A deep-dive study on the inner workings of incident response teams leads to a framework to apply behavioral psychology principles to CSIRTs.

Kelly Sheridan, Former Senior Editor, Dark Reading

October 11, 2021


Cybersecurity incident response teams (CSIRTs) rely on technical and social skills. But focusing mostly on technical knowledge can come at the expense of communication and teamwork, according to a new study.

This idea was the focus of a five-year study analyzing incident response teams from a social-behavioral perspective. From 2012 to 2017, a team of researchers funded by the US Department of Homeland Security interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify the key drivers of teamwork within and between teams.

The researchers included several people from George Mason University (GMU) who teamed up with Dartmouth and HP, and received funding from the Swedish and Dutch governments, says Dr. Daniel Shore, chief research officer at Leadership & Effective Teamwork Strategies (LETS), who worked on the study while he was at GMU.

"Across our team of researchers and practitioners, we put in over 56,000 hours of analysis and interviewing, to data gathering and analysis, to understand … not only what an individual on the team does but the team they represent, or the multiteam system they represent," Shore says.

Bionic CEO Mark Orlando discovered this research as part of his own work looking into how security teams can better work together. "It really resonated with me," he says. "I thought the research was great; there were a lot of very practical things in there that I was able to use in my work." He began to reference the research and as a result, he was later connected to Shore.

"What was identified early on that spurred that research … was the idea that in cybersecurity, there are lots of analysts and front-line eyes-on-glass people who are very egocentric — not to say they're egotistical, but egocentric," Shore explains. "They see things from their own perspective; they're used to being able to say, 'I can handle this challenge on my own.'"

It makes sense, he continues. Many security pros are trained individually; they learn how to hack, investigate, and test on their own. Then they're dropped into situations in which they face complex problems and challenges that require collaboration, but they don't have the background and habits that come with working collaboratively in a multiteam system.

Orlando says it's natural for relationships to form, and for trust to form, in an incident response team and within a larger organization. In his experience, he often encounters what he calls the "rock star problem."

"You've got one or a few people [who are] very, very capable, very knowledgeable, and the team sort of coalesces around those individuals," he says. "Which is not necessarily a bad thing, but it can create issues when those individuals inevitably move on, or maybe they [have] less than optimal work habits, or behaviors, or things we want to try to account for."

Compounding CSIRTs' collaboration issues is a prominent focus on technical tools and skills, Orlando adds. Incident response teams are "often inundated" with tools to address technical problems in security and incident response; however, there is a "definite lack" of tools to address some of the social and collaboration challenges CSIRTs face in operating within the context of a multigroup, multiteam system as they need to do.

A Framework to Tackle the Problem
In their upcoming Black Hat Europe briefing, "Building Better CSIRTs Using Behavioral Psychology," Orlando and Shore will discuss these challenges in depth and provide a framework for applying behavioral psychology principles to improve CSIRTs' social maturity, as well as tools to improve the skills defenders need to more effectively work together.

"You can be a little bit more deliberate, and a little bit more focused, about how those relationships form and about how knowledge is shared," says Orlando, noting the importance of how CSIRTs work together with other teams across the business. Having an effective incident response team doesn't necessarily mean you'll be successful as a security organization, he adds.

"You have to work as part of a larger ecosystem; security doesn't just happen in a vacuum," Orlando says.

One of these tools, for example, is called a goal hierarchy. Everybody has their own goals, team goals, and organizational goals, says Shore. Most people have already thought about this concept, but the idea here is to expand on the way businesses think about these goals from an individual's perspective.

"The team goals don't matter to the individual if the individual's not part of the team goals," he explains. "When you structure this goal hierarchy, it's all stemming from the individual perspective. So what is the individual's opportunity to give input to their own goals, to the team's goals, to the organization's goals?"

An individual can be given chances to understand this through all-hands meetings, cross-training, and shadowing other people's work. At the organizational level, consider where there are opportunities for a person to be involved and feel invested in the organization's goals.

"What happens is we end up in crisis after crisis," Shore says, "and if we're reactively trying to involve people in setting goals and validating those goals, it doesn't play into the strength of what could be done proactively."


About the Author(s)

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
