
CHAPTER 1. INTRODUCTION

Relevant authoritative resources have been identified for the study and include standards bodies and information security or CSIRT authorities. Part II, Related Work, attempts to sanitise and present the requirements for establishing a CSIRT as extracted from these sources in a meaningful way.

Chapter 3 describes CSIRTs in more detail including the basic requirements for CSIRTs as a foundation to the following chapters. Requirements from literature are presented according to ITIL’s four Ps — People, Processes, Products and Partners — in chapters 4 to 7, concluding Part II.

The strength of the 4P-analysis done lies in uncovering the relationships of the four Ps to one another. The Model Development (Part III) is initiated by highlighting the relationships between the Ps in chapter 8. Chapter 9 is where the actual model development takes place by combining the information in the previous chapters to produce a model for establishing a CSIRT.

Part IV, Model Demonstration, commences with a survey performed within the SA NREN beneficiaries in chapter 10 — SA NREN Status Quo. This chapter confirms the need for a CSIRT capability and hence this research. Chapter 11 serves as an instantiation of the generic CSIRT model in the SA NREN environment, thereby demonstrating the utility of the model.

Finally, chapter 12 concludes by reflecting on the research, describing the contributions and providing suggestions for the “road ahead”.

1.8 What’s next?

This chapter has served as an introduction to the dissertation by providing background on IT security incidents and the modern approach to dealing with these incidents. The concept of a National Research and Education Network (NREN) has been explained as well as the nature of the South African NREN. This was followed by the problem area and research problems, together with objectives set to address these problems. The chapter layout for the remainder of the dissertation rounded off this introduction.

Next, the methodology used to approach these research problems and propose a solution will be explained.

[Figure: chapter layout, listing each Part with its Chapters]

Part I. Prologue: 1. Introduction; 2. Methodology

Part II. Related Work: 3. CSIRTs today; 4. People: Team model and Staff; 5. Policies and Processes; 6. Services, Tools and Technologies; 7. CSIRT Partners

Part III. Model Development: 8. Integrating the 4 Ps; 9. Model for establishing a CSIRT

Part IV. Model Demonstration: 10. SA NREN Status Quo; 11. Model for the SA NREN CSIRT

Part V. Epilogue: 12. Conclusion


Chapter 2

Methodology

The methodology is intended to serve as a map — guiding the research process and providing structure.

—Hofstee (2006, p. 107)

The previous chapter gave some background to the study by introducing mechanisms used to deal with IT security incidents as well as NRENs and the South African NREN environment. In addition, it defined the problem area and specific research problem addressed by this research. Objectives for a solution to this problem as well as a chapter layout for the dissertation were provided.

This chapter continues by explaining the methodology used to solve these problems of

a. defining a model to establish a CSIRT, and

b. realising this model through application in the SA NREN environment.

A Design Science Research (DSR) process is proposed as the methodology for this study. Design science “attempts to create things that serve human purposes” (March & Smith, 1995, p. 253). As a problem-solving paradigm (Hevner et al., 2004, p. 76), design science is well suited for providing a solution to this problem. DSR seeks to address the questions of “ ‘What utility does the new artifact provide?’ and ‘What demonstrates that utility?’ ” (Hevner et al., 2004, p. 91).

The use of this method is further motivated by the engineering experience of the author, particularly in software design, meaning that the “build” and “evaluate” steps of DSR have a familiar feel.


2.1 Research design overview

The primary technique used for this study is Design Science Research (DSR). It was used to create an effective artefact, a model in this instance, through the application of knowledge (March & Smith, 1995, p. 253). This knowledge was obtained via a comprehensive study of the relevant literature utilising a concept matrix for categorisation (Webster & Watson, 2002). DSR outputs are evaluated using criteria of value and utility: does the artefact work and (if applicable) is it an improvement over previous solutions? (March & Smith, 1995, p. 253). In order to perform this evaluation, the model needed to be “instantiated” in a suitable environment. The SA NREN was selected as this environment. A survey was subsequently utilised in order to solicit the required information for implementation and assess the environment as a case study.

The format of DSR products (constructs, models, methods and instantiations) suited this research particularly well. Constructs related to establishing a CSIRT are uncovered in chapters 3 to 7, forming the vocabulary of the domain (March & Smith, 1995, p. 256; Hevner et al., 2004, p. 77). These are combined to form a model, describing the task of establishing a CSIRT and expressing the relationships between the constructs (March & Smith, 1995, pp. 253, 256), in chapters 8 and 9. “The concern of models is utility” (March & Smith, 1995, p. 256). Therefore, this model was applied to the SA NREN environment in chapter 11, with the purpose of determining if the model works (March & Smith, 1995, pp. 254, 261). “Instantiations demonstrate the feasibility and effectiveness of the models ... they contain” (March & Smith, 1995, p. 258).

The survey, used to determine the status quo with respect to malicious activity and incident response in the SA NREN environment, was implemented in the form of a questionnaire (chapter 10). Questionnaires, as with all research techniques, have their strengths and weaknesses. Relevant strengths include the ability to show correlation, choices of measurement types (ways of asking questions) (Olivier, 2008, pp. 78–84) as well as structure, facilitating quantitative analysis and volume (they can be sent to more people than interviews) (Hofstee, 2006, pp. 132–133). The last benefit, i.e. being able to distribute the survey to a large number of possible respondents in a resource-efficient manner, was particularly attractive for the purpose of this survey.
