Mind the Gap - An Exploratory Study of Commercial and Military Computer Security Incident Response Teams (CSIRTs) - Are Incident Response (IR) and Computer Security Incident Response Teams (CSIRTs) Forensic ready in the information domain?
Challenges related to overwhelming amounts of data and information are emerging in the cybersecurity profession. Operators and decision makers need to process vast amounts of information to get the best possible basis for identifying and handling cyber security incidents. Improved collaboration and sharing of information are recognized as among the most important areas in which to make progress in this work. Planning and preparations for improved information utilization when fighting cybercrime are described in the literature on digital forensic readiness. The thesis investigates possible gaps in the exploitation of information by applying digital forensic readiness to cyber security in general. Such gaps are identified as differences between commercial and military cyber incident actors, through a survey of governing documents and open sources and observation of a military cyber defence exercise. A framework for digital forensic readiness is adapted and used to identify the maturity levels of cybersecurity actors. The assessment of cybersecurity actors' maturity levels is supported by an exploratory literature study. This thesis seeks to contribute to the cybersecurity community's need for better utilization of information. Thus, the thesis concludes with measures for improved information processing in the organizations responsible for handling cyber incidents.