An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents

Ying He, Chris Johnson, Karen Renaud, Yu Lu, Salem Jebriel

Research output: Contribution to conferencePaperpeer-review

12 Citations (Scopus)

Abstract

The number of security incidents is still increasing. The re-occurrence of past breaches shows that lessons have not been effectively learned across different organisations. This illustrates important weaknesses within information security management systems (ISMS). The sharing of recommendations between public and private organisations has, arguably, not been given enough attention across academic and industry. Many questions remain, for example, about appropriate levels of detail and abstraction that enable different organisations to learn from incidents that occur in other companies within the same or different industries. The Generic Security Template has been proposed, aiming to provide a unified way to share the lessons learned from real world security incidents. In particular, it adapts the graphical Goal Structuring Notation (GSN), to present lessons learned in a structured manner by mapping them to the security requirements of the ISMS. In this paper, we have shown how a Generic Security Template can be used to structure graphical overviews of specific incidents. We have also shown the template can be instantiated to communicate the findings from an investigation into the US VA data breach. Moreover, this paper has empirically evaluated this approach to the creation of a Generic Security Template; this provides users with an overview of the lessons derived from security incidents at a level of abstraction that can help to implement recommendations in future contexts that are different from those in which an attack originally took place.

Original languageEnglish
Pages178-188
Number of pages11
DOIs
Publication statusPublished - 2014
Externally publishedYes
Event2014 6th International Conference on Computer Science and Information Technology, CSIT 2014 - Amman, Jordan
Duration: 26 Mar 201427 Mar 2014

Conference

Conference2014 6th International Conference on Computer Science and Information Technology, CSIT 2014
Country/TerritoryJordan
CityAmman
Period26/03/1427/03/14

Fingerprint

Dive into the research topics of 'An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents'. Together they form a unique fingerprint.

Cite this