Turning Weakness into Strength: How to Learn From an IT Security Incident

Randy L. Burkhead (Capella University, USA)
DOI: 10.4018/978-1-5225-0522-8.ch006


In today's culture, organizations have come to expect that information security incidents and breaches are no longer a matter of if but when. This shifting paradigm has brought increased attention not to the defenses in place to prevent an incident, but to how companies manage the aftermath. Using a phenomenological model, organizations can reconstruct events with a focus on the human aspects of security, with forensic technology providing supporting information. This can be achieved by conducting an after action review of incidents using a phenomenological model. Through this approach the researcher can discover the common attributes of the incident management cycle and how these attributes have been applied in the organization. An interview guide and six steps are presented to accomplish this type of review. By understanding what happened, how it happened, and why it happened during incident response, organizations can turn their moment of weakness into a pillar of strength.
Chapter Preview

Previous Research

There is a lot of existing research on the topic of cyber security, ranging from war applications to criminal activities. There are published standards for IT security, including industry regulations like the Payment Card Industry Data Security Standard (PCI-DSS), government sponsored standards like United States National Institute for Standards and Technology (NIST) special publication 800-53, laws and regulations such as the Health Information Privacy and Accountability Act (HIPAA), and international cyber security standards such as International Standard Organization (ISO) 2700 and Information Technology Infrastructure Library (ITIL). Each of these standards includes processes and procedures for incident response, but each offers only limited instructions for how to build an incident response program. There is very little research into the phenomenon of IT security incidents and incident management in the field.

Key Terms in this Chapter

Information Security: The field of information security contains many important elements that influence information security incident management. Information security is the identification of technology assets and targets, the processes of defending or attacking those technology assets and targets, and the social constructs influencing attackers and defenders (Pieters, 2011; Thomas & Dhillon, 2012; Vorobiev & Bekmamedova, 2010; Vuorinen & Tetri, 2012). These elements inform all aspects of information security as a common ontological framework.

Information Security Incident Management: The management of information security incidents is the primary phenomenon under investigation. Information security incident management is identifying the technology, processes, and people responsible for attacks and infiltrations against assets that violate the confidentiality, integrity, or availability of the asset, and using that information to diagnose, contain, and recover from incidents (Burkhead, 2014; Kadlec & Shropshire, 2010; Rajakumar & Shanthi, 2014; Werlinger et al., 2010). The management of these incidents occurs at the intersection of offensive and defensive information security concepts.

Source and Intent: Identifying the source and intent of an information security incident may provide valuable information for the management of the information security incident. The source and intent of an information security incident is any combination of internal or external actors with purposeful or accidental intentions, be they malicious or benign (Halfond, Choudhary, & Orso, 2011; Hua & Bapna, 2013). These two factors impact incident response in unique ways, as each potential attacker and intention changes the course of investigations.

Defensive Information Security: Defending information covers a wide area of preventive and reactive tasks that contribute to the security of information and systems. Defensive information security consists of the preventive management of risk as well as the reactive management of information security incidents (Fenz, Ekelhart, & Neubauer, 2011; Kadlec & Shropshire, 2010; Rajakumar & Shanthi, 2014; Schuesster, 2013; Tohidi, 2011; Werlinger et al., 2010). These defensive processes and procedures each cover a wide variety of tasks directly related to the security of information and systems.

Perception: Perception and identification are important concepts in the decision-making process for information security incident management. Heuer (1999) described a process of intelligence analysis in which the analyst, through self-awareness, removes his or her worldviews and biases from the assessment of situations. The perception and identification of information security incidents leads to subsequent actions. The perception and identification of events is a central concept of this phenomenological framework.

Risk Management: Risk management covers the implementation of information security in practice. Risk management is how information security is performed in modern organizations: through the analysis and evaluation of vulnerabilities against threats to determine risk, and the mitigation of that risk based on organizational priorities (Fenz et al., 2011; Schuesster, 2013; Tohidi, 2011). This is primarily a preventive framework designed to prevent information security incidents from occurring in secure networks.

Offensive Information Security: Offensive information security is just as broad as defensive information security. Offensive information security is the identification of targets, the processes of attacking those targets, and the social constructs influencing attackers (Bowles, 2012; Chan, Hyung, & Hoon, 2013; Geers, 2010). These elements are not well established but have an impact on information security incident management.

Information Security Incident: Information security incidents come in many forms. An incident, an event that adversely affects technology systems or services, must relate to the elements of information security, including the identification of assets, processes for attack and defense, and human attackers and defenders, in order to be considered an information security incident (Ayyagari, 2012; Burkhead, 2014; Drtil, 2013). Incidents that meet these criteria can be termed information security incidents.

Asset: There are many different targets that attackers may select during an information security incident. An asset can be a technology system or application, digital information, or the people associated with these elements (Pieters, 2011; Vuorinen & Tetri, 2012). All of these assets can be targeted and should be protected from attack.

Cyber Crime: Cyber crime is one potential classification of an information security incident. An information security incident is termed cyber crime when it is a combination of illegal actions, such as those defined in Section 18 of the United States Code, part 1030, but the effects are less than the threshold of cyber war (Brenner, 2004). This definition encompasses a wide range of potential information security incidents.

Phenomenology: Phenomenology is the qualitative research method presented in this chapter. Phenomenology is a research process that is focused on the unique lived experiences of participants, using creative methods and processes to collect and analyze data (Van Manen, 2014; Giorgi, 2009). Phenomenology, in relation to the work presented in this chapter, is a multipart process that starts with an epoche in order to identify and be aware of bias, and includes the phenomenological reduction, in which data is broken down and then reconstructed in order to answer the scope of the project with the discovered conclusions.
