Benjamin Shreeve,Joseph Gardiner,Joseph Hallett,David Humphries,Awais Rashid

2023-06-21

Abstract:Cyber incident response is critical to business continuity -- we describe a new exercise that challenges professionals to play the role of Chief Information Security Officer (CISO) for a major financial organisation. Teams must decide how organisational team and budget resources should be deployed across Enterprise Architecture (EA) upgrades and cyber incidents. Every choice made has an impact -- some prevent whilst others may trigger new or continue current attacks. We explain how the underlying platform supports these interactions through a reactionary event mechanism that introduces events based on the current attack surface of the organisation. We explore how our platform manages to introduce randomness on top of triggered events to ensure that the exercise is not deterministic and better matches incidents in the real world. We conclude by describing next steps for the exercise and how we plan to use it in the future to better understand risk decision making.

Cryptography and Security

Abdulaziz Gulay,Leandros Maglaras

2024-10-03

Abstract:The increasing frequency and sophistication of cybersecurity incidents pose significant challenges to organisations, highlighting the critical need for robust incident response capabilities. This paper explores a possible utilisation of IR CMMs assessments to systematically prioritise incidents based on their impact, severity, and the incident response capabilities of an organisation in specific areas associated with human and organisational factors. The findings reveal common weaknesses in incident response, such as inadequate training and poor communication, and highlight best practices, including regular training programs, clear communication protocols, and well-documented response procedures. The analysis also emphasises the importance of organisational culture in enhancing incident response capabilities. By addressing the gap in understanding how the output of IRM assessments can be immediately utilised to prioritise high-risk incidents, this paper contributes valuable insights to academia and practice, offering a structured approach to enhancing organisational resilience against cybersecurity threats.

Cryptography and Security

Magdalena Glas,Gerhard Messmann,Günther Pernul

DOI: https://doi.org/10.1016/j.cose.2024.103965

IF: 5.105

2024-06-27

Computers & Security

Abstract:The global shortage of cybersecurity professionals poses a daunting challenge for organizations seeking to protect their assets and data. To counteract this workforce shortage, cyber range exercises (CRXs) can equip individuals with the necessary knowledge and skills to become security professionals. However, the complexity of CRXs tends to overwhelm trainees with little prior cybersecurity experience, resulting in ineffective learning experiences. To address this issue, we take an interdisciplinary approach, leveraging established models on learning and motivation for cybersecurity. In this pursuit, we propose a literature-based framework of six design principles that aim to facilitate CRX designers in creating more effective CRXs. To illustrate the framework's utility, we introduce a CRX for incident response built upon these principles. To evaluate the effectiveness of this principle-driven CRX design, we conducted a user study with N=89 participants. The results of this study showed that the design provided an engaging learning experience that enabled participants to effectively acquire incident response knowledge and skills.

computer science, information systems

Ensar Şeker

DOI: https://doi.org/10.48550/arXiv.1906.03184

2019-05-24

Cryptography and Security

Abstract:This paper discusses the concept of cyber defence exercises -CDX- that are very important tool when it comes to enhancing the safety awareness of cyberspace, testing an organization's ability to put up resistance and respond to different cyber events to establish the secure environment, gathering empirical data related to security, and looking at the practical training of experts on this subject. The exercises can give ideas to the decision makers about the precautions in the cybersecurity area and to the officials, institutions, organizations, and staff who are responsible on the cyber tools, techniques, and procedures that can be developed for this field. In the cyber defense exercises, the scenarios that are simulated closest to reality which provides very important contributions by bringing together the necessity of making the best decisions and management capabilities under the cyber crisis by handling stress and coordinated movement as a team. The objective of this paper is to address the issue from a scientific point of view by setting out the stages of planning, implementation, and evaluation of these exercises, taking into account and comparing international firefighting exercises. Another aim of the work is to be able to reveal the necessary processes that are required for all kind of cyber exercises, regardless of the type, although the processes involved vary according to the target mass of the planned exercise.

