Robin Ruefle
Software Engineering Institute
Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. Ruefle's focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CSIRT Development Team, Ruefle develops and delivers courses for CSIRT managers and incident handling staff. Ruefle has co-authored: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services List, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, and numerous other articles and guides. She is currently working with the rest of the CSIRT Development Team on developing a methodology for assessing CSIRT and incident management operations. As part of this work she co-authored the beta version of the Federal Computer Network Defense (CND) Metrics. The Federal CND Metrics are being developed to provide federal, state, and local agencies with a method for evaluating the effectiveness of an agency's incident management or CSIRT capability (focusing on the Protect, Detect, Respond, and Sustain functions). Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in both the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.
Publications by Robin Ruefle
Benchmarking Organizational Incident Management Practices
December 17, 2019 • Podcast
Robin Ruefle, Mark Zajicek
Robin Ruefle and Mark Zajicek discuss recent work that provides a baseline or benchmark of incident management practices for an organization.
Incident Management Capability Assessment
December 19, 2018 • Technical Report
Audrey J. Dorofee, Robin Ruefle, Mark Zajicek
The capabilities presented in this report provide a benchmark of incident management practices.
Pattern-Based Design of Insider Threat Programs
December 09, 2014 • Technical Note
Andrew P. Moore, Matthew L. Collins, Dave Mundie
In this report, the authors describe a pattern-based approach to designing insider threat programs that could provide a better defense against insider threats.
An Incident Management Ontology
November 25, 2014 • Conference Paper
Dave Mundie, Robin Ruefle, Audrey J. Dorofee
In this paper, the authors describe the shortcomings of the incident management meta-model and how an incident management ontology addresses those shortcomings.
An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
May 30, 2014 • Technical Note
Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.
Components and Considerations in Building an Insider Threat Program
November 07, 2013 • Webinar
Carly L. Huth, Robin Ruefle
In this November 2013 webinar, Carly Huth and Robin Ruefle discuss the key components you should consider when you're developing new insider threat programs.
The Role of Computer Security Incident Response Teams in the Software Development Life Cycle
August 20, 2013 • White Paper
Robin Ruefle
In this paper, Robin Ruefle describes how incident management can provide input to the software development process.
Building an Incident Management Body of Knowledge
September 07, 2012 • White Paper
Dave Mundie, Robin Ruefle
In this paper, the authors describe the components of the CERT Incident Management Body of Knowledge (CIMBOK) and how they were constructed.
Competency Lifecycle Roadmap: Toward Performance Readiness
September 01, 2012 • Technical Note
Sandra Behrens, Christopher J. Alberts, Robin Ruefle
In this report, the authors describe the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness.
Incident Management Mission Diagnostic Method, Version 1.0
March 01, 2008 • Technical Report
Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle
This report is superseded by the Mission Risk Diagnostic for Incident Management Capabilities, CMU/SEI-2014-TN-004.
The Real Secrets of Incident Management
April 03, 2007 • Podcast
Stephanie Losi, Georgia Killcrece, Robin Ruefle
In this podcast, participants explain that incident management is not just technical response, but a cross-enterprise effort.
Defining Computer Security Incident Response Teams
January 24, 2007 • White Paper
Robin Ruefle
In this paper, Robin Ruefle describes the purpose and goals of a computer security incident response team (CSIRT).
Defining Incident Management Processes for CSIRTs: A Work in Progress
October 01, 2004 • Technical Report
Christopher J. Alberts, Audrey J. Dorofee, Georgia Killcrece
In this report, the authors present a prototype best practice model for performing incident management processes and functions.
Organizational Models for Computer Security Incident Response Teams (CSIRTs)
December 01, 2003 • Handbook
Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle
This 2003 report describes different organizational models for implementing incident handling capabilities, including each model's advantages and disadvantages and the kinds of incident management services that best fit with it.
State of the Practice of Computer Security Incident Response Teams (CSIRTs)
October 01, 2003 • Technical Report
Georgia Killcrece, Klaus-Peter Kossakowski, Robin Ruefle
In this 2003 report, the authors provide a study of the state of the practice of incident response, based on how CSIRTs around the world are operating.
Handbook for Computer Security Incident Response Teams (CSIRTs)
April 01, 2003 • Handbook
Moira West Brown, Don Stikvoort, Klaus-Peter Kossakowski
In this 2003 handbook, the authors describe different organizational models for implementing incident handling capabilities.