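Information elements in incident descriptions. Development and evaluation during the exercise iPILOT (original title: Informationselement i incidentbeskrivningar. Framtagning och utvärdering under övningen iPILOT)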


  • Dennis Granåsen
  • Teodor Sommestad
  • Patrik Lif

Publish date: 2018-02-13

Report number: FOI-R--4501--SE

Pages: 34

Written in: Swedish


  • cyber security
  • log analyst
  • log analysis
  • information element
  • incident description


In cybersecurity incidents, one of the most important tasks is to report what has occurred. Several frameworks have been developed to support this documentation work, each with its pros and cons. As a first step in developing a practically useful incident description standard, traceability and analysis needs were studied to identify what information is appropriate to report. This report presents a concrete proposal with 16 information elements to include in an incident description. The proposal was evaluated during an exercise with 30 participants with respect to the extent to which the suggested information elements were used, whether the elements matched the quality of the incident descriptions, and the participants' subjective experiences of using the elements. The results show that the use of information elements varies a lot, which was expected because it is much easier to describe what was observed and which node was attacked than to describe the attacker. The analysis also showed that completion of the information elements correlated with the quality of the incident descriptions, i.e. incident descriptions with more completed elements were judged to be of higher quality. There was also a training effect from day one to day two, where the score per submitted report increased significantly. Although the overall assessment of the simplified incident description was positive, participants' subjective estimates of whether the right information elements were included in the incident descriptions during the exercise suggest that the question should be further investigated.
