Evaluating Incident Response in CSIRTs using Cube Socio-technical Systems Analysis

IF 3.1 | Zone 2, Computer Science | Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Haula Sani Galadima, Cormac Doherty, Nick McDonald, Junli Liang, Rob Brennan
DOI: 10.1016/j.csi.2024.103970
Journal: Computer Standards & Interfaces, volume 93, Article 103970
Publication date: 2025-01-02
Publication type: Journal Article
Source: https://www.sciencedirect.com/science/article/pii/S0920548924001399
Citation count: 0

Abstract

Evaluating Incident Response in CSIRTs using Cube Socio-technical Systems Analysis
This paper provides a novel method for evaluating Incident Response (IR) teams through the application of the Cube Socio-technical Systems Analysis (STSA) methodology. Cube is a form of structured Human Factors enquiry and has previously been successfully applied in both aviation and healthcare. By utilising STSA, this study aims to understand and evaluate incident knowledge across the IR socio-technical domain. Traditional approaches to IR improvement often focus solely on technical aspects, neglecting social factors that may significantly influence IR effectiveness.
This research presents the results of extending the ARK platform for a cybersecurity IR Cube STSA of IR activities in a case study involving a large, accredited Computer Security Incident Response Team (CSIRT). It evaluates the IR system and team needs before the development of a technological intervention to improve IR learning and preparation capabilities. We present an extended Cube questionnaire, that defines specialised IR questions, an ontology, and terminology for the cybersecurity domain based on the ISO27000 series of standards. The case study demonstrates the ARK platform's capability to capture and analyse IR systems using a Multi-stage Cube STSA analysis shared in a reusable knowledge graph based on W3C standards. This provides a shared knowledge base based on FAIR (Findable, Accessible, Interoperable, Reusable) linked data, that may support generation of training materials, playbooks, and best practices to enhance IR capabilities and CSIRT operations. We show how this approach provides new insights and reusable artefacts for CSIRTs to enhance organisational cyber resilience and learning.
Source journal
Computer Standards & Interfaces (Engineering & Technology - Computer Science: Software Engineering)
CiteScore: 11.90
Self-citation rate: 16.00%
Articles published: 67
Review time: 6 months
Journal description: The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal
• Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels
• Publishes critical comments on standards and standards activities
• Disseminates user's experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods
• Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts
• Stimulates relevant research by providing a specialised refereed medium.