CYCR, Mar 24, 2019

Review of human decision-making during computer security incident analysis

arXiv:1903.10080v1, 19 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses gaps in decision-making guidance for security analysts during incident response, but it is incremental: it reviews and synthesizes existing standards without proposing new methods.

The paper reviews existing standards and advice on human decision-making in computer security incident response, identifying strengths in task-specific guidance but gaps in prioritization, interpretation, generalization, and reporting under time constraints.

We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis.
