Abstract

Purpose: The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.

Design/methodology/approach: The data set consisted of 16 semi-structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.

Findings: The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.

Research limitations/implications: Owing to the nature of semi-structured interviews, not all participants discussed security incident response at the same level of detail. More data are required to generalize and refine the findings.

Originality/value: The contribution of the work is twofold. First, using empirical data, the paper analyzes and describes the tasks, skills, strategies, and tools that security practitioners use to diagnose security incidents. The findings enhance the research community's understanding of the diagnostic work during security incident response. Second, the paper identifies opportunities for future research directions related to improving security tools.

Highlights

  • Diagnosis is prevalent during security incident response, one of the primary responsibilities of security practitioners (Botta et al., 2007; Kandogan and Haber, 2005)

  • Our results extend the findings of Werlinger et al. (2009), who identify nine activities that require security practitioners to interact with other stakeholders, one of which is security incident response

  • Before we present our results, we provide an overview of the diagnostic process during security incident response (see Figure 1 (A, B, C, and D), adapted from Werlinger et al. (2009))


Summary

Introduction

Diagnosis is prevalent during security incident response, one of the primary responsibilities of security practitioners (Botta et al., 2007; Kandogan and Haber, 2005). Spafford highlights that the security community has been unable to learn the importance of communication during incident response. He proposes that the security community should find better ways to coordinate during incidents and to distribute incident-related information. While a number of organizations provide guidelines for the incident response process (e.g. the Computer Emergency Response Team (CERT) and the National Institute of Standards and Technology (NIST)), there are few empirical investigations of how security practitioners respond to incidents (for exceptions, see, for instance, Goodall et al. (2004a) and Riden (2006)). The research presented in this paper aims to fill this gap.
