Limits to Effectiveness in Computer Security Incident Response Teams

August 2005 White Paper
Johannes Wiik (Agder University College Norway), Jose J. Gonzalez (Agder University College Norway)

In this paper, the authors present an attempt to gain a better understanding of how a CSIRT can handle a growing workload with limited resources.


Software Engineering Institute


In a continuously changing environment, a Computer Security Incident Response Team (CSIRT) has to evolve to sustain or improve its effectiveness. The main task of a CSIRT is to mitigate the effects of computer security incidents. A frequently identified problem is that CSIRTs are overworked, understaffed and underfunded. We present a System Dynamics simulation model of such conditions based on a case study. The model is a first attempt to understand the main factors influencing a CSIRT's effectiveness and how its performance can be improved. Based on theory from process improvement and information from the case study, we identified that short-term pressure from a growing incident workload prevents attempts to develop more response capability in the long term, leading the CSIRT into a "capability trap". Fundamental solutions will typically involve a worse-before-better trade-off for management.
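The worse-before-better trade-off described in the abstract can be made concrete with a small stock-and-flow simulation. The following is an added illustration, not the authors' model and not code from the paper or from the SEI: it uses a single incident backlog stock, a single "learned capability" stock that erodes over time, and a fixed share of analyst hours diverted from closing incidents to improving the response process. The arrival stream, the capacity, the learning rate and the erosion rate are all constructed parameters chosen for illustration. It compares a team that spends every hour on incidents against one that reserves 20% of its hours for capability work, and reports the week at which the investing team's backlog first drops below the firefighting team's.

```python
"""Toy stock-and-flow simulation of a CSIRT's worse-before-better trade-off.

Illustrative only (not the paper's model): one backlog stock, one learned-
capability stock, and a fixed improvement share.  All parameter values are
assumed for illustration.
"""


def simulate(improvement_share, weeks=104, capacity_hours=100.0,
             arrivals_start=90.0, arrivals_growth=0.5,
             learn_rate=0.001, erosion=0.01):
    """Return a list of (week, backlog, capability) tuples.

    improvement_share: fraction of analyst hours spent improving the response
        process (procedures, tooling, training) instead of closing incidents.
    capacity_hours:    analyst hours available per week (assumed).
    arrivals_*:        incidents per week, growing linearly (constructed).
    learn_rate:        capability gained per hour of improvement work (assumed).
    erosion:           weekly fraction of learned capability that decays as
                       procedures go stale and people leave (assumed).
    """
    backlog = 0.0   # open incidents carried into the next week
    learned = 0.0   # capability above the baseline of 1 incident per hour
    history = []
    for week in range(weeks):
        arrivals = arrivals_start + arrivals_growth * week
        handling_hours = capacity_hours * (1.0 - improvement_share)
        improvement_hours = capacity_hours * improvement_share
        # Each handling hour closes (1 + learned) incidents.
        max_closed = handling_hours * (1.0 + learned)
        closed = min(backlog + arrivals, max_closed)
        # Clamp so floating-point residue cannot make the backlog negative.
        backlog = max(0.0, backlog + arrivals - closed)
        # Improvement work adds capability; all learned capability erodes.
        learned = learned * (1.0 - erosion) + learn_rate * improvement_hours
        history.append((week, backlog, 1.0 + learned))
    return history


def backlog_at(history, week):
    """Open incidents at the end of the given week."""
    return history[week][1]


def crossover_week(baseline, investing):
    """First week in which the investing team's backlog is strictly below the
    baseline team's, or None if the investment never pays off in the horizon."""
    for (week, base_backlog, _), (_, inv_backlog, _) in zip(baseline, investing):
        if inv_backlog < base_backlog:
            return week
    return None


if __name__ == "__main__":
    firefight = simulate(0.0)   # every hour goes to incidents
    invest = simulate(0.2)      # 20% of hours go to capability work
    for week in (0, 5, 10, 20, 30, 52, 103):
        print(f"week {week:3d}: firefighting backlog {backlog_at(firefight, week):7.1f}  "
              f"investing backlog {backlog_at(invest, week):7.1f}  "
              f"investing capability {invest[week][2]:.2f}")
    print("investing team overtakes firefighting team at week",
          crossover_week(firefight, invest))
```

With these constructed parameters the investing team carries a backlog for the first twenty weeks while the firefighting team has none, which is exactly the short-term pressure the abstract says pushes a CSIRT away from capability work; after that the firefighting team's backlog grows without bound while the investing team's stays at zero. Changing `arrivals_growth` or `erosion` moves the crossover week, and a large enough erosion relative to `learn_rate` removes it entirely, which is one way to read the capability trap.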