# Review of human decision-making during computer security incident analysis

**Authors:** Jonathan M. Spring, Phyllis Illari

arXiv: 1903.10080 · 2019-03-26

## TL;DR

This paper reviews existing standards and practices for human decision-making in computer security incident response, highlighting strengths and identifying gaps in guidance for prioritization and reporting.

## Contribution

It provides a comprehensive review of current standards and practices, emphasizing the need for improved guidance on decision prioritization and interpretation during incident analysis.

## Key findings

- Existing advice covers many specific tasks
- Gaps in guidance on task prioritization under time constraints
- Lack of clear methods for interpreting and reporting results

## Abstract

We review practical advice on decision-making during computer security incident response. Scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in explication and specification of decision-making during incident analysis.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1903.10080/full.md

## Figures

7 figures with captions in the complete paper: https://tomesphere.com/paper/1903.10080/full.md

## References

157 references — full list in the complete paper: https://tomesphere.com/paper/1903.10080/full.md

---
Source: https://tomesphere.com/paper/1903.10080