{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T07:31:59Z","timestamp":1773300719673,"version":"3.50.1"},"reference-count":67,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2021,6,28]],"date-time":"2021-06-28T00:00:00Z","timestamp":1624838400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,8,17]]},"abstract":"Purpose<\/jats:title>Collaborative-based national cybersecurity incident management benefits from the huge size of incident information, large-scale information security devices and aggregation of security skills. However, no existing collaborative approach has been able to cater for multiple regulators, divergent incident views and incident reputation trust issues that national cybersecurity incident management presents. This paper aims to propose a collaborative approach to handle these issues cost-effectively.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>A collaborative-based national cybersecurity incident management architecture based on ITU-T X.1056 security incident management framework is proposed. It is composed of the cooperative regulatory unit with cooperative and third-party management strategies and an execution unit, with incident handling and response strategies. Novel collaborative incident prioritization and mitigation planning models that are fit for incident handling in national cybersecurity incident management are proposed.<\/jats:p><\/jats:sec>Findings<\/jats:title>Use case depicting how the collaborative-based national cybersecurity incident management would function within a typical information and communication technology ecosystem is illustrated. The proposed collaborative approach is evaluated based on the performances of an experimental cyber-incident management system against two multistage attack scenarios. The results show that the proposed approach is more reliable compared to the existing ones based on descriptive statistics.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The approach produces better incident impact scores and rankings than standard tools. The approach reduces the total response costs by 8.33% and false positive rate by 97.20% for the first attack scenario, while it reduces the total response costs by 26.67% and false positive rate by 78.83% for the second attack scenario.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-02-2020-0027","type":"journal-article","created":{"date-parts":[[2021,6,25]],"date-time":"2021-06-25T09:59:08Z","timestamp":1624615148000},"page":"457-484","source":"Crossref","is-referenced-by-count":11,"title":["A collaborative approach for national cybersecurity incident management"],"prefix":"10.1108","volume":"29","author":[{"given":"Oluwafemi","family":"Oriola","sequence":"first","affiliation":[]},{"given":"Adesesan Barnabas","family":"Adeyemo","sequence":"additional","affiliation":[]},{"given":"Maria","family":"Papadaki","sequence":"additional","affiliation":[]},{"given":"Eduan","family":"Kotz\u00e9","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2021,6,28]]},"reference":[{"key":"key2021081408083393000_ref001","doi-asserted-by":"crossref","unstructured":"Alberts, C., Dorofee, A., Killcrece, G., Ruefle, R. and Zajicek, M. (2004), \u201cDefining Incident Management Processes for CSIRTs: A Work in Progress\u201d, Technical Report CMU\/SEI-2004-TR-015 ESC-TR-2004-015, Carnegie Mellon Software Engineering Institute.","DOI":"10.21236\/ADA453378"},{"key":"key2021081408083393000_ref002","first-page":"33","article-title":"Alert prioritization in intrusion detection systems","volume-title":"Proceedings of the IEEE Network Operations and Management Symposium","year":"2008"},{"issue":"2","key":"key2021081408083393000_ref003","first-page":"321","article-title":"Towards building national cybersecurity awareness","volume":"66","year":"2020","journal-title":"Intl Journal of Electronics and Telecommunications"},{"key":"key2021081408083393000_ref004","volume-title":"The Logic and Limits of Trust","year":"1983"},{"key":"key2021081408083393000_ref005","article-title":"Ciphertext-policy attribute-based encryption","volume-title":"2007 IEEE Symposium on Security and Privacy (SP'07)","year":"2007"},{"key":"key2021081408083393000_ref006","volume-title":"Analyzing Texts with Natural Language Toolkit: Natural Language Processing with Python","year":"2009","edition":"1st ed."