Incident Response Time Research Articles

Building capability and community through cyber-incident response exercises

While a natural disaster or related threat may impact an organisation at some point, it is more likely (even inevitable) that it will be the victim of a cyber attack. The solution to being better prepared for these imminent attacks is to undertake more lightweight and frequent incident response (IR) exercises to help build capabilities and community through a tighter, recurring cycle of planning, conducting and assessing. To boost the facilitation of IR exercises, organisations must leverage the established relationships between business continuity management (BCM) or resilience staff (both of which are familiar with business continuity and disaster recovery exercises), and their information security office. As BCM will ultimately be involved in response and recovery after a cyber attack, it is intuitively more effective to collaborate with BCM in advance. Indeed, it has been substantiated that BCM engagement improves incident response time and reduces incident response costs. This paper concludes that involving BCM or resilience departments in IR exercises contributes to more effective responses to actual incidents.

Design and deployment of zero-trust SMPC algorithm to enhance financial cybersecurity in small and medium scale supply chains in the United States

This study designs and deploys zero-trust secure multiparty computation (SMPC) algorithms to enhance financial cybersecurity in small and medium-sized enterprises (SMEs) within the U.S. supply chain. Utilizing TensorFlow for machine learning, Apache Kafka for real-time data processing, and SMPC protocols, the proposed solution aims to provide robust, scalable, and economically viable cybersecurity measures. The research involved developing advanced machine learning-based zero-trust algorithms using TensorFlow, integrating SMPC protocols for secure data computation, and utilizing Apache Kafka for real-time data processing. The algorithms were tested and validated in both simulated and real-world SME environments to evaluate their effectiveness. The implementation of zero-trust SMPC algorithms led to significant improvements in various cybersecurity metrics. The true positive rate (TPR) increased from 85% to 98%, and the false positive rate (FPR) decreased from 5% to 1%. Average incident response time was reduced from 4 hours to 1 hour, and the average cost per incident decreased by 80%, with data loss per incident reduced by 90%. Compliance with GDPR and CCPA standards improved by 35.71% and 38.46%, respectively. User satisfaction increased by 41.67%, and system availability improved from 95% to 99%, with network latency decreasing by 60%. The results demonstrate that zero-trust SMPC algorithms significantly enhance financial cybersecurity for SMEs, reducing security incidents and financial impacts, improving regulatory compliance, and increasing user satisfaction and system performance. These advancements are crucial for strengthening the resilience and stability of the U.S. supply chain, supporting economic growth.

Improving Incident Management Processes with Feature Models

A cybersecurity incident is any event that directly or indirectly affects the confidentiality, availability, or integrity of a system or a service (or its data). The aim of a cyber-incident management process is to restore normal service levels as quickly as possible, by mitigating or eliminating the effects of system service disruptions. During the different phases of a cyber-incident management process, the documentation can be confusing and difficult to comprehend, making it ineffective. This paper aims to improve cyber-incident management processes that already exist by introducing feature models in order to handle incident documentation, classification, prioritisation, and mitigation. An example of an improved cyber-incident process is evaluated with respect to its efficiency and effectiveness, by conducting two case studies. The results of this work reveal that the improved process increases efficiency in addressing and repairing cyber-incidents by reducing the incident response time.

Transforming Cybersecurity into Critical Energy Infrastructure: A Study on the Effectiveness of Artificial Intelligence

This work explores the integration and effectiveness of artificial intelligence in improving the security of critical energy infrastructure, highlighting its potential to transform cybersecurity practices in the sector. The ability of artificial intelligence solutions to detect and respond to cyber threats in critical energy infrastructure environments was evaluated through a methodology that combines empirical analysis and artificial intelligence modeling. The results indicate a significant increase in the threat detection rate, reaching 98%, and a reduction in incident response time by more than 70%, demonstrating the effectiveness of artificial intelligence in identifying and mitigating cyber risks quickly and accurately. In addition, implementing machine learning algorithms has allowed for the early prediction of failures and cyber-attacks, significantly improving proactivity and security management in energy infrastructure. This study highlights the importance of integrating artificial intelligence into energy infrastructure security strategies, proposing a paradigmatic change in cybersecurity management that increases operational efficiency and strengthens the resilience and sustainability of the energy sector against cyber threats.

Security Awareness Programs and Behavioral Patterns in Nigeria Deposit Money Banks: Adopting a Robust Cybersecurity Culture.

