Passing the Baton: Shift Handovers within Cybersecurity Incident Response Teams

TL;DR

This study develops preliminary guidelines for managing shift handovers in cybersecurity incident response teams, emphasizing signposting, adaptability, and streamlining to improve transition effectiveness.

Contribution

It introduces initial guidelines based on literature and practitioner insights, addressing a gap in structured shift handover practices for cybersecurity teams.

Findings

Signposting is crucial for effective handovers.

Procedures should evolve with experience and context.

Streamlining handovers improves efficiency.

Abstract

Effective shift transitions are crucial for cybersecurity incident response teams, yet there is limited guidance on managing these handovers. This exploratory study aimed to develop guidelines for such transitions through the analysis of existing literature and consultation with practitioners. Two draft guidelines (A and B) were created based on existing literature and online resources. Six participants from the UK and international incident response teams, with experience in shift handovers, were interviewed about handover structure, challenges, training practices, and their views on the draft guidelines. The collected data indicate the importance of signposting, evolving handover procedures, individual differences in handover style and detail, and streamlining the handover procedure. Participants agreed the drafts included all relevant details but suggested adding a post-incident review section and a service section for outages or technical difficulties. This study establishes a foundation for enhancing transition practices in cybersecurity incident response teams.