Cardiff University | Prifysgol Caerdydd ORCA

Operations-informed incident response playbooks

Shaked, Avi, Cherdantseva, Yulia ORCID: https://orcid.org/0000-0002-3527-1121, Burnap, Peter ORCID: https://orcid.org/0000-0003-0396-633X and Maynard, Peter 2023. Operations-informed incident response playbooks. Computers and Security 134, 103454. doi:10.1016/j.cose.2023.103454

PDF - Published Version (2MB)
Available under License Creative Commons Attribution.
License URL: http://creativecommons.org/licenses/by/4.0/
License Start date: 11 September 2023

Abstract

Cyber security incident response playbooks are critical for establishing an effective incident response capability within organizations. We identify a significant conceptual gap in the current research and practice of cyber security playbook design: the inability to communicate the operational impact of an incident, and of the incident response itself, on an organization. In this paper, we present a mechanism to address this gap by introducing the operational context into an incident response playbook. This conceptual contribution calls for a shift from playbooks that consist only of process models to playbooks whose process models are closely linked with a model of operations. We describe a novel approach to embed a model of operations into the incident response playbook and link it with the playbook's incident response activities. This makes it possible to reflect, in an accurate and systematic way, the interdependencies and mutual influences between incident response activities and operations. The approach includes the use of a new metric for evaluating the change in operations in coordination with critical thresholds, supporting decision-making during cyber security incident response. We demonstrate the application of the proposed approach to playbook design in the context of a ransomware attack incident response, using a newly developed open-source tool.

Item Type: Article
Date Type: Publication
Status: Published
Schools: Computer Science & Informatics
Publisher: Elsevier
ISSN: 0167-4048
Date of First Compliant Deposit: 5 January 2024
Date of Acceptance: 22 August 2023
Last Modified: 18 Jan 2024 13:43
URI: https://orca.cardiff.ac.uk/id/eprint/165303
