In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
Computer security incident response teams (CSIRTs) respond to a computer security incident when the need arises. Failure of these teams can have far-reaching effects for the economy and national security. CSIRTs often have to work on an ad hoc basis, in close cooperation with other teams, and in time constrained environments. It could be argued that under these working conditions CSIRTs would be likely to encounter problems. A needs assessment was done to see to which extent this argument holds true. We constructed an incident response needs model to assist in identifying areas that require improvement. We envisioned a model consisting of four assessment categories: Organization, Team, Individual and Instrumental. Central to this is the idea that both problems and needs can have an organizational, team, individual, or technical origin or a combination of these levels. To gather data we conducted a literature review. This resulted in a comprehensive list of challenges and needs that could hinder or improve, respectively, the performance of CSIRTs. Then, semi-structured in depth interviews were held with team coordinators and team members of five public and private sector Dutch CSIRTs to ground these findings in practice and to identify gaps between current and desired incident handling practices. This paper presents the findings of our needs assessment and ends with a discussion of potential solutions to problems with performance in incident response. https://doi.org/10.3389/fpsyg.2017.02179 LinkedIn: https://www.linkedin.com/in/rickvanderkleij1/
MULTIFILE
Cybersecurity threat and incident managers in large organizations, especially in the financial sector, are confronted more and more with an increase in volume and complexity of threats and incidents. At the same time, these managers have to deal with many internal processes and criteria, in addition to requirements from external parties, such as regulators that pose an additional challenge to handling threats and incidents. Little research has been carried out to understand to what extent decision support can aid these professionals in managing threats and incidents. The purpose of this research was to develop decision support for cybersecurity threat and incident managers in the financial sector. To this end, we carried out a cognitive task analysis and the first two phases of a cognitive work analysis, based on two rounds of in-depth interviews with ten professionals from three financial institutions. Our results show that decision support should address the problem of balancing the bigger picture with details. That is, being able to simultaneously keep the broader operational context in mind as well as adequately investigating, containing and remediating a cyberattack. In close consultation with the three financial institutions involved, we developed a critical-thinking memory aid that follows typical incident response process steps, but adds big picture elements and critical thinking steps. This should make cybersecurity threat and incident managers more aware of the broader operational implications of threats and incidents while keeping a critical mindset. Although a summative evaluation was beyond the scope of the present research, we conducted iterative formative evaluations of the memory aid that show its potential.
DOCUMENT
Critical incident response (CIR) has evolved to require a high level of cultural competence, customization, and adaptability to meet the needs of client organizations while incorporating clinical best practices and current research. The Critical Incident Outcome Measure (CIOM) is a timely and pioneering evidence-based evaluative tool developed by Morneau Shepell over the course of a four-year period. The CIOM tool, based on the Workplace Outcomes Suite (WOS) tool originally developed in 2010, was developed in 2016 [Herlihy et.al., 2018]; beta tests and modifications, along with the publication of a validation paper, were completed in 2017; further feedback was incorporated and an implementation plan developed in 2018; and full program implementation began in 2019.
LINK
Limited evidence is available about (non)-representativeness of participants in health-promoting interventions. The Dutch Healthy Primary School of the Future (HPSF)-study is a school-based study aiming to improve health through altering physical activity and dietary behaviour, that started in 2015 (registered in ClinicalTrials.gov on14-06-2016, NCT02800616). The study has a response rate of 60%. A comprehensive non-responder analysis was carried out, and responders were compared with schoolchildren from the region and the Netherlands using a cross-sectional design. External sources were consulted to collect non-responder, regional, and national data regarding relevant characteristics including sex, demographics, health, and lifestyle. The Chi-square test, Mann-Whitney U test, or Student's t-test were used to analyse differences.
DOCUMENT
"Probation is a fast-developing field that plays an important role in the response to crime and the prevention of reoffending. Probation covers various sanctions and community-based measures, including supervision and community service, designed to promote community safety and the social inclusion of offenders. This brochure is intended for justice ministers, other politicians and senior civil servants interested in setting up or upgrading a probation service. The ‘key message’ highlights the main topics and messages in this brochure. Readers who want to learn more about the benefits of probation and about how to bring these into practice should read the full text."
