Phase II: Evaluation
CHAPTER 5: CONCEPTUAL MODELLING 5.1. Introduction
5.5. Derivation of the Conceptual Model
5.5.1. Individual Situational Awareness Tier
In this study, the model encompasses the communication of incident information from one sender (user) to another (receiver), which will be encoded and stored in the system. ISIRT will then assess, evaluate, and disseminate the incident information. To support this interactive communication, various parties within the system may have diverse requirements regarding incident information and may use it according to their specific concerns. Thus, the specialised requirements for incident information should be managed through the distinct roles in which people perform their tasks at the organisation. Applying role-based access control to incident information is especially important both for controlling access and for maintaining the functionality of the ISIM processes. Therefore, this study also considers using role-based access control to filter incident information as a tier within the model. Having unpacked in the preceding sections the applicability to incident information of the concepts underpinning the model, that is, situational awareness, IMC and the role-based access control mechanism, the next section presents the derivation of the conceptual model.
cyber situational awareness, individuals may not have all the access to all the information within the shared environment (Husák et al., 2020).
Perception
From an information security perspective, perception involves knowing the elements in an information system, such as being perceptive to the alerts from an IDS and knowing how to report the incident (D'Amico & Kocka, 2005). Perception is the ability of a person, or a vigorous process, whereby individuals detect relevant signals from their environment (Bolstad et al., 2004; Dominguez, 1994). Webb et al. (2014) described the phases of collection, processing, and exploitation from risk analysis as analogous to Perception. They describe collection and processing as occurring concurrently: element state data is gathered, and perception is enhanced after machine processing. The process of information security incident detection can be triggered either through manual or automatic means (Metzger, Hommel, & Reiser, 2011). An individual's information security perception is affected by their technical or formal risk assessment (Line, Tøndel, & Jaatun, 2016), which is also associated with incident detection and reporting. Some of the parameters related to perception include (Lu & Kokar, 2015):
• Indicate the number and status of the incident: this helps users to specify and characterise the incident type, name, and different status of the incident that they perceive at the initial stage.
• Describe why a certain incident happens frequently: at perception level, users assess and analyse why a certain incident happens for a given period.
Comprehension
Comprehension is when individuals use their internal heuristics to understand, correlate, aggregate and compile, from existing incident data, what happened and how the incident was caused (Lu & Kokar, 2015). From an information security perspective, comprehension involves determining which alerts are essential and which are not, and being able to discern the significance of an incident (D'Amico & Kocka, 2005). This describes the ability to inquire, filter and understand existing security concerns. Yufik (2014) argued the importance of comprehension with respect to human cognition for the purpose of inference and understanding. Within the context of situational awareness, the model proposed here incorporates the elements of correlation and triangulation as part of understanding incident information. The elements are incorporated because they enhance the comprehension process of understanding incident information.
To attain comprehension of an incident, analysis, documentation, classification and prioritisation are key functions of the detection and assessment phase of ISIM (Tøndel, Line, & Jaatun, 2014; Cichonski et al., 2012). Bolstad, Cuevas, Costello, and Rousey (2005) also applied situational awareness to the recovery of personnel in a military setting. Drawing on their study, it is possible to infer and request information related to the comprehension of an incident; revised to the context of ISIM, such requests include (Yufik, 2014):
• What is the risk level regarding the incident (high threat, medium threat, or low threat) to the organisation?
• Determine the severity of the incident.
The incident category in terms of severity can range from a simple alarm to critical or to an emergency (ISO/IEC, 2016). Categorisation, compilation and grouping of similar incidents into clusters are important for further analysis within the ISIM processes of detection, analysis and response (Cichonski et al., 2012). Thus, comprehension deals with the synthesis, inference and association of previously detected incidents (Bolstad et al., 2004; Lu & Kokar, 2015). As the comprehension process is related to the analysis and grouping of incidents (Yufik, 2014), it is further posited that the collective understanding of an incident can be improved through the processes of searching, querying, analysing and triangulating. The following points discuss how the comprehension component can be supported:
• Correlation: This is the process of linking current incident information to previous incidents. Here the user can infer incident information by correlating the current incident with similar incidents. This implies that there must be a repository of similar incidents with their facets (damage caused, precautions etc.) available for the user to query.
• Triangulation: This process considers other incident categories from other sources to enhance situational awareness comprehension. Webb et al. (2014) related the concept of comprehension to drawing on multiple specialists to comprehend a state.
The analysis of an incident involves interlinking, classification and determining the status of previously detected incidents (Cichonski et al., 2012). The process of situational awareness comprehension could be enhanced by applying those techniques to the incident assessment and decision phase of the ISIM process (Webb, Ahmad, Maynard, & Shanks, 2014).
Projection
Individual situational awareness involves projection, in which users or individuals use their internal heuristics to understand and infer the causes and the patterns of incidents that occurred in their organisation (Bolstad et al., 2004; Franke & Brynielsson, 2014). Also, the process of projection, as indicated by Husák et al. (2020), is the capability to infer an upcoming forecast based on the data, information and knowledge extracted from the dynamics of the network components and from comprehension of an incident situation (Yang et al., 2008). From an ISIM perspective, projection involves inferring the existing situation and predicting a probable future incident (D'Amico & Kocka, 2005).
Bolstad et al. (2005) applied situational awareness to the recovery of personnel in a military setting. The following questions (parameters) relate to collecting information concerning the projection of an incident, revised to the context of ISIM:
• What could be the suspected incident from the previous incident pattern?
• How do you proactively prepare and plan for incidents before an incident occurs?
The following processes are involved during Individual Situational Awareness:
• Register incident: by user and ISIRT [during the Perception stage]
▪ Correlate incidents [to enhance Comprehension]
▪ Triangulate incidents [to enhance Comprehension]
▪ Project future incidents.
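To make the four Individual Situational Awareness processes above concrete, the following added example (not part of the thesis, and not an implementation from any cited work) sketches them over a small constructed incident repository; the Incident fields, the sample records and the matching rules for correlation and triangulation are this example's own assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed repository record; its facets (category, asset, source, severity,
# status) are assumptions chosen for this example, not the thesis's definitions.
@dataclass
class Incident:
    category: str          # e.g. "phishing", "malware"
    asset: str             # affected system
    source: str            # where it was perceived: "ids", "user_report", ...
    severity: str = "low"  # "low" | "medium" | "high"
    status: str = "new"
    related: list = field(default_factory=list)
    id: int = 0

def register_incident(repo, incident):
    """Perception stage: encode the report and store it with a number and a status."""
    incident.id = len(repo) + 1
    incident.status = "registered"
    repo.append(incident)
    return incident.id

def status_summary(repo):
    """Perception parameter: number and status of incidents in the repository."""
    return dict(Counter(i.status for i in repo))

def correlate(repo, incident):
    """Comprehension: link the incident to earlier ones sharing its category or asset."""
    incident.related = [i.id for i in repo if i.id != incident.id and
                        (i.category == incident.category or i.asset == incident.asset)]
    return incident.related

def triangulate(repo, incident):
    """Comprehension: list the distinct sources that reported the same category."""
    return sorted({i.source for i in repo if i.category == incident.category})

def project(repo, window=3):
    """Projection: forecast the most likely next category from the recent pattern."""
    recent = [i.category for i in repo[-window:]]
    return Counter(recent).most_common(1)[0][0] if recent else None

# Constructed sample incidents, registered in the order they were perceived.
REPO = []
for inc in [Incident("phishing", "mail-gw", "user_report", "medium"),
            Incident("malware", "ws-17", "ids", "high"),
            Incident("phishing", "mail-gw", "ids", "medium"),
            Incident("phishing", "ws-03", "helpdesk", "low")]:
    register_incident(REPO, inc)
```

A user with comprehension rights would call `correlate` and `triangulate` on a newly registered incident, while `project` gives ISIRT a first cut at the pattern question asked above.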
As organisations involve the collaboration of multiple users for information sharing, awareness cannot be achieved exclusively at an individual level, and the following section considers the integration of shared situational awareness into the model concept.