierarchical levels were widely used to enhance the security culture. In addition, awareness campaigns for the workforce, as well as continuously measuring and improving security initiatives were highly recommended. Our literature review points to the socio-technical aspects of information security. Although many organizations have both administrative and technical infrastructures in place, they must also think about employee attitudes, knowledge, and behavior. Information systems research towards this direction needs to be further developed. More qualitative studies are needed for exploring how to develop a culture of security awareness and for gaining insights on how security rules and training courses can become more appealing and accessible.