Eveliina Hytönen,Jyri Rajamäki,Harri Ruoslahti

DOI: https://doi.org/10.34190/iccws.18.1.979

2023-02-28

International Conference on Cyber Warfare and Security

Abstract:Combining business continuity management (BCM) and systematic cyber threat intelligence (CTI) can improve cyber situational awareness to support decision-making through the phases of the resilience cycle (plan, absorb, recover, adapt) to ensure the continuity of organizational operations when encountered by cyber disruptions. End-user needs, human factors, high ethical standards, and social impacts can best be adapted when professionals from different fields work together with end-users to refine and co-develop selected tools into a platform. A resilience assessment that combines BCM and CTI enables 1) quick or detailed assessment of the investigated industry and its critical processes, 2) measurement of performance goals based on information received from end users, where artificial intelligence-based self-learning approaches can be used for functional descriptions, 3) information on the sensitivity of the investigated industry and vulnerability and 4) resilience and BCM throughout the entire resilience cycle. A new Horizon Europe project DYNAMO (Dynamic Resilience Assessment Method including a combined Business Continuity Management and Cyber Threat Intelligence solution for Critical Sectors) works towards combining BCM and CTI to generate a situational picture for decision support. Having this in mind, certain cybersecurity and BCM tools will be developed, refined, and integrated into the DYNAMO platform to provide decision support and awareness to chief information security officers, cybersecurity practitioners, and other stakeholders. This paper reports a case study that explores how combining CTI and BCM can help in the case of a cyber-attack. The research material consists of the news articles by the largest newspaper in Finland, Helsingin Sanomat (HS) of how the cyber attack against the therapy center Vastaamo progressed during the first week after the attack. The results show that cyber threat intelligence when flexibly integrated into the BCM approach could create better conditions for improved organizational foresight to react to unpredictable cyber threats to ensure business continuity.

Jason E. Ellis,Travis W. Parker,Joachim Vandekerckhove,Brian J. Murphy,Sidney Smith,Alexander Kott,Michael J. Weisman

DOI: https://doi.org/10.1109/MILCOM55135.2022.10017529

2023-02-16

Abstract:The vulnerability of cyber-physical systems to cyber attack is well known, and the requirement to build cyber resilience into these systems has been firmly established. The key challenge this paper addresses is that maturing this discipline requires the development of techniques, tools, and processes for objectively, rigorously, and quantitatively measuring the attributes of cyber resilience. Researchers and program managers need to be able to determine if the implementation of a resilience solution actually increases the resilience of the system. In previous work, a table top exercise was conducted using a notional heavy vehicle on a fictitious military mission while under a cyber attack. While this exercise provided some useful data, more and higher fidelity data is required to refine the measurement methodology. This paper details the efforts made to construct a cost-effective experimentation infrastructure to provide such data. It also presents a case study using some of the data generated by the infrastructure.

Cryptography and Security

Alexandros Zacharis,Vasilios Katos,Constantinos Patsakis

DOI: https://doi.org/10.1007/s10207-024-00860-w

2024-05-12

International Journal of Information Security

Abstract:The escalating complexity and impact of cyber threats require organisations to rehearse responses to cyber-attacks by routinely conducting cyber security exercises. However, the effectiveness of these exercises is limited by the exercise planners' ability to replicate real-world scenarios in a timely manner that is, most importantly, tailored to the training audience and sector impacted. To address this issue, we propose the integration of AI-driven sectorial threat intelligence and forecasting to identify emerging and relevant threats and anticipate their impact in different industries. By incorporating such automated analysis and forecasting into the design of cyber security exercises, organisations can simulate real-world scenarios more accurately and assess their ability to respond to emerging threats. Fundamentally, our approach enhances the effectiveness of cyber security exercises by tailoring the scenarios to reflect the threats that are more relevant and imminent to the sector of the targeted organisation, thereby enhancing its preparedness for cyber attacks. To assess the efficacy of our forecasting methodology, we conducted a survey with domain experts and report their feedback and evaluation of the proposed methodology.

