Replication Data for: A Model-Based Framework for Developing Security-Safety Incident Response Plans

This data set contains 33 modeling diagrams used to model incident response procedures in security-safety incident response from two Norwegian oil and gas companies. The file set includes all diagrams in .png format depicting different perspectives on role responsibilities and interactions during the incident response used for analysis. The diagrams were based on empirical findings using two case studies, conducting semi-structured interviews, document analysis, and multiple meetings. However, the empirical findings are not reported here since they are not permitted to be shared. Abstract from publication: Cyberattacks are increasingly affecting the safe operation of critical infrastructure (e.g., energy, manufacturing) and potentially endangering production, people, equipment, and the environment. A cyber-incident with physical consequences requires personnel responsible for aggregating log information, analyzing root cause (i.e., cybersecurity), and ensuring the production and safe operation of safety-critical systems (i.e., safety) to collaborate. For this, they must understand their own and each other's roles in the incident response process, as well as when and how to interact with different roles. To address this problem, this paper proposes a framework that utilizes a model-based approach to illustrate the critical roles and their interactions within a security-safety incident response plan. To demonstrate its applicability, the framework was applied in a qualitative study within the Norwegian oil and gas industry, involving two companies. This research sheds light on the relevance of applying a model-based approach to developing security and safety incident response plans for organizations. It investigates the relevance of using two modeling languages: a general-purpose software systems modeling language, the Unified Modeling Language (UML), and an enterprise process workflow modeling language, the Business Process Modeling Notation (BPMN), for visualizing the security-safety incident response plan. The findings indicate that the modeling languages are suitable and relevant for understanding and discussing the collaboration and coordination of different personnel's roles during security-safety incident response. The distinct diagrams highlight various aspects, including roles, transmitted information, tasks, and the sequence of tasks. Future work should consider how the diagrams can be applied during the training and learning of the incident response plans.