Shaked, Avi, Cherdantseva, Yulia ORCID: https://orcid.org/0000-0002-3527-1121, Burnap, Peter ORCID: https://orcid.org/0000-0003-0396-633X and Maynard, Peter 2023. Operations-informed incident response playbooks. Computers and Security 134, 103454. 10.1016/j.cose.2023.103454
PDF - Published Version. Available under License Creative Commons Attribution.
Abstract
Cyber security incident response playbooks are critical for establishing an effective incident response capability within organizations. We identify a significant conceptual gap in the current research and practice of cyber security playbook design: the lack of ability to communicate the operational impact of an incident and of incident response on an organization. In this paper, we present a mechanism to address the gap by introducing the operational context into an incident response playbook. This conceptual contribution calls for a shift from playbooks that consist only of process models to playbooks that consist of process models closely linked with a model of operations. We describe a novel approach to embed a model of operations into the incident response playbook and link it with the playbook's incident response activities. This makes it possible to reflect, in an accurate and systematic way, the interdependencies and mutual influences of incident response activities on operations and vice versa. The approach includes the use of a new metric for evaluating the change in operations in coordination with critical thresholds, supporting decision-making during cyber security incident response. We demonstrate the application of the proposed approach to playbook design in the context of a ransomware attack incident response, using a newly developed open-source tool.
| Item Type: | Article |
|---|---|
| Date Type: | Publication |
| Status: | Published |
| Schools: | Computer Science & Informatics |
| Publisher: | Elsevier |
| ISSN: | 0167-4048 |
| Date of First Compliant Deposit: | 5 January 2024 |
| Date of Acceptance: | 22 August 2023 |
| Last Modified: | 18 Jan 2024 13:43 |
| URI: | https://orca.cardiff.ac.uk/id/eprint/165303 |