computer science, information systems, theory & methods, software engineering

M. Goh,Siddhant Shrivastava,A. Mathur,Francisco Furtado

DOI: https://doi.org/10.23919/CyCon55549.2022.9811000

2022-05-31

Abstract:This paper explores the objectives, tactics, and strategies for identifying, planning, conducting, and evaluating an international cyber-physical exercise (CPX). The goal of a CPX is to improve defense capabilities for defending national critical infrastructure via global coordination. Lessons about CPX have been derived from a series of annual cyber-physical defense exercises conducted since 2015, referred to as Critical Infrastructure Security Showdowns (CISS). The cyber range of a CISS consists of a realistic and operational enterprise network coupled to water treatment and distribution plants in the form of physical testbeds and digital twins. These systems simulate and integrate information technology (IT) and operational technology (OT) scenarios that are ubiquitous in modern-day critical infrastructure controlled by industrial control systems (ICS). Participants from the red, blue, green, and white teams are assigned specific roles to attack, defend, visualize, and manage the plant, respectively. Each of these roles is evaluated via a specific set of metrics by a panel of judges and automated systems. The scoring criteria incentivize the red teams to design and launch novel attacks to contribute to and improve the cybersecurity community’s knowledge base regarding offense and defense. The lessons distilled from these positive-sum games are analyzed and shared in the form of post-event reports.From 2015 to 2021, CISS has constantly evolved to mimic contemporary cyber-physical security scenarios in the real world. These evolutions have forced the CISS organizing team to adapt and design novel infrastructure to support the changing needs of the event and its stakeholders, from tooling, logistics, and network infrastructure to scoring criteria and cross-disciplinary collaboration.The cited reports on techniques, tactics, and procedures will be valuable to stakeholders from the military, industry, government, and academia.

Environmental Science,Engineering,Computer Science

David Hogg,Richard Smith,Jennifer Thompson,Ryan Bunker,Rachael Huey,Makenzie J. Krocak

DOI: https://doi.org/10.1175/bams-d-23-0294.1

IF: 9.116

2024-04-07

Bulletin of the American Meteorological Society

Abstract:Tabletop exercises examining weather-related hazards are not uncommon but are often built around somewhat generic scenarios that only touch on the meteorological communication environment at a very shallow level. A recent exercise in central Oklahoma sought to change that. A local emergency manager, personnel from a National Weather Service (NWS) forecast office, and a severe weather researcher with a background in exercise design and facilitation worked together to create and deliver a realistic severe weather simulation. Exercise participants were exposed to detailed forecast information via NWSChat - a dedicated communication tool used to connect NWS forecasters, emergency managers, and media members for real-time information sharing. NWS forecasters were able to both actively play in the exercise due to the use of NWSChat, as well as observe how local decision makers interpreted and utilized the IDSS graphics and short-term forecast updates. The collaborative approach of developing a detailed scenario with numerous real-world Impact-Based Decision Support Services (IDSS) graphics, along with the use of NWSChat for real-time delivery, resulted in overwhelmingly positive feedback from the participants. The local emergency management office identified numerous areas for improvement in communicating real-time forecast information across their jurisdiction, along with gaps in current plans and resources. Meanwhile, the NWS forecast office had the opportunity to experiment with using the new NWSChat platform in a high-impact severe weather environment before a real-world event took place. Forecasters also gained insight into current IDSS graphic interpretation, noting areas for improved messaging to end users, such as adding storm motion to existing severe weather graphics.

meteorology & atmospheric sciences

Charles DeVoe,Shawon Rahman

DOI: https://doi.org/10.5121/ijnsa.2013.5201

2015-12-01

Abstract:Most small to medium health care organizations do not have the capability to address cyber incidents within the organization. Those that do are poorly trained and ill equipped. These health care organizations are subject to various laws that address privacy concerns, proper handling of financial information, and Personally Identifiable Information. Currently an IT staff handles responses to these incidents in an Ad Hoc manner. A properly trained, staffed, and equipped Cyber Incident Response Team is needed to quickly respond to these incidents to minimize data loss, and provide forensic data for the purpose of notification, disciplinary action, legal action, and to remove the risk vector. This paper will use the proven Incident Command System model used in emergency services to show any sized agency can have an adequate CIRT

