How Management Goes Wrong? – The Human Factor Lessons Learned from a Cyber Incident Handling Exercise

摘要

A cybersecurity hazard in a Critical Infrastructure (CI) is not only about computer malfunction, but is also affecting safety and business continuity of CI. The study on human contribution to cyber resilience is unexplored terrain in the field of critical infrastructure security. So far cyber resilience has been discussed as an extension of the IT security research. Although cybersecurity training is a common measure to implement because of its low cost, most of the training courses aim at improving security awareness of employees, in order to prevent the human-error. However, this approach does not address resilience in handling a cyber incident. The authors conducted observations in a full-scale adversarial cyber security training for CI, where participants are divided into an offensive and a defensive team. The latter acts as one organization and its members play assigned roles such as manager, factory operator and IT administrator. From our observations, some tendencies are found in the defensive team's negative social behaviors and the management issues that lead to malfunction of the team. In fact, these behaviors are perceived in every group of participants, regardless of the variation in their experience and in knowledge on the field. In this paper, the findings from the above mentioned observations are presented as possible challenges in real-world cyber incident management.