Conference paper

EXCON Teams in Cyber Security Training

Authors:
Grethe Østby
NTNU
Department for Information Security
and Communication Technology
Gjøvik, Norway
ORCID: 0000-0002-7541-6233
Kieren Niĉolas Lovell
TalTech
CERT department
Tallinn, Estonia
ORCID: 0000-0003-3978-8483
Basel Katt
NTNU
Department for Information Security
and Communication Technology
Gjøvik, Norway
ORCID: 0000-0002-0177-9496
Abstract: A cyber range is an arena where exercises are used to expose individuals, public and private organizations, and government agencies to simulated socio-technical cyber security events and situations in a realistic but safe environment. Running these exercises is a demanding task, and the exercise control (EXCON) team has vast and detailed tasks to run and coordinate during the exercise. Often the team members in EXCON rely on tacit knowledge and inherited experience rather than formal pedagogical knowledge. As cyber ranges will provide full-scale cyber exercises for different organizations at the strategic, tactical and operational levels, there will also be a need to bring diverse experts into the EXCON teams, such as experts from CERTs and other real-life stakeholders. These vast tasks require excellent capabilities to manage such teams, and managing them will be one of the most important roles to frame. In this paper we suggest a framework for EXCON team roles for running full-scale cyber-incident exercises, and we want to test this framework while running the exercises.
Keywords: EXCON roles, EXCON teams, cyber exercises, cyber crisis exercises, cyber exercise management, cyber exercise training roles, crisis training, societal cyber crisis training
I. INTRODUCTION
The threat of cyber-attacks on critical infrastructure is increasing, and the areas of the cyber-security discipline that work to mitigate this threat (protection, identifying threats and compromises, auditing, compliance, legal aspects etc.) are growing [1]. One area which has been attracting increased attention is incident response procedures and training for CERTs/SOCs, and another is the command, control and coordination (C3) skills of senior management within the scope of IT-related incidents [2]. As a result, we can see that there is active work in each of these areas, each working independently to rise to the challenge. If this independent way of working continues, it will only get more challenging as more building management, IoT, and computers get added to the mix.
The historic structure within civilian, military, and government organizations treats cybersecurity as an IT problem, not an operational one. Whilst this has been identified as a problem across borders, the way cyber threats are approached from an incident response perspective is still fixed in this view, and not in the actual scope of the organization's full-scale responsibility [3].
In most major incidents classified as category 4 or above in the National Cyber Security Centre's categorisation, introduced to improve England's response to cyber incidents, the cyber IT response would only be one part of the operational dynamics, and some of the tactical calls it could make without clear strategic direction could cause the incident response to make the situation worse for other operational factors [4] [5] [6]. We know from traditional, more mature disciplines that the critical factor in an effective response to any threat is an effective, clear, and well-practiced contingency plan that reinforces a clear C3 mission aim and priority [7] [8]. This means that whilst incident response training is happening, it mainly happens within each silo without testing communication pathways, and we are still seeing cyber exercises that only focus on the technical departments and not the full-scale organization. When exercises are run at a higher level, communication across the barrier between the strategic, operational and technical layers is not practiced [9].
Additionally, according to the Cisco 2018 annual Cyber Security report, the gap between supply and demand for trained security personnel is growing [10]. To overcome this shortage of trained personnel there is a need to expand our knowledge of effective and efficient methods and tools to train for and work with cyber security incident management in all organizations.
With the technical and operational communication barriers mentioned and these statistics in mind, the approach of this paper is to suggest a full-scale organization exercise approach. As stated previously, cybersecurity is a relatively immature industry within crisis management compared to more mission-critical and established industries, like maritime and aviation. As a result, the purpose of this paper is to include the crisis management structure used by Flag Officer Sea Training, Royal Navy, and a similar "whole ship" or full-scale approach to exercises, including legal, public relations, technical, middle management, senior management, and external actors, but within a safe environment.
In this paper we suggest combining red team-blue team exercises with traditional table-top exercises to eventually provide full-scale exercises. After presenting background and relevant literature, in section III we present our research approach, before presenting our suggested full-scale exercise approach and EXCON model in section IV. In section V our conclusion and future research are presented.
II. BACKGROUND AND RELEVANT LITERATURE
A key lesson learned from observing numerous exercises, in a study using information gathered from community-based cyber security exercises conducted in three cities in the US, is that participants' behavior towards incidents is driven by previously planned responses. Determining the proper responses to an incident is a task that is better performed in advance of the event, when time is available for the entities and actors to examine and determine appropriate alternatives [11].
There has been considerable interest in the private and public sectors (including military forces) in the development of simulations of cyber-attacks and computer network operations (CNO) for better training and learning, and significant progress has already been made [12]. Security professionals fully anticipate that the threats facing their organizations will remain complex and challenging, according to Cisco's annual report of 2018 [10]. Regrettably, there appears to be very little coordination and cooperation across private sector organizations and governments in the development of effective cyber-attack simulations. Some simulations share common traits and achieve similar results, which suggests that redundant work and research is being conducted [12].
An example is a study of empirical work on observing and evaluating exercises conducted between 2006 and 2015 in 12 Swedish municipalities varying in size from 6,000 to 50,000 inhabitants [13]. The study observed the planning of exercises, how the exercises were conducted, actual incidents in the municipalities and the next exercise, and how the recurring exercises improved over time. The exercises did not focus on cyber in particular, but on a range of scenarios. The study did not focus on roles in crises either, and we want to test exercises on cyber incidents in a similar long-term context, with a particular focus on roles and responsibilities.
A. Red team blue team exercises
Red team/blue team exercises are commonly used in education, including as training exercises in some of the military academies. The benefit of red team/blue team exercises is that some of the participants get experience (and therefore training) in thinking like an attacker, while other participants get experience in thinking like defenders, which can be valuable for training defenders without much experience [14].
An important aspect of a red-team/blue-team exercise is to define the entities that will compose it. In a general cyber security exercise there are mainly two sides: the attacker side and the defender side. On each side there are computer systems that are managed by teams of participants. Each side must have at least one system to participate in the exercise, and the maximum number of participating systems is theoretically infinite [15]. The components of the exercise are represented in Figure 1.
Figure 1: The Components of a Cyber Defense Exercise
Each year the NATO Cooperative Cyber Defence Centre of Excellence organizes the international cyber defense exercise Locked Shields, the biggest cyber defense exercise in the world. Participants from many countries form the blue teams. Typically, teams work from their country of origin, as they get online access to the system. Participants must maintain networks and services and defend them from various types of attacks. The system simulates hundreds of servers with different operating systems [16]. This exercise is mainly operative: there is no communication or collaboration with strategic partners, and the decisions are mainly defend- or attack-related. Such exercises train the operative cyber experts but have their shortcomings when it comes to societal impacts and thereby crisis management responsibilities. One would not know how strategic decisions may impact the results in these exercises.
B. Table-top exercises
In crisis management training, the exercises are traditionally run by table-top teams. These exercises are run outside of full-scale exercises. Even in the big NATO Trident Juncture exercise of 2018, the management training was run separately [16].
Stakeholders of table-top exercises will usually sit down at one table and execute the exercise. The injects in a table-top exercise can be hypothetical [15], or based on scenarios from root-cause analysis of previous incidents [16], and are usually written down in a time-lined input overview. Many organizations use table-top exercises to test the readiness of response capabilities and raise awareness within the IA community [17].
Table-top exercises are best when the goal is to test procedures and plans verbally by developing a scenario. Careful observations of three disaster exercises in the UK prove that simple types of exercises, such as discussion-based or table-top exercises, are employed as a rule prior to a large-scale live exercise. For example, the exercise Saxon Shore, which was part of the Home Office National Counter Terrorism Exercise Programme, started off as a table-top exercise followed by live exercise sessions [18].
The main problem with current practice in table-top exercises is that they are run in isolation from operative and technical exercises. Also, the impact of operative decisions made in real time will not be managed in these exercises.
C. Combining red team and blue team exercises with table-top exercises
Looking at the organization's vulnerabilities, what is important to the cyber security operation of the entity is how the vulnerabilities could be exploited. This can be compared to an impact and risk assessment, which is used to implement security controls to mitigate possible threats [19]. This impact assessment can then be used to provide the storyline for a table-top exercise combined with a technical exercise, as shown in figure 2. This type of exercise has been used in non-cyber-security crisis management exercises for a long time but has generally not been executed as a full-scale organization exercise before [20].
Figure 2: Exercise life cycle
The model is based on the technical and Open Source Intelligence (OSINT) data and the impact it would have if the incident really happened. In this proposed approach, we instead start the exercise with the societal impact and the responsibilities of the various stakeholders in a cyber incident. We suggest a full organizational focus for the exercises, at the strategic, tactical and operational levels, and present a proposed team to manage the exercise, i.e. the controllers and the actors in the exercise [21].
III. RESEARCH APPROACH
In this paper, we propose an approach to cybersecurity exercise management and control (EXCON) and evaluation from a naive inductivist perspective. This approach starts by first observing a phenomenon and then generalizing the possible causes and results, which leads to theories that can be falsified or validated [22]. We will use the methodology outlined by Design Science Research in Information Systems (DSRIS), which is in alignment with the inductivist approach [23]. This methodology uses artifact design and construction at its core (learning through building) to generate new knowledge and insights into a class of problems.
DSRIS requires three general activities: (1) construction of an artifact, where construction is informed either by practice-based insight or by theory, (2) the gathering of data on the functional performance of the artifact (i.e., evaluation), and (3) reflection on the construction process and on the implications the gathered data (from activity (2)) have for the insight(s) or theory(s) that informed the artifact [23].
How to work on these steps was presented in a thesis
written by Karokola [24]. He visualized this approach as
outlined in figure 3. As we are approaching our work in a
naive inductivist approach, we modified the logical formalism
in the model from abduction to induction.
Figure 3: Design research methodology modified
The awareness of the problem is based on observations from the authors while running crisis management exercises and cyber exercises (first step in the 2nd column of figure 3). To propose an artifact in an inductive approach, we used the observations to suggest three phases to define relevant EXCON Teams: (1) identify the societal impact of the cyber crisis, (2) identify the crisis organization's responsibility in the crisis, to identify who would need to be trained, and then (3) identify the relevant EXCON Team to train the responsible organization (second step in the 2nd column). Our main goal in this paper is to build a best-practice framework for roles in EXCON Teams for running cyber-incident exercises.
A. Applying the case of EXCON responsibilities in cyber crisis training
We start by analyzing organizations' responsibilities when handling a cyber crisis, who they collaborate with, and how they escalate cyber incidents and apply contingency work during crises. We then present an organization to handle the crisis, before we suggest what cyber training and exercises are needed and introduce training responsibilities in EXCON teams in a model to reach our goal, called EXCON trainers in teams.
IV. EXCON HANDLING ROLE MODEL: A SOCIETAL CYBER CRISIS TRAINING STUDY
ICT personnel handle cyber incidents every day, both on their own and together with experts such as SOCs or CERTs. One key aspect of this approach is to show the societal impact of a cyber incident, not just the technical fallout. This could, for example, be an attack on the salary transactions of a diversity of organizations in a bank, which could affect a large number of households' capacity to pay for mortgages, food and gasoline, and consequently cause uncertainty and riots in society. We will focus on such cyber incidents that would impact society, identify the crisis organization's responsibility in these crises to identify who would need to be trained to manage such a crisis, and then identify a relevant EXCON team to train the responsible organization.
A. Societal Impact of the Cyber Crisis
The first step in our approach is to identify what societal impact the cyber crisis will have. In the example presented above, one would need to define what responsibility the bank has. That would be defined based on what is regulated by law, what is regulated in the bank's contingency plans, and what sectorial departments would be involved in handling such a crisis.
B. Responsibilities and roles in cyber crisis management
The goal of full-scale exercises is to train responsibilities at the strategic, tactical and operational levels in an organization (or in the Gold, Silver and Bronze teams as used by the UK and USA), as shown in figure 4. The crisis handling organization in this bank example can be predefined for such crisis management. Such responsibility roles in societal crisis management are presented in [25], and a modified version is presented in figure 4.
Figure 4: Roles in cyber crisis management - modified
To train at the strategic level, the trainers would be all those the crisis management team normally communicates with externally. To train the CEO, the EXCON team needs to act as the Board of Directors, County Governor, Media, Dependents and Employees. To train the Crisis Manager, one needs templates, such as briefing templates, to cope with the command and control of the crisis. To train the Sectorial Managers (e.g. the health department in a municipality), it is common practice to bring Tactical Management Teams and Operational Managers into the EXCON Group. They would pretend to oversee situational awareness in the affected sector. To train the ICT Manager, the focus would be on the information flow via tactical teams and operational teams, and on how this cyber incident situation is handled within the crisis management. We suggest training this information flow based on an ongoing red-team attack scenario. Additionally, we need to act as the CERTs and police investigators that are relevant for the organization. We can choose to invite relevant CERTs and police investigators into the EXCON team, the same way as with the sectorial teams.
Training the information management will also depend on the information flow, but also on the media policy. A lot of the information input will come from the EXCON team acting as external influencing parties, as shown in figure 5. This modified figure was presented without the orange outline, as part of the crisis management information responsibilities, in [25].
Figure 5: External actors modified information flow model
The trainers in the EXCON team will need to have
knowledge and be educated in different areas, and the
requirements will be diverse. We suggest dividing the
trainers in groups based on who they will train, as shown in
figure 6.
Figure 6: Grouping the participants for training
What is marked in orange would be trained by people who can act as the public. Those marked in brown will be trained by the information team, and those marked in red would be trained by the traditional cyber exercise Red Team. Additionally, we suggest training the green group with real-life situational stakeholders. That means that we will invite relevant SOCs, CERTs and police investigators to join our exercises. This group will not have the tacit knowledge to participate in exercises like this and will need a different lead than the other groups.
One of the reasons it is important to have this full-scale approach is to make sure that impacting actions from one section's commands are effectively simulated within the exercise storyline, rather than just following a purely linear timeline. This allows the exercise to be planned, but also to be flexible enough to include changes to the scenario caused by decisions, actions or inactions that would either make the situation worse, or easier to maintain, during the exercise. As our primary objective in this exercise approach is to test both C3 and IT skills, this allows participants to see that their actions have a major impact on the operational flow.
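The time-lined inject overview of section II.B and the non-linear storyline described above can be captured in a small scheduler for the white team. The following is an added example written for this page, not code from the paper or its authors: it replays the exercise clock minute by minute and delivers each inject once, at the first minute at or after its scheduled time at which its condition holds against the decisions the white team has logged, so an inject can branch on a decision, on the absence of a decision (inaction), or on nothing at all. The inject texts, the decision keys (`isolate_server`, `press_statement`) and the timings are constructed around the paper's bank payroll example and are assumptions, not taken from the paper.

```python
"""Branching inject scheduler for a full-scale exercise storyline.

Added example, not code from the paper. The white team keeps a time-lined
inject list; some injects depend on what participants decided (or failed
to decide) earlier. Decision keys, timings and inject texts are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

State = Dict[str, str]          # decision key -> value, as logged by the white team


@dataclass
class Inject:
    inject_id: str
    at: int                      # earliest minute after exercise start
    target: str                  # group that receives the inject
    text: str
    condition: Callable[[State], bool] = lambda state: True   # default: unconditional


@dataclass
class Decision:
    minute: int                  # when the white team logged the decision
    key: str
    value: str


@dataclass
class Outcome:
    delivered: List[Tuple[int, str]] = field(default_factory=list)  # (minute, inject_id)
    withheld: List[str] = field(default_factory=list)               # never became applicable


def run_storyline(injects: List[Inject], decisions: List[Decision], end_minute: int) -> Outcome:
    """Replay the clock; deliver each inject once, at the first minute >= its
    scheduled time at which its condition holds against the logged decisions."""
    state: State = {}
    pending = sorted(injects, key=lambda i: i.at)       # stable sort keeps list order on ties
    log = sorted(decisions, key=lambda d: d.minute)
    outcome = Outcome()
    for minute in range(end_minute + 1):
        # Apply every decision logged up to and including this minute.
        while log and log[0].minute <= minute:
            d = log.pop(0)
            state[d.key] = d.value
        still_pending = []
        for inj in pending:
            if inj.at <= minute and inj.condition(state):
                outcome.delivered.append((minute, inj.inject_id))
            else:
                still_pending.append(inj)
        pending = still_pending
    outcome.withheld = [inj.inject_id for inj in pending]
    return outcome


# Constructed storyline for the paper's bank payroll example (sample data, not from the paper).
BANK_INJECTS = [
    Inject("I1", 0, "ICT Manager",
           "Red team: unusual outbound traffic from the payroll batch server"),
    Inject("I2", 15, "Crisis Manager",
           "Customer service reports failed salary payments"),
    Inject("I3", 30, "CEO",
           "Journalist requests a statement on the payment outage",
           condition=lambda s: "press_statement" not in s),        # fires only on inaction
    Inject("I4", 30, "Sectorial Managers",
           "Payroll service restored; reconcile held transactions",
           condition=lambda s: s.get("isolate_server") == "yes"),  # recovery branch
    Inject("I5", 30, "Crisis Manager",
           "Second wave of fraudulent transfers observed",
           condition=lambda s: s.get("isolate_server") != "yes"),  # the 'worse' branch
]


def prompt_response() -> Outcome:
    """Participants isolate the server and issue a statement early."""
    decisions = [Decision(10, "isolate_server", "yes"),
                 Decision(20, "press_statement", "issued")]
    return run_storyline(BANK_INJECTS, decisions, end_minute=60)


def no_response() -> Outcome:
    """Participants log no decisions at all."""
    return run_storyline(BANK_INJECTS, [], end_minute=60)


def late_response() -> Outcome:
    """Participants isolate the server, but only after the second wave has hit."""
    return run_storyline(BANK_INJECTS, [Decision(45, "isolate_server", "yes")], end_minute=60)


if __name__ == "__main__":
    for name, fn in (("prompt", prompt_response), ("none", no_response), ("late", late_response)):
        out = fn()
        print(name, "delivered:", out.delivered, "withheld:", out.withheld)
```

Running the three scenarios shows one inject list playing out differently: a prompt isolation decision withholds the second wave of fraud and the media inject, no decision at all delivers both, and a late decision still delivers the recovery inject afterwards. Because conditions are plain predicates over the decision log, the white team can add a branch without rewriting the timeline, which is what lets the storyline stay planned yet react to actions and inactions.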
C. Relevant Training Team and Training Roles
In summary, we present the suggested training groups in figure 7. We suggest varying the actors based on which organization we train, as e.g. some organizations have a SOC and some use external CERTs.
Figure 7: EXCON-trainers in teams
We hereby present the different roles to explain what is important for the teams in general, and some challenges that would be important to handle in the teams.
The EXCON Team Manager will coordinate information among the teams and, together with the white team, follow up on how to handle inputs and decisions from the participants in the exercise. The EXCON Team Manager will also be the link to the Instructor supporting the crisis management in the exercise.
The White Team will have the responsibility to coordinate the scenario, pick up on decisions, actions or inactions that would change the scenario, and keep the scenario flowing to and from the teams. They will also have the responsibility to follow up on the collaborative actors team, to support the learning process for them as well.
We have separated this one group of collaborative actors/players to make sure they get the focus they need when entering the exercise battle. This group will be active each time we get these external real-time stakeholders to participate in the exercise. They could be acted by the Situational actors' group, but if we get them to participate, we keep the group separated to pay attention to the extra focus needed as "seldom" participants in such exercises.
The Red Team is based on the red team in traditional cyber exercises. They will not have a blue team on the other side, but the operative responsible from the organizations which participate in the exercise, and a copy of their systems. It is important that the system developers are involved in the exercise, as they will be building the system copy at the cyber range.
This group is separated to have a free role in the exercise. The group will have three main responsibilities: press interviewers, press newspapers and social media. It will also be important to follow up on public decisions that the organization can learn from, both in terms of continuous communication, but also the long-term end state of the crises at hand.
V. CONCLUSION AND FUTURE RESEARCH
Based on our discussions in this paper we suggest a three-phase process to prepare relevant roles for EXCON Teams for exercises: 1) identify the societal impact of the cyber crisis; 2) identify responsibilities and roles in cyber crisis management; 3) build the relevant training team and training roles.
To train and develop such diverse teams requires excellent training skills and the capability to take a strategic approach to the task. As the groups vary in competence and will vary in participants from exercise to exercise, it will be necessary to develop the different tasks at hand for the different roles in the groups. Scenario planning to present what each person should do, and how to act and collaborate, will also be an important task at hand for the trainers. To do this training, we suggest sessions led by the EXCON Leader, supported by an instructor, and we want to test and develop this approach before the coming exercises.
It will also be important to observe how the different roles in the EXCON Team are relevant throughout the exercise. We have suggested a master's thesis to observe and analyze our proposed EXCON teamwork, including the relevance of the roles in the different phases, and to compare this to what is done in other full-scale exercises.
Before the exercises, we will also conduct maturity research on the participants in the exercise, and repeat the maturity research some time after the exercise, to see if the exercise provides a maturity improvement.
We plan to test our framework when planning, executing and evaluating exercises at the Norwegian Cyber Range (NCR), and through the Open Cyber Range collaboration between Estonia and Norway. Cyber ranges are relevant test-beds for improving simulations, combining systems and people's cyber skills. Cyber-range events vary in complexity and in their objectives and cover a broad spectrum of event types. For example, some events are conducted for training cyber protection forces, some are conducted for evaluation of people, process, and technology through large-scale exercises, and yet others are conducted for developmental testing (DT) or operational testing (OT). Events may also be conducted for experimentation with technology or tactics, or to assess mission readiness [25].
We also keep in mind that the participants in our exercises are real-life stakeholders, and as we conduct the "whole organization approach" live-fire exercise, we would need to be prepared to stop the exercise, differentiating between a real incident that is happening at the time and the exercise injects. In the military, this is called the SAFEGUARD procedure. Future work will consider how to create a similar process within large-scale crisis management and cyber exercises, to shut down the exercise during a live incident that happens during the exercise.
VI. REFERENCES
[1] Annual Cyber Security Assessment 2019, 2019. [Online]. Available: https://www.ria.ee/sites/default/files/content-editors/kuberturve/ktt_aastaraport_eng_web.pdf
[2] Emergency Response and Recovery: Non-statutory guidance accompanying the Civil Contingencies Act 2004, 2004. [Online]. Available: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/253488/Emergency_Response_and_Recovery_5th_edition_October_2013.pdf
[3] S. Dumitru Ducaru, "The Cyber Dimension of Modern Hybrid Warfare and Its Relevance for NATO," Europolity, vol. 10, 2016. [Online]. Available: http://europolity.eu/wp-content/uploads/2016/07/Vol.-10.-No.-1.-2016-editat.7-23.pdf
[4] National Cyber Security Centre, "New Cyber Attack categorisation system to improve UK response to incidents." [Online]. Available: https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents
[5] A. S. Elmagrababy and M. M. Losavio, "Cyber security challenges in Smart Cities: Safety, security and privacy," Journal of Advanced Research, vol. 5, 2014. [Online]. Available: https://reader.elsevier.com/reader/sd/pii/S2090123214000290?token=5AB7443E478B47F17290AFE7115FA7EFCED0AC8EE4E64796E75AD5DE126A379952C022F72EE89C6924767AF9929A7549
[6] A. Boin and P. 't Hart, "Organising for Effective Emergency Management: Lessons from Research," Australian Journal of Public Administration, vol. 69, no. 4, 2010. [Online]. Available: https://onlinelibrary.wiley.com/doi/epdf/10.1111/j.1467-8500.2010.00694.x
[7] F. Wex and G. Schryen, "Intelligent Decision Support for Centralized Coordination during Emergency Response," presented at the ISCRAM Conference, Lisbon, 2011. [Online]. Available: https://epub.uni-regensburg.de/21242/1/ISCRAM_2011_-_Intelligent_Decision_Support_for_Centralized_Coordination_during_Emergency_Response.pdf
[8] M. K. Jeffery, The Human in Command: Exploring the Modern Military Experience. NATO RTO Workshop on The Human in Command: Springer Science+Business Media, LLC, 2000.
[9] V. Geaffray, "Your Biggest Cybersecurity Threat is Poor Communication," Security Today. [Online]. Available: https://securitytoday.com/articles/2018/08/27/your-biggest-cybersecurity-threat-is-poor-communication.aspx (accessed Aug 28, 2018).
[10] Cisco, "Cisco annual cyber security report," 2018. [Online]. Available: https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf
[11] A. Conklin and G. B. White, "e-Government and Cyber Security: The Role of Cyber Security Exercises," vol. 4, ed, 2006, pp. 79b-79b.
[12] S. P. Leblanc, A. Partington, I. Chapman, and M. Bernier, "An Overview of Cyber Attack and Computer Network Operations Simulation," presented at the MMS 11 Proceedings of the 2011 Military Modeling and Simulation Symposium, pp. 92-100, 2011. [Online]. Available: http://dl.acm.org/citation.cfm?id=2048572
[13] J. van Laere and J. Lindblom, "Cultivating a longitudinal learning process through recurring crisis management training exercises in twelve Swedish municipalities," Journal of Contingencies and Crisis Management, 2018. [Online]. Available: https://doi.org/10.1111/1468-5973.12230
[14] D. S. Henshel et al., "Predicting Proficiency in Cyber Defense Team Exercises," 2016.
[15] V.-V. Patriciu and A. C. Furtuna, "Guide for Designing Cyber Security Exercises," presented at the WSEAS, 2009. [Online]. Available: http://www.wseas.us/e-library/conferences/2009/tenerife/EACT-ISP/EACT-ISP-28.pdf
[16] G. Østby, L. Berg, M. Kianpour, B. Katt, and S. Kowalski, "A Socio-Technical Framework to Improve cyber security training: A Work in Progress," presented at STPIS'19, 2019.
[17] J. Kick, Cyber Exercise Playbook. The MITRE Corporation, 2014.
[18] K. Hakkyong, "Learning from UK disaster exercises: policy implications for effective emergency preparedness," Disasters, vol. 38, 2014, doi: 10.1111/disa.12084.
[19] K. N. Lovell, "Cyber Game to Cyber Exercise: A New Methodology for Cybersecurity Simulations," in 5th Interdisciplinary Cyber Research Conference, Tallinn, Estonia, 2019: Tallinn University of Technology. [Online]. Available: https://www.taltech.ee/public/t/tarkvarateaduse-instituut/CRW_2019/mobile/index.html#p=15
[20] Emergency planning and preparedness: exercises and training, 2013. [Online]. Available: https://www.gov.uk/guidance/emergency-planning-and-preparedness-exercises-and-training
[21] Homeland Security Exercise and Evaluation Program (HSEEP), 2013.
[22] J. S. Kowalski, "IT Insecurity: A Multi-disciplinary Inquiry," Stockholm University, 1994.
[23] W. Kuechler and V. Vaishnavi, "A Framework for Theory Development in Design Science Research: Multiple Perspectives," Journal of the Association for Information Systems, vol. 13, no. 6, pp. 395-423, 2012, doi: 10.17705/1jais.00300.
[24] G. R. Karokola, "A Framework for Securing e-Government Services: The Case of Tanzania," Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2012.
[25] G. Østby and B. Katt, "Cyber crisis management roles: a municipality responsibility case study," presented at ITDRR 2019, Kiev, 2019.
... Cyber ranges can be used in many different contexts. As an example, the framework presented in [5] proposes a three phases process aimed at preparing roles for EXCON (EXercise CONtrol) teams. The authors' idea is to enable full scaled cyber-incident exercises. ...
Article
Full-text available
In this paper we present a framework for the dynamic deployment, configuration and orchestration of cyber ranges in a cloud-based environment. We propose a distributed architecture that is composed of a number of interacting components, each looking after a specific facet of the integrated set of requirements coming out of the design phase. The architecture in question is indeed capable of offering environment isolation, remote access management and control, procedures automation, secure operation and accountability. A formal description of the concept of a cyber range is provided in the paper, together with a taxonomy associated with the different kinds of resources it can involve. A complete implementation of the proposed framework through Amazon Web Services is also illustrated, so to help the reader figure out how the overall design can be easily mapped onto a specific provider of cloud resources.
Article
Today, cybersecurity is a well-known concept systematically manipulated in the context of corporative and personal life. Many stormy debates on reducing cyberthreats are sparked off in every single IT security event. A multitude of techniques for preventing cyberattacks are utilized daily. However, most of these cyber considerations and appropriate methods are hyper-focused on threats and attacks themselves and have very little concern about how to make an adequate quantitative cybersecurity estimation. The article presents a mathematically valid approach for the cybersecurity assessment. Unlike the majority of cybersecurity analyses considering globally connected devices, the presented solution deals with industrial control systems and their local area networks and does not regard the Internet. Demonstrating availability as the most critical property of cybersecurity in the control system context and carrying out a survey of availability definitions, the IEC 62443 availability interpretation is elected as the most suitable for the quantitative evaluation. A delay of the signal transmission from a source to a receiver is used as a measure of the assessment. For calculations, a theory of deterministic queueing systems Network calculus is utilized. Two issues associated with delays are raised in the article. The first one, when the arrival flow is known, a standard technique for the delay calculation can be used. The second, when the arrival flow is unavailable, a delay calculation from a backlog bound can be carried out. The first technique helps to solve the general problem of how potential cyberattacks affect system availability, and the second, the problem of process scheduling.
Conference Paper
The increasing role that technology plays within society means our approach has to change from ‘how do we stop cyber attacks’ to ‘how do we respond effectively’ when it happens? The purpose of this paper is to provide an exercise framework that trains incident response to deal with time pressure situations, and to deal with it from a risk perspective, and practising C3 (Command, Control and Communications) skills.
Article
This study illustrates how crisis management capability is developed in series of recurring exercises, rather than in one single exercise. Over one hundred table‐top and role‐playing exercises were performed and evaluated in a longitudinal cross‐case action research study in 12 Swedish municipalities. By consciously adapting training formats, municipalities were led through three learning phases: obtaining role understanding (phase 1: knowing what to do), developing information management skills (phase 2: knowing how to do it), and mastering self‐reflection in regular time‐outs (phase 3: knowing when and why to do something). This final learning outcome, being able to concurrently execute, evaluate, and reorganize an ongoing crisis management performance, may be the most valuable capability of a crisis management organization when crisis strikes.
Article
The world is experiencing an evolution of Smart Cities. These emerge from innovations in information technology that, while they create new economic and social opportunities, pose challenges to our security and expectations of privacy. Humans are already interconnected via smart phones and gadgets. Smart energy meters, security devices and smart appliances are being used in many cities. Homes, cars, public venues and other social systems are now on their path to the full connectivity known as the “Internet of Things.” Standards are evolving for all of these potentially connected systems. They will lead to unprecedented improvements in the quality of life. To benefit from them, city infrastructures and services are changing with new interconnected systems for monitoring, control and automation. Intelligent transportation, public and private, will access a web of interconnected data from GPS location to weather and traffic updates. Integrated systems will aid public safety, emergency responders and disaster recovery. We examine two important and entangled challenges: security and privacy. Security includes illegal access to information and attacks causing physical disruptions in service availability. As digital citizens are more and more instrumented with data available about their location and activities, privacy seems to disappear. Privacy protecting systems that gather data and trigger emergency response when needed are technological challenges that go hand-in-hand with the continuous security challenges. Their implementation is essential for a Smart City in which we would wish to live. We also present a model representing the interactions among persons, servers and things. Those are the major elements in the smart city, and their interactions are what we need to protect.
Article
Cyber security exercises are a very effective way of learning the practical aspects of information security. But designing such exercises is not an easy task and requires the work of several people. This paper presents a number of steps and guidelines that should be followed when designing a new cyber security exercise. The steps include: defining the objectives, choosing an approach, designing network topology, creating a scenario, establishing a set of rules, choosing appropriate metrics and learning lessons. The intended audience of this paper is persons who are in charge of the design and organization of a new cyber security exercise and do not have the experience of previous exercises.
Chapter
In this paper we propose a role model that can be applied in societal cyber crisis management to build safety and standard procedures during cyber security crises. We define societal cyber crisis as the cyber crisis which affects the society, in which disaster is or might be the consequence. The process to create our model started by analyzing regulations and responsibilities in Norwegian municipalities, and we used steps of a design science research (DSR) approach to create our suggested artifact. A combination of conventional crisis management and cyber crisis management is proposed to identify the interrelationships among diverse stakeholders when managing the preparation for and reaction to a cyber crisis incident. We present a cyber incident handling role model (CIHRM) which is usable for visualizing cyber crises in a diversity of organizations. After our model has been reviewed by the cyber security research community, we plan to implement the model when analyzing crisis management in various organizations to prepare for instructions, training and exercises at our training environment - The Norwegian Cyber Range.
Article
One point of convergence in the many recent discussions on design science research in information systems (DSRIS) has been the desirability of a directive design theory (ISDT) as one of the outputs from a DSRIS project. However, the literature on theory development in DSRIS is very sparse. In this paper, we develop a framework to support theory development in DSRIS and explore its potential from multiple perspectives. The framework positions ISDT in a hierarchy of theories in IS design that includes a type of theory for describing how and why the design functions: Design-relevant explanatory/predictive theory (DREPT). DREPT formally captures the translation of general theory constructs from outside IS to the design realm. We introduce the framework from a knowledge representation perspective and then provide typological and epistemological perspectives. We begin by motivating the desirability of both directive-prescriptive theory (ISDT) and explanatory-predictive theory (DREPT) for IS design science research and practice. Since ISDT and DREPT are both, by definition, midrange theories, we examine the notion of mid-range theory in other fields and then in the specific context of DSRIS. We position both types of theory in Gregor's (2006) taxonomy of IS theory in our typological view of the framework. We then discuss design theory semantics from an epistemological view of the framework, relating it to an idealized design science research cycle. To demonstrate the potential of the framework for DSRIS, we use it to derive ISDT and DREPT from two published examples of DSRIS.
Article
With a view towards suggesting improvements to the official UK Guidance for disaster exercises, this paper critically examines a representative sample of recent disaster management exercises in the United Kingdom to determine how they are planned, conducted and assessed. Personal observations and in-depth qualitative interviews were used to study three representative multi-agency disaster exercises in the UK: (1) the Hitachi 395 Evacuation Workshop and Exercise Twin Bore, (2) Exercise Saxon Shore and (3) Exercise Operation Safe Return. The research demonstrates that disaster exercises in the UK generally consist of four main approaches: (1) disaster response and adaptability, (2) building-block approach, (3) citizen participation and (4) discussion-based debriefs. While the data demonstrates that each of these approaches has significant merit, it also elucidates key improvements that should be made to the official UK guidance and reflected in future exercises. In particular, the research suggests that the Guidance should highlight the importance of adaptability at the scene of a disaster, advance a building-block methodology to organising exercises and reiterate the need for better debriefings of volunteer participants.
Conference Paper
Automated coordination is regarded as a novel approach in Emergency Response Systems (ERS), and especially resource allocation has been understudied in former research. The contribution of this paper is the introduction of two variants of a novel resource allocation mechanism that provide decision support to the centralized Emergency Operations Center (EOC). Two quantitative models are computationally validated using real-time, data-driven, Monte-Carlo simulations promoting reliable propositions of distributed resource allocations and schedules. Various requirements are derived through a literature analysis. Comparative analyses attest that the Monte-Carlo approach outperforms a well-defined benchmark.
Conference Paper
The current and emerging security threats pose a variety of security risks to e-government services. The Tanzanian national e-government strategy recognizes the importance and use of e-government maturity models (eGMMs) as a tool for guiding and benchmarking e-government implementation and service delivery. However, the models lack security services (technical and non-technical) in their maturity stages -- leading to misalignment of strategic objectives between e-government services and security services. To bridge the existing security services gap in eGMMs -- a framework for securing e-government services which integrates IT security services into maturity stages of eGMMs was proposed. The goal of this paper is to present an outline of the evaluation results for the proposed framework, in the context of a developing world environment. In the process, seven evaluation criteria were developed; thereafter, a case study was conducted in six government organizations located in Tanzania. The overall results show that the framework was accepted in the studied environment. The framework's usefulness was perceived highest at 95%; the framework's dynamics & flexibility was perceived lowest at 76%.