
Phase II: Evaluation


6.2. Structural Components and Design Specifications of the Model

The prototype was an interface prototype which simulates a subset of the functionality of the model. The encoding and decoding elements of the communication protocols were not prototyped as these functionalities are internal to the system and would theoretically use contextual information to encode and decode the incident information contained in the reports.

The prototype was evaluated only on sample data, not within a real-world context. The structural components of the prototype are derived from the core components of the model. The following sub-sections discuss the structural components of the model.

6.2.1. Individual Situational Awareness – Specific Descriptions

The individual situational awareness incorporates perception, comprehension, and projection components of the model (Section 5.5.1).

Perception

The system is predicated on the user detecting an information security incident. This process involves the perception of the source of an incident, which is the basic preliminary incident data before any form of processing. It includes data related to the incident name, incident type, incident category, and incident frequency. It may also locate the basic source of the incident using its Internet Protocol (IP) address in collaboration with the Information Security Incident Response Team (ISIRT) members. This process allows registered users to capture an occurrence of an incident on the system.

Comprehension

This process deals with further analysis of the basic incident information detected at the perception step. The comprehension component analyses possible existing relationships between available incidents for their correlation or interaction. It enables the user to trace the frequency of an incident through triangulation of a variety of sources. Users can view the source IP address and its relation to other IP addresses amongst numerous transactions. The visualisation links incident information between various entities to animate the path of the incident. Such relational linkage enables the reporter of the incident to enhance their comprehension at an individual level, so that users can relate and link their existing knowledge with the organisational incident database. As all incident information is stored and communicated to all users according to their role and access, the cumulative summary and the aggregated incident data analysed by all users support both individual and shared understanding. This helps to establish a common and shared picture of how information security incidents are manifesting in the organisation. This component leverages the sense-making strategies of triangulation (i.e., multiple sources of data) and correlation with known incidents, and includes visualisation to improve the understanding of an incident.

Projection

This step considers the projection of the next incident based on the current incident encountered. The projection component attempts to visualise the frequency and patterns of incidents using graphs and charts. This step aims to determine the next entity that could be attacked if the attacker is not stopped, or the type of attack that will prevail in a specific context. For example, an attacker who gains access to an employee entity can then use that access to reach the client entity. The projection incorporates information on the type of incident and on the group that could be vulnerable to the attack. These projections assist organisational users in inferring and predicting the probability of a recurrence of an incident from the existing collected incident information.

The information collection for incident projection includes:

• Incident type

• Attack intention

• Incident source (origin)

• IP Address

• Incident frequency

• Incident damage

6.2.2. Shared Situational Awareness – Specific Descriptions

In the shared situational awareness component (Section 5.5.2), conveyance, convergence and visualisation are the core mechanisms. This component supports the processes of conveyance and convergence with respect to strategies such as contextualisation (i.e., team members use their past experiences to develop a shared understanding), action (i.e., team members use this strategy when confronted by new incidents, interacting with one another by asking and responding to questions and by seeking and providing information), triangulation (i.e., using a variety of sources to obtain a rich picture from a diversity of users), deliberation (i.e., integrating the contextualisation, triangulation and action information to form an individual mental model) and affiliation (i.e., creating a shared mental model by comparing individual mental models). However, in a socio-technical solution some aspects occur between human actors, and it was not practically possible to show these interactions within the interface prototype.

This component also supports the functional processes of ISIM (i.e., planning, detection, assessment, response, and lessons learnt). The actions depicted in the prototype include detection, assessment, response, and lessons learnt. Note that these depictions are largely limited, in that only a minor subset of the functionality is considered. In the shared situational awareness component, the processes of comprehension and projection are also involved in promulgating a shared understanding of the incidents. The comprehension and projection at the individual level are mirrored at the shared level, ensuring enhanced understanding for users. Much of the shared situational awareness component revolves around the processes of ISIM and the engagement of the ISIRT.

Thus, the ISIRT is responsible for the following objectives:

• Comprehends, assesses, and determines incident severity level.

• Assesses and updates incident metadata such as its source, intention, and type.

• Conducts incident assessment retrospectively for possible causal analysis and response.

• Verifies incident data input by users for its completeness and truthfulness.

• Projects the next incident from the previous incident.

Note that these ISIRT objectives are also only partially realised in the interface prototype; however, these interactions need to be considered for a full-scale implementation of the model.

6.2.3. Role-based Situational Awareness – Specific Descriptions

The various roles in the organisation are simulated in the prototype (Section 5.5.3). Differentiated roles allow users to obtain incident information pertaining to their access and privileges in the organisation. In this instance, the role is categorised into three types: end-user, ISIRT and management. In this regard, the model provides a mechanism for each role to receive customised incident information.
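To make the individual situational awareness mechanisms of Section 6.2.1 (perception, comprehension, projection) and the role-based views of Section 6.2.3 concrete, the following Python sketch is an added example; it is not part of the thesis or its prototype. The target_entity field, the transition-based projection and the per-role visibility rules are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Incident:
    """Perception: the basic incident data a registered user captures (Section 6.2.1)."""
    incident_type: str
    source_ip: str
    target_entity: str  # assumed field: entity affected, e.g. "employee" or "client"
    reporter: str

class IncidentRepository:
    def __init__(self, incidents):
        self.incidents = list(incidents)  # central repository, kept in reporting order

    def comprehend(self, source_ip):
        """Relate one source IP to its frequency, reporters and the entities it touched."""
        related = [i for i in self.incidents if i.source_ip == source_ip]
        return {"frequency": len(related),
                "reporters": sorted({i.reporter for i in related}),  # triangulation of sources
                "entities": [i.target_entity for i in related]}

    def project(self, source_ip):
        """Projection: likeliest next entity for this source (with probability), learned from
        entity-to-entity transitions observed across all sources (e.g. employee -> client)."""
        paths, transitions = defaultdict(list), defaultdict(Counter)
        for i in self.incidents:
            paths[i.source_ip].append(i.target_entity)
        for path in paths.values():
            for prev, nxt in zip(path, path[1:]):
                transitions[prev][nxt] += 1
        current = paths[source_ip][-1] if paths[source_ip] else None
        if current is None or not transitions[current]:
            return None  # unknown source, or no transition ever observed from its last entity
        nxt, count = transitions[current].most_common(1)[0]
        return nxt, count / sum(transitions[current].values())

    def view(self, role, user=None):  # role-based SA (Section 6.2.3); visibility rules assumed
        if role == "end-user":
            return [i for i in self.incidents if i.reporter == user]  # own reports only
        if role == "ISIRT":
            return list(self.incidents)  # full detail for assessment and verification
        if role == "management":
            return dict(Counter(i.incident_type for i in self.incidents))  # aggregate, no IPs
        raise ValueError(f"unknown role: {role}")

def build_sample_repo():  # constructed sample incidents, not real data
    return IncidentRepository(Incident(*r) for r in [
        ("phishing", "203.0.113.5", "employee", "alice"),
        ("credential misuse", "203.0.113.5", "client", "bob"),
        ("port scan", "192.0.2.44", "employee", "bob")])
```

With this sample, the second source has so far only touched the employee entity, so the projection step reuses the employee-to-client transition seen for the first source.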

6.2.4. Summary Requirements for Implementing the CCAISIM Model

Table 6-1 provides a list of specifications for implementing the CCAISIM model. These specifications establish the basic functionality of the model.

Table 6-1: Summary Requirements for the CCAISIM Model (columns: Prototype Design Feature, Description)

Individual Situational Awareness

This feature enables individual users to engage in the system as part of the processes of individual situational awareness. Users are engaged in incident reporting/registration (i.e., perception), incident comprehension and incident projection.

Shared Situational Awareness

The shared situational awareness feature enables users to access incident information from various users for a shared understanding.

This feature works through approval and review of the incident information by the ISIRT. The sense-making strategies of conveyance and convergence also support the transformation of incident information from one group of users to another for shared understanding. It is also supported by the visualisation of incident information.

Convey Incident

This feature enables users to transfer incident information upon registration to other users in a shared environment. ISIRTs take action on reported incidents by collaborating with stakeholders. Users also take action as part of the response process, in the form of complying with precautions or recommended actions. Moreover, users can triangulate and contextualise incident information to support their decision-making and action taking.

Converge Incident

Deliberation involves integrating the incident information gained through action, triangulation, and contextualisation in order to understand the current situation. The registered incident information is converged in a central repository for shared understanding. Affiliation, or a shared model of understanding about the incident, is achieved through incident sharing among individual users. The centralised data repository is supported by centralised management by the ISIRT, and the sharing of converged incident information supports affiliation (a shared mental model) among users for mutual understanding.

Contextualisation

Contextual information about the incident (e.g., incident type, incident source, incident category) is collated first from the individuals and then by the ISIRT to support the shared understanding, comprehension, and projection of an incident.

Action

Team members use this strategy when confronted by a new incident and interact with one another. This can be through providing incident information, linking incident information, and interacting with other individual users to understand the nature of the incident.

Triangulation

Using a variety of sources to obtain a richer picture from a diversity of users. The triangulation, or cross-checking, of incident information from the system can be performed by end-users, the ISIRT and management using various criteria such as incident source, damage, intention, and severity. The triangulation feature helps users to obtain a nuanced understanding of the general patterns and trends of incidents for appropriate action.

Deliberation

This feature involves integrating the incident information from the processes of action, triangulation, and contextualisation.

Affiliation

This feature generates a shared mental model by comparing individual mental models. The association of an incident from one individual to another, which supports the relation of incident information from the individual to the shared level, is supported by a central repository.

Role-based Situational Awareness

The role-based feature enables users to access incident information pertaining to their role and privilege. This feature clusters users into different groups such as end-user, ISIRT member and management.

This may involve a classification of incident information according to organisational information security policies (it is beyond the scope of the thesis to consider how the roles and privileges will be defined).
