
arxiv: 2607.02451 · v1 · pith:EX2FQTS3new · submitted 2026-07-02 · 💻 cs.CR

SoK: A Taxonomy for Cybersecurity Incident Response Influence Factors

Pith reviewed 2026-07-03 10:22 UTC · model grok-4.3

classification 💻 cs.CR
keywords: cybersecurity, incident response, taxonomy, influence factors, systematic review, literature classification, organizational preparedness, human factors

The pith

The CIR-IF Taxonomy organizes factors influencing cybersecurity incident response more comprehensively than prior frameworks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper conducts a systematic review of academic and non-scientific literature to create the Cybersecurity Incident Response Influencing Factor Taxonomy. The taxonomy integrates aspects from technology, human-computer interaction, organizational theory, and human factors that affect incident response. It classifies empirical findings from 1999 to mid-2024 and compares the result to seven established frameworks along with elements from the NIST framework. A reader would care because the taxonomy can help identify research gaps and support more effective studies on preparedness and response to cyber incidents.

Core claim

Through a systematic review of 417 academic and 40 non-scientific publications from 1999 to mid-2024, the authors derived the CIR-IF Taxonomy, which classifies existing empirical findings on factors influencing organizational preparedness and response to cybersecurity incidents. Systematic comparison with seven scientific frameworks and the NIST framework shows that the CIR-IF Taxonomy provides a richer, more rigorous, and more systematically organized view of the factors that drive and shape incident response.

What carries the argument

The CIR-IF Taxonomy, a structured classification of influence factors derived from the literature review and used to organize empirical findings across multiple domains.

If this is right

  • Researchers can use the taxonomy to identify underexplored areas in incident response studies.
  • The taxonomy enables more targeted empirical and theoretical investigations across technology, human factors, and organizational domains.
  • Existing findings can be classified within the taxonomy to maintain an up-to-date overview of knowledge from 1999 to mid-2024.
  • The comparison establishes that the taxonomy offers a richer and more systematically organized perspective than the seven prior frameworks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Organizations could apply the taxonomy categories to audit gaps in their own incident response processes.
  • The taxonomy structure might reveal previously unexamined interactions between technological and human factors.
  • Periodic extensions of the taxonomy could incorporate literature published after mid-2024 to maintain relevance.
  • Standardized use of the taxonomy could support consistent reporting of incident response effectiveness across different settings.

Load-bearing premise

The chosen set of 417 academic and 40 non-scientific publications from 1999 to mid-2024 forms a sufficiently complete and unbiased sample from which all relevant influence factors can be extracted and categorized without material omission or double-counting.

What would settle it

Discovery of a major influence factor in incident response that is absent from all categories in the CIR-IF Taxonomy or a direct comparison demonstrating that one of the seven other frameworks is more comprehensive.

Figures

Figures reproduced from arXiv: 2607.02451 by Fabian Ising, Jonas Kaspereit, Lea Gröber, Marius Brockhoff, Sebastian Schinzel, Thomas Biege.

Figure 1. CIR-IF Taxonomy.
Figure 2. Research design overview.
Figure 3. Number of Publications per Year.
Figure 4. Comparison of our Taxonomy vs. NIST SP 800-61r3 for (a) Human Factors and (b) Context Factors.
Figure 5. Flowchart showing an indicated dependency chain of linked influencing factors.

Original abstract

Cybersecurity incident response has emerged as a critical area of interest for both researchers and practitioners. The corpus of literature on cybersecurity incident response is expanding, yet a unified framework for systematically organizing the accumulated knowledge remains absent. The aspects of incident response span multiple domains, including technology, human-computer interaction, organizational theory, and human factors. A comprehensive, integrative perspective on these factors can enable researchers to identify underexplored areas and more effectively target their empirical and theoretical investigations. Our study systematizes the factors that influence organizational preparedness for and response to cybersecurity incidents. Through a systematic review of academic literature (n = 417) and non-scientific publications (n = 40), we derived the "Cybersecurity Incident Response Influencing Factor Taxonomy" (CIR-IF Taxonomy). Existing empirical findings were classified within this taxonomy, providing a comprehensive and up-to-date overview of knowledge from the period 1999 to mid-2024. The taxonomy categories were systematically compared with seven established scientific frameworks and with the NIST Cyber Security Framework elements referenced in the NIST Special Publication 800-61r3 incident response profile. The results of this comparison show that the CIR-IF Taxonomy delivers a richer, more rigorous, and more systematically organized view of the factors that drive and shape incident response.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 0 minor

Summary. The paper conducts a systematic review of 417 academic and 40 non-scientific publications (1999 to mid-2024) to derive the CIR-IF Taxonomy of factors influencing organizational cybersecurity incident response preparedness and response. It classifies existing empirical findings within the taxonomy and performs a side-by-side comparison against seven established scientific frameworks plus the NIST SP 800-61r3 incident response profile, concluding that the CIR-IF Taxonomy provides a richer, more rigorous, and more systematically organized view of the relevant factors spanning technology, HCI, organizational theory, and human factors.

Significance. If the taxonomy and comparison hold, the work supplies a comprehensive, up-to-date integrative map that can help researchers identify gaps and target investigations more effectively. Credit is given for the large literature sample, the inclusion of both academic and non-scientific sources, and the explicit benchmarking against independently published frameworks rather than circular self-validation.

major comments (1)
  1. [Methods] Methods section (literature review and taxonomy construction): the derivation of the CIR-IF Taxonomy from the 417+40 sources involves interpretive judgments on category boundaries and factor assignment, yet no quantitative inter-rater reliability statistic or sensitivity analysis is reported; this weakens the claim of 'more rigorous' organization relative to the compared frameworks.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the positive assessment and recommendation to accept. We address the single major comment below.

Point-by-point responses
  1. Referee: [Methods] Methods section (literature review and taxonomy construction): the derivation of the CIR-IF Taxonomy from the 417+40 sources involves interpretive judgments on category boundaries and factor assignment, yet no quantitative inter-rater reliability statistic or sensitivity analysis is reported; this weakens the claim of 'more rigorous' organization relative to the compared frameworks.

    Authors: We acknowledge that the taxonomy construction necessarily involved interpretive judgments and that no quantitative inter-rater reliability (IRR) statistic or sensitivity analysis was reported. The categories and factor assignments were developed iteratively through repeated discussions and consensus among the full author team rather than independent coding by multiple raters. We agree that greater transparency on this process would strengthen the manuscript and better support the comparative claim of rigor. In the revised version we will expand the Methods section with a detailed description of the iterative construction procedure, the criteria used for boundary decisions, and an explicit discussion of the interpretive character of the taxonomy as a limitation. This addition will not alter the core findings but will allow readers to evaluate the organization more directly against the compared frameworks.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity identified

Full rationale

The paper derives the CIR-IF Taxonomy via systematic review of 417 academic + 40 non-scientific external publications (1999–mid-2024), classifies empirical findings within it, and performs a direct side-by-side comparison against seven independent established frameworks plus NIST SP 800-61r3. No equations, fitted parameters, self-definitional loops, or load-bearing self-citations appear in the derivation chain. The central claim rests on external literature synthesis and external benchmarks rather than any reduction to the paper's own inputs by construction. This is a standard literature-based SoK with independent validation steps.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The taxonomy rests on the domain assumption that influence factors can be reliably identified and grouped from the selected literature without significant gaps or overlaps. No free parameters or invented entities are introduced.

axioms (1)
  • domain assumption: A systematic review of the selected 457 publications captures the relevant influence factors on organizational incident response.
    The entire taxonomy and its claimed superiority depend on this coverage assumption stated in the abstract.

pith-pipeline@v0.9.1-grok · 5784 in / 1263 out tokens · 33910 ms · 2026-07-03T10:22:38.397766+00:00

