What are the Critical Success Factors Required for Supporting an Information Security Incident Reporting Maturity Model?

2017-01-05T11:37:11Z (GMT) by Mike Humphrey
<p>Poster presentation at the 2016 Defence and Security Doctoral Symposium.</p><p>It could be argued that in today’s world information is ubiquitous and, increasingly for individuals, organisations and nations, seen as an asset which has value. It may be the case that information has always been considered of value, as evidenced by early iterations of cyphers and encryption in Egyptian times, as well as Caesar cyphers and biblical cyphers (Singh, 1999).  The main difference between then and today is the sheer volume of information available and the numerous methods and devices that access that information. An ever increasing proportion of that information is now stored, processed and accessed via technology. Terms such as ‘the cloud’, ‘bring your own device  and ‘smart phone’ are part of everyday language.   A collective noun ‘Cyberspace’ commonly describes the widespread use and reliance upon computer networks and it may be possible to consider cyberspace as an increasing element of a new engine of economic growth and, to some extent, a contributory factor to the modern industrial revolution as described by Jenson, (1993).</p> <p>To counter the threats to information in cyberspace, and to exploit the benefits the internet can bring, requires a greater understanding of the threats and risks.  Unfortunately, with the growth of technology there are those who seek to exploit that information for financial gain and organised crime,  </p> <p> </p> <p>“If there is a single cross-cutting issue that has changed the landscape for serious and organised crime and our response against it, it is the growth in scale and speed of internet communication technologies.”(www.nationalcrimeagency.gov.uk)   </p> <p> </p> <p>Although high profile events involving cyberspace are reported in the media; it is strongly suspected many others are not.  Due to the uncertain nature of the true scale of information security incidents through under reporting, there is a subsequent lack of sufficient empirical data to make reasoned judgements for risk assessment and risk management.</p> <p>It is the author’s belief that due to the uncertain nature of the true scale of information security incidents through under reporting, there is a subsequent lack of sufficient empirical data to make reasoned judgements for risk assessment and risk management.</p> <p> </p> <p><sup>1</sup> The cloud definition is described in NIST Special Publication 800-146 Sept 2011. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.…viewed 8/3/15.</p> <p><sup>2</sup>  Bring your Own Device. The practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes: http://www.oxforddictionaries.com/definition/english/BYOD last viewed 2/5/15</p> <p><sup>3 </sup> Smart phone. A mobile phone that performs many of the functions of a computer, typically having a touchscreen interface, internet access and an operating system capable of running downloaded apps. http://www.oxforddictionaries.com/definition/english/smartphone   8/3/15</p> <p><sup>4</sup> Cyberspace. The notional environment in which communication over computer networks occurs. http://www.oxforddictionaries.com/definition/english/cyberspace       viewed 8/3/15 </p> <p>Extract References</p> <p>Great Britain (2014) National Crime Agency Strategic Assessment of Serious and Organised Crime http://www.nationalcrimeagency.gov.uk/publications/207-nca-strategic-assessment-of-serious-and-organised-crime/fileNational Strategic Assessment 1<sup>st</sup> of May 2014, p4</p> <p>Jensen, M. C. (1993), The Modern Industrial Revolution, Exit, and the Failure of Internal Control Systems. The Journal of Finance, 48: 831–880. doi:10.1111/j.1540-6261.1993.tb04022.x         http://onlinelibrary.wiley.com/enhanced/doi/10.1111/j.1540-6261.1993.tb04022.x/last viewed 9/3/15</p> <p>Singh, S. (1999). The Code Book. The Secret History of Codes and Code-Breaking. Fourth Estate, Harper Collins London</p> <p> </p>