Understanding Collaborative Challenges in IT Security Preparedness Exercises

IT security preparedness exercises allow for practical collaborative training, which in turn improves an organization's capability to respond to information security incidents. However, such exercises are not commonly performed in the electric power industry. We have observed a tabletop exercise as performed by three organizations with the aim of understanding the challenges of performing such exercises. We argue that challenges met during exercises could affect the response process during a real incident as well, and that improving the exercises would strengthen the response capabilities accordingly. We found that the response team must be carefully selected to include the right competences and all parties that would be involved in a real incident response process, such as those with technical, managerial, and business responsibility. Further, the main goal of the exercise needs to be well understood by the whole team, the facilitator needs to ensure a certain time pressure to increase the value of the exercise, and both the exercise and existing procedures need to be reviewed. Finally, there are many ways to conduct preparedness exercises. Therefore, organizations need to both optimize current exercise practices and experiment with new ones.