},{"key":"key2021081408083393000_ref007","unstructured":"Burks, D. (2014), \u201cPeel back the layers of your networks in minutes\u201d, Security Onion, available at: https:\/\/resources.sei.cmu.edu\/asset_files\/Presentation\/2014_017_001_90218.pdf (accessed 10 April 2015)."},{"issue":"3","key":"key2021081408083393000_ref008","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1177\/014920639101700307","article-title":"Toward understanding and measuring conditions of trust: evolution of a conditions of trust inventory","volume":"17","year":"1991","journal-title":"Journal of Management"},{"key":"key2021081408083393000_ref009","unstructured":"Caswell, B. and Roesch, M. (1998), \u201cSnort: the open source network intrusion detection system\u201d, available at: www.snort.org (accessed 10 April 2014)."},{"key":"key2021081408083393000_ref010","unstructured":"CBN-NFF (2019), \u201cAnnual report 2018: Nigeria electronic fraud\u201d, available at: www.cbn.gov.ng\/Out\/2019\/CCD\/NeFF (accessed 10 November 2019)."},{"issue":"12","key":"key2021081408083393000_ref011","article-title":"Collaborative detection of DDoS attacks over multiple network domains","volume":"18","year":"2007","journal-title":"IEEE Transactions on Parallel and Distributed Systems"},{"issue":"1","key":"key2021081408083393000_ref013","doi-asserted-by":"crossref","first-page":"40","DOI":"10.1109\/TST.2013.6449406","article-title":"Cloud computing-based forensic analysis for collaborative network security management system","volume":"18","year":"2013","journal-title":"Tsinghua Science and Technology"},{"issue":"1","key":"key2021081408083393000_ref012","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/TST.2014.6733211","article-title":"Collaborative network security in multi-tenant data center for cloud computing","volume":"19","year":"2014","journal-title":"Tsinghua Science and Technology"},{"key":"key2021081408083393000_ref013a","unstructured":"DARPA (2014), \u201cDARPA intrusion detection data sets\u201d, Security Onion, available at: http:\/\/www.ll.mit.edu\/mission\/communications\/ist\/corpora\/ideval\/data\/index.html (accessed 30 April 2014)"},{"key":"key2021081408083393000_ref013b","doi-asserted-by":"crossref","unstructured":"Danyliw, R., Meijer, J. and Demchenko, Y. (2007), \u201cThe incident object description exchange format\u201d, Network Working Group, RFC 5070, available at: www.ietf.org, www.ietf.org (accessed 2 April 2014).","DOI":"10.17487\/rfc5070"},{"key":"key2021081408083393000_ref014","article-title":"A fuzzy risk calculations approach for a network vulnerability ranking system","year":"2009"},{"key":"key2021081408083393000_ref015","unstructured":"Elebeke, E. (2019), \u201cNCC regulation not in conflict with Nigeria data protection regulation \u2013 NITDA\u201d, Vanguard, available at: www.vanguardngr.com\/2019\/10\/ncc-regulation-not-in-conflict-with-nigeria-data-protection-regulation-nitda\/ (accessed 10 January 2020)."},{"key":"key2021081408083393000_ref016","unstructured":"ENISA (2013), \u201cDetect, share, protect solutions for improving threat data exchange among CERTs\u201d, European Union Agency for Cybersecurity, available at: www.enisa.europa.eu\/publications\/detect-share-protect-solutions-for-improving-threat-data-exchange-among-certs (accessed 8 July 2019)."},{"key":"key2021081408083393000_ref017","unstructured":"European Commission (2016), \u201cProposal for a directive of the European parliament and of the council concerning measures for a high common level of security of network and information systems across the union\u201d, available at: http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF (accessed 8 July 2019)."