
6.7. Demonstration of the Interface Prototype

6.7.1. Individual Situational Awareness

Lessons Learnt

The lesson learning mechanism is a way of ensuring that the incident is less likely to occur in the future or, if it does, of minimising the damage it could cause. The mechanism could be achieved by ensuring that users comply with the organisational information security policies. For instance, individuals could be notified of their compliance or non-compliance with information security policies, thus increasing their awareness of ISIM processes, which is one of the main objectives of the study.


Figure 6-5: Users’ Login Form

Detection-Registration of an Incident

The perception phase at the individual level occurs when the user detects an information security incident, which leads to registering the incident on the system. The system administrator or the ISIRT provides the required credentials for all users. This includes their personal details (full name, department, phone number, email address, physical address, etc.).


Figure 6-6: An Instance of the Information Security Incident Reporting Page

The captured personal information data is utilised to compile a profile of users in order to identify the reporter of an incident.

Figure 6-6 shows the incident registration or reporting page. The reporting page helps users in the system to identify various attributes of the incident (i.e., type, intention, source, IP address, frequency, and damage). All users register this basic incident information irrespective of their role and user group. Once the incident is registered, it will be available for review and assessment by the ISIRT members. The ISIRT members will embed additional information such as incident cause, damage, ‘precaution’, severity, etc. ‘Precaution’ is the set of actions that users must comply with as part of the ISIM response process. Moreover, all users will also be able to access incident information according to their role.


Figure 6-7: An Instance of a Review Incident Report

Users can review past incident information to enhance the shared understanding of related incidents. This review report allows users to review the type of incident, intention, source (i.e., branch) and the damage caused. Figure 6-7 shows the summary report of past information security incidents. Although the ‘Review Incidents’ functionality was not demonstrated to the participants, it was available in the prototype for review.

Comprehension of the Incident

Comprehension of an incident at an individual level includes triangulation and correlation with other incidents that are related within the organisation. It is supported by a sense-making functionality of past incidents in order to enhance the understanding of the current incident.

During the comprehension stage, the user can triangulate information via a system query.

Figure 6-8 shows the triangulation mechanism to retrieve incident information as part of the comprehension process.


Figure 6-8: Demonstration of Incident Triangulation

Figure 6-9 shows the report of the triangulated incident information from the search demonstrated in Figure 6-8. Depending on the incident data, the result shows the number of incident data associated with the parameters of the incident. The triangulated incident information shows the incident number, who reported the incident, incident type, attack intention, incident source, IP address, incident category, incident causes, the recommended precaution, the severity, and the status of the incident.

Figure 6-9: An Instance of an Information Security Incident Triangulation Report


The triangulation functionality was not demonstrated to the participants but was available in the prototype for inspection. The triangulation function works in the prototype by selecting the incident number, intention, source, and other parameters.

Correspondingly, users reach the comprehension phase regarding an incident from the ‘Comprehend Incident Report’ (see Figure 6-10). This report, which is depicted in the demonstration, shows the triangulated incident with its attributes, such as the incident type, incident intention, incident source, IP address, incident damage, incident category, incident cause, incident precaution, incident severity and incident status, for further understanding. In this comprehension process, the ISIRT updates it according to the incident report, whereas users access the comprehension report for understanding purposes.

Figure 6-10: An Instance of an Information Security Incident Comprehension Report

This incident information will be registered in the central information security repository. The registered incident information will then be reviewed and ‘comprehended’ by ISIRT members for validity and dissemination. In the comprehension process and function, this ‘comprehended’ incident information can be accessed by all users. All users can therefore request, access, and utilise this comprehension report for their consumption, enhancing their awareness.

Projection of Future Incidents

Users can project incidents from previously submitted incidents. The projection of incidents at this level by an individual enables the user to independently infer the pattern of incidents in their organisation without the support of ISIRT. Such projected incident information will be available for review by the ISIRT members. The ISIRT will use this information and their technical expertise to adjust the user projection into an enhanced incident forecast. Figure 6-11 shows the projection component of an incident at the individual level. At this stage, there is a mechanism for users to project incidents at their role level through selecting and matching the various attributes of the incident such as source, cause, branch, damage, and incident category.

Users select numerous parameters of the incident and activate the ‘Project Incident’ button to acquire the projection report.

Figure 6-11: An Instance of an Information Security Incident Projection Page

After the user clicks the ‘project incident’ button, an incident projection report will be retrieved from the system by triangulating a simulated visual projection report. The data for the projection is set by the user in order to obtain the visualised interface-based projection according to their input parameters. Users initially input various parameters for incident projection such as intention, branch, and cause of incident for projection purposes. After the users have inputted the required parameters on the projection page, the system retrieves incident data from the database to show the pattern of projection across various incident types.

Note that this process was simulated. The number of incidents, attack type or incident severity is displayed as a visualisation. The projection of incidents is displayed in a visualised manner so that users can easily infer the most pressing incident in the organisation. Figure 6-12 shows how the individual situational awareness incident projection simulation can be retrieved. It shows the projected probability of incident occurrence (vertical axis) in relation to incident case type (horizontal axis) that occurred in the organisation.

Figure 6-12: An Instance of an Individual Situational Awareness Incident Projection Report
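A minimal sketch of the triangulation and projection steps described above, added here as an illustration and not taken from the thesis prototype. It assumes that triangulation is an exact match on an allowlist of incident attributes and that the projected probability is the relative frequency of each incident type among the matching records; the records, field names and function names are constructed for the example.

```python
from collections import Counter

# Attributes a user may filter on (names follow the attributes listed in the text).
FIELDS = ("no", "type", "intention", "source", "cause", "severity")

# Constructed sample rows standing in for the central incident repository.
ROWS = [
    (1, "phishing",  "malicious",  "Branch A", "user error",         "high"),
    (2, "malware",   "malicious",  "Branch A", "unpatched software", "high"),
    (3, "phishing",  "malicious",  "Branch B", "user error",         "medium"),
    (4, "data leak", "accidental", "Branch A", "misconfiguration",   "low"),
    (5, "phishing",  "malicious",  "Branch A", "user error",         "medium"),
    (6, "malware",   "malicious",  "Branch B", "unpatched software", "high"),
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in ROWS]


def triangulate(incidents, **criteria):
    """Return the incidents that match every selected attribute.

    Only attributes in FIELDS are accepted, so a caller cannot filter on
    (or probe for) fields outside the reporting form.
    """
    unknown = set(criteria) - set(FIELDS)
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")

    def matches(record):
        return all(str(record[k]).lower() == str(v).lower()
                   for k, v in criteria.items())

    return [r for r in incidents if matches(r)]


def project(incidents, **criteria):
    """Relative frequency of each incident type among the matching records.

    Assumption: past frequency is used as the projected probability of
    occurrence. An empty result means there is no history to project from.
    """
    matched = triangulate(incidents, **criteria)
    counts = Counter(r["type"] for r in matched)
    total = sum(counts.values())
    return {t: n / total for t, n in counts.most_common()} if total else {}


if __name__ == "__main__":
    print(triangulate(INCIDENTS, intention="malicious", source="Branch A"))
    print(project(INCIDENTS, intention="malicious"))
```

The dictionary returned by `project` corresponds to the two axes of Figure 6-12: incident type as the key and projected probability as the value.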