Enhancement of a Company-Wide Information Security Management System Through Incident Learning

Hiroshi Horikawa, Hisamichi Ohtani, Yuji Takahashi, Takehisa Kato, Fumihiko Magata, Yoshimi Teshigawara, Ryoichi Sasaki, Masakatsu Nishigaki

SN Comput. Sci. (2023)

Abstract
We propose the Delta ISMS method, which strengthens a company-wide information security management system (ISMS) through incident learning. International ISMS standards have been established to give organisations useful guidelines for information security risk management so that they can respond appropriately to information security incidents. When an ISMS is first introduced, the organisation is strengthened by adopting the standard requirements. However, it may not be possible for every organisation to predict everything and implement a perfect ISMS from the start. Thus, even in ISMS-certified organisations, information security incidents do not always diminish. This indicates that these organisations do not effectively carry out the PDCA cycle of the ISMS. We recognise that an ISMS requires feedback and learning from incidents, yet the standards do not provide a sufficient explanation of learning procedures. Likewise, the Cyber Security Incident Response Team guidelines do not explicitly provide specific procedures for ‘incident learning’. For incident learning, regularising informal knowledge (the formalisation of experience data) and double-loop learning (acquisition of company-wide knowledge from incident responses) are effective. Therefore, this study aims to develop detailed procedures for incident learning that drive the second and subsequent rounds of the ISMS’s PDCA cycle. We propose an incident database operation method for regularising informal knowledge and a gold–silver–bronze communication method for implementing double-loop learning. The procedures are routinely applied by headquarters under the supervision of the Chief Information Security Officer. By changing the safety factor in the damage reduction rate, multiple candidate sets of countermeasures can be obtained while taking the investment effect into account.
Keywords
incident learning, security, management system, company-wide