Web server auditing can go a long way in enforcing tighter security and ensuring business continuity. The power of log data

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©2019 IEEE

Cybersecurity Culture in Computer Security Incident Response Teams

Investigating difficulties in communication and coordination

Marios Ioannou Applied Cybersecurity Research Lab

University of Central Lancashire Cyprus

Larnaka, Cyprus [email protected]

Dr. Eliana Stavrou Applied Cybersecurity Research Lab

University of Central Lancashire Cyprus

Larnaka, Cyprus [email protected]

Dr. Maria Bada The Department of Computer Science

and Technology Cambridge Cybercrime Centre

University of Cambridge Cambridge, UK

[email protected]

Abstract— This study aims to identify the factors related to developing a cybersecurity culture at an organizational context and the difficulties faced in communicating and cooperating within a CSIRT. Specifically, our aim is to identify: 1) The issues which may limit the communication and the coordination of incident management process inside a CSIRT, 2) the issues which may limit the cooperation from top management to employees and reverse and 3) approaches towards addressing the issues that limit the communication and the cooperation of a CSIRT. The research was conducted using an online survey and study participants were experts within the existing CSIRT community. In total, 25 participants responded to the questionnaire, from 23 different countries in the world. The questions of the survey queried the personal knowledge and experience of participants regarding CSIRTs. In our analysis, issues such as communication, cooperation, coordination, trust and information sharing are discussed as crucial factors that affect the development of a cybersecurity culture. Several issues and weaknesses in terms of communication, coordination and cooperation within CSIRT are outlined and a set of recommendations and key elements are defined.

Keywords—cybersecurity, culture, CSIRT, incident management, communication, cooperation

I. Introduction The number of attacks in recent years has risen

dramatically. Last year Equifax, one of the largest credit agencies in U.S. was breached and the personal information of approximately 143 million individuals were exposed. After the leak of NSA and the “Vault 7” database of exploits, a number of these exploits was widely used by popular ransomware, such as “WannaCry”, “NonPetya” etc., and the families of ransomware grew up dramatically. In 2016 there were 638 million incidents from ransomware, whereas in 2017 there were 2,2 billion incidents [1].

According to Ponemon Institute [2], financial costs of security breaches may include both direct costs (such as loss of data, intellectual property etc.) as well as indirect costs (such as loss of reputation etc.). To eliminate, or at least minimize the impact, organizations should have the capacity to effectively manage an incident, including implementing proactive and reactive measures. Incident Management is the process of detection and response to incidents related to computer security as well as the protection of data, assets and systems which are critical in order to prevent incidents from occurring. Incident management processes in an organization

are typically being managed and coordinated by a Computer Security Incident Response Team (CSIRT) [3].

The weakest link in the chain is still the humans. The investment and the development of a cybersecurity culture within organizations can minimize the risk from the human factor; this can provide a positive impact to security and efficiency and at the same time mitigate the financial risks. It is important to establish effective communication, collaboration and coordination within the CSIRT in order to have an effective and efficient incident handling. These targets are challenging to be achieved, so our aim with this work is to identify internally at a CSIRT: 1) The issues which may limit the communication and the coordination of incident management processes; 2) The issues which may limit the cooperation from top management to employees and reverse and 3) Approaches towards addressing the issues that limit the communication and cooperation of a CSIRT.

Section II discusses related work. Section III presents the methodology followed and section IV presents the results of this research work. Section V provides recommendations to address the issues identified and section VI concludes the work.

II. Related Work A. Cybersecurity Culture

A cybersecurity culture refers to the procedures laid down by an organization to all its employees, directing their course of action in all situations related to data integrity, whenever in the line of duty. The dominant part of information breaches inside the organizations are aftermath of human actors [4] and keeping in mind that cybersecurity policies are ordinary among the organizations. Against this background, the improvement of a cybersecurity culture accomplishes an adjustment in outlook, cultivates security mindfulness and hazard observation and keeps up a nearby hierarchical culture, instead of endeavoring to constrain secure conduct.

