Rodrigo Werlinger ; David Botta

13 June 2007

Abstract: This study develops categories of responses to security incidents, based on a grounded theory analysis of interviews with security practitioners, with a focus on the tasks performed during security incidents, and the necessary resources to perform these tasks. The results include a list of types of incidents, a model for the tasks, the skills employed, and the strategies used during security incidents. A security incident can be understood in terms of three stages: detection, analysis, and response. Each stage is comprised by tasks that are performed using different skills, strategies, and resources. We also recommend that development of security tools focus on: correlation of multiple sources of information, including the activities of different projects in distributed environments; and better trade-off between portability and visualization.

Keyword(s): hot admin ; security tasks ; resources ; collaborative work ; security incident

Published in: Rodrigo Werlinger, David Botta, "Detecting, Analyzing and Responding to Security Incidents: A Qualitative Analysis," in Workshop on Usable IT Security Management (USM'07), July 18, 2007, Pittsburgh, PA, USA.: