Article code: 456056
Journal code: 695634
Publication year: 2012
English article: 10 pages, PDF
Full-text version: Free download
English title of the ISI article
Incident response teams – Challenges in supporting the organisational security function
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Incident response is a critical security function in organisations that aims to manage incidents in a timely and cost-effective manner. This research was motivated by previous case studies that suggested that the practice of incident response frequently did not result in the improvement of strategic security processes such as policy development and risk assessment. An exploratory in-depth case study was performed at a large global financial institution to examine shortcomings in the practice of incident response. The case study revealed the practice of incident response, in accordance with detailed best-practice guidelines, tended to adopt a narrow technical focus aimed at maintaining business continuity whilst neglecting strategic security concerns. The case study also revealed that the (limited) post-incident review process focused on ‘high-impact’ incidents rather than ‘high-learning’ (i.e. potentially useful incidents from a learning perspective) incidents and ‘near misses’. In response to this case study, we propose a new double-loop model for incident learning to address potential systemic corrective action in such areas as the risk assessment and policy development processes.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 31, Issue 5, July 2012, Pages 643–652
Authors
, , ,