Security builder & leader

Asymmetry of People's Time When Handling Major Security Incidents

Organizations without mature incident response programs overreact to breaches—calling all-hands meetings, micromanaging tasks, demanding night-and-day work—spending disproportionate time compared to what attackers invested. Preparation with defined plans, roles, and escalation procedures avoids drawing unnecessary personnel into the response.

Successful cyber attacks often have an element of asymmetry, where the adversary’s effort or costs are significantly smaller than those of the target. Such dynamics are often manifested with respect to the time spent by attackers and defenders in the context of the incident.

Consider the situation where an organization experiences a significant data breach or a denial-of-service attack. Caught unprepared, enterprises without mature incident response programs often work themselves into a frenzy, calling for all-hands-on-deck meetings, micromanaging investigative and recovery tasks, and asking responders to work night and day to deal with the situation. The aggregate time such organizations spend on the incident can be disproportionately higher than the time expended by the adversary.

The activities outlined above are costly, because people’s time is expensive, especially when you account for opportunity costs. The various employees involved in responding to the incident cannot pay attention to their other responsibilities. Moreover, incident response can involve long work hours, which affects people’s productivity. Working under stressful conditions increases the likelihood of mistakes, which in turn requires additional time to recover from the errors. As a result, the cost of dealing with the incident can balloon very quickly.

The best way to avoid an overreaction that leads to spending too much time on the incident is to be prepared. By defining the incident handling plan, the roles people will play, the escalation procedures, communication expectations and related details, the organization can avoid drawing unnecessary personnel into the response process. This will also avoid unnecessary tasks and duplicated efforts that further contribute to wasted time. (In addition to defining the plan, the company should also exercise it.)

In the words of Delmore Schwartz, “time is the fire in which we burn.” So when deciding how your organization will respond to a security incident, make judicious use of the time people will spend dealing with the situation.

If you need help preparing for or dealing with computer security incidents, take a look at some of the cheat sheets I prepared on this topic.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.
