In case of a major cyber incident, organizations usually rely on
external providers of Cyber Incident Response (CIR) services.
CIR consultants operate in a dynamic, constantly changing
environment in which they must actively engage in information
management and problem solving while adapting to complex
circumstances. In this challenging environment, CIR consultants
need to make critical decisions about what to advise clients
impacted by a major cyber incident.
Despite its relevance, CIR decision making is an understudied
topic. The objective of this preliminary investigation is therefore
to understand what decision-making strategies experienced
CIR consultants use during challenging incidents and to offer
suggestions for training and decision aiding.
A general understanding of operational decision making
under pressure, uncertainty, and high stakes was established
by reviewing the body of knowledge known as Naturalistic
Decision Making (NDM). The general conclusion of NDM
research is that experts usually make adequate decisions
based on (fast) recognition of the situation and applying the
most obvious (default) response pattern that has worked in
similar situations in the past. In exceptional situations, however,
this recognition-primed decision making results in suboptimal
decisions, as experts are likely to miss conflicting cues once the
situation has been quickly recognized under pressure.
Understanding the default response pattern and the rare
occasions on which it can be ineffective is therefore key to
improving and aiding cyber incident response decision making.
To this end, we interviewed six experienced CIR consultants and
used the critical decision method (CDM) to learn how they made
decisions under challenging conditions.
The main conclusion is that the default response pattern for
CIR consultants during cyber breaches is to reduce uncertainty
as much as possible by gathering and investigating data
and thus delay decision making about eradication until the
investigation is completed. According to the respondents, this
strategy usually works well and provides the most assurance
that the threat actor can be completely removed from the
network. However, the majority of respondents could recall at
least one case in which this strategy (in hindsight) resulted in
unnecessary theft of data or damage.
Interestingly, this finding differs strikingly from other
operational decision-making domains, such as the military,
police and fire service, in which there is a general tendency to
act rapidly rather than search for more information.
The main advice is that training and decision aiding of
(novice) cyber incident responders should be aimed at the
following: (a) make cyber incident responders aware of how
recognition-primed decision making works; (b) discuss the
default response strategy that typically works well in several
scenarios; (c) explain the exception and how the exception can
be recognized; (d) provide alternative response strategies that
work better in exceptional situations.