Challenges in IT security preparedness exercises: A case study

Preparedness exercises need to be performed in several different ways. Only one goal should be defined for each exercise, and the design depends highly on this goal. All required competence needs to be included in an IT security preparedness exercise. Post-evaluation highly increases the learning effect from an exercise.

The electric power industry is currently implementing major technological changes in order to achieve the goal of smart grids. However, these changes are expected to increase the susceptibility of the industry to IT security incidents. IT security preparedness exercises are not commonly performed in the electric power industry, even though this industry is considered part of society's critical infrastructure. Resolving an IT security incident requires inter-departmental collaborations between various categories of personnel, and to successfully achieve this, training is required. The process of preparing a response to incidents enhances the nature of collaboration, coordination, and communication within an organization. Our objective is to understand the challenges faced when performing IT security preparedness exercises, as challenges experienced during these exercises affect the response process during a real incident. By improving the exercises, the response capabilities would be strengthened accordingly. We have designed a multiple-case study with six teams in three organizations. We collected data by performing semi-structured interviews, participant observations, and from process artifacts. We identified six main challenges involving team composition and external expert involvement, goal definition, documentation, and time management. In summary, there are many ways of conducting preparedness exercises. Therefore, organizations need to both optimize current exercise practices and experiment with new ones in order to ensure continuous learning and improvement; hence, they can be adequately prepared to respond to IT security incidents.
