The CIRP™ programme consists of three phases and is delivered in a fixed sequence (Phase I-III), with Phase I self-paced over a period of four weeks, Phase II scheduled and delivered over two weeks, and Phase III scheduled and delivered over two weeks.
Participants can progress to the next phase only after a positive (incremental) phase-related assessment.
The CIRP™ programme contains collaborative learning, both in the exploration of the content in Phase II and during the practice in Phase III. Collaboration is designed to reflect operational circumstances. Although theoretical models may be used for instructional purposes, those models are adapted in the exercises to practical critical incident management.
The CIRP™ programme applies the findings of the 2001 revision of Bloom's taxonomy and has graded all learning activities accordingly.
Phase I will aim to bring the participant to the level of understanding the body of knowledge related to the programme in eight on-line self-paced learning modules.
Module 1
- Foundation
- The world of cybersecurity
- Defining cybercrime
- Varieties of cybercrime
- Threat actors
- Methods of attack
- Social engineering
- Cyber digital world & cloud
Module 2
- Engagement
- Cyber risk management
- ISO 31000
- Security risk strategies
- The security triangle
- The importance of prevention
- The importance of mitigation
- Protecting the Crown Jewels
- Personal cybersecurity hygiene
- Cybersecurity protocols
- Cyber defense frameworks
- Collaboration & compliance
- Lines of Defense – the 3 LoD Model
- Cybersecurity allies
Module 3
- Preparation
- Preparing for a cybersecurity incident
- Scenario-based or capacity-based preparation
- Traditional Planning Instruments
- The Black Swan vs. Grey Rhino
- Cybersecurity incident management governance
- Four models of critical incident management
- Hybrid models
- Technical preparation
Module 4
- Incident Management
- Cybersecurity incident response
- Building a CSIRT: the Cyber Security Incident Response Team
- CSIRT technical skills
- Cyber forensics
- Training, exercises, and drills
Module 5
- Incident Support
- Insurance
- Working with expert teams
- Cyberpsychology
- Fight-Flight-Freeze
- Stress & cybersecurity
- The Blame Game
- The psychology of an organization under attack
- Why we do not ‘hack back’
- Leading from the middle
- Management or leadership
Module 6
- Stakeholders
- Owners & stakeholders
- The executive manager or the owner as attack surface
- The role of the police
- Police assessment tool
- Vendors and network partners
- Third-party supplier risk
- Media and social media
- Understanding the media
Module 7
- Managing Ransomware Attacks
- Background ransomware attacks
- The Modus Operandi of ransomware attackers
- Responding to a ransomware attack
- The response strategy
- To pay ransom: yes, or no?
- Legal implications
- Ransom payment
- The attackers’ Profit/Loss Line
- Negotiations
- Influencing
- Ransomware attacks and cryptocurrency
Module 8
- Recovery
- What happens after a cybersecurity incident?
- Immediate actions or the incident ‘Post-Mortem’ exercise
- The four post-incident or aftermath components
- Providing psychological support in the aftermath
- Organizational growth as a result of the cybersecurity incident
- Board of inquiry
- Public inquiry
- Stress and cybersecurity incidents revisited
- Dealing with stress during a cybersecurity incident
Phase II aims to bring the participant to the level of application of the concepts that were presented in Phase I, through the presentation, analysis and discussion of three case studies.
Phase III presents a cybersecurity incident simulation that challenges the participants to analyze, combine, evaluate and activate concepts from the previous phases. It includes academic reflection on the participant’s role as a manager of a complex critical incident and on the required communicative, collaborative and leadership skills.
Each phase and module is based on a learning plan containing objectives, a review of relevant earlier studied materials, an overview of new materials, and delivery and testing plans.