
Enhancement of a Company-Wide Information Security Management System Through Incident Learning


Abstract

We propose the Delta ISMS method, which strengthens a company-wide information security management system (ISMS) through incident learning. International ISMS standards have been established to give organisations useful guidelines for information security risk management so that they can respond appropriately to information security incidents. When an ISMS is first introduced to an organisation, the organisation is strengthened by adopting the standard requirements. However, predicting everything and implementing a perfect ISMS may not be possible for every organisation. Thus, even in ISMS-certified organisations, information security incidents do not always diminish. This indicates that these organisations do not effectively carry out the PDCA cycle of the ISMS. We recognise that an ISMS requires feedback and learning from incidents, yet a sufficient explanation of the learning procedures is not provided. Also, the Cyber Security Incident Response Team guidelines do not explicitly provide specific procedures for 'incident learning'. For incident learning, regularising informal knowledge (the formalisation of experience data) and double-loop learning (acquisition of company-wide knowledge from incident responses) are effective. Therefore, this study aims to develop detailed procedures for incident learning to run the second and subsequent rounds of the ISMS's PDCA cycle. We propose an incident database operation method for regularising informal knowledge and a gold–silver–bronze communication method for implementing double loops. The procedures are routinely applied by headquarters under the supervision of the Chief Information Security Officer. By changing the safety factor in the damage reduction rate, it is possible to obtain multiple candidate sets of countermeasures by considering the investment effect.
SN Computer Science (2023) 4:211
https://doi.org/10.1007/s42979-023-01691-7
ORIGINAL RESEARCH
Enhancement of a Company-Wide Information Security Management System Through Incident Learning
Hiroshi Horikawa1 · Hisamichi Ohtani2 · Yuji Takahashi3 · Takehisa Kato4 · Fumihiko Magata5 · Yoshimi Teshigawara6 · Ryoichi Sasaki3 · Masakatsu Nishigaki1
Received: 15 March 2022 / Accepted: 12 January 2023 / Published online: 17 February 2023
© The Author(s), under exclusive licence to Springer Nature Singapore Pte Ltd 2023
Keywords: Incident learning · Information security management system (ISMS) · Incident database · Information security incident · Chief Information Security Officer (CISO)
Introduction
Today, organisations are tasked with managing many different types of knowledge. Almost all organisations are already connected to the Internet. However, in recent years, digital transformation has finally exposed every part of these organisations to the threat of cyber incidents. This implies that it has become necessary for all organisations to possess and manage cyber security knowledge on a company-wide basis.