},{"issue":"2","key":"key2021081408083393000_ref018","first-page":"77","article-title":"Alert correlation and prediction using data mining and HMM","volume":"3","year":"2011","journal-title":"The ISCInt'l Journal of Information Security"},{"key":"key2021081408083393000_ref019","volume-title":"Tools and Standards for Cyber Threat Intelligence Projects","year":"2013"},{"key":"key2021081408083393000_ref020","article-title":"Detecting hate speech and offensive language on twitter using machine learning: an N-gram and TFIDF based approach","volume-title":"IEEE International Advance Computing Conference 2018","year":"2018"},{"key":"key2021081408083393000_ref021","unstructured":"GC CSEMP (2018), \u201cGovernment of Canada cyber security event management plan\u201d, Treasury Board of Canada Secretariat, available at: www.canada.ca\/en\/treasury-board-secretariat\/services\/access-information-privacy\/security-identity-management\/government-canada-cyber-security-event-management-plan.html (accessed 26 July 2019)."},{"key":"key2021081408083393000_ref022","unstructured":"Haslum, K. (2010), \u201cReal-time network intrusion prevention\u201d, Doctoral theses at NTNU, 2010:168."},{"key":"key2021081408083393000_ref023","article-title":"Developing effective risk responses","volume-title":"Proceedings of the 30th Annual Project Management Institute 1999 Seminars and Symposium","year":"1999"},{"key":"key2021081408083393000_ref059a","article-title":"Association rules mining using multi-objective co-evolutionary algorithm","year":"2007"},{"issue":"1","key":"key2021081408083393000_ref024","article-title":"Hybrid intrusion detection and prediction multiagent system, HIDPAS","volume":"5","year":"2009","journal-title":"IJCSIS) International Journal of Computer Science and Information Security"},{"key":"key2021081408083393000_ref025","unstructured":"Jumaat, A.N.B. (2012), \u201cIncident prioritization for intrusion response\u201d, University of Plymouth, Unpublished Ph.D. Thesis."},{"key":"key2021081408083393000_ref026","unstructured":"Kang, X., Zhou, D., Rao, D., Li, J. and Lo, V. (2004), \u201cSequoia \u2013 a robust communication architecture for collaborative security monitoring systems\u201d, available at: http:\/\/netsec.cs.uoregon.edu\/research\/sequoia.php (accessed 4 April 2014)."},{"issue":"3","key":"key2021081408083393000_ref027","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1177\/002200277001400307","article-title":"Conceptual and methodological considerations in the study of trust and suspicion","volume":"14","year":"1970","journal-title":"Journal of Conflict Resolution"},{"key":"key2021081408083393000_ref028","first-page":"73","article-title":"Statistical causality analysis of INFOSEC alert data","volume-title":"Proceedings of the Recent Advances in Intrusion Detection","year":"2003"},{"key":"key2021081408083393000_ref029","article-title":"A data mining approach to generating network attack graph for intrusion prediction","volume":"29","year":"2007","journal-title":"Computer Communications"},{"key":"key2021081408083393000_ref030","unstructured":"LLDOS 1.0 (2000), \u201c2000 DARPA intrusion detection scenario specific datasets\u201d, available at: www.ll.mit.edu\/r-d\/datasets\/2000-darpa-intrusion-detection-scenario-specific-datasets (accessed 21 May 2020)."},{"key":"key2021081408083393000_ref031","unstructured":"Lobel, M. (2014), \u201cThe global state of information security survey 2014\u201d, PwC US, available at: www.pwc.com\/giss2014 (accessed 26 July 2019)."},{"key":"key2021081408083393000_ref032","volume-title":"Intrusion Detection1: Implementation and Operational Issues. CROSSTALK","year":"2001"},{"issue":"3","key":"key2021081408083393000_ref033","doi-asserted-by":"crossref","first-page":"709","DOI":"10.5465\/amr.1995.9508080335","article-title":"An integrative model of organisational trust","volume":"20","year":"1995","journal-title":"Academy of Management Review"},{"key":"key2021081408083393000_ref034","unstructured":"Mell, P., Scarfone, K. and Romanosky, S. (2009), \u201cA complete guide to the common vulnerability scoring system version 2.0\u201d, available at: www.first.org\/cvss\/cvss-guide.html (accessed 1 May 2014)."