Cryptography and Security,Computers and Society

P M Maniscalco

Abstract:The problems posed by terrorism to not only the emergency response community, but to national security at large can be overwhelming. Adoption of what would be considered prudent and effective business practices by implementing a disciplined and effectively structured central strategy cannot be overencouraged. The emerging strategy must take into account the existing emergency response infrastructures and build upon existing capacity in an effort to achieve greater readiness. This technique is no different than the training and issuance of radiological response equipment to emergency responders in the 1950s by the then Civil Defense Agency. The training that is offered, especially to EMS providers, needs to be institutionalized to ensure that our peers, on a regular basis, revisit curriculum content. Incorporating a training module within the existing DOT NHTSA initial and refresher EMT and paramedic educational curricula could easily achieve this goal. Implementing fiscal support to the local emergency response agencies in a sustainable manner is a must. The costs associated with training, equipping and servicing the equipment and medication stores are budget-busters. This is a threat to national security and, as such, the federal government needs to rise to the challenge of supporting the local response organizations that will meet this threat head-on during the aftermath of an attack. As previously mentioned, when the U.S. faced its last large national security threat (Soviet nuclear missiles), we witnessed the materialization of a comprehensive agenda that provided most of the attributes we desire with the contemporary problem of terrorism. There is no single solution to the problem of terrorism. In fact, it will take many individuals and functional areas to come together and stop viewing the threat as a "cash cow." The improved response capacity for acts of terrorism will have an inevitable "spillover benefit" of better trained and equipped emergency responders for everyday emergencies; which will inevitably be our "payday."

Michael L Timmins,Eric A Bone,Michael Hiller

Abstract:To establish true healthcare resiliency, and to better position healthcare organisations to provide effective response, continuity, resumption and recovery of fundamental services and operations during serious incidents and disasters, the disaster planning process must evolve into an integrated approach of four contingency planning disciplines that holistically examine the end-to-end, all-hazard response continuum. This process also needs to incorporate and scale multifarious organisational levels and, when required, the health sector. This paper is the first component of two independent, but related, pieces. It will examine the typical state of disaster preparedness and plans in healthcare, examine the worth and value of honing disaster plans, and will introduce two recommended contingency planning disciplines: enterprise risk management and emergency response planning. For each discipline, a case will be made for its inclusion into the overall disaster planning process, including examination of background information, benefits, how it improves disaster planning, and other resources helpful to the reader. The second paper, in afuture issue of the Journal of Business Continuity & Emergency Planning, will introduce business continuity management--including IT disaster recovery--and crisis communications as the third and fourth contingency planning disciplines needed for a fully integrated approach. The opinions expressed in this paper are those of the authors and may not be entirely those of the organisation.

Thea Riebe,Marc-André Kaufhold,Christian Reuter

DOI: https://doi.org/10.1145/3479865

2021-10-13

Abstract:Besides the merits of increasing digitization and interconnectedness in private and professional spaces, critical infrastructures and societies are more and more exposed to cyberattacks. In order to enhance the preventative and reactive capabilities against cyberattacks, Computer Emergency Response Teams (CERTs) are deployed in many countries and organizations. In Germany, CERTs in the public sector operate on federal and state level to provide information security services for authorities, citizens, and enterprises. Their tasks of monitoring, analyzing, and communicating threats and incidents is getting more complex due to the increasing amount of information disseminated into public channels. By adopting the perspectives of Computer-Supported Cooperative Work (CSCW) and Crisis Informatics, we contribute to the study of organizational structures, technology use, and the impact on collaborative practices in and between state CERTs with empirical research based on expert interviews with representatives of German state CERTs (N=15) and supplementary document analyses (N=25). We derive design and policy implications from our findings, including the need for interoperable and modular architecture, a shift towards service level agreements, cross-platform monitoring and analysis of incident data, use of deduplication techniques and standardized threat exchange formats, a reduction of resource costs through process automation, and transparent reporting and tool structures for information exchange.