In an era marked by evolving cybersecurity threats, understanding the interplay between Security Awareness Programs, Behavioral Patterns, and Cybersecurity Culture is essential for safeguarding organizational assets and maintaining trust in financial institutions. This study investigated this relationship within Nigeria’s Deposit Money Banks, employing a comprehensive analysis of key variables such as Compliance Adherence, Security Policy Acknowledgements, Training Completion Rate, Risk Awareness and Management, Behavioral Analytics, Employee Feedback and Engagement, and Incident Response Time.Utilizing data gathered from a field survey, the study employed multiple regression analysis and tested for hypotheses. Specifically, the study revealed that Compliance Adherence, Training Completion Rate, and Risk Awareness and Management significantly influenced Employee Feedback and Engagement. Compliance Adherence increased Employee Feedback and Engagement by 0.065 (t-stat: 0.750, p = 0.014), Training Completion Rate by 0.397 (t-stat: 3.846, p < 0.001), and Risk Awareness and Management by 0.237 (t-stat: 2.031, p = 0.028). Similarly, Compliance Adherence, Security Policy Acknowledgements, Training Completion Rate, and Risk Awareness and Management significantly impacted Incident Response Time. Compliance Adherence increased Incident Response Time by 0.067 (t-stat: 0.721, p = 0.041), Security Policy Acknowledgements by 0.087 (t-stat: 0.911, p = 0.033), and Training Completion Rate by 0.188 (t-stat: 1.118, p < 0.001). However, Risk Awareness and Management didn’t show significant impact on Incident Response Time. Moreover, Compliance Adherence, Security Policy Acknowledgements, Training Completion Rate, and Risk Awareness and Management significantly contributed to Cybersecurity Culture. Compliance Adherence increased Cybersecurity Culture by 0.523 (t-stat: 0.101, p < 0.001), Security Policy Acknowledgements by 0.041 (t-stat: 0.279, p = 0.011), Training Completion Rate by 0.188 (t-stat: 1.139, p < 0.001), and Risk Awareness and Management by 0.239 (t-stat: 1.453, p = 0.041). These findings offered valuable insights for policymakers, bank management, cybersecurity professionals, and employees, informing the development of effective cybersecurity strategies and risk management policies. By understanding the intricate relationship between Security Awareness Programs, Behavioral Patterns, and Cybersecurity Culture, stakeholders could better navigate the complexities of the cybersecurity landscape and safeguard organizational interests.

The Analysis of Cyber security in Intelligent Transportation Systems Using Multi-Objective Optimization on the Basis of Ratio Analysis (MOORA) Method

Cyber security has become a critical concern in today's interconnected world, with the escalating frequency and sophistication of cyber threats. To effectively protect digital assets and sensitive information, organizations must adopt robust cybersecurity systems. The Multi-Objective Optimization on the basis of Ratio Analysis (MOORA) method has emerged as a promising approach for evaluating and improving cybersecurity systems.This research presents an innovative application of the MOORA method to enhance cybersecurity systems. The MOORA method is a Multi-Criteria Decision Analysis (MCDA) technique that enables decision-makers to rank alternatives based on multiple criteria, ultimately aiding in selecting the most suitable solution. In the context of cybersecurity, various evaluation criteria are considered, such as threat detection accuracy, incident response time, scalability, resource utilization, and cost-effectiveness.Through the integration of the MOORA method, this study offers a systematic and quantitative assessment of cybersecurity systems, addressing the limitations of traditional evaluation techniques that often overlook the complexity of cyber threats. By prioritizing the criteria most relevant to an organization's specific needs and risk profile, decision-makers can make informed choices about investing in the right cybersecurity measures.The practical implementation of the proposed MOORA-based cybersecurity system is demonstrated using real-world data from a diverse set of organizations. The results showcase the effectiveness of the method in guiding cybersecurity decision-making, leading to the identification of optimal solutions that strike the best balance between performance, cost, and resource allocation.The alternatives are A1 is Providing only essential information and continuing to use the service or product, A2 is Giving wrong or partially wrong information as personal data (misinformation), A3 is Closing the account, disposing of, or deactivating the smart device or application and A4 limiting the use of the application, financial institution, or device. The Evaluation parameters are C1 is Low trust in the firm, device, or application, C2 is Poor referrals or negative word-of-mouth from previous users about the service or app, C3 is Negative previous online experience, C4 is Being tech-savvy, experienced, and knowledgeable about recent trends in data privacy and cybersecurity, C5 is The firm or institution not meeting essential privacy and security expectations, such as privacy policies, notices (cookies), seals, etc and C6 is Perceiving that the benefits outweigh the risks of disclosing information.The final result is Limit the use of application, financial institution or device, etc (A4) is got first rank and Provision of strictly necessary Information and continue the use of service or product (A1) is got lowest rank.