},{"key":"key2021081408083393000_ref035","doi-asserted-by":"crossref","unstructured":"Moriarty, K. (2012), \u201cReal-time inter-network defense (RID)\u201d, RFC 654, available at: www.ietf.org (accessed 1 April, 2014).","DOI":"10.17487\/rfc6545"},{"issue":"2","key":"key2021081408083393000_ref035a","first-page":"433","article-title":"Discovering association rules from incremental datasets","volume":"1","year":"2010","journal-title":"International Journal of Computer Science & Communication"},{"issue":"62","key":"key2021081408083393000_ref036","first-page":"A287","article-title":"Nigeria communications act","volume":"90","author":"NCA Act","year":"2003","journal-title":"Federal Republic of Nigeria Official Gazette"},{"key":"key2021081408083393000_ref037","doi-asserted-by":"crossref","unstructured":"NIST (2018), \u201cFramework for improving critical infrastructure cybersecurity version 1.1\u201d, available at: https:\/\/doi.org\/10.6028\/NIST.CSWP.04162018 (accessed 8 June 2019).","DOI":"10.6028\/NIST.CSWP.04162018"},{"issue":"99","key":"key2021081408083393000_ref038","article-title":"National information technology development agency act","volume":"94","author":"NITDA Act","year":"2007","journal-title":"The Federal Republic of Nigeria Official Gazette"},{"key":"key2021081408083393000_ref039","first-page":"320","article-title":"STORM \u2013 collaborative security management environment. Information security theory and practice. Security and privacy of mobile devices in wireless communication","volume":"6633","year":"2011","journal-title":"Lecture Notes in Computer Science"},{"key":"key2021081408083393000_ref040","unstructured":"NVD (2012), \u201cCVE-2012-4681 details\u201d, National Vulnerability Database, available at: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2012-4681 (accessed 3 February 2019)."},{"issue":"2","key":"key2021081408083393000_ref041","doi-asserted-by":"crossref","first-page":"1","DOI":"10.9734\/BJEMT\/2016\/24432","article-title":"Prospects of Nigeria\u2019s ICT infrastructure for E-Commerce and cashless economy","volume":"13","year":"2016","journal-title":"British Journal of Economics, Management and Trade"},{"key":"key2021081408083393000_ref042","unstructured":"Oracle (2010), \u201cSunScreeen skip release 1.5.1\u201d, Oracle Cooperation, available at: https:\/\/docs.oracle.com\/cd\/E19047-01\/sunscreen151\/806-5397\/howskipworks-4\/index.html (accessed 26 July 2019)."},{"key":"key2021081408083393000_ref043","article-title":"HogMap: using SDNs to incentivize collaborative security monitoring","volume-title":"ACM International Workshop on Security in Software Defined Networks and Network Function Virtualization, SDN-NFV Security 2016","year":"2016"},{"key":"key2021081408083393000_ref044","unstructured":"Pantami, I. (2020), \u201cThe federal ministry of communication and digital economy\u201d, Federal Republic of Nigeria, available at: www.commtech.gov.ng\/ (accessed 5 August 2020)."},{"key":"key2021081408083393000_ref045","first-page":"2825","article-title":"Scikit-learn: machine learning in python","volume":"12","year":"2011","journal-title":"Journal of Machine Learning Reserch"},{"key":"key2021081408083393000_ref046","first-page":"95","article-title":"A mission-impact-based approach to INFOSEC alarm correlation","volume-title":"Proceedings of the 5th International Symposium Recent Advances in Intrusion Detection","year":"2002"},{"key":"key2021081408083393000_ref047","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1016\/j.ijcip.2017.11.005","article-title":"Nationwide critical infrastructure monitoring using a common operating picture framework","volume":"20","year":"2018","journal-title":"International Journal of Critical Infrastructure Protection"},{"key":"key2021081408083393000_ref048","article-title":"Sharing threat intelligence analytics","volume-title":"RSA Conference, Asia-Pacific, CLT-05 Intermediate Class","year":"2013"},{"key":"key2021081408083393000_ref049","volume-title":"Collaborative Computer Security and Trust Management","year":"2009"},{"key":"key2021081408083393000_ref050","unstructured":"SensePost (2011), \u201cSense modelling threat modelling\u201d, available at: www.slideshare.net\/sensepost\/corporate-threat-modelling (accessed 4 April 2014)."