DOCUMENT
"Probation is a fast-developing field that plays an important role in the response to crime and the prevention of reoffending. Probation covers various sanctions and community-based measures, including supervision and community service, designed to promote community safety and the social inclusion of offenders. This brochure is intended for justice ministers, other politicians and senior civil servants interested in setting up or upgrading a probation service. The ‘key message’ highlights the main topics and messages in this brochure. Readers who want to learn more about the benefits of probation and about how to bring these into practice should read the full text."
DOCUMENT
OBJECTIVE: To determine the value of training for the Emergency Management of Severe Burns (EMSB) for medical and nursing staff working in emergency care as measured by their performance in a simulated burn incident online program.METHODS: An Internet-based questionnaire, which included a simulated burn incident, was developed. All of the medical and nursing staff in hospital emergency departments and ambulance services in the Netherlands were invited to complete this questionnaire. The effect of EMSB training on the individual's knowledge of and performance in the emergency management of a burn victim was evaluated because some of the respondents had participated in EMSB training, whereas others had not.RESULTS: Of the 280 responses received, 198 questionnaires were included in the analysis. The analyzed questionnaires were submitted by nurses (43%), ambulance workers (33%), and physicians (23%). Only 14% of the people in the study had participated in EMSB training, whereas 78% had received other or additional life support training and 22% of respondents had no additional life support training. Medical and nursing staff who had participated in EMSB training performed better in the following subjects: mentioning hypothermia as a focus of attention (70% versus 53%, p=0.085), correct use of hand size (70% versus 36%, p=0.001) and use of the correct hand percentage in the estimation of total body surface area (TBSA, 82% versus 57%, p=0.015), suspicion of no airway obstruction in an outdoor trauma (93% versus 63%, p = 0.002) and referral of functional area burns to a burn center (22% versus 8%, p = 0.04). However, both groups overestimated the TBSA (34% of the total group overestimated ≥ 20%) and did not know the correct formula for fluid resuscitation (87% of the total group).CONCLUSION: There is some evidence that medical staff members who have participated in EMSB training have a better knowledge of emergency management and are more effective in the management of a simulated burn case. However, both individuals who had participated in EMSB as well as those who had not participated in EMSB needed additional training in EMSB.
DOCUMENT
from the repository of Utrecht University: "PURPOSE: Previously, a high prevalence of certain psychiatric disorders was shown among non-Western immigrants. This study explores whether this results in more prescriptions for psychotropic medication. METHODS: Data on dispensing of medication among adults living in the four largest Dutch cities in 2013 were linked to demographic data from Statistics Netherlands. Incident (i.e., following no dispensing in 2010-2012) and prevalent dispensing among immigrants was compared to that among native Dutch (N = 1,043,732) and analyzed using multivariable Poisson and logistic regression. RESULTS: High adjusted Odds Ratios (ORadj) of prevalent and high Incidence Rate Ratios (IRRadj) of incident dispensing of antipsychotics were found among Moroccan (N = 115,455) and Turkish individuals (N = 105,460), especially among young Moroccan males (ORadj = 3.22 [2.99-3.47]). Among Surinamese (N = 147,123) and Antillean individuals (N = 41,430), slightly higher rates of dispensed antipsychotics were found and the estimates decreased after adjustment. The estimates for antipsychotic dispensing among the Moroccan and Turkish increased, following adjustment for household composition. Rates for antidepressant dispensing among Turkish and Moroccan subjects were high (Moroccans: ORadj = 1.74 [1.70-1.78]). Among Surinamese and Antillean subjects, the rates for antidepressant dispensing were low and the ORadjlagged behind the IRRadj(Surinamese: 0.69 [0.67-0.71] vs. 1.06 [1.00-1.13]). Similar results were found for anxiolytics. For ADHD medication, lower dispensing rates were found among all migrant groups. CONCLUSIONS: The findings agree with earlier reports of more mental health problems among Moroccan and Turkish individuals. Surinamese/Antillean individuals did not use psychotropic drugs at excess and discontinued antidepressants and anxiolytics earlier. The data strongly suggest under-treatment for ADHD in all ethnic minority groups."
LINK
