How integration of cyber security management and incident response enables organizational learning

Organizational digital assets are under constant threat from a wide assortment of malicious actors, and when those threats materialize the consequences can be significant. Most large organizations invest in a dedicated information security management (ISM) function to protect their digital assets. The ISM function conducts risk assessments, develops security strategy, provides policies and training to define roles and guide behavior, and implements technological controls such as firewalls, antivirus, and encryption to restrict unauthorized access. Despite these protective measures, incidents (security breaches) will still occur. Alongside the security management function, many organizations therefore also retain an incident response (IR) function to mitigate the damage from an attack and promptly restore digital services. However, few organizations integrate these two functions and learn from their combined experience in a way that enables them not only to respond to security incidents, but also to proactively navigate the threat environment. In this article we draw on organizational learning theory to develop a conceptual framework that explains how the ISM and IR functions can be better integrated. Strong integration of the ISM and IR functions in turn creates learning opportunities that lead to organizational security benefits, including increased awareness of security risks, compilation of threat intelligence, removal of flaws in security defenses, evaluation of the logic behind security defenses, and enhanced security response.
