Developing decision support for cybersecurity threat and incident managers

Developing decision support for cybersecurity threat and incident managers

van der Kleij, R.
Schraagen, J.M.
Cadet, B.
Young, H.

2022

Cybersecurity threat and incident managers in large organizations, especially in the financial sector, are confronted more and more with an increase in volume and complexity of threats and incidents. At the same time, these managers have to deal with many internal processes and criteria, in addition to requirements from external parties, such as regulators that pose an additional challenge to handling threats and incidents. Little research has been carried out to understand to what extent decision support can aid these professionals in managing threats and incidents. The purpose of this research was to develop decision support for cybersecurity threat and incident managers in the financial sector. To this end, we carried out a cognitive task analysis and the first two phases of a cognitive work analysis, based on two rounds of in-depth interviews with ten professionals from three financial institutions. Our results show that decision support should address the problem of balancing the bigger picture with details. That is, being able to simultaneously keep the broader operational context in mind as well as adequately investigating, containing and remediating a cyberattack. In close consultation with the three financial institutions involved, we developed a critical-thinking memory aid that follows typical incident response process steps, but adds big picture elements and critical thinking steps. This should make cybersecurity threat and incident managers more aware of the broader operational implications of threats and incidents while keeping a critical mindset. Although a summative evaluation was beyond the scope of the present research, we conducted iterative formative evaluations of the memory aid that show its potential.

Cybersecurity
Cognitive task analysis
Cognitive work analysis
Decision support
Incident response
Information security risk management

http://resolver.tudelft.nl/uuid:21d52bef-3607-4cb6-9128-16408e085a31

https://doi.org/10.1016/j.cose.2021.102535

960989

Computers and Security, 113 (113)

article