An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents

He, Y., Johnson, C. , Renaud, K., Lu, Y. and Jebriel, S. (2014) An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents. In: 6th International Conference on Computer Science and Information Technology (CSIT 2014), Amman, Jordan, 26-27 Mar 2014, pp. 178-188. (doi: 10.1109/CSIT.2014.6805998)

Full text not currently available from Enlighten.

Publisher's URL: http://dx.doi.org/10.1109/CSIT.2014.6805998

Abstract

The number of security incidents is still increasing. The re-occurrence of past breaches shows that lessons have not been effectively learned across different organisations. This illustrates important weaknesses within information security management systems (ISMS). The sharing of recommendations between public and private organisations has, arguably, not been given enough attention across academic and industry. Many questions remain, for example, about appropriate levels of detail and abstraction that enable different organisations to learn from incidents that occur in other companies within the same or different industries. The Generic Security Template has been proposed, aiming to provide a unified way to share the lessons learned from real world security incidents. In particular, it adapts the graphical Goal Structuring Notation (GSN), to present lessons learned in a structured manner by mapping them to the security requirements of the ISMS. In this paper, we have shown how a Generic Security Template can be used to structure graphical overviews of specific incidents. We have also shown the template can be instantiated to communicate the findings from an investigation into the US VA data breach. Moreover, this paper has empirically evaluated this approach to the creation of a Generic Security Template; this provides users with an overview of the lessons derived from security incidents at a level of abstraction that can help to implement recommendations in future contexts that are different from those in which an attack originally took place.

Item Type:Conference Proceedings
Keywords:Generic Security Template, lessons learned, security incident, Goal Structuring Notation
Status:Published
Refereed:Yes
Glasgow Author(s) Enlighten ID:Johnson, Professor Chris and Renaud, Professor Karen and He, Miss Ying and Lu, Mr Yu
Authors: He, Y., Johnson, C., Renaud, K., Lu, Y., and Jebriel, S.
Subjects:Q Science > QA Mathematics > QA75 Electronic computers. Computer science
College/School:College of Science and Engineering > School of Computing Science

University Staff: Request a correction | Enlighten Editors: Update this record