A typical cyber security knowledge management system in organisations is the information security management system (ISMS) [1]. In an ISMS, the assets in each target department of the organisation are identified, the threats to be protected against are determined (risk assessment), and the necessary countermeasures are decided on (countermeasure selection). When the ISMS is first introduced to an organisation,
* Hiroshi Horikawa, hholy0403@gmail.com
1 Faculty of Informatics, Shizuoka University, 3-5-1, Johoku, Naka-ku, Hamamatsu City 432-8011, Japan
2 Information Security Office, NTT DATA Corporation, Koto-ku, Tokyo 135-6033, Japan
3 The Research Institute of Science and Technology, Tokyo Denki University, 5, Senjuasahicho, Adachi-ku, Tokyo 120-8551, Japan
4 Hitachi, Ltd., Chiyoda-ku, Tokyo 100-8280, Japan
5 NTT Communications Corporation, 2-3-1, Otemachi, Chiyoda-ku, Tokyo 100-8019, Japan
6 Soka University, 1-236, Tangimachi, Hachioji City, Tokyo 192-8577, Japan
... The advantage of the approach for data processing as a condition for business agility (quality) is that managers are fully aware of the data as they directly collect it, which speeds up analytics (Chen et al., 2023;Curnin et al., 2023). The advantage of data preservation (resilience) is the low risk of data leakage due to the disparate nature of the data and the difficulty of copying it from different media (Ameri et al., 2023;Horikawa et al., 2023). ...
... Low risk of data leakage due to data fragmentation and difficulty in copying from different media (Ameri et al., 2023;Horikawa et al., 2023). ...
... The second benefit is data security (resilience). In contrast to Ameri et al. (2023) and Horikawa et al. (2023), low risk of data leakage is ensured in the dataset approach not because of their disparate nature and difficulty of copying from different media but because they are combined into a common dataset, which simplifies the task of ensuring cybersecurity. ...
Article
Full-text available
Cyber security increasingly focuses on the challenges faced by network defenders. Cultural and security-driven sentiments about external observation, as well as publication concerns, limit the ability of researchers to understand the context surrounding incident response. Context awareness is crucial to inform design and engineering. Furthermore, these perspectives can be heavily influenced by the targeted sector or industry of the research. Together, a lack of broad contextual understanding may be biasing approaches to improving operations, and driving faulty assumptions in cyber teams. A qualitative field study was conducted in three computer security incident response teams (CSIRTs) and included perspectives of government, academia, and private sector teams. Themes emerged and provide insights across multiple aspects of incident response, including information sharing, organization, learning, and automation. The need to focus on vertical integration of issues at different levels of the incident response system is also discussed. Future research will build upon these results, using them to inform technology advancement in CSIR settings.
Conference Paper
Full-text available
The modern organisation operates within a sophisticated and evolving security threat landscape that exposes its information infrastructure to a range of security risks. Unsurprisingly, despite the existence of industry ‘best-practice’ security standards and unprecedented levels of investment in security technology, the rate of incidents continues to escalate. Furthermore, a review of security literature reveals an apparent lack of strategic perspective in the field of information security management (ISM) which results in a number of strategic challenges for ISM function in organisations. The level of sophistication and dynamism of threat requires organisations to develop novel security strategies that draw on creative and lateral thinking approaches. Such a security campaign requires the Chief Information Security Officer (CISO) to function as a ‘strategist’. However, there is little or no evidence in security literature to show that the security leader is required to function as a strategist. In this research, we set out to identify the specific competencies required by CISOs to become effective strategists by performing a systematic literature review of both security and strategic management literature. We thematically analysed and coded the characteristics extracted from strategic management literature into the five dimensions of the strategist. We discuss these macro competencies in the context of ISM, and argue that CISOs with these five dimensions of a strategist will be able to overcome the existing strategic challenges facing ISM in organisations.
Article
Full-text available
This paper reports results of a systematic literature review on current practice and experiences with incident management, covering a wide variety of organisations. Identified practices are summarised according to the incident management phases of ISO/IEC 27035. The study shows that current practice and experience seem to be in line with the standard. We identify some inspirational examples that will be useful for organisations looking to improve their practices, and highlight which recommended practices generally are challenging to follow. We provide suggestions for addressing the challenges, and present identified research needs within information security incident management.
Article
Full-text available
Incident response is a critical security function in organisations that aims to manage incidents in a timely and cost-effective manner. This research was motivated by previous case studies that suggested that the practice of incident response frequently did not result in the improvement of strategic security processes such as policy development and risk assessment. An exploratory in-depth case study was performed at a large global financial institution to examine shortcomings in the practice of incident response. The case study revealed the practice of incident response, in accordance with detailed best-practice guidelines, tended to adopt a narrow technical focus aimed at maintaining business continuity whilst neglecting strategic security concerns. The case study also revealed that the (limited) post-incident review process focused on ‘high-impact’ incidents rather than ‘high-learning’ (i.e. potentially useful incidents from a learning perspective) incidents and ‘near misses’. In response to this case study, we propose a new double-loop model for incident learning to address potential systemic corrective action in such areas as the risk assessment and policy development processes.
Article
Digital assets of organizations are under constant threat from a wide assortment of nefarious actors. When threats materialize, the consequences can be significant. Most large organizations invest in a dedicated information security management (ISM) function to ensure that digital assets are protected. The ISM function conducts risk assessments, develops strategy, provides policies and training to define roles and guide behavior, and implements technological controls such as firewalls, antivirus, and encryption to restrict unauthorized access. Despite these protective measures, incidents (security breaches) will occur. Alongside the security management function, many organizations also retain an incident response (IR) function to mitigate damage from an attack and promptly restore digital services. However, few organizations integrate and learn from experiences of these functions in an optimal manner that enables them to not only respond to security incidents, but also proactively maneuver the threat environment. In this article we draw on organizational learning theory to develop a conceptual framework that explains how the ISM and IR functions can be better integrated. The strong integration of ISM and IR functions, in turn, creates learning opportunities that lead to organizational security benefits including: increased awareness of security risks, compilation of threat intelligence, removal of flaws in security defenses, evaluation of security defensive logic, and enhanced security response.
Chapter
Knowledge management (KM) is a multidisciplinary subject, with contributions from such disciplines as information systems (IS) and information technology (IT), strategic management, organizational theory, human-resource management, education science, psychology, cognitive science, and artificial intelligence. In order to take full advantage of these various contributions, the necessity of a multidisciplinary approach to KM is currently widely acknowledged, particularly in the IS and IT, management, and artificial-intelligence communities (Alavi & Leidner, 2001; Dieng-Kuntz et al., 2001; Grover & Davenport, 2001; Nonaka & Konno, 1998; O’Leary & Studer, 2001; Zacklad & Grundstein, 2001).
Article
There are many barriers to the implementation of knowledge management (KM) strategies. These include the lack of time and financial resources allocated to sharing knowledge, a lack of organizational understanding of the philosophy and the benefits of KM, and a lack of skills in KM. However, survey data show that the greatest acknowledged obstacle to the implementation of a KM strategy is the management culture of the organization (Chase, 1997; Zyngier, 2001). These obstacles reveal a problem in the implementation of an organizational KM strategy. The problem lies not in the implementation of a given strategy per se, but in the lack of governance of that strategy.