Security Incident Handling and Organisational Models Hossein Hayati Karun Autumn 2006 Gjøvik University College

Security Incident Handling and Organisational Models

Hossein Hayati Karun

Autumn 2006

Gjøvik University College

Research questions

• How to measure the efficiency of routines for security incident handling in two organisational models?

• How to increase the efficiency of routines for handling security incidents?

Organisational models

• Hierarchic

• Matrix

Organisation charts (1/2)

Samples of hierarchical structures

• 12 employees with total capacity of 110

• 16 employees with total capacity of 165

• 25 employees with total capacity of 265

Organisation charts (2/2)

Samples of matrix structures

• 12 employees with total capacity of 110

• 16 employees with total capacity of 165

• 25 employees with total capacity of 265

Network flow theorem

• Menger’s theorem can be interpreted in the network flow context in the following way:

The maximum amount of flow in a network is equal to the capacity of a minimum cut.

Graph capacity

Each edge is assigned an integer

The integer indicates the edge’s capacity

For instance: a → d = 5

Computing the max flow

1. S → a = 5

2. a → d = 5

3. d → g = 5

4. g → T = 5

Flow capacity = 5

Maximum flow

Computing the max flow

From  To  Capacity
S     a   5
a     d   5
d     g   5
g     T   5

S     b   3
b     e   3
e     h   3
h     T   3

S     c   2
c     e   2
e     g   2
g     T   2

S     c   2
c     e   2
e     h   2
h     T   2

S     c   1
c     f   1
f     h   1
h     T   1

Max flow = 13

Minimum cut

Computing the min cut

• 9 min cuts (green lines)

• A = 5 + 3 + 5 = 13

• B = 5+3+4+1 = 13

• D = 1+5+2+5 = 13

• E = 1+4+3+0+5 = 13

• …

• Min cut = 13

Max flow – min cut

The maximum amount of flow in a network is equal to the capacity of a minimum cut.

Max flow = Min cut = 13

Ford-Fulkerson’s algorithm

Advantages:

• Simplicity of implementation

• High speed of the algorithm; requires little processor power

Disadvantage:

• An insignificant probability of not returning a value, which means not being able to calculate the flow capacity

The prototype

Computes max flow

• Developed in C#

• Based on the Ford-Fulkerson algorithm

• Textual presentation

• Graphical presentation

2 sets of data files (12 files)

1. Solved security incidents

Employees: Same capacity as in 2.

Managers: lower capacity for solving security incidents than employees

2. Reported security incidents

Employees: same capacity as in 1.

Managers: higher capacity for reporting than for solving security incidents

Results of our experiment

• Solved security incidents
  – Hierarchic structure
  – Matrix structure

• Reported security incidents
  – Hierarchic structure
  – Matrix structure

Nodes and edges

Solved security incidents in hierarchical structure

Solved security incidents in matrix structure

Reported security incidents in hierarchical structure

Reported security incidents in matrix structure

Solved security incidents in hierarchical and matrix structure

Reported security incidents in hierarchical and matrix structure

Conclusion

1. The matrix organisational model is a more efficient organisational model than the hierarchical model, both in solving and reporting security incidents.

2. Increasing the efficiency of routines for handling security incidents does not depend on the organisations’ size, but rather on the organisations’ model.

1. Using network flow capacity

2. Reorganise to matrix structure

Usefulness …

• Eases the computation of max flow

• Personnel dealing with security organisation, security management …

• Computing max flow when any changes like merging or dividing companies or departments take place

• Testing other organisational models

Thanks to …

Professor Slobodan Petrovic

Monica Strand Kristiansen

Brita Vesterås

And all of you

Any questions?