
Importance-Performance Analysis Based Evaluation Method for Security Incident Management Capability

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 10192)

Abstract

SEI’s Incident Management Capability Metrics gives an overview of how the metrics can be used to evaluate and improve organizations’ information security incident management capability. However, several deficiencies remain when SEI’s metrics are used to measure the function areas of security incident management capability. This paper proposes an importance-performance analysis (IPA) based evaluation method for measuring and improving organizations’ information security incident management capability. The method produces a four-quadrant IPA matrix that considers importance and performance simultaneously, so that function areas needing improvement can be identified more reliably. A numerical example of the evaluation method showed that the proposed method is efficient for deploying a continuous improvement program and for better allocating limited resources.



Author information

Corresponding author: Chih-Chung Chiu

Appendix

The incident management function areas and evaluation ratings

Function area and question | Graded mean of performance ratings | Graded mean of importance weightings

Interfaces | |
0.1.1 Have well-defined, formal interfaces for conducting agency incident management activities been established and maintained? | 0.47 | 0.78

Risk assessment support: | |
1.1.1 Are Risk Assessments (RAs) performed on constituent systems? | 0.52 | 0.78
1.1.2 Are the constituents assisted with correcting problems identified by Risk Assessment (RA) activities? | 0.56 | 0.48
1.1.3 Is proactive vulnerability scanning (VS) performed on constituent networks and systems? | 0.56 | 0.41
1.1.4 Is the constituent assisted with correcting problems identified by vulnerability scanning (VS) activities? | 0.53 | 0.41
1.1.5 Is trend analysis supported and conducted? | 0.32 | 0.78

Malware protection support: | |
1.2.1 Is there an institutionalized Malware/Anti-Virus (AV) Program? | 0.57 | 0.78

Computer network defense operational exercises: | |
1.3.1 Are operational exercises conducted to assess the security posture of the organization? | 0.58 | 0.43
1.3.2 Are lessons learned from operational exercises incorporated into the constituents’ network defenses? | 0.74 | 0.33

Constituent protection support and training: | |
⋮ | ⋮ | ⋮

Respond

Incident reporting: | |
3.1.1 Are incidents reported to and coordinated with appropriate external organizations or groups in accordance with organizational guidelines? | 0.32 | 0.47
3.1.2 Are incidents reported to appropriate organization management in accordance with organizational guidelines? | 0.37 | 0.47

Incident response: | |
3.2.1 Is there an event/incident handling capability? | 0.32 | 0.78
3.2.2 Is there an operations log or record of daily operational activity? | 0.37 | 0.78
3.2.3 Is information on all events/incidents collected and retained in support of future analytical efforts and situational awareness? | 0.36 | 0.78

⋮ | ⋮ | ⋮

4.7.2 Is the constituency assisted with decisions regarding changes to local threat levels? | 0.46 | 0.68
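The four-quadrant IPA matrix described in the abstract, applied to the appendix scores shown above. This is an added example, not the paper's own code; the scores are copied from the appendix rows on this page, and placing the quadrant crosshairs at the data means (rather than the scale midpoint) is an assumption, since the page does not state which convention the paper uses.

```python
"""IPA quadrant classification over the appendix scores (added example, not the paper's code).

Crosshair placement is an assumption: the page does not say whether the paper splits the
matrix at the data means or at the scale midpoint; the data means are used here.
"""
from statistics import mean

# Constructed from the appendix rows shown on this page: (item id, performance, importance).
APPENDIX_SCORES = [
    ("0.1.1", 0.47, 0.78), ("1.1.1", 0.52, 0.78), ("1.1.2", 0.56, 0.48),
    ("1.1.3", 0.56, 0.41), ("1.1.4", 0.53, 0.41), ("1.1.5", 0.32, 0.78),
    ("1.2.1", 0.57, 0.78), ("1.3.1", 0.58, 0.43), ("1.3.2", 0.74, 0.33),
    ("3.1.1", 0.32, 0.47), ("3.1.2", 0.37, 0.47), ("3.2.1", 0.32, 0.78),
    ("3.2.2", 0.37, 0.78), ("3.2.3", 0.36, 0.78), ("4.7.2", 0.46, 0.68),
]

# (importance is high, performance is high) -> classic Martilla and James quadrant label
QUADRANTS = {
    (True, False): "Concentrate here",
    (True, True): "Keep up the good work",
    (False, False): "Low priority",
    (False, True): "Possible overkill",
}

def crosshairs(scores):
    """Axis split points: mean performance and mean importance (assumed design).
    Rounded to four places because the scores carry two decimals; this keeps an
    item that sits exactly on the mean (0.1.1 here) from flipping on float noise."""
    perf_mid = round(mean(p for _, p, _ in scores), 4)
    imp_mid = round(mean(i for _, _, i in scores), 4)
    return perf_mid, imp_mid

def classify(scores):
    """Map each function area to its IPA quadrant."""
    perf_mid, imp_mid = crosshairs(scores)
    return {item: QUADRANTS[(imp >= imp_mid, perf >= perf_mid)]
            for item, perf, imp in scores}

def improvement_order(scores):
    """'Concentrate here' items, largest importance-performance gap first (ties by id)."""
    labels = classify(scores)
    gaps = [(round(imp - perf, 4), item) for item, perf, imp in scores
            if labels[item] == "Concentrate here"]
    return [item for _, item in sorted(gaps, key=lambda g: (-g[0], g[1]))]
```

With these scores the mean crosshairs land at performance 0.47 and importance 0.6093, so the Respond items 3.2.1 to 3.2.3, trend analysis (1.1.5) and threat-level support (4.7.2) fall into "Concentrate here", while the low-importance, well-performed exercise items (1.3.1, 1.3.2) show up as possible overkill.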


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Chiu, C.C., Lin, K.S. (2017). Importance-Performance Analysis Based Evaluation Method for Security Incident Management Capability. In: Nguyen, N., Tojo, S., Nguyen, L., Trawiński, B. (eds) Intelligent Information and Database Systems. ACIIDS 2017. Lecture Notes in Computer Science, vol 10192. Springer, Cham. https://doi.org/10.1007/978-3-319-54430-4_18

  • DOI: https://doi.org/10.1007/978-3-319-54430-4_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54429-8

  • Online ISBN: 978-3-319-54430-4
