Asymmetry of People’s Time When Handling Major Security Incidents

Successful cyber attacks often have an element of asymmetry: the adversary’s effort or cost is significantly smaller than the target’s. This dynamic frequently shows up in the amount of time attackers and defenders spend on the incident.

Consider the situation where an organization experiences a significant data breach or a denial-of-service attack. Caught unprepared, enterprises without mature incident response programs often work themselves into a frenzy, calling all-hands-on-deck meetings, micromanaging investigative and recovery tasks, and asking responders to work night and day to deal with the situation. The aggregate time such organizations spend on the incident can be disproportionately higher than the time expended by the adversary.

The activities outlined above are costly, because people’s time is expensive, especially when you account for opportunity costs. The employees involved in responding to the incident cannot attend to their other responsibilities. Moreover, incident response can involve long work hours, which erodes people’s productivity. Working under stressful conditions increases the likelihood of mistakes, which in turn requires additional time to recover from the errors. As a result, the cost of dealing with the incident can balloon very quickly.

The best way to avoid an overreaction that leads to spending too much time on the incident is to be prepared. By defining the incident handling plan in advance, including the roles people will play, the escalation procedures, communication expectations and related details, the organization can avoid drawing unnecessary personnel into the response process. A defined plan also prevents the unnecessary or duplicated tasks that further waste time. (In addition to defining the plan, the company should also exercise it.)

In the words of Delmore Schwartz, “time is the fire in which we burn.” So when deciding how your organization will respond to a security incident, make judicious use of the time people will spend dealing with the situation. If you need help preparing for or dealing with computer security incidents, take a look at some of the cheat sheets I prepared on this topic.


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
