Abstract

Protecting valuable IT assets is one of the most significant challenges that organizations face today. Cyber criminals operating beyond physical boundaries are able to disrupt and destroy cyber infrastructure, deny organizations access to IT services, and steal sensitive data. In response, enterprises organize security operations centres at the heart of their entities with the purpose of employing socio-technical systems with capabilities to detect, analyze and respond to these threats. This exploratory study examines how such capabilities are operationalized in leading “Managed Security Service Providers” (MSSPs) providing cybersecurity operations and incident response, and looks at how situation awareness knowledge is constructed through the organizational levels of enterprise detection and response. In this context, situational awareness spans different levels in the organization, starting from team personnel and ending at top management. Our work contributes to situational awareness theory in the context of cybersecurity operations and incident response. Thus, we advance the understanding of the organizational capabilities of MSSPs to develop awareness of the cyber-threat landscape and the broader operational dynamics. By introducing InCReASE, a dynamic framework towards enhancing situation awareness in Security Operations Center (SOC) operations and incident response, we extend existing situational awareness models, combining elements of the existing body of knowledge and our empirical findings. The presented work is a reflection on the best practices adopted by MSSP organizations operating in Norway.
