Improving the Effectiveness of CSIRTs
Global Cyber Security Capacity Centre, 2014
42 Pages. Posted: 9 Sep 2020
Date Written: 2014
Following the pioneering work at Carnegie Mellon University in the US, national Computer Emergency Response Teams (CERTs) have been established worldwide to address the ever-growing threats to information systems and their use. The problem they are designed to address is clearly real and formidable, yet relatively little has been done to measure how effective such national responses are in mitigating the threats posed by cyber-criminals and state-sponsored cyber-attacks. The goal of this paper is to take a first step towards developing metrics that can be used to measure the effectiveness of CSIRTs. A primary motive for doing so is to enable more effective CSIRTs to be implemented, ones that focus on the activities with the greatest impact on threat mitigation. More specifically, this paper aims to identify the ways in which a CSIRT might be deemed effective, and possible approaches to developing CSIRT effectiveness metrics. It also identifies the issues that need to be addressed to realise this goal. Cooperation, data sharing and trust are discussed as crucial components of an effective CSIRT. Existing measurement types for computer security incident response (from NIST and Carnegie Mellon's Software Engineering Institute) are presented before a set of suggested direct and indirect measures of CSIRT effectiveness is defined.