Cybersecurity Incident Response: A Socio-Technical Approach
Al Sabbagh, Bilal. Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences. ORCID iD: 0000-0002-5701-2569
2019 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis examines the cybersecurity incident response problem using a socio-technical approach. The motivation of this work is the need to bridge the knowledge and practice gap that exists because of the increasing complexity of cybersecurity threats and our limited capability to apply the cybersecurity controls necessary to respond adequately to these threats. Throughout this thesis, knowledge from Systems Theory, Soft Systems Methodology and Socio-Technical Systems is applied to examine and document the socio-technical properties of the cybersecurity incident response process. The holistic modelling of the cybersecurity incident response process produced concepts and methods that were tested to improve socio-technical security controls and to minimise the existing gap in security controls.

The scientific enquiry of this thesis is based on pragmatism as the underpinning research philosophy. The thesis uses a design science research approach and embeds multiple research methods to develop five artefacts (concept, model, method, framework and instantiation) outlined in nine peer-reviewed publications. The instantiated artefact embodies the knowledge developed during this research to provide a prototype for a socio-technical security information and event management system (ST-SIEM) integrated with an open source SIEM tool. The relevance of the artefact was validated by a panel of cybersecurity experts using a Delphi method, which indicated that the artefact can improve the efficacy of handling cybersecurity incidents.

Place, publisher, year, edition, pages
Stockholm: Department of Computer and Systems Sciences, Stockholm University, 2019. 133 pp.
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 19-007
Keywords [en]
cybersecurity incident response, SIEM, cybersecurity warning systems, socio-technical approach, organisation security culture
National Category
Computer Systems; Information Systems, Social aspects
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-167873
ISBN: 978-91-7797-715-5 (print)
ISBN: 978-91-7797-716-2 (electronic)
OAI: oai:DiVA.org:su-167873
DiVA id: diva2:1303567
Public defence
2019-06-07, L30, NOD-huset, Borgarfjordsgatan 12, Kista, 10:00 (English)
Available from: 2019-05-15 Created: 2019-04-10 Last updated: 2019-05-15. Bibliographically approved
List of papers
1. A cultural adaption model for global cyber security warning systems: A socio-technical proposal
2011 (English). Conference paper, Published paper (Refereed)
Abstract [en]

In this paper we explore the problems of developing a cyber security warning system from both a theoretical and a practical perspective. We review some of the current developments in warning systems around the world and also examine the security metrics area. We then expand on a proposed socio-technical coordinate system for global cyber security alerts and adapt it to an information security culture framework.

Place, publisher, year, edition, pages
Mosharaka for Researches and Studies, 2011
Keywords
cyber security, alert systems, security metrics, socio-technical security systems
National Category
Computer and Information Sciences
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-153287 (URN)
Conference
MIC-CNIT 2011 - Mosharaka International Conference on Communications, Networking and Information Technology, Dubai, United Arab Emirates, 2011
Available from: 2018-02-23 Created: 2018-02-23 Last updated: 2019-04-17
2. Developing social metrics for security: modeling the security culture of it workers individuals (Case study)
2012 (English). In: Proceedings of the 5th International Conference on Communications, Computers and Applications (MIC-CCA2012), Institute of Electrical and Electronics Engineers (IEEE), 2012, p. 112-118. Conference paper, Published paper (Refereed)
Abstract [en]

In this short paper we present and discuss the findings of a case study aimed at developing social security metrics for modeling the security culture of individuals. Using these metrics we have modeled the security culture of individual IT workers from Saudi Arabia. We suggest these metrics can be used for modeling and comparing different security cultures in order to develop the global security culture required for an effective global response to cyber security issues. We start by reviewing the latest research on the social aspects of information security. Then we outline the history of the social security metrics under development. Afterwards we discuss the setup of the case study and the methodology used. Finally, we discuss the experimental results and suggest further research work.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2012
Series
Mosharaka conference paper, E-ISSN 2227-331X
Keywords
Social Security Metrics, Security Mental Models, Security Culture, Risk Management, Security Controls
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-100726 (URN), 978-1-4673-5230-7 (ISBN), 978-1-938302-07-7 (ISBN)
Conference
The 5th International Conference on Communications, Computers and Applications (MIC-CCA2012), Istanbul, Turkey, 12-14 October, 2012
Available from: 2014-02-12 Created: 2014-02-12 Last updated: 2019-04-17. Bibliographically approved
3. ST(CS)2 - Featuring socio-technical cyber security warning systems
2012 (English). In: Proceedings of the 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), Institute of Electrical and Electronics Engineers (IEEE), 2012, p. 312-316. Conference paper, Published paper (Refereed)
Abstract [en]

In this short paper we propose a socio-technical framework for developing cyber security warning systems. We start by reviewing the latest research and theories on the socio-technical nature of information systems security. We then show the need to consider the social dimension of information systems security, as recommended by a number of global security consortiums. Afterwards we review the development of some of the main currently existing global cyber security warning systems. Finally we present our suggested socio-technical coordination platform for socio-technically enabled cyber security warning systems.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2012
Keywords
Security culture, Socio-technical cyber security warning systems, cyber security, security mental models
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-100737 (URN), 10.1109/CyberSec.2012.6246110 (DOI), 978-1-4673-1425-1 (ISBN), 978-1-4673-1426-8 (ISBN)
Conference
International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), Kuala Lumpur, Malaysia, 26-28 June, 2012
Available from: 2014-02-12 Created: 2014-02-12 Last updated: 2019-04-17. Bibliographically approved
4. The Impact of Business-IT Alignment on Information Security Process
2014 (English). In: HCI in Business: Proceedings / [ed] Fiona Fui-Hoon Nah, Springer, 2014, p. 25-36. Conference paper, Published paper (Refereed)
Abstract [en]

Business-IT Alignment (BITA) has the potential to link with organizational issues that deal with business-IT relationships at strategic, tactical and operational levels. In such a context, the information security process (ISP) is one of the issues that can be influenced by BITA. However, the impact has not yet been researched. This paper investigates the impact of BITA on ISP. For this investigation, the relationships between the elements of the Strategic Alignment Model and the components of the Security Values Chain Model are considered. The research process is an in-depth literature survey followed by a case study in two organizations located in the United States and the Middle East. The results show a clear impact of BITA on how organizations distribute their allocated security budget and resources based on needs and risk exposure. The results should support both practitioners and researchers in gaining improved insight into the relationships between BITA and IT security components.

Place, publisher, year, edition, pages
Springer, 2014
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 8527
Keywords
Business-IT alignment, BITA, Information Security Process, Security Value Chain, Security Culture
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-111860 (URN), 10.1007/978-3-319-07293-7_3 (DOI), 978-3-319-07292-0 (ISBN), 978-3-319-07293-7 (ISBN)
Conference
First International Conference, HCIB 2014, Held as Part of HCI International 2014, Heraklion, Crete, Greece, June 22-27, 2014
Available from: 2015-01-08 Created: 2015-01-08 Last updated: 2019-04-10. Bibliographically approved
5. A Prototype For HI²Ping Information Security Culture and Awareness Training
2012 (English). In: 2012 International Conference on E-Learning and E-Technologies in Education (ICEEE), Institute of Electrical and Electronics Engineers (IEEE), 2012, p. 32-36. Conference paper, Published paper (Refereed)
Abstract [en]

In this short paper, we propose a security culture and awareness training platform that suits different learning styles and preferences. The objective is to operationalize the platform to improve individuals' security awareness and to learn more about their security mental models, as well as how their cultural background influences their perception of security. A useful application of the tool is to enhance the effectiveness of security knowledge transfer in security incident response process management and to develop staff commitment to security policies in organizations. The tool can also help enable a global security culture by creating a common understanding of security best practices. Qualitative results show the tool can play a promising role in security education, as it combines different media for communicating the required information to fit the audience's different learning styles.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2012
Keywords
Security Culture, Security Mental Models, Learning Styles, Security Awareness
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-100722 (URN), 10.1109/ICeLeTE.2012.6333397 (DOI), 978-1-4673-1679-8 (ISBN), 978-1-4673-1678-1 (ISBN)
Conference
2012 International Conference on e-Learning and e-Technologies in Education (ICEEE), Lodz, Poland, 24-26 September, 2012
Available from: 2014-02-12 Created: 2014-02-12 Last updated: 2019-04-17. Bibliographically approved
6. Security from a Systems Thinking Perspective - Applying Soft Systems Methodology to the Analysis of an Information Security Incident
2014 (English). In: Proceedings of the 58th Meeting of ISSS, Washington DC, USA, July 2014, International Society for the Systems Sciences (ISSS), 2014. Conference paper, Published paper (Refereed)
Abstract [en]

Applying systems theory to information security enables security analysts to consider the socio-technical role of the security system instead of focusing only on the technical part. Systems theory can also equip security analysts with the skills required to reach a holistic, abstract-level understanding of the security problem in their organisations and to proactively define and evaluate existing risks. The Soft Systems Methodology (SSM) developed by Peter Checkland was created in order to deal with unstructured situations where human beings are part of the socio-technical system. In this paper, SSM is applied as a framework to diagnose a real security incident in an organisation. The purpose of this application is to demonstrate how the methodology can be a beneficial tool for security analysts during security incident management and risk analysis. Literature review and experience indicate an existing lack of customisable incident response tools that facilitate communication and elaboration within organisations during incident management; in addition, the tools that do exist are mainly technical and do not take the human factor into consideration. Using SSM in this way, we define the security attack as a human activity transformation system that transforms a security event triggered by an attacker into a security breach that causes damage to the victim organisation. The attack system is then modelled to include a number of dependent activity sub-systems that interact with each other and with their environment, including the security control activity systems. By having such a systemic perception of a security attack, we suggest, security analysts can gain a holistic perception of the conditions under which a security attack has succeeded and of which elements of the socio-technical system and its environment should have been considered in order to mitigate and reduce the risk exposure.

Place, publisher, year, edition, pages
International Society for the Systems Sciences (ISSS), 2014
Series
Proceedings of the annual meeting of the ISSS, E-ISSN 1999-6918
Keywords
SSM, Socio-Technical Approach, Information Security, Security Approach, Security Incident
National Category
Information Systems
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-114736 (URN), 978-1-5108-0371-8 (ISBN)
Conference
The 58th Meeting of ISSS, Washington DC, USA, 27 July – 1 August, 2014
Available from: 2015-03-09 Created: 2015-03-09 Last updated: 2019-04-17. Bibliographically approved
7. A Socio-technical Framework for Threat Modeling a Software Supply Chain
2015 (English). In: IEEE Security and Privacy, ISSN 1540-7993, E-ISSN 1558-4046, Vol. 13, no 4, p. 30-39. Article in journal (Refereed), Published
Abstract [en]

A new framework performs security threat modeling for a global software supply chain. The threat modeling is based on a case study from the Swedish Armed Forces. After a review of current practices and theories for threat modeling of a software supply chain, the authors suggest a socio-technical framework for studying the software supply chain security problem from a systemic viewpoint. The framework addresses issues of modeling the target system, identifying threats, and analyzing countermeasures.

Keywords
security, threat modeling, software supply chain, sociotechnical framework, social-technical approach
National Category
Information Systems
Identifiers
urn:nbn:se:su:diva-120102 (URN), 10.1109/MSP.2015.72 (DOI), 000359253100006 (ISI)
Available from: 2015-09-03 Created: 2015-09-01 Last updated: 2019-04-17. Bibliographically approved
8. A Framework and Prototype for A Socio-Technical Security Information and Event Management System (ST-SIEM)
2016 (English). In: 2016 European Intelligence and Security Informatics Conference: Proceedings / [ed] Joel Brynielsson, Fredrik Johansson, IEEE Computer Society, 2016, p. 192-195. Conference paper, Published paper (Refereed)
Abstract [en]

In this short paper we present a socio-technical framework for integrating a security risk escalation maturity model into a security information and event management system. The objective of the framework is to develop the foundations for the next-generation socio-technical security information and event management systems (ST-SIEMs) enabling socio-technical security operations centers (ST-SOCs). The primary benefit of the socio-technical framework is twofold: supporting organizations in overcoming the identified limitations in their security risk escalation maturity, and supporting SOCs in overcoming the limitations of their SIEMs. The risk escalation maturity level is quantified using metrics. These metrics are then used by SIEMs for cross-correlating security events before they are disseminated to the respective organizations. Typical SIEMs in use today assess security events using generic risk factors that are not necessarily relevant to every organization. The proposed framework can enable security administrators to manage security warnings effectively and efficiently and to establish the necessary countermeasures.

Place, publisher, year, edition, pages
IEEE Computer Society, 2016
Keywords
SIEM, Socio-Technical SIEM, SOC, Risk Escalation
National Category
Information Systems, Social aspects
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-153268 (URN), 10.1109/EISIC.2016.049 (DOI), 978-1-5090-2857-3 (ISBN)
Conference
2016 European Intelligence and Security Informatics Conference, Uppsala, Sweden, 17–19 August 2016
Available from: 2018-02-23 Created: 2018-02-23 Last updated: 2019-04-10. Bibliographically approved
9. Socio-Technical SIEM (ST-SIEM): Towards Bridging the Gap in Security Incident Response
2017 (English). In: International Journal of Systems and Society, ISSN 2327-3984, Vol. 4, no 2, article id 2. Article in journal (Refereed), Published
Abstract [en]

This article discusses the design and specifications of a Socio-Technical Security Information and Event Management System (ST-SIEM). This newly developed artifact addresses an important limitation identified in today's incident response practice: the lack of sufficient context in the actionable security information disseminated to constituent organizations. ST-SIEM tackles this limitation by considering the socio-technical aspect of information systems security. This is achieved by correlating the technical metrics of security warnings (which are generic in nature, and the sources of which are sometimes unknown) with predefined social security metrics (used for modeling the security culture of constituent organizations). ST-SIEM accordingly adapts the risk factor of the triggered security warning based on each constituent organization's security culture. Moreover, the artifact features several socio-technical taxonomies with an impact factor to support organizations in classifying, reporting, and escalating actionable security information. The overall project uses design science research as a framework to develop the artifact.

Keywords
socio-technical, Security Information and Event Management System, SIEM, ST-SIEM, taxonomies, information systems security, incident response
National Category
Information Systems, Social aspects
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-149438 (URN), 10.4018/IJSS.2017070102 (DOI)
Available from: 2017-11-30 Created: 2017-11-30 Last updated: 2019-04-10. Bibliographically approved
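The two ST-SIEM abstracts (papers 8 and 9) describe the core mechanism only in words: a generic warning arrives with a generic risk factor, is correlated with the constituent organization's social security metrics (the kind of metrics paper 2 develops), and is re-scored and escalated according to that organization's culture and risk escalation maturity. The following Python is an added illustration of that idea, not code from the thesis or the ST-SIEM prototype. The metric dimensions (awareness, policy compliance, reporting habit), the per-category weights, the scaling formula, the unknown-source discount and the maturity-dependent escalation thresholds are all assumptions made for the example, and the warnings and profiles are constructed sample data.

```python
"""Added illustration of the ST-SIEM idea: re-scoring a generic security
warning with each constituent organization's security-culture metrics.
Metric names, category weights, the scaling formula and the escalation
thresholds are assumptions for this example, not the thesis's own design."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityWarning:
    warning_id: str
    category: str        # taxonomy label, e.g. "phishing" (assumed taxonomy)
    base_risk: float     # generic severity on a 0-10 scale, as a feed would send it
    source_known: bool   # the abstract notes the source is sometimes unknown


@dataclass(frozen=True)
class CultureProfile:
    """Social security metrics for one organization (assumed dimensions, each in [0, 1])."""
    org: str
    awareness: float
    policy_compliance: float
    reporting_habit: float
    escalation_maturity: int  # assumed 1..5 risk escalation maturity scale


# Assumed taxonomy: which culture dimension dominates for each warning category.
CATEGORY_WEIGHTS = {
    "phishing":         {"awareness": 0.6, "policy_compliance": 0.2, "reporting_habit": 0.2},
    "malware":          {"awareness": 0.3, "policy_compliance": 0.4, "reporting_habit": 0.3},
    "misconfiguration": {"awareness": 0.1, "policy_compliance": 0.7, "reporting_habit": 0.2},
}
DEFAULT_WEIGHTS = {"awareness": 1 / 3, "policy_compliance": 1 / 3, "reporting_habit": 1 / 3}


def culture_exposure(profile: CultureProfile, category: str) -> float:
    """Weighted gap (1 - metric) over the dimensions relevant to the category; in [0, 1]."""
    weights = CATEGORY_WEIGHTS.get(category, DEFAULT_WEIGHTS)
    return sum(w * (1.0 - getattr(profile, dim)) for dim, w in weights.items())


def adapted_risk(warning: SecurityWarning, profile: CultureProfile) -> float:
    """Generic score scaled by (1 + exposure); unknown-source warnings get a 10% discount."""
    risk = warning.base_risk * (1.0 + culture_exposure(profile, warning.category))
    if not warning.source_known:
        risk *= 0.9
    return round(min(risk, 10.0), 2)


def escalation_level(risk: float, profile: CultureProfile) -> str:
    """Map adapted risk to an action; less mature organizations escalate at a lower score."""
    high = 7.5 - 0.5 * (5 - profile.escalation_maturity)   # 7.5 at maturity 5, 5.5 at 1
    if risk >= high:
        return "escalate"
    if risk >= high - 3.0:
        return "notify"
    return "monitor"


def triage(warnings, profiles):
    """Return {org: [(warning_id, adapted_risk, level), ...]} for every constituent."""
    result = {}
    for profile in profiles:
        rows = []
        for w in warnings:
            risk = adapted_risk(w, profile)
            rows.append((w.warning_id, risk, escalation_level(risk, profile)))
        result[profile.org] = rows
    return result


# Constructed sample data (not from the thesis): the same two generic warnings
# are delivered to a strong-culture and a weak-culture organization.
SAMPLE_WARNINGS = [
    SecurityWarning("W-1", "phishing", 5.0, source_known=True),
    SecurityWarning("W-2", "misconfiguration", 6.0, source_known=False),
]
SAMPLE_PROFILES = [
    CultureProfile("org-strong", awareness=0.9, policy_compliance=0.8,
                   reporting_habit=0.9, escalation_maturity=4),
    CultureProfile("org-weak", awareness=0.3, policy_compliance=0.5,
                   reporting_habit=0.2, escalation_maturity=2),
]

if __name__ == "__main__":
    for org, rows in triage(SAMPLE_WARNINGS, SAMPLE_PROFILES).items():
        for warning_id, risk, level in rows:
            print(f"{org:10s} {warning_id} adapted_risk={risk:5.2f} -> {level}")
```

Running the block shows the point of the abstracts: the same phishing warning with a generic score of 5.0 is re-scored to 5.6 (notify) for the strong-culture organization and to 8.4 (escalate) for the weak one, so the feed's one-size-fits-all risk factor is replaced by a per-constituent decision. Whatever formula a real deployment uses, the two things worth keeping are that the culture metrics are pre-defined per organization rather than guessed at alert time, and that the escalation threshold moves with the organization's maturity rather than being a global constant.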

Open Access in DiVA
Full text: FULLTEXT01.pdf (12211 kB, application/pdf)
SHA-512 checksum: 0fc066cd2f4bb5babe5ff48dc3f69feef35099b3e75c3a52f5abb94dd8d3945d4d5f74b75a63eabe51f7c0bb2fd5ec95b14c057b35b95304cab602f6e98cc58a