In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
Computer security incident response teams (CSIRTs) respond to a computer security incident when the need arises. Failure of these teams can have far-reaching effects for the economy and national security. CSIRTs often have to work on an ad hoc basis, in close cooperation with other teams, and in time constrained environments. It could be argued that under these working conditions CSIRTs would be likely to encounter problems. A needs assessment was done to see to which extent this argument holds true. We constructed an incident response needs model to assist in identifying areas that require improvement. We envisioned a model consisting of four assessment categories: Organization, Team, Individual and Instrumental. Central to this is the idea that both problems and needs can have an organizational, team, individual, or technical origin or a combination of these levels. To gather data we conducted a literature review. This resulted in a comprehensive list of challenges and needs that could hinder or improve, respectively, the performance of CSIRTs. Then, semi-structured in depth interviews were held with team coordinators and team members of five public and private sector Dutch CSIRTs to ground these findings in practice and to identify gaps between current and desired incident handling practices. This paper presents the findings of our needs assessment and ends with a discussion of potential solutions to problems with performance in incident response. https://doi.org/10.3389/fpsyg.2017.02179 LinkedIn: https://www.linkedin.com/in/rickvanderkleij1/
MULTIFILE
Background: Advanced medical technologies (AMTs), such as respiratory support or suction devices, are increasingly used in home settings and incidents may well result in patient harm. Information about risks and incidents can contribute to improved patient safety, provided that those are reported and analysed systematically. Objectives: To identify the frequency of incidents when using AMTs in home settings, the effects on patient outcomes and the actions taken by nurses following identification of incidents. Methods: A cross-sectional study of 209 home care nurses in the Netherlands working with infusion therapy, parenteral nutrition or morphine pumps, combining data from a questionnaire and registration forms covering more than 13 000 patient contacts. Descriptive statistics were used. Results: We identified 140 incidents (57 adverse events; 83 near misses). The frequencies in relation to the number of patient contacts were 2.7% for infusion therapy, 1.3% for parenteral nutrition and 2.6% for morphine pumps. The main causes were identified as related to the product (43.6%), the organisation of care (27.9%), the nurse as a user (15.7%) and the environment (12.9%). 40% of all adverse events resulted in mild to severe harm to the patient. Incidents had been discussed in the team (70.7%), with the patient/informal caregiver(s) (50%), or other actions had been taken (40.5%). 15.5% of incidents had been formally reported according to the organisation's protocol. Conclusions: Most incidents are attributed to product failures. Although such events predominantly cause no harm, a significant proportion of patients do suffer some degree of harm. There is considerable underreporting of incidents with AMTs in home care. This study has identified a discrepancy in quality circles: learning takes place at the team level rather than at the organisational level.