Human-Centric Cybersecurity: Understanding and Mitigating the Role of Human Error in Cyber Incidents

In this study, developments in cybersecurity continue to be treated as human deficiencies, such as the territory of policies, procedures and misconduct, mainly cultivating the floods of organizations. The important role of human factors in vulnerability To address this issue of negligence, the study presents a human-centered cybersecurity program that includes ongoing user training of the system, behavioral monitoring, and proposals including detection tools enhanced by AI. The research objectives are twofold: first, to examine how human actions contribute to cyber vulnerabilities, and second, to identify effective ways to mitigate these risks through user-centered approaches integration of roles found that the results show that human-centered policies significantly improve cybersecurity outcomes. Phishing error rates dropped from 15-20% to 5-10%, and password misuse dropped from 30-40% to 10-15%. The system reduced incident response time from 48-72 hours to even 24-36 hours, while increasing user engagement in safety actions. Additionally, the overall cost of a security breach is halved. This study emphasizes the need to address human behavior alongside technological processes to develop flexible and comprehensive cybersecurity policies.

Minimizing incident response time in real-world scenarios using quantum computing

AbstractThe Information Security Management Systems (ISMS) are global and risk-driven processes that allow companies to develop their cybersecurity strategy by defining security policies, valuable assets, controls, and technologies for protecting their systems and information from threats and vulnerabilities. Despite the implementation of such management infrastructures, incidents or security breaches happen. Each incident has associated a level of severity and a set of mitigation controls, so in order to restore the ISMS, the appropriate set of controls to mitigate their damage must be selected. The time in which the ISMS is restored is a critical aspect. In this sense, classic solutions are efficient in resolving scenarios with a moderate number of incidents in a reasonable time, but the response time increases exponentially as the number of incidents increases. This makes classical solutions unsuitable for real scenarios in which a large number of incidents are handled and even less appropriate for scenarios in which security management is offered as a service to several companies. This paper proposes a solution to the incident response problem that acts in a minimal amount of time for real scenarios in which a large number of incidents are handled. It applies quantum computing, as a novel approach that is being successfully applied to real problems, which allows us to obtain solutions in a constant time regardless of the number of incidents handled. To validate the applicability and efficiency of our proposal, it has been applied to real cases using our framework (MARISMA).

An Analytical Approach for Dispatch Operations of Emergency Medical Services: A Case Study of COVID-19

Emergency medical services (EMS) aims to deliver timely ambulatory care to incidents in communities. However, the operations of EMS may contend with suddenly increasing demands resulting from unexpected disasters such as disease outbreaks (e.g., COVID-19) or hurricanes. To this end, it usually requires better strategical decisions to dispatch, allocate, and reallocate EMS resources to meet the demand changes over time in terms of demographic and geographic distribution of incidents. In this study, we focus on the operation of the EMS resources (i.e., ambulance dispatch) in response to a demand disruption amid the COVID-19 pandemic. Specifically, we present a analytical framework to (1) analyze the underlying demographic and geographic patterns of emergency incidents and EMS resources; (2) develop a mathematical programming model to identify potential demand gaps of EMS coverage across different districts; and (3) provide a remedial reallocation solution to the EMS system with the existing ambulance capacity. The proposed method is validated with emergency response incident data in New York City for the first COVID-19 surge from March to April 2020. We found that it takes a long incident response time to scenes which reflects unexpected incident demands during COVID-19 surge. To cover such disruptive demands, ambulances need to be reallocated between service districts while meeting the response time standard. The proposed framework can be potentially applied to similar disruptive scenarios in the future and other operational systems disrupted by other disasters.HighlightsWe propose an analytical framework using optimization modeling and simulation techniques for EMS resource allocation in response to a demand disruption amid the COVID-19 pandemic.We propose mathematical programming models to identify potential demand gaps of EMS coverage across different districts.We provide a remedial reallocation solution to the EMS system with the existing ambulance capacity.

