Conference: International Conference on Cyber Situational Awareness, Data Analytics and Assessment

Development and evaluation of information elements for simplified cyber-incident reports


Abstract

One of the most important tasks in cyber security incident handling is to report what has occurred. Several frameworks have been developed to support this reporting, all with their own pros and cons. As a first step in the development of a practically useful incident description standard, we set out to determine the appropriateness of sixteen plausible information elements relating to traceability and analysis. The information elements were evaluated during an exercise with 30 professional IT administrators and cyber security specialists with experience of cyber incident handling. In the exercise, the participants were instructed to report cyber threats and incidents in their assigned networks and were evaluated based on their reporting. The evaluation assessed the extent to which the proposed information elements were used in the reports, whether the sixteen information elements correlate with the quality of the incident reports, and the participants' subjective experiences of using the elements. The results show that the usage ratio of information elements varies a lot both between different reporters and between incidents. Further, the number of information elements used in a report correlated with the exercise management's quality assessments. Finally, the results reveal that although the overall assessment of content relevance of the simplified cyber-incident reporting template was positive, there is a need for further validation of the template.