Informing Hybrid System Design in Cyber Security Incident Response


This article is free to access.

Abstract

Computer security incident response is a complex socio-technical environment that provides the first line of defense against network intrusions, but struggles to obtain and keep qualified analysts at different levels of response. Practical approaches have focused on the larger skillsets and myriad supply channels for getting more qualified candidates. Research approaches to this problem space have been limited in scope and effectiveness, and may be partially or completely removed from actual security operations environments. As low-level incident response (IR) activities move towards automation, context-based research may provide valuable insights for developing hybrid systems that can both execute IR tasks and coordinate with human analysts. This paper presents insights originating from qualitative research with the analysts who currently perform IR functions, and discusses challenges in performing contextual inquiry in this setting. This article also acts as the first in a series of papers by the authors that translate these findings to hybrid system requirements.

Cite

Nyre-Yu, M., Sprehn, K. A., & Caldwell, B. S. (2019). Informing Hybrid System Design in Cyber Security Incident Response. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11594 LNCS, pp. 325–338). Springer Verlag. https://doi.org/10.1007/978-3-030-22351-9_22
