In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
In this thesis several studies are presented that have targeted decision making about case management plans in probation. In a case management plan probation officers describe the goals and interventions that should help offenders stop reoffending, and the specific measures necessary to reduce acute risks of recidivism and harm. Such a plan is embedded in a judicial framework, a sanction or advice about the sanction in which these interventions and measures should be executed. The topic of this thesis is the use of structured decision support, and the question is if this can improve decision making about case management plans in probation and subsequently improve the effectiveness of offender supervision. In this chapter we first sketch why structured decision making was introduced in the Dutch probation services. Next we describe the instrument for risk and needs assessment as well as the procedure to develop case management plans that are used by the Dutch probation services and that are investigated in this thesis. Then we describe the setting of the studies and the research questions, and we conclude with an overview of this thesis.
Hoofdstuk in Progression in forensic Psychiatry: About Boundaries van prof. mr. Marc Groenhuijsen en prof. dr. T.I. Oei. As a young adolescent the man started using soft drugs and as a result was expelled from school. Following a registration with RIAGG he was placed in a children’s home for some years. From the age of twenty he was a frequent substance user. He got hold of these substances because his father was a dealer. There were contacts with psychiatrists and psychologists and he was on an anti-psychotic medication that is prescribed with schizophrenia. Over a period of eight years he was admitted eight times to a psychiatric hospital with diagnoses such as recurring paranoid schizophrenia, recurring poly-hard drugs use and ADHD. During his hospitalizations he took no medication, did not satisfactorily comply with agreements and frequently withdrew from treatment prematurely in spite of advice to the contrary. He was ultimately given Tbs (1). In the introduction of a theme issue on Mental Health Care and Justice of Justitiële Verkenningen [Judicial explorations] from 1991 concerning such a track record it was stated that many stories can be told about it. “Two of them have farreaching consequences. From the point of view of the judiciary the track record is evaluated as to the degree of guilt casu quo attribution and the need to make society secure. From the point of view of mental health care a person with a mental disorder committed an offence as a result of his condition and needs help” (2) Dangerous or mad, that is the division that is sectorially made.
