A coordinated communication and awareness approach towards the enhancement of information security incident management : an empirical study of Ethiopian organisations

Abstract

Information Security Incident Management is an essential process within an organisational context, as it provides a strategic approach towards monitoring and containing incidents and vulnerabilities. The coordination of communication and awareness efforts in the process of Information Security Incident Management has been identified as a critical means of enhancing information security protection in organisations. However, the arbitrary process involved in creating a shared understanding within the context of Information Security Incident Management often negates the effective containment of incidents. This study aims to explore the nuances of organisational information security concerning the coordination of communication and awareness efforts among organisational stakeholders towards achieving a shared, interactive, and participatory management of information security incidents in organisations. The Design Science Research methodology was applied to conceptualise and design an appropriate artefact to respond to the core research questions. The major research question considered was: How can the coordination of awareness and communication efforts be enhanced to support the processes of ISIM? The study involved two distinct phases – the first phase (Phase I) involved conducting an exploratory study to assess the extent of the application of communication and awareness efforts within purposively selected organisations in Ethiopia, while Phase II involved the design and development of an artefact to address the problem domain identified in Phase I. Ethiopia was selected for this study as it typifies regions where the level of cyber security advancement is limited and because a study in this context would be more relevant in providing applicable empirical data to the research problem. According to the findings of the exploratory study in the organisations sampled, it was identified that reporting, communication, and awareness efforts within Information Security Incident Management were largely uncoordinated. Moreover, digital systems to support information security communication were limited. The findings from the exploratory data (i.e., Phase I) prompted the basis for the proposal of a conceptual model designated a Coordinated Communication and Awareness approach towards enhancing Information Security Incident Management (CCAISIM) in order to address the core research problem (i.e., the basis of Phase II). The CCAISIM model unifies and subsumes a dyad of theories of situational awareness and the Interactive Model of Communication towards enhancing the coordination of awareness and communication efforts in Information Security Incident Management. The proof-of-concept of the conceptual model was verified via a simulated interface prototype in Phase II. The model and the proof-of-concept prototype were evaluated by a selection of experts and end-users from Ethiopian organisations. The sampling frame of participants for Phase II of the study was recalibrated as the original sample was deemed unsuitable for the subsequent phase. The evaluation necessitated the inclusion of expertise in information security. Therefore, the sampling frame for Phase II considered more mature organisations within the information security domain. The model and prototype were evaluated based on the established constructs of information systems acceptance proffered by the Technology Acceptance Model (TAM). Generally, the model and prototype achieved a good acceptability rating and can potentially be applied in organisations that are vulnerable to information security incidents. The CCAISIM model derived in this study has implications for both theory and practice, including underscoring the importance of the theories of Shared Situational Awareness and the Interactive Model of Communication with respect to unifying diverse stakeholders (including end-users) in order to promote a proactive and participatory approach in managing information security incidents. The application of the dyad concepts improves the reporting capacity of users in a coordinated manner in a continuum from individual to shared levels which aids in developing a unified understanding of the processes involved in an information security incident response. The research design also allowed for new empirical data to be captured with respect to Information Security Incident Management practices within several contexts. Moreover, this empirical evidence may assist organisations in evaluating their information security practices. The findings and recommendations may not be generalisable to all contexts. There is a need for further case studies to evaluate the model within a real-world context.