Detecting, Analyzing and Responding to Security Incidents: A Qualitative Analysis

This study develops categories of responses to security incidents, based on a grounded theory analysis of interviews with security practitioners, with a focus on the tasks performed during security incidents, and the necessary resources to perform these tasks. The results include a list of types of incidents, a model for the tasks, the skills employed, and the strategies used during security incidents. A security incident can be understood in terms of three stages: detection, analysis, and response. Each stage is comprised by tasks that are performed using different skills, strategies, and resources. We also recommend that development of security tools focus on: correlation of multiple sources of information, including the activities of different projects in distributed environments; and better trade-off between portability and visualization