
CHAPTER 2: LITERATURE REVIEW

2.3. Related Work


to safeguarding informational assets (Knight & Nurse, 2020). Policies could be established to promote the communication of information security incidents, thus expediting the corrective actions that need to be undertaken (Cheung, 2014). This underscores the importance of communication and awareness formation within ISIM processes owing to the human dimension, which warrants further study.


response and prevention paradigm that seeks a careful balance between prevention and response. The advantage of the model is that it prioritises the management of incidents by incorporating a “lessons learnt” phase as a core element between prevention and response. The model developed by Padayachee and Worku (2017) was based on the notion that ISIM processes iterate from individual situational awareness (i.e. “knowing what is going on around you”) to shared situational awareness, thereby enhancing the responsiveness and collaboration of stakeholders when an incident occurs.

Husák et al. (2022) developed a new tool set (named CRUSOE) for enabling situational awareness, in order to address the lack of procedures that manage situational awareness and decision-making in incident handling. The authors claim that situational awareness processes are not adequately managed. They designed a visually enabled web-based system around the OODA loop (observe, orient, decide and act) to support decision-making within the incident response phases; however, the system focuses primarily on awareness for decision-making, without considering the reporting and communication of incidents. Similarly, the model developed by Ahmad et al. (2021) demonstrates the application of situational awareness from a management perspective by designing a process model within the incident response process. However, there was no real participation by end-users, because the initial requirements elicitation excluded them. Thangavelu et al. (2021) also proposed an empirically validated model for information security professionals that demonstrates the link between metacognitive awareness and self-efficacy, but with limited emphasis on communication and on instigating the participation of end-users. Likewise, Thangavelu and Krishnaswamy (2020) developed a conceptual model for incident management based on National Institute of Standards and Technology Special Publication 800-16 (NIST SP 800-16) to depict the effects of Comprehensive Information Security Awareness (CISA) on threat management from a system and situational awareness perspective, without due consideration of the communication perspective, which the current study attempts to incorporate.

Existing models to support ISIM are limited in some respects. For instance, although the model proposed by Metzger et al. (2011) was successfully implemented, its reporting process is limited to specific users such as Computer Security Incident Response Teams (CSIRTs) and network administrators. Additionally, some security incidents are not reported at all, which limits situational awareness and hinders users from reporting incidents comprehensively. The model proposed by Imamverdiyev (2013) does not consider the socio-technical perspective and focuses only on the prioritisation of incidents, with limited attention to post-incident prioritisation. Moreover, the model proposed by Baskerville et al. (2014) does not address the communication and awareness efforts required in the practice of ISIM. The model proffered by Padayachee and Worku (2020) did not incorporate communication protocols as a fundamental element within the processes of ISIM. The model by Husák et al. (2022) does not instigate participation by end-users, because the initial requirements elicitation excluded them.

Organisational studies show that incident reporting, collaboration, incident detection, post-incident experience sharing, and rehearsals have not been given the required attention (Tøndel et al., 2014; Yohannes et al., 2019). According to Ahmad et al. (2015), who conducted a study in the Australian financial sector, the lack of formal structures has negatively impacted the “lessons learnt” component of ISIM. This implies that the lessons learnt from previous incidents in an organisation could not be used effectively to resolve future incidents. According to Bartnes et al. (2016), who assessed the practice of ISIM in a Norwegian electric power organisation, the coordination of the processes was limited. Similarly, Line (2013) found that in the power industry ISIM processes were relatively unsystematic and that coordination among organisational users was poorly managed. Correspondingly, Yohannes et al. (2019), who conducted a study involving Ethiopian banks, found that although the banks were compliant with the Information Technology Infrastructure Library (ITIL) and International Organisation for Standardisation (ISO) standards, there were no formal ISIM practices in these entities. Jaatun et al. (2009), who studied ISIM practices within the Norwegian petroleum industry by interviewing nine experts, found several issues of concern: information security measures were mostly technical (not human-centric), mutual plans for responding to incidents were largely absent, scenario training opportunities were not considered, learning from previous incidents was not published, root causes of incidents were not identified, openness and awareness of incidents were marginal, and reporting systems were incompatible. Across these studies, then, incident reporting, collaboration, incident detection, post-incident experience sharing, and rehearsals were not given the required attention.


Various recommendations have been suggested to address the challenges concerning the management of ISIM. Metzger et al. (2011) recommend automatic, scheduled reporting functions and the opportunity to configure thresholds for mail monitoring and for quarantining compromised systems and sub-networks within a formally specified incident response process.

Padayachee and Worku (2017) recommended the involvement and active engagement of all users (end-users and management) within routine incident management processes. Husák et al. (2022) posited that the cyber security community should embrace the concepts of cyber-situational awareness and the tools that facilitate it. A comprehensive and unified approach to ISIM was recommended by Line et al. (2014). Correspondingly, Jaatun et al. (2009) argued that it is essential to inculcate a reporting culture in organisations in order to unify ISIM processes. Their suggestions include enhancing the communication capacity of stakeholders through individual training and organisational learning, so as to unify situational understanding. The recommended approach involves learning lessons from incidents (both reactively and proactively), since an organisation can learn from previous and real-time incidents alike; this accentuates the importance of organisational learning (Jaatun et al., 2009). Van Wyk, Van Biljon, and Schoeman (2020) also recommend that future research examine the evolutionary processes of reformulation, technology advancements and design improvements, including how the solution (comprising the knowledge visualisation criteria and the incident management system) can be generalised to solve similar problems in other contexts.

From an organisational perspective, ISIM can be supported by means of automated incident reporting. For instance, the use of incident tracking systems could be advantageous (Metzger et al., 2011; Tøndel et al., 2014). It is advisable for organisations to maintain a structured approach to information security awareness programmes in order to measure their effect and effectiveness in empowering end-users to stay safe and secure online (Kruger & Kearney, 2006).

The ISO/IEC 27035 standard promotes training, awareness and up-to-date incident reporting and information sharing; however, ISIM is marred by poor cooperation and insufficient incident communication efforts (Tøndel et al., 2014). Thus, organisations should leverage an integrated and standardised format for incident response (Schlette et al., 2021). In this regard, organisational stakeholders (external or internal) may be the weakest link in the information chain, or even a potential threat to the organisation (Johnson, 2006). Therefore, it is imperative that the employees of an organisation work in a collaborative, dynamic and coordinated manner in order to manage these challenges (Line et al., 2016). Consequently, since effective communication mechanisms are critical to obtaining relevant situational awareness (Linderoth et al., 2015), this research study aims to explore how organisations manage and harmonise awareness and communication efforts in ISIM, as a foundation for proposing a conceptual model that responds to these core challenges.

2.4. Information Security Incident Management Standards