Internet of Things-Based Fire Alarm Navigation System: A Fire-Rescue Department Perspective

In the past few years, fire alarm systems have become increasingly sophisticated and more capable and reliable. The two main objectives are the protection of life and property. As a result of state and local codes, fire protection has become more concerned with life safety over the past two decades. Several safety measures have been implemented to address the problems caused by the fires and reduce the number of fatalities and property damage. Our project is to develop and review a fire alarm navigation system and application that uses the internet of things. Fire alarm systems are designed to warn people about fires in advance so that they can evacuate the fire-affected area and take immediate action to control the fire. There will be a GPS module, a flame sensor, a smoke sensor, buzzers, LEDs, and a GSM module to ensure early notification to authorities and fire stations. The aim is to reduce the loss of lives and property. A questionnaire was designed to conduct a brief survey in a multinational sports production company in Sialkot, Pakistan, regarding the IoT fire alarm navigation system. Besides installing the system in the factory, we compare the results with fire incident response time with and without this system at rescue 1122 fire head station.

Patrol Regimes for Traffic Officers in Transportation Asset Monitoring

In this paper, we investigate the feasibility of using highway traffic officers (TOs) for transportation asset management (TAM) alongside their primary role of incident response. Asset data, typically captured via highway surveys on an annual basis, are unsuitable for those assets whose condition might rapidly change, such as vegetation, streetlights, guardrails, or drainage systems. Therefore, we considered as a proof-of-concept, whether data collected from dashboard cameras installed in TO vehicles might provide analysts with near real-time asset data across an entire highway network. We considered a case study of a dedicated TO fleet deployed on the strategic road network (SRN) in England, UK, and developed a simulation based on publicly available data sets. Within the simulation, TOs patrolled under two distinct regimes and responded to dynamically generated incidents. The first regime aimed to minimize the the fleet’s incident response time, and the second aimed to maximize the fleet’s coverage, with the aim of capturing asset data across the entire highway network. Overall, our simulations showed that the TOs deployed for TAM reduced the SRN junction-to-junction section intervisit time by around 1 h 45 min, whereas their incident response time only increased by about 4 min. Moreover, 17% of SRN sections were not visited at all when the TOs prioritized fast incident response, which was reduced to 2% when the TOs prioritized the capture of asset data.

Proposed Management System and Response Estimation Algorithm for Motorway Incidents

Motorway’s personnel tasks management and incidents monitoring, and response are critical processes that contribute to the motorway’s orderly and smooth operation. Existing management practices utilize SCADA technologies that control motorway actuator systems as well as various means of personnel communications mobile technologies. Nevertheless, contemporary motorways lack a unified incident response solution that tracks resources, sends notification alerts when necessary, and automates incident resolution. This paper presents a new holistic and unified management and response system called Resources Management System (RMS). This system was originally implemented as a generic motorways resources management system for the EGNATIA ODOS motorway that uses it in Greece. The implemented RMS provides real-time resources tracking, personnel utilization algorithms, and data mining capabilities towards incident confrontation. It operates as an incidents’ collection and resources central communication interface. It is also capable of incident response and completion time categorization; real-time tunnel exits sensory monitoring, staff mobilization, and tracking system. Furthermore, the RMS includes machine learning methodologies and smart agents (bots) for solving the problem of estimating and evaluating the response and completion time of incidents based on previous successful incidents’ confrontations.

Severity of emergency natural gas distribution pipeline incidents: Application of an integrated spatio-temporal approach fused with text mining

The transportation of natural gas often relies on pipelines which require constant monitoring and regular maintenance to prevent spills or leaks. Pipeline incidents could pose a huge adverse impact on people, the environment, and society. Numerous efforts have been invested to identify contributing factors to pipeline incidents so that countermeasures could be developed to proactively prevent some incidents and reduce incident severities or impacts. However, the countermeasures may need to vary for different incidents due to the potential heterogeneity between incidents, and such heterogeneity is likely related to the geology, weather, and built environment which vary across space and time domain. The objective of this study is to revisit the correlates of pipeline incidents, focusing on the spatial and temporal patterns of the correlations between natural gas pipeline incident severity and contributing factors. This study leveraged an integrated spatio-temporal modeling approach, namely the Geographically and Temporally Weighted Ordered Logistic Regression (GTWOLR) to model the natural gas pipeline incident report data (2010–2019) from the U.S. Pipeline and Hazardous Material Safety Administration. Text mining was performed to extract additional information from the narratives in reports. Results show several factors have significant spatiotemporally varying correlations with the pipeline incident severity, and these factors include excavation damage, gas explosion, iron pipes, longer incident response time, and longer pipe lifetime. Findings from this study are valuable for pipeline operators, end-users, responders to jointly develop localized strategies to maintain the natural gas distribution system. More implications are discussed in the paper.

