A Maturity Model for Measuring Organizations Escalation Capability of IT-related Security Incidents

Abstract: An inability to handle IT-related security incidents can have devastating effects on both organizations and society at large. The European Union Agency for Network and Information Security (ENISA) emphasizes that cyber-security incidents affecting critical information infrastructures may simultaneously create significant negative impacts for several countries, and when incidents strike, the primary business processes of many organizations may be jeopardized. For example, the Swedish Civil Contingencies Agency, MSB, reported in 2011 that a major Swedish IT services provider caused an IT-related security incident which in turn created large operational disruptions for a number of public and private organizations in Sweden. The management of IT-related security incidents is therefore an important issue facing most organizations today. Such incidents may threaten the organization as a whole and are not purely an IT issue; when handling incidents, escalation to the correct individual or groups of individuals for decision making is very important, as the organization must react quickly. Consequently, the major research goal of this thesis is to examine if the ability of an organization to escalate IT-related security incidents can be modeled, measured and improved. To achieve this goal, an artifact that can be used within an organization to model and measure its capability to escalate IT-related security incidents was designed, implemented and tested. This artifact consists of a maturity model whose purpose is to measure the level of maturity of the various attributes identified as necessary for an organization to handle escalations. In this thesis, a design science approach is applied, and the research project is divided into three design cycles, with the artifact being gradually developed and evaluated in each cycle.
Evaluations were performed via interviews with representatives of 13 different organizations, including both private and public entities, and five different surveys with 78 individual participants. The conclusions of the research are that the use of the proposed self-assessment artifact can allow organizations to predict their ability to handle the escalation of IT-related security incidents with improved certainty.