The future of information security incident management training: A case study of electrical power companies

Recent attacks and threat reports indicate that industrial control organizations are attractive targets for attacks. Emerging threats create the need for a well-established capacity for responding to unwanted incidents. Such a capacity is influenced by organizational, human, and technological factors. We have conducted extensive fieldwork for 2.5 years in Norwegian electric power companies with the aim of identifying challenges for improving information security incident management practices. Semi-structured interviews, document analysis, a survey and participant observations have been performed as part of this case study. We describe how training for responding to information security incidents is given low priority and that different types of personnel, such as business managers and technical personnel, have different perspectives and priorities in regard to information security. Moreover, there is a gap in how IT staff and control system staff understand information security. Furthermore, cross-functional teams need to be created to ensure a holistic view during the incident response process. To improve the capacity for responding to incidents, organizations need regular training sessions and systematic evaluations after such sessions. There is also the potential for improvement in evaluating minor incidents. A transition from an ad hoc approach to a systematic approach in training and learning requires a reorientation not only by the electric power companies but also by management. We found that learning to learn will enable the organizations to improve their incident response practices.