Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type


Publication Date

White Paper

Limits to Effectiveness in Computer Security Incident Response Teams

  • Abstract

    In a continuously changing environment, a Computer Security Incident Response Team (CSIRT) has to evolve to sustain or improve its effectiveness. The main task of a CSIRT is to mitigate the effects of computer security incidents. A frequently identified problem is that CSIRTs are over-worked, under-staffed and under-funded. We present a System Dynamics simulation model of such conditions based on a case study. The model is a first attempt to understand the main factors influencing a CSIRT’s effectiveness, and to improve its performance. Based on theory from process improvement and information from the case study, we identified that short-term pressure from a growing incident work load prevents attempts for developing more response capability long-term, leading the CSIRT into a “capability trap”. Fundamental solutions will typically involve a worse-before-better trade-off for management.

  • Download

Part of a Collection

Resources for Creating a CSIRT