论文信息 - Cyber security exercises: testing an organization's ability to prevent, detect, and respond to cyber security events

Cyber security exercises: testing an organization's ability to prevent, detect, and respond to cyber security events

The digital age has transformed how today's organizations operate. The production and delivery of essential goods and services takes place through complex and interconnected business processes that in turn rely on a set of interdependent infrastructures. These infrastructures and their supporting information systems transcend individual organizations. However, information systems security research is largely under the purview of computer science and engineering departments, and consequently often focuses on technological issues while overlooking the pervasive nature of information systems in today's society. This has generated calls for a new approach to information systems security; one that employs a socio-organizational perspective that includes not only individual organizations but entire industry sectors and government agencies as well. This paper presents one such approach, the use of scenario-based exercises in addressing security issues common to large organizations, industry sectors, and various levels of government. Lessons learned from illustrative examples of such exercises, as well as suggestions to help organizations conduct their own exercise, are discussed.

[1] Stefan Savage,et al. The Spread of the Sapphire/Slammer Worm , 2003 .

[2] Lutz E. Schlange. Scenarios: The art of strategic conversation , 1997 .

[3] K. Schwalm. National Strategy to Secure Cyberspace , 2006 .

[4] P. Schoemaker. Scenario Planning: A Tool for Strategic Thinking , 1995 .

[5] Henk Sol,et al. Proceedings of the 54th Hawaii International Conference on System Sciences , 1997, HICSS 2015.

[6] Frederick M. Avolio. Best practices in network security , 2000 .

[7] Michael K. Reiter,et al. Homeland Security , 2004, IEEE Internet Comput..

[8] James Backhouse,et al. Current directions in IS security research: towards socio‐organizational perspectives , 2001, Inf. Syst. J..

[9] Robert D Austin,et al. The myth of secure computing. , 2003, Harvard business review.

[10] James Backhouse,et al. Structures of responsibility and security of information systems , 1996 .

[11] S. M. Rinaldi,et al. Identifying, Understanding, and Analyzing , 2001 .

[12] Amitava Dutta,et al. Management's Role in Information Security in a Cyber Economy , 2002 .