Please use this identifier to cite or link to this item:
Title: Dynamic Cyber-Incident Response
Authors: Mepham, Kevin Douglas
Advisors: Louvieris, P
Ghinea, G
Keywords: Situational awareness;Intelligence value;Cyber response;Dynamic asset value;Cyber offensive
Issue Date: 2018
Publisher: Brunel University London
Abstract: Cyber-Incident Response (or, as it was initially called, Computer Incident response) has traditionally followed cyclic models such as the SEI Incident Response Cycle and SANS models, which aim to detect and identify incidents, stop, contain and eradicate them. Using the knowledge gained from the incidents, these models then advocate improving the capabilities to defend against subsequent attacks of the same nature. Although some later versions of these models, including the NIST model proposed in 2012, have nested the cycles to provide a more reactive response, they are neither demonstrably empirically founded nor do they represent the interests of all stakeholders within an organisation. This research addresses cyber-incident response from a broader perspective, looking from the viewpoint of a cross-functional set of stakeholders and ensures that incident response decisions are sensitive to temporal priorities, taken from an organisation-wide perspective and provide a range of responses rather than only containing and eradicating an incident. During this research, principal component analysis and structural equation modelling were used to develop the Dynamic Cyber Incident Response Model (DCIRM) which resulted in the development of a fielded prototype tool, the Cyber Operations Support Tool (COST). COST was then subjected to both controlled experimentation and operational validation. Empirical analysis of both of these activities confirmed the utility and effectiveness of the COST and the underlying DCIRM. The COST has since been used to train military cyber operational planners. The novel areas of this research are the dynamic nature of DCIRM which takes account of the changing asset values based on the point in the business/mission cycle, the trade-off between risk to the organisation and gathering intelligence during an incident, the flexibility in response options within organisational constraints and the abstraction of the information to allow a non-cyber specialist to make an appropriate incident response decision.
Description: Doctor of Philosophy and was awarded by Brunel University London
Appears in Collections:Electronic and Computer Engineering
Dept of Electronic and Computer Engineering Theses

Files in This Item:
File Description SizeFormat 
FulltextThesis.pdfFile available from 19/10/20213.88 MBAdobe PDFView/Open    Request a copy

Items in BURA are protected by copyright, with all rights reserved, unless otherwise indicated.