Applying Behavioral Psychology to Strengthen Your Incident Response Team

A deep-dive study on the inner workings of incident response teams leads to a framework to apply behavioral psychology principles to CSIRTs.

Cybersecurity incident response teams (CSIRTs) rely on technical and social skills. But focusing mostly on technical knowledge can come at the expense of communication and teamwork, according to a new study.

This idea was the focus of a five-year study analyzing incident response teams from a social-behavioral perspective. From 2012 to 2017, a team of researchers funded by the US Department of Homeland Security interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify the key drivers of teamwork within and between teams.

The researchers included several people from George Mason University (GMU) who teamed up with Dartmouth and HP, and received funding from the Swedish and Dutch governments, says Dr. Daniel Shore, chief research officer at Leadership & Effective Teamwork Strategies (LETS), who worked on the study while he was at GMU.

"Across our team of researchers and practitioners, we put in over 56,000 hours of analysis and interviewing, to data gathering and analysis, to understand … not only what an individual on the team does but the team they represent, or the multiteam system they represent," Shore says.

Bionic CEO Mark Orlando discovered this research as part of his own work looking into how security teams can better work together. "It really resonated with me," he says. "I thought the research was great; there were a lot of very practical things in there that I was able to use in my work." He began to reference the research and as a result, he was later connected to Shore.

"What was identified early on that spurred that research … was the idea that in cybersecurity, there are lots of analysts and front-line eyes-on-glass people who are very egocentric — not to say they're egotistical, but egocentric," Shore explains. "They see things from their own perspective; they're used to being able to say, 'I can handle this challenge on my own.'"

It makes sense, he continues. Many security pros are trained individually; they learn how to hack, investigate, and test on their own. Then they're dropped into situations in which they face complex problems and challenges that require collaboration, but they don't have the background and habits that come with working collaboratively in a multiteam system.

Orlando says it's natural for relationships to form, and for trust to form, in an incident response team and within a larger organization. In his experience, he often encounters what he calls the "rock star problem."

"You've got one or a few people [who are] very, very capable, very knowledgeable, and the team sort of coalesces around those individuals," he says. "Which is not necessarily a bad thing, but it can create issues when those individuals inevitably move on, or maybe they [have] less than optimal work habits, or behaviors, or things we want to try to account for."

Compounding CSIRTs' collaboration issues is a prominent focus on technical tools and skills, Orlando adds. Incident response teams are "often inundated" with tools that address technical problems in security and incident response; however, there is a "definite lack" of tools that address the social and collaboration challenges CSIRTs face when operating, as they must, within a multigroup, multiteam system.

A Framework to Tackle the Problem
In their upcoming Black Hat Europe briefing, "Building Better CSIRTs Using Behavioral Psychology," Orlando and Shore will discuss these challenges in depth and provide a framework for applying behavioral psychology principles to improve CSIRTs' social maturity, as well as tools to improve the skills defenders need to more effectively work together.

"You can be a little bit more deliberate, and a little bit more focused, about how those relationships form and about how knowledge is shared," says Orlando, noting the importance of how CSIRTs work together with other teams across the business. Having an effective incident response team doesn't necessarily mean you'll be successful as a security organization, he adds.

"You have to work as part of a larger ecosystem; security doesn't just happen in a vacuum," Orlando says.

One of these tools, for example, is called a goal hierarchy. Everybody has their own goals, team goals, and organizational goals, says Shore. Most people have already thought about this concept, but the idea here is to expand on the way businesses think about these goals from an individual's perspective.

"The team goals don't matter to the individual if the individual's not part of the team goals," he explains. "When you structure this goal hierarchy, it's all stemming from the individual perspective. So what is the individual's opportunity to give input to their own goals, to the team's goals, to the organization's goals?"

An individual can be given chances to understand this through all-hands meetings, cross-training, and shadowing other people's work. At the organizational level, consider where there are opportunities for a person to be involved in, and feel invested in, the organization's goals.

"What happens is we end up in crisis after crisis," Shore says, "and if we're reactively trying to involve people in setting goals and validating those goals, it doesn't play into the strength of what could be done proactively."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
