Incident Handling: Where the need for planning is often not recognised

Terence Tan, Tobias Ruighaver, Atif Ahmad
Department of Information Systems, University of Melbourne, Parkville, Victoria.
e-mail: cctt@studentmail.dis.unimelb.edu.au, anthonie@unimelb.edu.au, atif@unimelb.edu.au

Abstract

While the vulnerability of organisations to intrusions is on the increase, it becomes vital that organizations are able to handle security incidents and undertake security/forensic investigations. These investigations are necessary to identify potential weaknesses in security and to prevent future incidents or deter future attackers. We performed several case studies to explore what factors have influenced managers in organizations in their decisions not to perform security/forensic investigations. The study identified that the absence of prior planning for incident handling, and unawareness of the importance of such planning, are major inhibitors to an organization's ability to react to security incidents.

Keywords
Forensic investigations, planning, decision making, management of incident handling

INTRODUCTION

Current studies in the area of information security and computer crime clearly indicate an increase in the number of attacks on organizations. Research studies performed by the Computer Security Institute (CSI), the Federal Bureau of Investigation (CSI/FBI Survey, 2002) and AusCERT (AusCert et al, 2002) have indicated that the level of security incidents (including internal and external attacks) in organizations has risen over the last couple of years compared to earlier studies (KPMG Canada, 1997; KPMG Canada, 1998; The Association of Certified Fraud Examiners, 1996). This increase in attacks coincides with the explosive growth of the Internet and the availability and connectability (reach) that it provides (Hafner & Lyon, 1996; Levy, 1984; Bloombecker, 1990).
The likelihood that an organization's information systems are insufficiently secluded and protected against certain kinds of damage or loss is known as "systems risk" (Straub & Welke, 1998). An underlying problem with systems risk, in the 90's and more so today, is that managers and security personnel are generally unaware of the full range of actions that they can take to reduce risk and to manage incidents. Due to this lack of knowledge in risk management and incident handling, subsequent actions to plan for and cope with systems risk are far less effective than they need to be. Fortunately, there are a number of well-established behavioural theories and other conceptual models that offer insight into what influences managers in making decisions when dealing with systems risk and incident handling. This is one viable explanation as to why studies by the CSI and the FBI (CSI/FBI Survey, 2002) have shown evidence of a change in the way organizations are choosing to handle security incidents. Organizations are now beginning to realize the importance of handling attacks/incidents appropriately and effectively. Likewise, they are beginning to carry out security and/or forensic investigations in order to identify weaknesses in their security, improve overall security, prevent future occurrences, and prosecute offenders (Braid, 2001; Haugen and Selin, 1999; Theunissen, 2001; Pasikowski, 2001). However, even with this emphasis on incident handling and security/forensic investigations, the majority of organizations nevertheless continue to react unfavourably to security incidents. That is, they often do not perform any investigation, but simply focus on business continuity (resuming production) (see AusCert et al, 2002: 23; D'Amico, 2002; Braid, 2001). This is not surprising, as most firms would rather ignore security breaches or take care of them themselves than report them and risk negative publicity.
Further, in certain industries, organizations even fear that the information provided to authorities may be used against them. This then leaves us with a puzzling picture. On the one hand, attacks on organizations are increasing and hence the emphasis placed on incident handling and investigations is greater. Although we see a higher awareness in

Tan, Ruighaver, Ahmad (Paper #8) 1st Australian Computer, Network & Information Forensics Conference 2003 Page 1 25 November 2003, Perth, Western Australia