Asymmetry of People’s Time When Handling Major Security Incidents

Successful cyber attacks often have an element of asymmetry, where the adversary's effort or costs are significantly smaller than those of the target. Such dynamics are often manifested with respect to the time spent by attackers and defenders in the context of the incident.

Consider the situation where organizations experience a significant data breach or a denial-of-service attack. Caught unprepared, enterprises without mature incident response programs often work themselves into a frenzy, calling for all-hands-on-deck meetings, micromanaging investigative and recovery tasks, and asking responders to work night and day to deal with the situation. The aggregate time spent such organizations on the incident can be disproportionately higher to that expanded by the adversary.

The activities outlined above are costly, because people's time is expensive, especially when you account for opportunity costs. The various employees involved in responding to the incident cannot pay attention to other responsibilities. Moreover, incident response can involve long work hours, which affects people's productivity. Working under stressful conditions increases the likelihood of mistakes, which necessitates the need for additional time to recover from the errors. As the result, the cost of dealing with the incident can balloon very quickly.

The best way to avoid overreaction that will lead to spending too much time on the incident is to be prepared. By defining the incident handling plan, the role that people will play, the escalation procedures, communication expectations and related details, the organization can avoid drawing into the response process unnecessary personnel. This will also avoid performing unnecessary tasks or duplicate efforts that can further contribute to time waste. (In addition to defining the plan, the company should also exercise it.)

In the words of Delmore Schwartz, "time is the fire in which we burn." So when deciding how your organization will respond to a security incident, make judicious use of the time people will spend dealing with the situation. If you need help preparing for or dealing with computer security incidents, take a look at some of the cheat sheets I prepared on this topic.

Updated July 21, 2016
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more