Developing a cybersecurity culture therefore starts with the formulation of policies which guide the employees who handle information, on how to react in the case of different situations. These policies or guidelines are then made aware to all employees, depending on the type of data they handle. Awareness is usually followed by a constant examination of compliance [5]. The development of a cybersecurity culture involves “addressing cyber threats using technology and complimentary factors such as policy guidelines, information

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 16,2022 at 00:34:03 UTC from IEEE Xplore. Restrictions apply.

sharing on threats and creating awareness” [6]. Also, the role of executive leaders should not be merely selecting a team to create awareness [7]. Rather, the executive leaders should actively take part in the training process.

B. Factors Affecting the Development of a Cybersecurity Culture The following are some of the factors which influence the

development of a cybersecurity culture:

a) Clarity of policies: For the cybersecurity culture to be effective, it is paramount for the organization’s management to create policies which clearly address the potential threats in the immediate working environment, the available preventive measures and how to respond in case a potential or actual attack has been detected [8].

b) Assumptions made by management members: The assumptions made by policy makers with regard to the roles played by different people in the culture development process could determine whether the culture becomes effective or not.

c) Points of focus for policy makers: In the development of a cybersecurity culture, the main aim of cybersecurity policies is to condition people within the organization into doing what is required so as to safeguard data integrity [9].

d) Communication development efforts: The efficiency of communication determines whether the policies will be perceived as laws which they must comply with or a culture which needs to be cultivated for the greater good of the organization [10]. A main component of organizational culture and managerial culture [11] is the managerial communication. Employee’ satisfaction and commitment is defined by the organizational culture [12]. Welch and Jackson [13] concentrate on the fourth dimension which is the internal corporate communication. The main role of this type of communication is to “transfer” the goals and the objectives of the organization and aims to reach four goals: the understanding of business environment, the belonging, the commitment and the awareness [13].

e) Cooperation development efforts: Cooperation is a basic component in order to aggregate activities, as well as to keep up a beneficial general workplace. The business workplace groups showing lack of teamwork may lead to unwanted results at business operations [14]. For every stakeholder to play their role in cultivating a cybersecurity culture, they must understand the dire importance of their role as well as the ultimate collective goal.

f) CSIRT’s effectiveness improvement: Bada et al. [15] argued that the measurement of the effectiveness of information security will assist in increasing accountability, improving the effectiveness of information security, as well as the demonstration of compliance. The researchers also argue that in order to improve the effectiveness of CSIRTs, relevant information issues such as trust, data-sharing, better communication and cooperation are necessary to be explored, which are important in achieving the highest levels of performance.

III. Methodology In order to investigate the factors that challenge the

communication and coordination efforts within a CSIRT, an online questionnaire was conducted. All the participants were

experts that were currently, or used to, work in a CSIRT at various positions. The participation in the study was voluntary. In total, 25 participants responded to the questionnaire, from 23 different countries across United States of America, Europe, Asia, Australia and Africa.

The information collected was considered sensitive, was treated as confidential and was immediately anonymized. The questions where grouped in various categories. Replies to the questionnaire ranged from 1 low level to 5 high level. In this paper, we will focus on the results concerning the team management, training and performance evaluation of a CSIRT. A descriptive analysis of the questionnaire’s results was performed to gain insights of CSIRTs’ operation, identify challenges and best practices.

IV. Results Following, the results are presented, and the challenges

faced by CSITRs regarding communication and coordination aspects are identified.

A. Team Management A key aspect to create a cybersecurity culture in CSIRTs

is team management. Managers need to have the ability to coach their teams, set goals, provide directions and coordinate each group of individuals to successfully complete a task, while maintaining a high level of teamwork spirit. All these aspects are primarily based on communication and coordination abilities of individuals.

The research revealed that despite the fact that CSIRT management tries to improve communication and coordination between the different teams within each organization, there are many obstacles that employees encounter during an event. These are listed in Table I.

