Demystifying analytical information processing capability: The case of cybersecurity incident response
Introduction
Organizations are leveraging business analytics (BA) capabilities to exploit data and secure competitive advantage [1,2]. Analytical information refers to the insights (quantitative or qualitative) used by business executives in their analysis and decision-making tasks [3]. The predominant use of analytical information has been to understand customer behaviors [4], design better marketing campaigns [5] and improve supply chain performance [6]. To date, there is limited research on the exploitation of analytical information for cybersecurity incident response (CSIR). According to Kavanagh et al. [7, p.35], “The greatest area of unmet need is effective targeted attack and breach detection. Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with better threat intelligence, the addition of behavior profiling and better analytics”. CSIR is an information-intensive process which requires organizations to tap into all available information to help them discover the potential of a threat, detect the actual attack quickly, gather intelligence about the attack, and then execute an enterprise-wide response before the attack becomes significant.
Evidence of analytical information use in CSIR is mostly anecdotal [8] and application specific (see for example, studies of analytics use in developing situation awareness of cybersecurity incidents [9], monitoring cybersecurity alerts for anomaly detection [10], analyzing network traffic for detecting advanced persistent threats [11], and analysis of server logs for intrusion detection [12]). It is not yet sufficiently clear what analytical information is needed, which mechanisms should be used to seek analytical information for CSIR and how companies should evolve to develop and implement skills and procedures to leverage the analytical information and thereby compete in the evolving cyber threat environment.
Given this current state of analytical information use in CSIR, our study investigates the factors associated with a firm's exploitation of an overall analytical information processing capability (AIPC) for decision making in CSIR. Using information processing theory (IPT), we examine the role of BA capabilities in the exploitation of analytical information in CSIR. Our research question is: How do organizations exploit analytical information in the process of cybersecurity incident response by using business analytics?
To answer this question, we compared in-depth data from three large global financial organizations as they used BA to exploit analytical information in their CSIR process. Integrating insights from this data with extant literature informed a framework that explains how strong BA capabilities enhance firms' AIPC which, in turn, improves overall enterprise security performance by delivering strategic and financial benefits.
In the next section of this paper, we discuss the theoretical background and develop a conceptualization of AIPC in CSIR. Then we illustrate our case study by describing details of the study design and the data analysis procedure. Subsequently, we present the results and a discussion of the research findings and limitations, as well as directions for future research.
Theoretical background
This section provides a review of the literature pertaining to IPT as well as AIPC and CSIR. First, we explain the key concepts of IPT, linking them with BA. Then we discuss the intersection of AIPC and BA as a research gap. Finally, we conceptualize AIPC in CSIR, which provides the theoretical basis for our theoretical framework.
Research methodology
Given the nascent nature of research on exploiting analytical information in CSIR, we chose to use a multiple case study methodology based on the case study protocols and guidelines specified in [28,29]. The unit of analysis is the incident response function of each organization. We considered each case as a distinct analytical unit and built a theoretical framework from the case studies by recursive cycling among the case data, emerging theory, and extant literature [29,30].
According to Gioia
Backgrounds of case organizations
We describe the background on the development and exploitation of AIPC in each firm.
Firm A: Firm A employs more than 60,000 employees worldwide and is in the top 50 banks in the world. Approximately ten years ago, Firm A established a dedicated BA center that works collaboratively with the business functions. Additionally, Firm A also understands the importance of CSIR, with top management committed to achieving a distinctive analytical and CSIR capability that enables business units to perform
Findings
Fig. 2 shows the framework developed based on the analysis of our data.
The framework links the uncertainty in the cyber threat environment, analytical information needs, and AIPC with the enterprise security performance. Arrows show the direction of the relationship, with double headed arrows between the dynamic cyber threat environment and AIPC in incident response. Similarly, three key components of AIPC (analytical information needs, analytical information seeking mechanisms, and analytical
Discussion of results and conclusion
Cybersecurity has become one of the top issues at the forefront of every executive's mind. In this paper, we have investigated the underexplored perspective of exploiting AIPC using BA in the process of CSIR to address the dynamic and uncertain cybersecurity threat environment. Employing IPT as a lens, we conducted a multiple case study to gain a better understanding of the needs, seeking mechanisms and usage of analytical information in the CSIR process, the role that BA capabilities play in
Acknowledgements
This research was supported by the University of Melbourne International Research Scholarship.
References
- et al., The impact of business analytics on supply chain performance, Decis. Support. Syst. (2010)
- et al., Exploratory security analytics for anomaly detection, Comput. Secur. (2016)
- et al., Analysis of high volumes of network traffic for advanced persistent threat detection, Comput. Netw. (2016)
- et al., Online anomaly detection using dimensionality reduction techniques for HTTP log analysis, Comput. Netw. (2015)
- The role of decision support systems in an indeterminate world, Decis. Support. Syst. (2007)
- et al., Data, information and analytics as services, Decis. Support. Syst. (2013)
- Does data analytics use improve firm decision making quality? The role of knowledge sharing and data analytics competency, Decis. Support. Syst. (2019)
- et al., Incident-centered information security: managing a strategic balance between prevention and response, Inf. Manag. (2014)
- et al., Creating strategic business value from big data analytics, J. Manag. Inf. Syst. (2018)
- et al., How does business analytics contribute to business value?, Inf. Syst. J. (2017)
- Leveraging customer involvement for fueling innovation: the role of relational and analytical information processing capabilities, MIS Q.
- Designing and developing analytics-based data products, MIT Sloan Manag. Rev.
- Marketing analytics for data-rich environments, J. Mark.
- Magic quadrant for security information and event management, Gart. Res.
- The board's role in cybersecurity, MIT Sloan Manag. Rev.
Cited by
- Enhancing cybersecurity capability investments: Evidence from an experiment, Technology in Society (2024)
- Operations-informed incident response playbooks, Computers and Security (2023)
- The tensions of cyber-resilience: From sensemaking to practice, Computers and Security (2023)
- Cyber threat detection: Unsupervised hunting of anomalous commands (UHAC), Decision Support Systems (2023)
- Developing business process agility: Evidence from inter-organizational information systems of airlines and travel agencies, Journal of Air Transport Management (2022). Citation excerpt: “The analytical capabilities of IOS can be seen as the extent to which IOS provides inter-enterprise analytical capabilities to maintain decisions about supply chain functions (Lee et al., 2020; Liu et al., 2016). Analytical capabilities of IOS can enhance enterprises' development of professional knowledge through real-time information monitoring, pattern analysis, and simulation strategies (Naseer et al., 2021), to provide managers with more excellent strategic capabilities to discover emerging market opportunities and predict passenger needs and decide the timing to exercise specific strategic options to achieve agility of supply chain. As the analytical ability of knowledge-based IT, IOS can strengthen and support the enterprise's perception ability.”