Phase II: Evaluation
CHAPTER 5: CONCEPTUAL MODELLING
5.1. Introduction
5.2. Identification and Scope of the Problem
As discussed in Section 2.2 and Section 2.7 (Chapter Two), the preliminary investigation showed that both the lack of collaboration and poor reporting of incidents are of concern to organisations. This was further confirmed by the exploratory study (Chapter 4). It is evident that it is challenging to achieve proactive ISIM without proper communication and awareness formation in organisations. Such uncoordinated approaches have been attributed to the absence of managerial commitment, lack of collaboration, the lack of appropriate systems for managing incidents and lack of documentation, which is supported by the findings of this study (Section 4.7).
The lack of collaboration and poor reporting of incident information minimises awareness and communication channels. Effective communication in ISIM processes (i.e., plan, detect, analyse, respond and lessons learnt) can play a substantial role in sharing incident information in a collaborative and coordinated approach. From the exploratory study, it was identified that the lack of appropriate reporting structures in organisations led to poor communication during an incident reporting scenario (Section 4.7.1).
Figure 5-1 shows the general demonstration of the problems of ISIM and a possible solution.
Figure 5-1: Identification and Scope of the Problem
Effective communication skills, collaborative learning, and coordinated mechanisms are particularly important for users in exchanging vast quantities of information of any kind in an organisational context (Leu & Kinzer, 2000). The greater the extent of communication flowing within an organisation, the better the levels of knowledge and awareness of security incident information that are sustained (Hove & Tarnes, 2013). Indirectly, if users can get up-to-date incident information, this will reduce the probability of the breach occurring again (Knight & Nurse, 2020). In addition, users will have more awareness regarding existing security breaches and will be able to react more decisively if a similar incident arises.
[Figure 5-1 content. Problem: Lack of Awareness and Poor Communication Channels (Lack of Collaboration; Poor Reporting of Incidents). Possible solution: Shared Mental Model (Promotes Proactive Incident Management).]
This problem domain of awareness creation is fraught with difficulties as it cuts across the technical and sociological domains. Studies related to information security awareness recommend training programmes for awareness formation among users (Hove et al., 2014; Tøndel et al., 2014; Yohannes et al., 2019). Based on the problems that originated from the exploratory study, a socio-technical solution could be useful in coordinating the efforts of awareness and communication. ISIM could benefit from socio-technical solutions to proactively minimise information security incident challenges in organisations (Werlinger et al., 2010). Sarker et al. (2013) identified socio-technical factors such as behavioural, organisational, communication and management issues as core factors for ISIM, which need to be addressed. Thus, in addressing this problem, the study considered a theoretical concept from social psychology that may offer a possible solution, which is a shared mental model.
According to Jonker et al. (2011, p. 132), a shared mental model is defined as follows:
“Shared mental model theory as developed in social psychology, can be used as an inspiration for the development of techniques for improving team work in (human-) agent teams. Thus, it helps to improve team performance if team members have a shared understanding of the task that is to be performed and of the involved team work.”
Converse et al. (1993) contended that a shared mental model can help teams to collaborate effectively in decision making. Broadly speaking, a shared mental model which promotes a proactive ISIM approach is a possible resolution to the problems identified. A mental model can assist in problem-solving and it represents the knowledge of how various components affect other components and how components will act under the influence of numerous factors and stimuli (Floodeen et al., 2013).
Studies show that knowledge structure, team model and conducted cognitive tasks enhance the effectiveness of the team and that advanced analysts depend on prevailing mental models to map out threats and recognise gaps to better understand the operational picture (Chen et al., 2014; Maynard & Gilson, 2014). Entin and Entin (2000) concluded that mental models enable awareness creation, and the congruence and accuracy of these models can influence the level of situational awareness of teams. Floodeen et al. (2013) recommended the application of a shared mental model in security incident ticketing systems to enhance the efforts of communication. However, they did not validate the process of a shared mental model; they sensed that this could be the unaccounted-for component of the information in the incident ticketing system required by many experts and technicians.
However, mental models are difficult to define, and Endsley (2001) points out that mental models are more generic, whereas a situational awareness model incorporates the system’s parameters and the understanding of the dynamics, and provides a useful window on a generic mental model. Furthermore, a situational awareness model is a “current instantiation” of the mental model. Scarfone et al. (2008) proffered that in order to sustain situational awareness in incident management, the processes of preparation, documentation and the assignment of roles and responsibilities are critical issues. Situational awareness involves the informed and sensible dynamic contribution and reflection by an individual on a certain situation that provides a dynamic context to reflect on the past, present and potential future features of an incident (Stanton et al., 2001). The reflection dynamic can be constituted with conceptual-logical, ingenious, aware and unconscious elements which support activities of individuals to exercise mental models (Bendy et al., 1999). In the next section, the applicability of situational awareness to ISIM is considered.