Evaluating Incident Response in CSIRTs using Cube Socio-technical Systems Analysis

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Standards & Interfaces Pub Date : 2025-01-02 DOI:10.1016/j.csi.2024.103970

Haula Sani Galadima , Cormac Doherty , Nick McDonald , Junli Liang , Rob Brennan

{"title":"Evaluating Incident Response in CSIRTs using Cube Socio-technical Systems Analysis","authors":"Haula Sani Galadima , Cormac Doherty , Nick McDonald , Junli Liang , Rob Brennan","doi":"10.1016/j.csi.2024.103970","DOIUrl":null,"url":null,"abstract":"<div><div>This paper provides a novel method for evaluating Incident Response (IR) teams through the application of the Cube Socio-technical Systems Analysis (STSA) methodology. Cube is a form of structured Human Factors enquiry and has previously been successfully applied in both aviation and healthcare. By utilising STSA, this study aims to understand and evaluate incident knowledge across the IR socio-technical domain. Traditional approaches to IR improvement often focus solely on technical aspects, neglecting social factors that may significantly influence IR effectiveness.</div><div>This research presents the results of extending the ARK platform for a cybersecurity IR Cube STSA of IR activities in a case study involving a large, accredited Computer Security Incident Response Team (CSIRT). It evaluates the IR system and team needs before the development of a technological intervention to improve IR learning and preparation capabilities. We present an extended Cube questionnaire, that defines specialised IR questions, an ontology, and terminology for the cybersecurity domain based on the ISO27000 series of standards. The case study demonstrates the ARK platform's capability to capture and analyse IR systems using a Multi-stage Cube STSA analysis shared in a reusable knowledge graph based on W3C standards. This provides a shared knowledge base based on FAIR (Findable, Accessible, Interoperable, Reusable) linked data, that may support generation of training materials, playbooks, and best practices to enhance IR capabilities and CSIRT operations. We show how this approach provides new insights and reusable artefacts for CSIRTs to enhance organisational cyber resilience and learning.</div></div>","PeriodicalId":50635,"journal":{"name":"Computer Standards & Interfaces","volume":"93 ","pages":"Article 103970"},"PeriodicalIF":4.1000,"publicationDate":"2025-01-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Standards & Interfaces","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0920548924001399","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

This paper provides a novel method for evaluating Incident Response (IR) teams through the application of the Cube Socio-technical Systems Analysis (STSA) methodology. Cube is a form of structured Human Factors enquiry and has previously been successfully applied in both aviation and healthcare. By utilising STSA, this study aims to understand and evaluate incident knowledge across the IR socio-technical domain. Traditional approaches to IR improvement often focus solely on technical aspects, neglecting social factors that may significantly influence IR effectiveness.

This research presents the results of extending the ARK platform for a cybersecurity IR Cube STSA of IR activities in a case study involving a large, accredited Computer Security Incident Response Team (CSIRT). It evaluates the IR system and team needs before the development of a technological intervention to improve IR learning and preparation capabilities. We present an extended Cube questionnaire, that defines specialised IR questions, an ontology, and terminology for the cybersecurity domain based on the ISO27000 series of standards. The case study demonstrates the ARK platform's capability to capture and analyse IR systems using a Multi-stage Cube STSA analysis shared in a reusable knowledge graph based on W3C standards. This provides a shared knowledge base based on FAIR (Findable, Accessible, Interoperable, Reusable) linked data, that may support generation of training materials, playbooks, and best practices to enhance IR capabilities and CSIRT operations. We show how this approach provides new insights and reusable artefacts for CSIRTs to enhance organisational cyber resilience and learning.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Standards & Interfaces 工程技术-计算机：软件工程

CiteScore

11.90

自引率

16.00%

发文量

审稿时长

6 months

期刊介绍： The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal • Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels • Publishes critical comments on standards and standards activities • Disseminates user''s experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods • Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts • Stimulates relevant research by providing a specialised refereed medium.