1.1
1
xml
info:srw/schema/1/mods-v3.2
Towards More Insight into Cyber Incident Response Decision Making and its Implications for Cyber Crisis Management
Jelle Groenendaal
author
Ira Helsloot
author
Christian Reuter
author
2022
Tarbes, France
English
Organizations affected by a cyber-attack usually rely on external Cyber Incident Response (CIR) consultants to conduct investigations and mitigate the impact. These CIR consultants need to make critical decisions that could have major impact on their clients. This preliminary investigation aims to get a better understanding of CIR decision -making and answers the following questions: (1.) To what extent do experienced CIR consultants use a Recognition-Primed Decision (RPD) Making strategy during their work? (2.) What are the implications for cyber crisis management as well as for training and decision -making? To answer these questions, we conducted a literature review and interviewed six experienced CIR consultants using the Critical Decision Method. Our analysis reveals that CIR consultants recognize situations based on past experiences and apply a course of action that has worked effectively in the past. This course of action is mainly aimed at collecting and evaluating more data. This finding differs from other operational domains, such as the military and fire department, where recognition is usually followed immediately by action. For cyber crisis management, this means that crisis management teams should decide to what extent and in what ways they want to mitigate the risk of responding belatedly to cyber events, which could potentially lead to unnecessary data theft and sustained business disruption. Another implication is that crisis management teams should consider whether additional forensic investigations outweigh the expected benefits throughout the response process. For instance, if the likely entry-point of the attacker has been discovered, how much effort should be devoted to exclude other potential entry-points. Reflecting on the status-quo, several implications for training and decision making are provided.
Cyber Incident Response
Cyber Crisis Management
Naturalistic Decision-making
exported from refbase (http://idl.iscram.org/show.php?record=2468), last updated on Thu, 03 Nov 2022 22:08:47 +0100
text
http://idl.iscram.org/files/jellegroenendaal/2022/2468_JelleGroenendaal_etal2022.pdf
JelleGroenendaal_etal2022
ISCRAM 2022 Conference Proceedings – 19th International Conference on Information Systems for Crisis Response and Management
Iscram 2022
Rob Grace
editor
Hossein Baharmand
editor
2022
Tarbes, France
conference publication
1025
1036
978-82-8427-099-9
2411-3387
1