Improving the Effectiveness of CSIRTs
This paper, by Maria Bada, Sadie Creese, Michael Goldsmith, and Chris J. Mitchell, reports on research designed to measure the effectiveness of national Computer Security Incident Response Teams (CSIRTs). Specifically, the researchers aim to identify: 1) the ways in which a CSIRT might be considered to be effective; 2) the issues which may limit the performance of a CSIRT; and 3) approaches towards developing CSIRT effectiveness metrics. A primary motive for doing so is to enable more effective CSIRTs to be implemented, focusing on activities with the maximum impact on threat mitigation.
The research was conducted in two phases, using both an online survey and interviews. The study participants were experts within the existing CSIRT community. In total, 46 participants responded to the survey, from 27 countries in Europe, Africa, South and North America, and Asia. Three experts working for CSIRTs in the UK and USA were also interviewed. Questions asked during the interviews and the online survey queried the personal knowledge and experience of participants regarding CSIRTs. In the analysis, issues such as cooperation, data-sharing and trust are discussed as crucial components of an effective CSIRT. Existing measurement approaches for computer security incident response are presented, before a set of suggested direct and indirect measures of the effectiveness of a CSIRT is defined.