TABLE I. OBSTACLES IN COMMUNICATION / COORDINATION DURING AN INCIDENT

Obstacles identified % Not all employees are being kept informed during an incident 48

The right information is not being sent to the right people 44

Functional Areas not collaborating 40

Roles are not clearly defined from Policy 36

Lack of Trust between the teams 32

Fear not to expose CSIRT from an incorrect initiative 32

Not very good relationships between the employees and the managers 20

Fear from an employee that is not approaching the right solution 16

People take roles that are not assigned to them 4

Most of the obstacles identified in Table I relate to communication and coordination issues. Communication and coordination issues are reported across two levels: between management and employees and between teams. The key issue identified across the two levels, is that there is lack of

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 16,2022 at 00:34:03 UTC from IEEE Xplore. Restrictions apply.

appropriate information flow about an incident that can assist employees to effectively and efficiently address it. Information sharing about an incident can solve this challenge not only internally but also within the trusted CSIRT community. The fact that a high percentage of answers (32%) reported that there is luck of trust, can explain the fact that there is lack of information sharing between people and that functional areas are not collaborating (40%). Also, a significant % has indicated that the relationships between the managers and employees are not appropriate, which further contributes to the problem. Moreover, people are taking up roles that are not supposed to be undertaking, which means that they are not fully prepared to perform certain tasks. This can explain the lack of confidence that is reported, as a high percentage of responders (36%) fear that they will expose their organization from an incorrect action taken.

In order to establish a successful collaboration, trust is necessary among the individuals of a team [16]. Managers need to be very careful when they are forming the various teams that compose an organization. Inherit relationships increase the chance of a successful team. New teams who are only staffed with new employees find it more difficult to collaborate than those with established relationships [16]. Newly formed teams are investing significant time and effort to build relationships of trust. However, when there are employees who already know and trust existing employees that are part of a new team, they can become nodes which evolve into networks overtime. Our study indicated that 36% of the CSIRTs have teams that are fully staffed by new employees (Fig. 1). This is a factor that further contributes to the obstacles identified in Table I and needs to be addressed accordingly to improve the communication and collaboration within CSIRTs.

Fig. 1. Percentage of CSIRTs that have teams fully staffed by new employees

B. Trainings Skills development is usually achieved through

appropriate trainings and through work experience. CSIRTs require the development of both hard and soft skills to successfully resolve an incident. Often, people might consider that it is more important to develop hard skills, but often this is not true; in the context of CSIRT operation, soft skills are equally important as hard skills. Survey results (Fig.2) indicated that there is a high percentage of CSIRTs (40%) that don’t offer training to their employees related to collaborative behaviour (e.g. appreciate others, productively and creatively resolve conflicts etc.). The lack of such training explains some of the obstacles that are listed in Table I. The main reasons, that were reported for the lack of collaborative training,

included insufficient funding (53.3%) and insufficient time (46.7%).

Fig. 2. Percentage of CSIRTs that carry out collaborative behaviour trainings

C. Performance Evaluation It is not only critical for an organization to have its

procedures documented and driven by appropriate security policies, but it is equally important to evaluate their effectiveness and efficiency. In the context of CSIRTs, it is vital to assess the performance of CSIRT incident management capabilities and improve them, if needed. A key evaluation aspect to consider, is the communication and coordination of the teams within the CSIRT, as these aspects play a key role in fulfilling successfully the mission of a CSIRT.

A performance measurement that can evaluate the success of a particular activity, are Key Performance Indicators (KPIs). Based on this, the participants were asked, if their CSIRT have KPIs about the effectiveness of internal communication/cooperation and the coordination for incident management. The results in Fig. 3 show that a high percentage of CSIRTs (44%) do not have KPIs and are not able to evaluate the internal communication and coordination of incident management processes. This is considered a major issue, as a CSIRT that does not utilize KPIs cannot identify the factors that lead to a poor performance and unresolved incidents.

Fig. 3. Percentage of CSIRTs that have KPIs for communication and coordination

V. Recommendations Αs outlined above, the current study has revealed several

issues and weaknesses in terms of communication, coordination and cooperation within a CSIRT that can affect the efforts of the organization to build a cybersecurity culture. Below we summarize the challenges that have been identified along relevant suggestions to address them.

