Within large organizations, the defense of cyber assets generally involves the use of various mechanisms, such as intrusion detection systems, to alert cyber security personnel to suspicious network activity. Resulting alerts are reviewed by the organization's cyber security personnel to investigate and assess the threat and initiate appropriate actions to defend the organization's network assets. While automated software routines are essential to cope with the massive volumes of data transmitted across data networks, the ultimate success of an organization's efforts to resist adversarial attacks upon their cyber assets relies on the effectiveness of individuals and teams. This paper reports research to understand the factors that impact the effectiveness of Cyber Security Incidence Response Teams (CSIRTs). Specifically, a simulation is described that captures the workflow within a CSIRT. The simulation is then demonstrated in a study comparing the differential response time to threats that vary with respect to key characteristics (attack trajectory, targeted asset and perpetrator). It is shown that the results of the simulation correlate with data from the actual incident response times of a professional CSIRT.