Phase II: Evaluation
CHAPTER 5: CONCEPTUAL MODELLING 5.1. Introduction
5.3. Applicability of Situational Awareness to ISIM
communication. However, they did not validate the process of a shared mental model; they sensed that this could be the unaccounted component of the information in the incident ticketing system required by many experts and technicians.
However, mental models are difficult to define and Endsley (2001) points out that those mental models are more generic whereas a situational awareness model incorporates the system’s parameters and the understanding of the dynamics, and provides a useful window on a generic mental model. Furthermore, a situational awareness model is a “current instantiation” of the mental model. Scarfone et al. (2008) proffered that in order to sustain situational awareness in incident management, the processes of preparation, documentation and the assignment of roles and responsibilities are critical issues. Situational awareness involves the informed and sensible dynamic contribution and reflection by an individual on a certain situation that provides a dynamic context to reflect on the past, present and potential future features of an incident (Stanton et al., 2001). The reflection dynamic can be constituted with conceptual-logical, ingenious, aware and unconscious elements which support activities of individuals to exercise mental models (Bendy et al., 1999). In the next section, the applicability of situational awareness to ISIM is considered.
Figure 5-2: Levels of Situational Awareness (from Endsley (1995)) redefined to encompass ISIM
The concepts of ‘perception’, ‘comprehension’, and ‘projection’ can be considered to symbolise progressively developing levels of awareness, ranging from (i) basic perception of data, through (ii) combination and interpretation of data, to (iii) the aptitude to predict future events and their implications (Bendy et al., 1999; Franke & Brynielsson, 2014; Stanton et al., 2001). The situational awareness model is highly suited to organisational processes. The practice of situational awareness for incident response is less prevalent in organisations, which indicates the need for further empirical studies from the process perspective (Ahmad et al., 2021; O’Brien et al., 2020). In this regard, Webb et al. (2014) emphasised the importance of situational awareness to information security and risk management, which share common problems with ISIM: (1) risk identification of information is perfunctory; (2) information security risks are projected without a consideration of situational awareness; (3) security risk evaluations are conducted irregularly, without the consideration of previous data. The application of situational awareness is also extraordinarily complex and needs to consider other factors such as individual, team and environmental issues (Bolstad & Gonzalez, 2004).
In a previous study conducted by Line and Albrechtsen (2016), the application of situational adaption to ISIM was considered from an industrial perspective, drawing on theory that positions it as a management element for industrial safety. An analysis of incident data from organisational collaborative practices linked situational awareness to design and policy implications (Riebe et al., 2021).
[Figure 5-2 labels: ‘Perception of Elements in the Current Situation’ (e.g., perceiving a new incident); ‘Comprehension of the Current Situation’ (e.g., sense making of the incident that occurred); ‘Projection of Future Status’ (e.g., forecasting about future incidents)]
Section 2.3 of Chapter Two explored a study to develop a toolset for cyber-incident handling of decision support systems, which applied a situational awareness model within the OODA (Observe, Orient, Decide, Act) loop; however, the process was automated without human involvement (Husák et al., 2022). Situational awareness was also applied in sharing information for critical infrastructures to support decision making through operational and technical means (Pöyhönen et al., 2019). The model developed by Padayachee and Worku (2020) exemplified that the process of ISIM could progress from individual situational awareness to shared situational awareness, thereby enhancing the collaborative power and responsiveness in the process. Nevertheless, the model does not accommodate the communication channels. Linderoth et al. (2015), who studied situational awareness within health care emergencies, which shares some parallels with incident response, revealed that communication, situational awareness, and attitude were the major problems, and they specified that effective communication mechanisms are critical to obtaining acceptable and congruent situational awareness. The processes of information security incident planning, identification and communication are vital steps in ISIM processes, followed by assessment, response, decision and lessons learnt (Humphreys, 2008). Thus, communication pathways are a focal element within every phase in information security incident response (ISO/IEC, 2016; Tøndel, Line, & Jaatun, 2014).
Extant literature demonstrated the application of situational awareness within the context of information security and emphasised the key role of team work at every step of cyber security for a coordinated effect of situational awareness processes for improved response (Husák et al., 2022). While many studies relate security awareness to learning, organisations do not practically learn from earlier incidents within a real-world context and consequently neglect to implement strategic security issues (Ahmad et al., 2012). Thus, the application of the situational awareness model in information technology and other disciplines has been emphasised and used in a variety of contexts (Webb, Ahmad, Maynard, & Shanks, 2014). Although Yang, Byers, Holsopple, Argauer, and Fava (2008) considered the concept of projection from Intrusion Detection Systems (IDS), in the study at hand, the proposed model also considers a user-centred perspective in which it uses existing data directly obtained from the user to analyse, compare, decide and project incidents. The existing incident information from the previous steps (perceiving and comprehension) will serve as a mechanism to project the possibility and occurrence of incidents with detailed information about the previous incident.
Situational awareness has a significant role in understanding, perceiving, and projecting imminent incidents so as to proactively address risks and vulnerabilities. Consistent with Barford et al. (2010), there are seven elements of situational awareness that are applicable to ISIM, which were also promoted by Padayachee and Worku (2017). The seven aspects of situational awareness that could be used to support ISIM are listed as follows:
(i) Awareness of the existing situation which includes situation sensing (recognising that an incident attack is happening) and detection (i.e., type of attack), the source (who, what) and potential attack target.
(ii) Awareness of the attack impact (assessment and analysing vulnerability) which includes the existing impact and successive assessment.
(iii) Tracking the existing situation.
(iv) Adversary’s behaviour awareness, patterns, intent, and trend analysis.
(v) Understanding why and how the current situation is occurring.
(vi) Understanding of the reliability of the gathered incident situation information.
(vii) Predicting future actions away from the adversary and limiting the adversary in the future, whereby the control involves knowing the motive, prospect, and ability.
However, a multi-actor engagement such as ISIM requires more than individual situational awareness; it requires shared situational awareness. According to Endsley (2001, p. 3), shared situational awareness is defined as “the degree to which team members possess the same SA (situational awareness) on shared SA (situational awareness) requirements”. Shared situational awareness, which is apt to organisational situations, refers to “the degree of accuracy by which one's perception of his current environment mirrors reality and a number of individuals trying to create a common picture” (Nofi, 2000, p. 4). According to Kurapati et al. (2012, p. 48), research on shared situational awareness has “not dealt enough with the multi-stakeholder networks or organisations”. Nofi (2000) proposes building shared situational awareness based on the following criteria. Initially, consider the individual’s situational awareness within the structure of what needs to be undertaken. Secondly, form roles for other members of the organisation to properly share their mental models (awareness) using a given communication procedure. Thirdly, incorporate numerous individual mental models of the situation to produce a mutual understanding. Thus, Padayachee and Worku (2020) leveraged communication protocols of shared situational awareness, appropriating from Linderoth et al. (2015), in that their model considers communication and situational awareness to intervene as pathways for effective shared understanding.
Although there are various works on situational awareness concerning industrial control systems, IDSs and algorithms, less work is devoted to communication or information exchange (Franke & Brynielsson, 2014). The connexion of shared situational awareness relative to ISIM is illustrated in Figure 5-3.
Figure 5-3: Shared Situational Awareness in ISIM (adapted from Padayachee and Worku (2020) and Linderoth et al. (2015))
In Figure 5-3, a user identifies an incident and is required to report the incident. The user reports it according to their perception about the incident (e.g., the type of incident, source of incident and potential target of the incident). The user will also attempt to ‘comprehend’ the information related to the incident from perceived and existing incidents. In addition, the user will create a ‘projection’ of the incident based on their perception and comprehension of the incident. In other words, they will forecast future incidents. The user will then communicate their incident report to the Information Security Incident Response Team (ISIRT), who will analyse and interpret the incident report. By applying the existing information and further tools (e.g., vulnerability analysis and impact assessment) together with their perceptions and comprehension of the current situation, the ISIRT will also make a projection of succeeding incidents that will support the planning, preparation and lesson learning processes of ISIM. This is an internal communication between the team members within the ISIRT. Thereafter, the ISIRT will communicate the assessments, responses and decisions made to the wider community in the system, thereby increasing the participation of all stakeholders. The framing shows that incident communication is possible among users, thereby supporting a shared understanding of an information security incident.
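As an added illustration (not code from the thesis or from Padayachee and Worku), the three-level flow of Figure 5-3 and Endsley’s definition of shared situational awareness can be made concrete: a report carries level-1 perception fields, level 2 relates it to the existing ticket history, level 3 projects likely next targets from that history, and the agreement between team members’ projections is scored. The incident history, the frequency-based projection and the agreement measure are constructed assumptions for the example.

```python
"""Illustrative model of perception, comprehension and projection applied to an
incident report, plus a simple shared-awareness score. Added example; not the
thesis's own code. History data and the scoring rules are constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Incident:
    kind: str        # level 1 (perception): type of incident
    source: str      # level 1 (perception): where it came from
    target: str      # level 1 (perception): what it aimed at
    related: list = field(default_factory=list)      # level 2 (comprehension)
    projection: dict = field(default_factory=dict)   # level 3 (projection)


# Constructed history of previously handled incidents (the "existing data").
HISTORY = [
    Incident("phishing", "external-mail", "finance"),
    Incident("phishing", "external-mail", "hr"),
    Incident("malware", "usb", "engineering"),
    Incident("phishing", "external-mail", "finance"),
]


def comprehend(report: Incident, history=HISTORY) -> Incident:
    """Level 2: relate the new report to prior incidents of the same kind."""
    report.related = [h for h in history if h.kind == report.kind]
    return report


def project(report: Incident) -> Incident:
    """Level 3: forecast likely next targets from the related incidents.
    Assumed measure: share of related incidents that hit each target."""
    counts = Counter(h.target for h in report.related)
    total = sum(counts.values()) or 1
    report.projection = {t: round(n / total, 2) for t, n in counts.items()}
    return report


def shared_awareness(projections: list) -> float:
    """Assumed Endsley-style score: targets every member projected in common,
    as a fraction of all targets any member projected (1.0 = identical SA)."""
    sets = [set(p) for p in projections]
    common, union = set.intersection(*sets), set.union(*sets)
    return round(len(common) / len(union), 2) if union else 1.0


if __name__ == "__main__":
    user = project(comprehend(Incident("phishing", "external-mail", "sales")))
    print(user.projection)                      # user's level-3 projection
    isirt = {"finance": 0.5, "legal": 0.5}      # a constructed ISIRT member view
    print(shared_awareness([user.projection, isirt]))
```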
While the application of situational awareness is useful in multi-actor contexts, the integration of communication mechanisms has been considered a critical factor in enhancing situational awareness in an interactive manner (Bolstad et al., 2004). The next subsections explore the coordination of communication efforts in tandem with situational awareness to address the key challenges identified by the exploratory study.