Challenge 1: Lack of teamwork spirit & trust

Recommendation 1: Managers should invest in creating a culture of collaboration but also make this type of behavior

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 16,2022 at 00:34:03 UTC from IEEE Xplore. Restrictions apply.

visible to everyone in the CSIRT. They should spend time within the teams during their work, provide the employees with advice, “listen” to them and enhance the feeling of trust and support that each employee should feel with their manager.

Furthermore, human resources in cooperation with the leaders of the CSIRT should organize as many team building activities as possible, outside of the working environment, such as team games, excursions, social nights etc.

Challenge 2: Lack of confidence & fear of personal exposure

Recommendation 2: Staff working in a CSIRT and dealing with specialized technical issues should be accredited with internationally recognized certifications in this field and be fully trained. The CSIRT should ensure that all staff are continuously trained and certified in accordance with their position and duties. In addition, specialized trainings should be organized in such a way to educate all employees involved in a specific issue and not selectively educate only few members of a team. By providing a holistic training to staff, the experience and constant improvement of staff skills is ensured, as well as ensuring that the staff itself feels confident to perform their duties.

Challenge 3: New teams do not include existing staff

Recommendation 3: Managers must not create teams that consist of new employees only. New teams should consist of a sufficient percentage of existing CSIRT employees, who can become nodes and promote the development of relationships of trust between new and existing employees.

Challenge 4: Lack of collaborative behaviour training

Recommendation 4: It is vital for CISRTs to consider that the combination of technical and collaborative behaviour training, can produce an overall knowledgeable staff. Such a training can also produce employees who can work on teams without continuously supervision from the management.

Leaders of CSIRTs should focus on providing trainings and seminars on collaborative behavior at least once every six months. They should target to cultivate a culture of collaboration to every employee and provide them with the social skills needed to achieve it.

Challenge 5: Lack of KPIs related to communication and coordination

Recommendation 5: Establishment of KPIs (e.g. amount of time to resolve an incident, downtime during an incident etc.) related to the internal communication / cooperation and coordination for incident management. This is necessary in order to evaluate the CSIRT's success in implementing the cooperation, communication and coordination processes.

Moreover, CSIRTs should perform frequent audits on incident management mechanisms and compare them to the results of unsolved or partially solved incidents to identify weaknesses in knowledge, personnel, software, hardware, etc., and take actions to improve them.

VI. Conclusion The cyber threat environment is continuously changing with threats constantly increasing in an arms race, while cyber threat actors are following the evolution of technology and develop new tactics, techniques and procedures to achieve their purpose. It is crucial therefore, to counter these threats by trying to stay one step ahead and actively defend ourselves. CSIRTs can assist this process but their tasks are challenging due to communication, cooperation and coordination issues. Our research identified a number of issues, which are all related to the human factor. CSIRTs should focus on addressing the identified issues, by starting with building a feeling of trust and teamwork among their personnel.

Acknowledgment We would like to thank all the staff members of CSIRTs

that have supported us by completing the questionnaire.

References [1] Zerto, “The growing threat of ransomware”, 2018. [Online], (Retrieved

3rd of July 2018, from: https://www.zerto.com/the-growing-threat-of- ransomware-infographic/

[2] Ponemon Institute, “Cost of cyber crime study and the risk of business innovation” p. 12, 2016. [Online], (Retrieved on 1st July 2018, from:http://www.ignitewestcoast.co.uk/media/Cost%20of%20Cyberc rime.pdf?utm_source=HPEBlogPost&utm_medium=Social&utm_ca mpaign=HPEServers)

[3] A. J., Dorofee, G., Killcrece, R., Ruefle, and M., Zajicek, “Incident management metrics version 0.1. Software Engineering Institute” 2007.

[4] Ponemon Institute, ”The human factor in data protection”, 2012 [Online]. (Retrieved on 2nd July 2018, from: https://www.ponemon.org/local/upload/file/The_Human_Factor_in_d ata_Protection_WP_FINAL.pdf)

[5] C., Veltsos, ”Building a cybersecurity culture around layer 8”, Security Intelligence, 2017.

[6] B., Contos, ”Cyber security culture is a collective effort”, IDG Contributor Network, 2015.

