Endpoint

10/11/2021
11:00 AM
Applying Behavioral Psychology to Strengthen Your Incident Response Team

A deep-dive study on the inner workings of incident response teams leads to a framework to apply behavioral psychology principles to CSIRTs.

Cybersecurity incident response teams (CSIRTs) rely on technical and social skills. But focusing mostly on technical knowledge can come at the expense of communication and teamwork, according to a new study.

This idea was the focus of a five-year study analyzing incident response teams from a social-behavioral perspective. From 2012 to 2017, a team of researchers funded by the US Department of Homeland Security interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify the key drivers of teamwork within and between teams.

The researchers included several people from George Mason University (GMU) who teamed up with Dartmouth and HP, and received funding from the Swedish and Dutch governments, says Dr. Daniel Shore, chief research officer at Leadership & Effective Teamwork Strategies (LETS), who worked on the study while he was at GMU.

"Across our team of researchers and practitioners, we put in over 56,000 hours of analysis and interviewing, to data gathering and analysis, to understand … not only what an individual on the team does but the team they represent, or the multiteam system they represent," Shore says.

Bionic CEO Mark Orlando discovered this research as part of his own work looking into how security teams can better work together. "It really resonated with me," he says. "I thought the research was great; there were a lot of very practical things in there that I was able to use in my work." He began to reference the research and as a result, he was later connected to Shore.

"What was identified early on that spurred that research … was the idea that in cybersecurity, there are lots of analysts and front-line eyes-on-glass people who are very egocentric — not to say they're egotistical, but egocentric," Shore explains. "They see things from their own perspective; they're used to being able to say, 'I can handle this challenge on my own.'"

It makes sense, he continues. Many security pros are trained individually; they learn how to hack, investigate, and test on their own. Then they're dropped into situations in which they face complex problems and challenges that require collaboration, but they don't have the background and habits that come with working collaboratively in a multiteam system.

Orlando says relationships and trust form naturally within an incident response team and across the larger organization. In his experience, that often produces what he calls the "rock star problem."

"You've got one or a few people [who are] very, very capable, very knowledgeable, and the team sort of coalesces around those individuals," he says. "Which is not necessarily a bad thing, but it can create issues when those individuals inevitably move on, or maybe they [have] less than optimal work habits, or behaviors, or things we want to try to account for."

Compounding CSIRTs' collaboration issues is a heavy focus on technical tools and skills, Orlando adds. Incident response teams are "often inundated" with tools for the technical problems of security and incident response, but there is a "definite lack" of tools for the social and collaboration challenges CSIRTs face when operating, as they must, within a multigroup, multiteam system.

A Framework to Tackle the Problem
In their upcoming Black Hat Europe briefing, "Building Better CSIRTs Using Behavioral Psychology," Orlando and Shore will discuss these challenges in depth and provide a framework for applying behavioral psychology principles to improve CSIRTs' social maturity, as well as tools to improve the skills defenders need to more effectively work together.

"You can be a little bit more deliberate, and a little bit more focused, about how those relationships form and about how knowledge is shared," says Orlando, noting the importance of how CSIRTs work together with other teams across the business. Having an effective incident response team doesn't necessarily mean you'll be successful as a security organization, he adds.

"You have to work as part of a larger ecosystem; security doesn't just happen in a vacuum," Orlando says.

One of these tools, for example, is called a goal hierarchy. Everybody has their own goals, team goals, and organizational goals, says Shore. Most people have already thought about this concept, but the idea here is to expand on the way businesses think about these goals from an individual's perspective.

"The team goals don't matter to the individual if the individual's not part of the team goals," he explains. "When you structure this goal hierarchy, it's all stemming from the individual perspective. So what is the individual's opportunity to give input to their own goals, to the team's goals, to the organization's goals?"

An individual can be given chances to develop this understanding through all-hands meetings, cross-training, and shadowing other people's work. At the organizational level, consider where there are opportunities for a person to be involved in, and feel invested in, the organization's goals.

"What happens is we end up in crisis after crisis," Shore says, "and if we're reactively trying to involve people in setting goals and validating those goals, it doesn't play into the strength of what could be done proactively."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...