},{"key":"key2021081408083393000_ref051","doi-asserted-by":"crossref","first-page":"166","DOI":"10.1016\/j.jisa.2016.05.005","article-title":"A collaborative cyber incident management system for European interconnected critical infrastructures","volume":"34","year":"2017","journal-title":"Journal of Information Security and Applications"},{"key":"key2021081408083393000_ref052","volume-title":"A Mathematical Theory of Evidence","year":"1976"},{"key":"key2021081408083393000_ref053","article-title":"How to own the internet in your spare time","volume-title":"Proceedings of the 11th USENIX Security Symposium (Security \u201802)","year":"2002"},{"key":"key2021081408083393000_ref054","unstructured":"Symantec (2019), \u201cInternet security threat report\u201d, available at:www.symantec.com\/content (accessed 5 June 2019)."},{"key":"key2021081408083393000_ref055","unstructured":"Takahashi, T. (2013), \u201cIODEF-extension for structured cybersecurity information\u201d, available at: http:\/\/tools.ietf.org\/html (accessed 4 April, 2014)."},{"key":"key2021081408083393000_ref056","unstructured":"Ullrich, J. (2004), \u201cDshield home page\u201d, available at: www.dshield.org\/ (accessed 19 January 2014)."},{"key":"key2021081408083393000_ref057","article-title":"Legislation to facilitate cybersecurity information sharing: economic analysis","year":"2015"},{"key":"key2021081408083393000_ref058","unstructured":"Whitman, M.E. and Mattord, H.J. (2004), \u201cManagement of information security\u201d, Thompson Course Technology, available at: www.thomsonrights.com (accessed 19 January 2014)."},{"key":"key2021081408083393000_ref059","first-page":"1","article-title":"A game theory based collaborative security detection method for internet of things systems","volume":"99","year":"2018","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"key2021081408083393000_ref060","article-title":"A collaborative architecture for intrusion detection systems with intelligent agents and knowledge-based alert evaluation","volume-title":"Conference Proceeding on Computer Supported Cooperative Work in Design. The 8th International Conference on Volume: 2","year":"2004"},{"key":"key2021081408083393000_ref061","article-title":"Distributed change detection for worms, DDoS and other network attacks","volume-title":"Proceedings of the 2004 American Control Conference, June 30 -July 2, 2004","year":"2004"},{"key":"key2021081408083393000_ref062","first-page":"15","article-title":"Towards collaborative security and P2P intrusion detection","volume-title":"Proceedings of the 2005 IEEE Workshop on Information Assurance and Security T1B2 1555 United States Military Academy","year":"2005"},{"key":"key2021081408083393000_ref063","unstructured":"Wang, J. and Zhao, L. (2006), \u201cExperimental design for attack scenario traces to validate intrusion detection alert correlation\u201d, WSRC Paper 2006\/4-1, Whartson-SMU Research Centre."}],"container-title":["Information & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2020-0027\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-02-2020-0027\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:42Z","timestamp":1753406562000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/3\/457-484\/225480"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,6,28]]},"references-count":67,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2021,6,28]]},"published-print":{"date-parts":[[2021,8,17]]}},"alternative-id":["10.1108\/ICS-02-2020-0027"],"URL":"https:\/\/doi.org\/10.1108\/ics-02-2020-0027","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2021,6,28]]}}}