An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents

Authors: Ying He, Chris W. Johnson, K. Renaud, Yu Lu, S. Jebriel
Venue: 2014 6th International Conference on Computer Science and Information Technology (CSIT)
Published: 2014-03-26
DOI: 10.1109/CSIT.2014.6805998 (https://doi.org/10.1109/CSIT.2014.6805998)

Abstract
The number of security incidents is still increasing. The re-occurrence of past breaches shows that lessons have not been effectively learned across different organisations. This illustrates important weaknesses within information security management systems (ISMS). The sharing of recommendations between public and private organisations has, arguably, not been given enough attention in academia or industry. Many questions remain, for example, about the appropriate levels of detail and abstraction that enable different organisations to learn from incidents that occur in other companies within the same or different industries. The Generic Security Template has been proposed, aiming to provide a unified way to share the lessons learned from real-world security incidents. In particular, it adapts the graphical Goal Structuring Notation (GSN) to present lessons learned in a structured manner by mapping them to the security requirements of the ISMS. In this paper, we show how a Generic Security Template can be used to structure graphical overviews of specific incidents. We also show that the template can be instantiated to communicate the findings from an investigation into the US VA data breach. Moreover, this paper empirically evaluates this approach to the creation of a Generic Security Template; this provides users with an overview of the lessons derived from security incidents at a level of abstraction that can help to implement recommendations in future contexts that differ from those in which an attack originally took place.