The Challenges of Performing IT Security Preparedness Exercises in Organizations
Organizations can take measures to secure their data to the best of their knowledge, but it is impossible to secure an organization 100% against attacks and incidents. Incidents therefore need to be handled as they occur, and to do so successfully one needs to be prepared. That is why it is important to study if, how, and why organizations perform preparedness exercises. This study focused on the challenges and effects of performing information security related preparedness exercises. The research was conducted as a case study in which three Norwegian distribution system operators (DSOs) and two Norwegian preparedness exercise facilitators were interviewed. The study also includes a retrospective on an IT security preparedness exercise the three DSOs performed in the fall of 2014, and 14 of the participants were also interviewed. A background study of relevant material is also included. The findings from this study indicate that the organizations have improved on some challenges found in earlier studies, but that there is still a way to go. The findings indicate a lack of use of definitions from the guidelines, and some lack of proper reporting mechanisms. Organizations have gotten better at collaboration and communication, but there is room for improvement. Performing IT related exercises is challenging due to time and resource restrictions and technical challenges. Exercises and information security might not be prioritized by management, and the organizations have some learning difficulties. The most important finding from this thesis is the lack of measured effect from exercises, which makes it hard to put an actual value on performing exercises versus the potential harm of not performing them. Finally, some recommendations were provided to help organizations get better at performing exercises and learning from them.
The recommendations are: to follow the established standards and guidelines, to set goals and measure them, to perform continual and consecutive exercises, to take actions for improving intra-organization communication and collaboration, to implement an organizational learning framework and apply learning techniques, and lastly, to learn from, or use, external exercise facilitators.