Enhancing security incident response follow-up efforts with lightweight agile retrospectives

Grispos, G., Glisson, W. B. and Storer, T. (2017) Enhancing security incident response follow-up efforts with lightweight agile retrospectives. Digital Investigation, 22, pp. 62-73. (doi: 10.1016/j.diin.2017.07.006)

148323.pdf - Accepted Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.



Security incidents detected by organizations are escalating in both scale and complexity. As a result, security incident response has become a critical mechanism for organizations in an effort to minimize the damage from security incidents. The final phase within many security incident response approaches is the feedback/follow-up phase. It is within this phase that an organization is expected to use information collected during an investigation in order to learn from an incident, improve its security incident response process and positively impact the wider security environment. However, recent research and security incident reports argue that organizations find it difficult to learn from incidents. A contributing factor to this learning deficiency is that industry focused security incident response approaches, typically, provide very little practical information about tools or techniques that can be used to extract lessons learned from an investigation. As a result, organizations focus on improving technical security controls and not examining or reassessing the effectiveness or efficiency of internal policies and procedures. An additional hindrance, to encouraging improvement assessments, is the absence of tools and/or techniques that organizations can implement to evaluate the impact of implemented enhancements in the wider organization. Hence, this research investigates the integration of lightweight agile retrospectives and meta-retrospectives, in a security incident response process, to enhance feedback and/or follow-up efforts. The research contribution of this paper is twofold. First, it presents an approach based on lightweight retrospectives as a means of enhancing security incident response follow-up efforts. Second, it presents an empirical evaluation of this lightweight approach in a Fortune 500 Financial organization's security incident response team.

Item Type:Articles
Glasgow Author(s) Enlighten ID:Storer, Dr Tim
Authors: Grispos, G., Glisson, W. B., and Storer, T.
College/School:College of Science and Engineering > School of Computing Science
Journal Name:Digital Investigation
ISSN (Online):1873-202X
Published Online:26 August 2017
Copyright Holders:Copyright © 2017 Elsevier Ltd.
First Published:First published in Digital Investigation 22:62-73
Publisher Policy:Reproduced in accordance with the copyright policy of the publisher

University Staff: Request a correction | Enlighten Editors: Update this record