[7] F., Howarth, ”Top five tips for creating a culture of security awareness at work”, Security Intelligence, 2015.

[8] T., Sager, ”Developing a culture of cybersecurity with the CIS controls”, CIS- Center for Internet Security, 2017.

[9] M., Rajendran, ”Analysis of team effectiveness in software development teams working on hardware and software environments using Belbin Self-Perception Inventory”, Journal of Management Development, 24(8), 2005, pp. 738-753.

[10] D. M., Hasib, ”Cyber security, culture and compliance”, United States Cybersecurity Magazine, 2013, pp. 53-55.

[11] N., Burlacu, E., Graur, A., Morong, ”Comunicarea managerial, Editura Grafema Libris”, Chinu. US Department of Health and Human Services, 1979, The belmont report, 2003.

[12] R, Howard, ”Fostering a performance driven culture in the public sector, public manager”, The Manager's Musings, pp. 51-56, 2007.

[13] M., Welch, and P. R., Jackson, ”Rethinking internal communication: a stakeholder approach”, Corporate Communications An International Journal, pp. 177-198, 2007.

[14] S., Corbett, ”Teamwork: how does this relate to the operating room practitioner? ”, Journal of Perioperative Practice, pp.278-281, 2009.

[15] M., Bada, S., Creese, M., Goldsmith, and C. J., Mitchell, ”Improving the effectiveness of CSIRTs”, The Second International Conference on Cyber-Technologies and Cyber-Systems, pp. 53-58, 2017.

[16] L., Gratton, T. J., Erickson, ”Eight Ways to Build Collaborative Teams”, 2007.

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 16,2022 at 00:34:03 UTC from IEEE Xplore. Restrictions apply.

Evaluating Database Replication Mechanisms for Disaster Recovery in Cloud Environments

Júlio Mendonça∗, Wilson Medeiros†, Ermeson Andrade†, Ronierison Maciel∗, Paulo Maciel∗, Ricardo Lima∗ ∗Informatics Center, Federal University of Pernambuco, Recife, Brazil

†Department of Computing, Federal Rural University of Pernambuco, Recife, Brazil [email protected], {wilson.medeiros, ermeson.andrade}@ufrpe.br, {rsm4, prmm, rmfl}@cin.ufpe.br

Abstract—Relational databases are the most popular database system worldwide. The occurrence of failures in these systems may produce severe consequences for the business, such as data loss, customer dissatisfaction, and subsequent revenue loss. Consequently, many organizations have adopted disaster recovery (DR) solutions as an attempt to prevent data loss and ensure business continuity. Data replication for databases is one of the most used DR solution employed to guarantee data safety and availability. However, the analysis regarding DR aspects has been less explored. Therefore, in this paper, we present an integrated model-experiment approach to evaluate replication mechanisms in relational databases for DR purposes. We performed experiments in a geo-distributed cloud environment and developed analytic models to evaluate DR key-metrics such as availability, downtime, Recovery Time Objective (RTO), and Recovery Point Objective (RPO). The results revealed that the adoption of replication mechanisms could increase the system’s availability significantly. It also revealed that the replication mechanisms can guarantee RPO and RTO within seconds.

Index Terms—Disaster Recovery, Fault-Tolerance, Database Replication, Petri Nets

I. INTRODUCTION

Organizations are spending an unprecedented amount of money towards the cost of providing highly available IT services [1]. In a global market where going offline means a significant revenue loss, companies are looking for efficient DR solutions capable of keeping their data safe and IT systems running. The adoption of such solutions is essential for every business supported by IT systems. Even big companies such as British Airways, U.S. Government, and HSBC bank have experienced unexpected outages [2]. It shows that regardless of size, all companies are prone to catastrophic events and need to be prepared to them. Several solutions have been used to provide DR capabilities for IT systems (e.g., data replication, VM migration, and snapshots) [3]. However, there is not a single blueprint solution that works for all organization, since different organizations have unique needs (e.g., budget or availability).

