Identifying a Shared Mental Model Among Incident Responders

Author

Floodeen, Robert ; Haller, John ; Tjaden, Brett

Author_Institution

Software Eng. Inst., Carnegie Mellon Univ., Pittsburgh, PA, USA

fYear

2013

fDate

12-14 March 2013

Firstpage

15

Lastpage

25

Abstract

Typically, there is a direct correlation between the time to resolve an incident and the damage sustained by an organization, with faster resolution of the incident resulting in less damage to the organization. Therefore, improving coordination between organizations experiencing the same or related incidents allows faster resolution and hence less damage to each organization. Coordination, however, means more than simply communicating during an incident - effective communication is critical. In this paper we explore how effective communication might be improved by the development of a mental model internalized by the group´s technical staff prior to an incident. In this paper, we present the results of an exercise we conducted to determine whether an ad-hoc group of incident responders share a schema for decision making, and, if not, what some of the decision criteria (questions) and types of values (answers) might be that would allow the creation of a shared mental model for incident response.

Keywords

cognition; computer network security; decision making; military computing; organisational aspects; CSIRT; ad-hoc incident responder group; decision criteria; decision making; effective communication improvement; group technical staff; military computer security incident response teams; organization coordination improvement; organizational damage; shared mental model; value types; Forensics; Security; Decision Criteria; Incident Response; Mental Models;

fLanguage

English

Publisher

ieee

Conference_Titel

IT Security Incident Management and IT Forensics (IMF), 2013 Seventh International Conference on

Conference_Location

Nuremberg

Print_ISBN

978-1-4673-6307-5

Type

conf

DOI

10.1109/IMF.2013.21

Filename

6568550