Abstract: Societies need the ability to respond to crises such as terrorism, pandemics and natural disasters. Hence, it is essential to ensure that the capability of crisis management is attained, maintained, and developed. Since large crises cannot be handled by single organizations, collaborative crisis management capability is needed. The objective of this work was to provide support by an instrument for assessment of collaborative crisis management capability. The work was iteratively performed in a workgroup. The outcome was two templates with sets of generic questions, one for assessment of the actual capabilities and one for assessment of the preconditions of the capabilities. The templates mainly focus on assessment of collaborative crisis management capability. However, since the questions are generically formulated, they should be usable for assessments of any type of crisis management capability.

Abstract: Situation awareness is created through the dynamic process of perception and action and serves as a foundation of overall performance throughout many different domains, such as education, military operations, air traffic control, driving, search and rescue, and crisis management [Endsley, 2006]. Information sharing is an important factor to be consider in situation awareness. In this paper, we present how tools can support information sharing in crisis management. So, we study how crisis management team dealt with two exercises using firstly whiteboards and secondly, CRIMSON a digital decision support tool.

Abstract: Organizations affected by a cyber-attack usually rely on external Cyber Incident Response (CIR) consultants to conduct investigations and mitigate the impact. These CIR consultants need to make critical decisions that could have major impact on their clients. This preliminary investigation aims to get a better understanding of CIR decision -making and answers the following questions: (1.) To what extent do experienced CIR consultants use a Recognition-Primed Decision (RPD) Making strategy during their work? (2.) What are the implications for cyber crisis management as well as for training and decision -making? To answer these questions, we conducted a literature review and interviewed six experienced CIR consultants using the Critical Decision Method. Our analysis reveals that CIR consultants recognize situations based on past experiences and apply a course of action that has worked effectively in the past. This course of action is mainly aimed at collecting and evaluating more data. This finding differs from other operational domains, such as the military and fire department, where recognition is usually followed immediately by action. For cyber crisis management, this means that crisis management teams should decide to what extent and in what ways they want to mitigate the risk of responding belatedly to cyber events, which could potentially lead to unnecessary data theft and sustained business disruption. Another implication is that crisis management teams should consider whether additional forensic investigations outweigh the expected benefits throughout the response process. For instance, if the likely entry-point of the attacker has been discovered, how much effort should be devoted to exclude other potential entry-points. Reflecting on the status-quo, several implications for training and decision making are provided.