According to different reports [4, 5], relational database man- agement systems (RDBMS) are still the most popular database (DB) systems worldwide. Even with the growing adoption of cloud computing and non-relational databases (NoSQL) such as MongoDB and Cassandra, the RDBMS still play an essential role in the market. In this way, ensuring DR and availability of these systems is crucial.

Data replication is one of the most used mechanisms to provide DR capabilities for database systems [3]. However,

most of the studies available in the literature focus on either improving the performance of database or comparing differ- ent database distributions [6, 7, 8]. Therefore, motivated by the current scenario of cloud computing expansion and high adoption of RDBMS, we extensively analyze the replication mechanisms of RDBMS in cloud environments focusing on DR aspects. We performed experiments in the cloud and developed analytic models to analyze DR key-metrics: avail- ability, downtime, RPO, and RTO. The developed models can help individuals or organizations to choose the appropriate mechanism, compare with existing solutions, and also provide useful information for the decision-making process. In this way, our key contributions are: (i) A model-experiment approach to evaluate replication mechanisms of RDBMS; (ii) DSPN models that represents cloud environments and database replication mechanisms; and (iii) Analysis of DR key-metrics through stochastic modeling.

The remainder of the paper is organized as follows. Section II presents the related work. Section III introduces fundamental concepts used in this paper. Section IV discusses the adopted experimental architecture. Section V presents the proposed analytic models. Section VI discusses the numerical results. Finally, Section VII presents the conclusions and briefly intro- duces the future work.

II. RELATED WORK Although the evaluation of database systems have been

addressed in the literature, there is a lack of studies that focus on DR [3]. To position our paper and indicate its contributions, we first summarize related work that has been done in the area. Then, we provide a comparison of our work and the literature in terms of the evaluation of database systems.

Jogi and Sinha [6] evaluated the performance of the MySQL, Cassandra, and HBase for massive write operations regarding the average number of transactions per seconds. As expected, the results showed that NoSQL databases had better perfor- mance in the executed experiments (Cassandra and HBase, respectively). Santana et al. [7] presented a replication database study to elastic cloud environments. The authors evaluated different replication techniques focusing on performance met- rics such as response time and abortion rate. Azim et al. [9] proposed an offsite two-way database replication for low- quality network connections. The proposed approach creates a modified file to trace the changes in the databases. By creating this trace, the approach could reduce the update log

2019 IEEE International Conference on Systems, Man and Cybernetics (SMC) Bari, Italy. October 6-9, 2019

978-1-7281-4569-3/19/$31.00 ©2019 IEEE 2358

Authorized licensed use limited to: University of the Cumberlands. Downloaded on February 16,2022 at 00:34:33 UTC from IEEE Xplore. Restrictions apply.

size, and consequently, reduce the time to replicate the data for all databases. Zhuang et al. [8] presented a model to forecast incoming traffic rates and predict the corresponding replication latency of LinkedIn database systems. The devel- oped approach could estimate the maximum replication latency for the database system and also the SLA (Service Level Agreement) of the service.

These studies presented above have mostly focused on ana- lyzing database systems regarding performance. However, none of them have analyzed relational database systems for DR purposes. Therefore, differently from these studies, we per- formed measurements using real-world cloud environments to analyze replication mechanisms in an RDBMS and developed analytic models to evaluate these mechanisms regarding DR key-metrics.

III. FUNDAMENTALS

A. Disaster Recovery

In modern business environments, IT systems should not spend hours or even minutes unavailable, in order to support business operations [10]. In order to achieve high-availability, an IT service should spend less than 5.25 minutes offline per year, meaning at least 99.999 % availability (commonly known as “five nines” availability). DR solutions have been employed to ensure normal business operation so that the IT system stays online and can sustain simultaneous failures and disasters [3]. Some studies state that the adoption of DR solutions is a determinant factor for a company’s survival and growth. [10, 11]. Two metrics

Collepals.com Plagiarism Free Papers

Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.

Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS

Why Hire Collepals.com writers to do your paper?

Quality- We are experienced and have access to ample research materials.

We write plagiarism Free Content

Confidential- We never share or sell your personal information to third parties.

Support-Chat with us today! We are always waiting to answer all your questions.