Test environment running 7.6.6

Cultural advice

The Australian National University acknowledges, celebrates and pays our respects to the Ngunnawal and Ngambri people of the Canberra region and to all First Nations Australians on whose traditional lands we meet and work, and whose cultures are among the oldest continuing cultures in human history.

Aboriginal and Torres Strait Islander peoples are advised that ANU Library collections may include images, names, voices, and other representations of deceased persons.

Material in the collection may contain terms, language or views that reflect the period in which the item was created and may be considered inappropriate today.

An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents

Loading...
Thumbnail Image

Date

Journal Title

Journal ISSN

Volume Title

Publisher

Access Statement

Research Projects

Organizational Units

Journal Issue

Abstract

The number of security incidents is still increasing. The re-occurrence of past breaches shows that lessons have not been effectively learned across different organisations. This illustrates important weaknesses within information security management systems (ISMS). The sharing of recommendations between public and private organisations has, arguably, not been given enough attention across academic and industry. Many questions remain, for example, about appropriate levels of detail and abstraction that enable different organisations to learn from incidents that occur in other companies within the same or different industries. The Generic Security Template has been proposed, aiming to provide a unified way to share the lessons learned from real world security incidents. In particular, it adapts the graphical Goal Structuring Notation (GSN), to present lessons learned in a structured manner by mapping them to the security requirements of the ISMS. In this paper, we have shown how a Generic Security Template can be used to structure graphical overviews of specific incidents. We have also shown the template can be instantiated to communicate the findings from an investigation into the US VA data breach. Moreover, this paper has empirically evaluated this approach to the creation of a Generic Security Template; this provides users with an overview of the lessons derived from security incidents at a level of abstraction that can help to implement recommendations in future contexts that are different from those in which an attack originally took place.

Description

Citation

Source

Book Title

Entity type

Publication

Access Statement

License Rights

Restricted until