The Incident Prevention Team

A proactive approach to Information Security


Abstract

Information Security is an important aspect of decision making in organisations today. Organisations use Information Security Risk Management to assess, respond to and monitor risk to their information systems. Information systems are complex technical systems, and the management of Information Security depends on technology, processes and people. Incident Response Teams are set up to manage cyber incidents. However, the increasing number of reported incidents indicates that these controls are failing to achieve their goals, because they focus primarily on information that becomes available after an incident has occurred. Despite the efforts in Information Security Risk Management, organisations are unable to implement effective Information Security controls based on dynamic information. For organisations to mitigate risk effectively, they need to focus on incident prevention as well as on the incident response practised today. Therefore, in this research we assess the Technical, Institutional and Process aspects of the risk management and incident response process, using TIP Design for socio-technical systems. This is a systematic, design-oriented way of analysing the current state of an organisation’s information system security. We conclude that the process is retrospective and unable to prevent incidents proactively, so that Information Security controls lag behind incidents. Furthermore, precursors, i.e. information available before an incident occurs, are not used effectively to prevent incidents. This research answers the research question: “How can an incident prevention process be developed to proactively use information available to complement Information Security Risk Management in organisations?” We structure the research using the Design Science Research Cycle. From the requirements generated by the analysis of the risk management and incident response process, we derive design ingredients.
Firstly, we use precursors to determine the information available before an incident. Secondly, we use the concepts of trigger, template and twitch from Vigilant Information Systems and extend them with tweak, in order to interpret the information. Finally, this research proposes establishing “The Incident Prevention Team” to bridge the gap identified in Information Security Risk Management. We use the Incident Response Lifecycle and extend it by developing the incident prevention process, which the Incident Prevention Team follows in the preparation phase of this lifecycle. The Incident Prevention Team assesses the organisation’s current Information Security status using information on incidents affecting external organisations. It scans and then prioritises the most relevant information for the risk assessment process, performs an Information Security risk assessment of the affected information system and finally recommends control strategies to management. The incident prevention process was evaluated using two scenarios and through an interview with an Information Security expert. The validation encourages us to conclude that the proposed Incident Prevention Team and incident prevention process provide a proactive method for achieving Information Security in organisations. The main limitation of this research is the lack of empirical testing, which is an opportunity for further research. Organisations can easily incorporate the Incident Prevention Team to fulfil both the strategic and the operational requirements of Information Security Risk Management. Establishing the Incident Prevention Team creates an agile and structured process within the organisation for understanding risk in both the internal and the external environment proactively.
The Incident Prevention Team therefore transforms the organisation’s incident response process from reactive to proactive, making the organisation resilient against potential cyber incidents. This research contributes to the field of Information Security research by focusing on incident prevention through scanning for precursors. We further combine the elements “trigger”, “template” and “twitch”, and extend them with “tweak”, to structure incident information. This also offers Information Security professionals new ways to interpret information.