Asymmetry of People’s Time When Handling Major Security Incidents

Successful cyber attacks often have an element of asymmetry, where the adversary’s effort or costs are significantly smaller than those of the target. Such dynamics are often manifested with respect to the time spent by attackers and defenders in the context of the incident.

Consider the situation where organizations experience a significant data breach or a denial-of-service attack. Caught unprepared, enterprises without mature incident response programs often work themselves into a frenzy, calling for all-hands-on-deck meetings, micromanaging investigative and recovery tasks, and asking responders to work night and day to deal with the situation. The aggregate time spent by such organizations on the incident can be disproportionately higher than that expended by the adversary.

The activities outlined above are costly, because people’s time is expensive, especially when you account for opportunity costs. The various employees involved in responding to the incident cannot pay attention to other responsibilities. Moreover, incident response can involve long work hours, which affects people’s productivity. Working under stressful conditions increases the likelihood of mistakes, which in turn require additional time to recover from. As a result, the cost of dealing with the incident can balloon very quickly.

The best way to avoid an overreaction that leads to spending too much time on the incident is to be prepared. By defining the incident handling plan, the roles that people will play, the escalation procedures, communication expectations and related details, the organization can avoid drawing unnecessary personnel into the response process. This will also avoid unnecessary tasks and duplicated efforts that can further contribute to wasted time. (In addition to defining the plan, the company should also exercise it.)

In the words of Delmore Schwartz, “time is the fire in which we burn.” So when deciding how your organization will respond to a security incident, make judicious use of the time people will spend dealing with the situation. If you need help preparing for or dealing with computer security incidents, take a look at some of the cheat sheets I prepared on this topic.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