Work zone traffic management in rehabilitation of M-2

Pakistan has a population of over 199 million and total road network of approximately 264,400 kilometers that serve about 16.2 million vehicles of all types. According to WHO estimates, there were approximately 30,000 annual Road Crash Fatalities (RCF) in Pakistan in year 2010. Work zone crashes account for significant proportion of all traffic crashes in Pakistan due to higher crash rate as compared to other parts of the highway network. Highway work zone is referred to road area where highway construction, maintenance or activity related to utility maintenance takes place. Workers in highway work zone are exposed to a variety of hazards and face risk of injury and death from construction equipment as well as passing motor vehicles. Safety measures and better understanding of risks involved while moving through the work zone have significant effects on the overall safety climate at work zones. Mismanaged work zone traffic increases the travel time delays, safety issues, vehicle operating costs (VOC) and other associated costs. Performance measures for the work zone traffic management includes user costs (travel time delay, crash cost, VOC), incident response and clearance time, queue length and community complaint. Different work Zone Traffic Management methodologies are being practiced worldwide and extensive research has been carried out at international level on country specific highway work zone safety but in Pakistan very few studies have been carried out on highway work zones. This research aims to critically analyze the impacts of the different Work Zone Traffic Management methods and recommend the best option for Expressways / Motorways in Pakistan. For the purpose of research, the author has selected a section of Motorway (M-2). Two different work zone traffic management methods are being followed in rehabilitation of M-2 .i.e. Parallel / Adjacent Method and Median Cross-Over Method. Performance measures selected for purpose of analysis are Travel Time Delay, Crash Cost (Safety) and VOC and data collected on section of M-2. After critical analysis, it is concluded that Parallel/ Adjacent Method results in lesser Travel Time delay and lesser VOC due to higher operating speeds and thus has higher savings, whereas Median Cross over Methods yield more Crash Cost savings. Keeping in view the driving habits / skills, poor maintenance of vehicles in Pakistan and risk of fatal accidents involved in parallel /adjacent method, median cross over method is preferred.

Genetic Algorithm for Optimizing Routing Design and Fleet Allocation of Freeway Service Overlapping Patrol

The freeway service patrol problem involves patrol routing design and fleet allocation on freeways that would help transportation agency decision-makers when developing a freeway service patrols program and/or altering existing route coverage and fleet allocation. Based on the actual patrol process, our model presents an overlapping patrol model and addresses patrol routing design and fleet allocation in a single integrated model. The objective is to minimize the overall average incident response time. Two strategies—overlapping patrol and non-overlapping patrol—are compared in our paper. Matrix encoding is applied in the genetic algorithm (GA), and to maintain population diversity and avoid premature convergence, a niche strategy is incorporated into the traditional genetic algorithm. Meanwhile, an elitist strategy is employed to speed up the convergence. Using numerical experiments conducted based on data from the Sioux Falls network, we clearly show that: overlapping patrol strategy is superior to non-overlapping patrol strategy; the GA outperforms the simulated annealing (SA) algorithm; and the computational efficiency can be improved when LINGO software is used to solve the problem of fleet allocation.

Bounded Rank Optimization for Effective and Efficient Emergency Response

Effective placement of emergency response vehicles (such as ambulances, fire trucks, police cars) to deal with medical, fire or criminal activities can reduce the incident response time by few seconds, which in turn can potentially save a human life. Owing to its adoption in Emergency Medical Services (EMSs) worldwide, existing research on improving emergency response has focused on optimizing the objective of bounded time (i.e. number of incidents served in a fixed time). Due to the dependence of this objective on temporal uncertainty, optimizing the bounded time objective is challenging. In this paper, we propose a new objective referred to as the bounded rank (which is the number of incidents served by a base station whose rank is below a bounded rank value) that has nice theoretical properties and serves as an indirect substitute for the bounded time objective. To understand the theoretical properties of this new objective in the context of the spatio-temporal uncertainty associated with emergency incidents, we first provide a Poisson Point Process (PPP) model of the emergency response problem. We then formally define the bounded rank objective in the context of the model and demonstrate that the bounded rank metric is monotone submodular. Due to the monotone submodularity of the objective, we can propose a greedy approach that can provide an {\em a priori} guarantee of 50\% from optimal and a much tighter {\em posteriori} guarantee. Practically and more importantly, we demonstrate that optimizing this bounded rank objective on simulators validated on real data (and not just on the abstract PPP model) provides better results than the best known approach for optimizing bounded time objective.