George Grispos,William Bradley Glisson,Tim Storer

DOI: https://doi.org/10.48550/arXiv.1408.2431

2014-08-11

Cryptography and Security

Abstract:In today's globally networked environment, information security incidents can inflict staggering financial losses on organizations. Industry reports indicate that fundamental problems exist with the application of current linear plan-driven security incident response approaches being applied in many organizations. Researchers argue that traditional approaches value containment and eradication over incident learning. While previous security incident response research focused on best practice development, linear plan-driven approaches and the technical aspects of security incident response, very little research investigates the integration of agile principles and practices into the security incident response process. This paper proposes that the integration of disciplined agile principles and practices into the security incident response process is a practical solution to strengthening an organization's security incident response posture.

Russ Stewart,Peter Thorne

Abstract:The paper proposes that there are a number of low-probability, but not insignificant, physical threat scenarios relating to the office environment that warrant an initial response capability (in addition to fire evacuation drill). Explosive, contamination and intruder scenarios are included in the threats' scope. The term 'initial response' essentially refers to first actions relating to how and where to direct people to preserve life safety. Given the likelihood that an organisation would not have any emergency services support in the early stages of an incident, it follows that it is likely that the organisation would be 'on its own' to assess, decide and execute the initial response. Aside from any moral obligations, the paper proposes that there are potential legal obligations to compel an organisation to be so prepared. An important consideration explored is the feasibility of having an effective initial response capability. The relative simplicity and low cost of implementation and maintenance of a response is described. Lastly, the point is made that, aside from fire evacuation (which is a drill), all the other threat scenarios discussed require some decision making. It is not possible to be 100 per cent correct 100 per cent of the time. A decision support matrix is described with the objective of increasing the percentage chance of making the most appropriate decision most of the time. In particular, this is seen as an area for further discussion.

Ria Thomas

2024-01-01

Abstract:Resilience is deeper than maintaining a company's operations and services in the face of significant disruptions. It is the ability of a business to withstand, pivot and continue to grow in the face of a significant threat. To achieve resilience, companies must have an integrated, end-to-end understanding of how a specific threat magnifies the risks identified on their risk register, and what measures are needed across the enterprise to address the amplification of those risks. This paper details how the need for a holistic approach is especially important for cyber crises, compared with other types of crises, because they tend to have more broad-ranging impacts and complexities, such as: unclear timelines, lack of public empathy, unpredictable human threat actor(s), as well as a broader set of internal and external stakeholders that need to be engaged. Unlike other crises, cyber crises have the potential to magnify most - if not all - of the risks on the risk register. As such, cyber resilience requires ensuring that key stakeholders, whether shareholders, customers, regulators, business partners, employees, etc, stay resolute in their faith in a company and its leadership's ability to navigate the increasingly complex issues related to cyber risks and how these issues are addressed enterprise-wide, not purely seen through the lens of technical or operational resilience. To achieve cyber resilience, organisations must develop and implement programmes that integrate both the technical and the broader business measures needed to limit fallout, demonstrate leadership through cyber crises, and deepen trust regardless of the potential severity of the impact.

Tim McCreight

2024-01-01

Abstract:Enterprise security risk management (ESRM) has continued to gain global acceptance as a management philosophy for the development and implementation of an enterprise-wide corporate security programme. As organisations continue to rebuild and recover from COVID-19, the value of assessing the resilience of an organisation through regular testing of its response to events has gained prominence. There are opportunities to link the development and implementation of a risk-based approach for designing a security programme, to assessing an organisation's resilience to future events. Organisations can benefit from the complementary approaches of ESRM and organisational resilience once the commonalities are identified and embraced. This paper expands upon the ESRM management approach, linking the concepts of ESRM to the design of a resilient enterprise.

