Abstract
We studied the nature of incident response teams in seven Operations Centers of varying size and type, including service providers, a Security Operations Center, a Data Center, and two military training Operations Centers. All of them responded to incidents by forming teams. We asked three questions: What is the context of incident response work? How can we model incident response work? What are the implications for tool developers? Activity theory guided our research throughout. Using an ethnographic approach to data collection, we shadowed 129 individuals for a total of 250 hours of observation, conducted 38 interviews, and facilitated 11 meetings with executives of Operations Centers. We produced rich descriptions of the work of operators and a model of incident team formation called Tailor-made Teams in Operations Centers (T-TOCs). We position our results relative to other ethnographic studies and to industry standards, showing how incident team formation has changed over time. Today’s incident response team is ad hoc, i.e., tailor-made to the circumstances and responsive to changing circumstances. Our model draws parallels between the incident response work of teams and human cognition. We conclude by pointing out that tools for tailor-made teams are in their infancy.
Acknowledgments
Thanks to the Natural Sciences and Engineering Research Council of Canada (NSERC), ISSNet and SurfNET for funding. Also, special thanks to Mitacs and CA Technologies who funded this work with a Mitacs Elevate Grant. Thanks also to our study participants and the Operations Centers that allowed us access to their sites and employees.
Cite this article
Brown, J., Greenspan, S. & Biddle, R. Incident response teams in IT operations centers: the T-TOCs model of team functionality. Cogn Tech Work 18, 695–716 (2016). https://doi.org/10.1007/s10111-016-0374-2