Routing design and fleet allocation optimization of freeway service patrol: Improved results using genetic algorithm

Freeway service patrol (FSP), is considered to be an effective method for incident management and can help transportation agency decision-makers alter existing route coverage and fleet allocation. This paper investigates the FSP problem of patrol routing design and fleet allocation, with the objective of minimizing the overall average incident response time. While the simulated annealing (SA) algorithm and its improvements have been applied to solve this problem, they often become trapped in local optimal solution. Moreover, the issue of searching efficiency remains to be further addressed. In this paper, we employ the genetic algorithm (GA) and SA to solve the FSP problem. To maintain population diversity and avoid premature convergence, niche strategy is incorporated into the traditional genetic algorithm. We also employ elitist strategy to speed up the convergence. Numerical experiments have been conducted with the help of the Sioux Falls network. Results show that the GA slightly outperforms the dual-based greedy (DBG) algorithm, the very large-scale neighborhood searching (VLNS) algorithm, the SA algorithm and the scenario algorithm.

Jointly analyzing freeway traffic incident clearance and response time using a copula-based approach

Understanding factors that influence the duration time of incidents are important for traffic incident management agencies to design effective mitigation strategies. Previous studies have proposed different approaches for examining the impact of influential factors on incident clearance and response time. However, very few studies have considered incident clearance and response time as two dependent variables and used a joint modeling framework. The objectives of this paper are to investigate the dependence between incident clearance and response time and to examine the applicability of the copula approach to the joint analysis of these two variables. To demonstrate advantages of the proposed copula modelling framework, incident clearance and response time data collected on freeway road sections in Seattle, Washington State are examined. Parameter estimation and prediction results from the proposed copula models are presented and compared with the conventional accelerated failure time model. The modeling results suggest that the proposed copula model can better describe the estimated conditional survival probability of incident clearance time, and can provide marginally more accurate prediction results. The proposed model can also provide different inferences about effects of factors on incident clearance and response time data. Overall, the findings in this paper provide a framework for jointly modeling incident clearance and response time by considering their dependence.

Prioritizing Influential Factors for Freeway Incident Clearance Time Prediction Using the Gradient Boosting Decision Trees Method

Identifying and quantifying the influential factors on incident clearance time can benefit incident management for accident causal analysis and prediction, and consequently mitigate the impact of non-recurrent congestion. Traditional incident clearance time studies rely on either statistical models with rigorous assumptions or artificial intelligence (AI) approaches with poor interpretability. This paper proposes a novel method, gradient boosting decision trees (GBDTs), to predict the nonlinear and imbalanced incident clearance time based on different types of explanatory variables. The GBDT inherits both the advantages of statistical models and AI approaches, and can identify the complex and nonlinear relationship while computing the relative importance among variables. One-year crash data from Washington state, USA, incident tracking system are used to demonstrate the effectiveness of GBDT method. Based on the distribution of incident clearance time, two groups are categorized for prediction with a 15-min threshold. A comparative study confirms that the GBDT method is significantly superior to other algorithms for incidents with both short and long clearance times. In addition, incident response time is found to be the greatest contributor to short clearance time with more than 41% relative importance, while traffic volume generates the second greatest impact on incident clearance time with relative importance of 27.34% and 19.56%, respectively.

Exploring the influential factors in incident clearance time: Disentangling causation from self-selection bias

Understanding the relationships between influential factors and incident clearance time is crucial to make effective countermeasures for incident management agencies. Although there have been a certain number of achievements on incident clearance time modeling, limited effort is made to investigate the relative role of incident response time and its self-selection in influencing the clearance time. To fill this gap, this study uses the endogenous switching model to explore the influential factors in incident clearance time, and aims to disentangle causation from self-selection bias caused by response process. Under the joint two-stage model framework, the binary probit model and switching regression model are formulated for both incident response time and clearance time, respectively. Based on the freeway incident data collected in Washington State, full information maximum likelihood (FIML) method is utilized to estimate the endogenous switching model parameters. Significant factors affecting incident response time and clearance time can be identified, including incident, temporal, geographical, environmental, traffic and operational attributes. The estimate results reveal the influential effects of incident, temporal, geographical, environmental, traffic and operational factors on incident response time and clearance time. In addition, the causality of incident response time itself and its self-selection correction on incident clearance time are found to be indispensable. These findings suggest that the causal effect of response time on incident clearance time will be overestimated if the self-selection bias is not considered.