Demystifying analytical information processing capability: The case of cybersecurity incident response

https://doi.org/10.1016/j.dss.2020.113476

Highlights

  • Organizations exploit analytical information processing capability to generate analytical insights.

  • Organizations develop specific mechanisms to seek analytical information.

  • Organizations use analytical information to enhance their cybersecurity awareness.

  • Analytical information processing capability enables organizations to deal with the dynamic cyber threat environment proactively.

Abstract

Little is known about how organizations leverage business analytics (BA) to develop, process, and exploit analytical information in cybersecurity incident response (CSIR). Drawing on information processing theory (IPT), we conducted a field study using a multiple case study design to answer the following research question: How do organizations exploit analytical information in the process of cybersecurity incident response by using business analytics? We developed a theoretical framework that explains how organizations respond to the dynamic cyber threat environment by exploiting analytical information processing capability in the CSIR process. This, in turn, leads to positive outcomes in enterprise security performance, delivering both strategic and financial benefits. Our findings contribute to the BA and cybersecurity literature by providing useful insights into BA applications and the facilitation of analytics-driven decision making in CSIR. Further, they contribute to IPT by providing new insights about analytical information needs, mechanisms to seek analytical information, and analytical information use in the process of CSIR.

Introduction

Organizations are leveraging business analytics (BA) capabilities to exploit data and secure competitive advantage [1,2]. Analytical information refers to the insights (quantitative or qualitative) used by business executives in their analysis and decision-making tasks [3]. The predominant use of analytical information has been to understand customer behaviors [4], design better marketing campaigns [5] and improve supply chain performance [6]. To date, there is limited research on exploitation of analytical information for cybersecurity incident response (CSIR). According to Kavanagh et al. [7,p.35], “The greatest area of unmet need is effective targeted attack and breach detection. Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with better threat intelligence, the addition of behavior profiling and better analytics”. CSIR is an information intensive process which requires organizations to tap into all available information to help them discover the potential of a threat, detect the actual attack quickly, gather intelligence about the attack, and then execute an enterprise-wide response before the attack becomes significant.

Evidence of analytical information use in CSIR is mostly anecdotal [8] and application specific (see for example, studies of analytics use in developing situation awareness of cybersecurity incidents [9], monitoring cybersecurity alerts for anomaly detection [10], analyzing network traffic for detecting advanced persistent threats [11], and analysis of server logs for intrusion detection [12]). It is not yet sufficiently clear what analytical information is needed, which mechanisms should be used to seek analytical information for CSIR and how companies should evolve to develop and implement skills and procedures to leverage the analytical information and thereby compete in the evolving cyber threat environment.

Given this current state of analytical information use in CSIR, our study investigates the factors associated with a firm's exploitation of an overall analytical information processing capability (AIPC) for decision making in CSIR. Using information processing theory (IPT), we examine the role of BA capabilities in the exploitation of analytical information in CSIR. Our research question is: How do organizations exploit analytical information in the process of cybersecurity incident response by using business analytics?

To answer this question, we compared in-depth data from three large global financial organizations as they used BA to exploit analytical information in their CSIR process. Integrating insights from this data with extant literature informed a framework that explains how strong BA capabilities enhance firms' AIPC which, in turn, improves overall enterprise security performance by delivering strategic and financial benefits.

In the next section of this paper, we discuss the theoretical background and develop a conceptualization of AIPC in CSIR. Then we illustrate our case study by describing details of the study design and the data analysis procedure. Subsequently, we present the results and a discussion of the research findings and limitations, as well as directions for future research.

Section snippets

Theoretical background

This section provides a review of the literature pertaining to IPT as well as AIPC and CSIR. First, we explain the key concepts of IPT, linking them with BA. Then we discuss the intersection of AIPC and BA as a research gap. Finally, we conceptualize AIPC in CSIR, which provides the basis for our theoretical framework.

Research methodology

Given the nascent nature of research on exploiting analytical information in CSIR, we chose to use a multiple case study methodology based on the case study protocols and guidelines specified in [28,29]. The unit of analysis is the incident response function of each organization. We considered each case as a distinct analytical unit and built a theoretical framework from the case studies by recursive cycling among the case data, emerging theory, and extant literature [29,30].

According to Gioia

Backgrounds of case organizations

We describe the background on the development and exploitation of AIPC in each firm.

  • Firm A: Firm A employs more than 60,000 employees worldwide and is in the top 50 banks in the world. Approximately ten years ago, Firm A established a dedicated BA center that works collaboratively with the business functions. Additionally, Firm A also understands the importance of CSIR, with top management committed to achieving a distinctive analytical and CSIR capability that enables business units to perform

Findings

Fig. 2 shows the framework developed based on the analysis of our data.

The framework links the uncertainty in the cyber threat environment, analytical information needs, and AIPC with enterprise security performance. Arrows show the direction of the relationship, with double-headed arrows between the dynamic cyber threat environment and AIPC in incident response. Similarly, three key components of AIPC (analytical information needs, analytical information seeking mechanisms, and analytical

Discussion of results and conclusion

Cybersecurity has become one of the top issues at the forefront of every executive's mind. In this paper, we have investigated the underexplored perspective of exploiting AIPC using BA in the process of CSIR to address the dynamic and uncertain cybersecurity threat environment. Employing IPT as a lens, we conducted a multiple case study to gain a better understanding of the needs, seeking mechanisms and usage of analytical information in the CSIR process, the role that BA capabilities play in

Acknowledgements

This research was supported by the University of Melbourne International Research Scholarship.

References (31)

  • T. Saldanha et al., Leveraging customer involvement for fueling innovation: the role of relational and analytical information processing capabilities, MIS Q. (2017)
  • T. Davenport et al., Designing and developing analytics-based data products, MIT Sloan Manag. Rev. (2016)
  • M. Wedel et al., Marketing analytics for data-rich environments, J. Mark. (2016)
  • K. Kavanagh et al., Magic quadrant for security information and event management, Gart. Res. (2020)
  • R.A. Rothrock et al., The board's role in cybersecurity, MIT Sloan Manag. Rev. (2018)