Limits to Effectiveness in Computer Security Incident Response Teams
August 2005 • White Paper
Johannes Wiik (Agder University College, Norway), Jose J. Gonzalez (Agder University College, Norway)
In this paper, the authors present a first attempt to better understand how a CSIRT can handle a growing workload with limited resources.
Abstract
In a continuously changing environment, a Computer Security Incident Response Team (CSIRT) has to evolve to sustain or improve its effectiveness. The main task of a CSIRT is to mitigate the effects of computer security incidents. A frequently identified problem is that CSIRTs are overworked, understaffed and underfunded. We present a System Dynamics simulation model of such conditions based on a case study. The model is a first attempt to understand the main factors influencing a CSIRT’s effectiveness and to improve its performance. Based on theory from process improvement and information from the case study, we identified that short-term pressure from a growing incident workload prevents attempts at developing more response capability in the long term, leading the CSIRT into a “capability trap”. Fundamental solutions will typically involve a worse-before-better trade-off for management.
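As an added illustration of the worse-before-better dynamic described in the abstract (constructed for this page, not the authors' model, whose structure and parameters are not given here), the following toy stock-and-flow simulation compares a purely reactive effort allocation with one that reserves a share of analyst time for building response capability. All parameter values, and the function names `simulate` and `compare`, are assumptions chosen for illustration.

```python
# Constructed toy System Dynamics model of a CSIRT "capability trap".
# Two stocks: the incident backlog and the team's response capability
# (incidents an analyst can close per hour). A fixed daily effort budget is
# split between handling incidents and improving capability (tooling,
# training, automation). All parameter values are assumptions for
# illustration and are not taken from the paper.

def simulate(improve_share, days=365, base_arrivals=8.0, arrival_growth=0.02,
             staff_hours=40.0, capability=0.25, cap_gain=0.0002,
             cap_decay=0.0005):
    """Return the daily incident backlog under a fixed allocation policy.

    improve_share: fraction of staff hours spent on capability building.
    cap_gain: capability added per hour of improvement work.
    cap_decay: daily fraction of capability lost (skills and tools go stale).
    """
    backlog = 0.0
    history = []
    for day in range(days):
        arrivals = base_arrivals + arrival_growth * day   # growing workload
        handle_hours = staff_hours * (1.0 - improve_share)
        improve_hours = staff_hours * improve_share
        # Cannot close more than what is waiting, nor more than capacity.
        closed = min(backlog + arrivals, handle_hours * capability)
        backlog = backlog + arrivals - closed
        # Capability grows with improvement effort and erodes over time.
        capability += cap_gain * improve_hours - cap_decay * capability
        history.append(backlog)
    return history


def compare(days=365, early_window=30, improve_share=0.25):
    """Contrast a purely reactive policy with one that reserves effort for
    capability building: the investing policy looks worse early (larger
    backlog) but ends far better once capability has grown."""
    reactive = simulate(0.0, days)
    investing = simulate(improve_share, days)
    return {
        "reactive_early_peak": max(reactive[:early_window]),
        "investing_early_peak": max(investing[:early_window]),
        "reactive_final": reactive[-1],
        "investing_final": investing[-1],
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.1f}")
```

Under these assumed parameters the reactive team keeps a zero backlog for the first weeks while the investing team briefly falls behind, but by the end of the year the reactive backlog has run away while the investing team has cleared its queue.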