A conceptual model for digital forensic readiness in security operation centres: a South African study
Thesis / Dissertation
2025
Publisher: University of Cape Town
Abstract
As the adoption of technology has increased, so has the number of cyber-attacks and security breaches. These attacks and breaches have become more sophisticated and can go undetected for months. With this rise in cyber-attacks, it has become crucial for organizations to tighten their cybersecurity measures and to be ready to investigate breaches quickly. These measures include the adoption of Security Operations Centres (SOCs) that integrate digital forensic capabilities with various cybersecurity tools. The reviewed literature shows that a well-defined digital forensic readiness (DFR) strategy is important to ensure quick and efficient investigations that do not have a large impact on the organization. In addition, conducting investigations internally helps an organization reduce costs. While there are proposed frameworks that aim to help an organization become forensically ready, none focus specifically on a SOC. SOCs are complex environments, which makes conducting a digital forensic investigation challenging. The objective of this study was to develop a conceptual model for DFR focused on SOCs in South Africa. To achieve this, the study first analysed existing DFR frameworks and extracted the key factors common to all of them. Management support, policies, processes and procedures, forensic technologies, legal frameworks, technical skills, and training were identified as the key factors with a potential influence on the forensic readiness of a SOC. The study used a quantitative research approach with a survey questionnaire; data were collected from professionals working in organizations that run a SOC in South Africa.
The data were analysed using statistical methods, and the results indicate that the digital forensic readiness of a SOC depends on management support, organizational policies, processes and procedures, the integration of forensic and cybersecurity technologies, an understanding of the various legal requirements, technical skills, and continuous training. All participants held at least one formal qualification and one industry-related certificate. The proposed DFR conceptual model sets out the factors that SOCs can use to assess their forensic readiness. The findings also highlight the importance of a holistic approach to forensic readiness, which includes continuous investment in both technology and technical skills to keep pace with evolving technology. Furthermore, SOCs can use the findings to identify the areas of their DFR plan they need to focus on to enhance their cyber-resilience.
Reference:
Nkwe, B. 2025. A conceptual model for digital forensic readiness in security operation centres: a South African study. University of Cape Town, Faculty of Commerce, Department of Information Systems. http://hdl.handle.net/11427/42557