Richard Smith,Helge Janicke,Ying He,Fenia Ferra,Adham Albakri

DOI: https://doi.org/10.1016/j.cose.2021.102398

IF: 5.105

2021-01-01

Computers & Security

Abstract:Cyber incident response within Industrial Control Systems (ICS) is characterised by high levels of uncertainty and unpredictability and requires a multi-disciplined team that encompasses personnel business operations, Operational Technology (OT), IT, security operations and media engagement to be effective. Such teams require a dynamic decision framework to allow ICS operators to maintain services during the recovery of full operating capability. There is empirical evidence that static incident response playbooks do not provide enough flexibility in their definition to support situations outside of the scope of their initial definition, and that they have been ignored when cyber incidents have occurred. A thematic analysis of semi-structured interviews with ICS incident response professional identified three main areas of concern: communication, information sharing between knowledge areas, and achieving external buy-in.The Agile Incident Response for Industrial Control Systems (AIR4ICS) framework has been developed to integrate Agile techniques into the Cyber Security domain of incident response. AIR4ICS provides a dynamic approach to improve situational awareness, information sharing, collective decision-making and response flexibility within the unique context of ICS. The techniques used in AIR4ICS were initially shaped by interviews with professionals with experience of protecting ICS, structured using the Scrum methodology, and refined through a series of Cyber Incident Response exercises with Incident Response professionals facing-off against specialist ICS Red Teams.AIR4ICS has resulted in a framework that provides a modular approach that can be adapted to fit the working practices, skillsets and priorities of individual organisations. The framework improves communication, promotes information sharing between knowledge areas, and increases external buy-in.Ultimately, AIR4ICS provides a dynamic decision framework that allows Incident Response Teams to manage uncertainty and unpredictability to reduce the time taken to restore normal operations.

Michelle M Buzzelli,Paula Morgan,Alexander G Muschek,Gavin Macgregor-Skinner

DOI: https://doi.org/10.5055/jem.2014.0207

Abstract:Lack of success in disaster recovery occurs for many reasons, with one predominant catalyst for catastrophic failure being flawed and inefficient communication systems. Increased occurrences of devastating environmental hazards and human-caused disasters will continue to promulgate throughout the United States and around the globe as a result of the continuous intensive urbanization forcing human population into more concentrated and interconnected societies. With the rapid evolutions in technology and the advent of Information and communication technology (ICT) interfaces such as Facebook, Twitter, Flickr, Myspace, and Smartphone technology, communication is no longer a unidirectional source of information traveling from the newsroom to the public. In the event of a disaster, time critical information can be exchanged to and from any person or organization simultaneously with the capability to receive feedback. A literature review of current information regarding the use of ICT as information infrastructures in disaster management during human-caused and natural disasters will be conducted. This article asserts that the integrated use of ICTs as multidirectional information sharing tools throughout the disaster cycle will increase a community's resiliency and supplement the capabilities of first responders and emergency management officials by providing real-time updates and information needed to assist and recover from a disaster.

Simon A Andrew,Vaswati Chatterjee,Kamesh Namuduri,Julie Winkler

DOI: https://doi.org/10.5055/jem.0577

Abstract:The motivation for developing, administering, and participating in full-scale disaster drills is multifold. Emergency drills not only test the capacity of emergency systems but also allow organizations to learn as well as improve processes and communication structures before disasters strike. They have been used as a platform to develop and maintain collaborative networks. This article examines the extent to which organizations collaborate with others during emergency/disaster drills. A social network analysis is employed to determine the patterns of communication and interorganizational networks during the planning and implementation of a full-scale emergency exercise. Specifically, we seek to understand the communication lines that stakeholders used to receive updated information, who they reached out to when standard communication channels were down, and what backup systems were in place. The research was conducted in a municipality located in north central Texas. This study was based on field observations and involved 14 face-to-face interviews with experienced public officials and first responders involved in a municipal government emergency drill/exercise. The interviews were administered after the 2017 full-scale emergency drill. Three major findings can be emphasized from this study. First, two types of organizations, namely, city fire departments and a university partaking in the exercise, played central role as a "bridge" between various organizations during the emergency drill. Second, the types of information considered important during the exercise can be categorized as strategic, procedural, and technical information. Finally, several back-up systems including ham radio, cellphones, internet back-up, and satellite were used to maintain communication channels.