Cybersecurity Incident Response A Socio-Technical Approach

University dissertation from Stockholm : Department of Computer and Systems Sciences, Stockholm University

Abstract: This thesis examines the cybersecurity incident response problem using a socio-technical approach. The motivation of this work is the need to bridge the knowledge and practise gap that exists because of the increasing complexity of cybersecurity threats and our limited capability of applying cybersecurity controls necessary to adequately respond to these threats. Throughout this thesis, knowledge from Systems Theory, Soft Systems Methodology and Socio-Technical Systems is applied to examine and document the socio-technical properties of cybersecurity incident response process. The holistic modelling of cybersecurity incident response process developed concepts and methods tested to improve the socio-technical security controls and minimise the existing gap in security controls.The scientific enquiry of this thesis is based on pragmatism as the underpinning research philosophy.  The thesis uses a design science research approach and embeds multiple research methods to develop five artefacts (concept, model, method, framework and instantiation) outlined in nine peer-reviewed publications. The instantiated artefact embraces the knowledge developed during this research to provide a prototype for a socio-technical security information and event management system (ST-SIEM) integrated with an open source SIEM tool. The artefact relevance was validated through a panel of cybersecurity experts using a Delphi method. The Delphi method indicated the artefact can improve the efficacy of handling cybersecurity incidents.