Asymmetry of People's Time in Security Incidents

Asymmetry of People’s Time in Security Incidents

Successful attacks often have an element of asymmetry, where the threat agent’s effort or costs are significantly smaller than those of the target. One of the ways in which this characteristic occurs in computer security incidents is related to people’s time.

Consider the situation where organizations experience a data breach or a denial-of-service attack. Caught unprepared, enterprises often work themselves into a frenzy, calling for all-hands-on-deck meetings, micromanaging investigative and recovery tasks, and asking responders to work night and day to deal with the situation. The aggregate time spend by the enterprise on the incident can be disproportionately higher to that expanded by the attacker.

The activities outlined above are costly, because people’s time is expensive. The employees responding to the incident cannot pay attention to other responsibilities and also cannot function effectively without rest. Moreover, working under such stressful conditions increases the likelihood of mistakes, which necessitates the need for additional time to recover from the errors. As the result, the cost of dealing with the incident can balloon very quickly.

The best way to avoid overreaction that will lead to spending too much time on the incident is to be prepared. By defining the incident handling plan, the role that people will play, the escalation procedures, communication expectations and related details, the organization can avoid drawing into the response process unnecessary personnel. This will also avoid performing unnecessary tasks or duplicate efforts that can further contribute to time waste. (In addition to defining the plan, the company should also exercise it.)

In the words of Delmore Schwartz, “time is the fire in which we burn.” So when deciding how your organization will respond to a security incident, make judicious use of the time people will spend dealing with the situation. If you need help preparing for or dealing with computer security incidents, take a look at some of the cheat sheets I prepared on this topic.

— Lenny Zeltser