A MANAGEMENT MODEL FOR BUILDING A COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY

Although there are numerous guides available for establishing a computer security incident response capability, there appears to be no underlying management model that brings them all together. This paper aims to address the problem by developing a management model for establishing a Computer Security Incident Response Team (CSIRT). A design science-based approach has been selected for the overall project. However, the current paper reports on the first three activities in design science research: identifying the problem, listing solution objectives, and designing and developing a model. A comprehensive literature review serves two purposes: to confirm the problem and to provide a structured way of revealing the requirement areas. Following the uncovering of the requirement areas, CSIRT business requirements and services are introduced, before exploring the relationships between the areas using argumentation. This culminates in the development of the management model in two parts: a strategic view and a tactical view. The strategic view comprises the business requirements and "higher" level decisions - the environment, constituency and funding considerations - that need to be made when establishing a CSIRT. The tactical view follows by presenting the "how" considerations. Together, these two views provide an holistic model for establishing a CSIRT by parties interested in doing so.