What is it about?
National Computer Security Incident Response Teams (CSIRTs) have been established in many countries to coordinate responses to cyber security incidents at the national level. A previous study of ours (https://doi.org/10.1145/3609230) proposed a set of candidate criteria for evaluating software tools and data sources used for incident response in national CSIRTs. Those candidate criteria were derived from insights gained in a number of focus group discussions in which staff working for national CSIRTs participated. This study validated the candidate criteria empirically through semi-structured online interviews with nine members of staff, each from a different national CSIRT, covering nine national CSIRTs in Asia-Pacific, Africa and Europe. The candidate criteria were also evaluated by one of us (the first co-author), an experienced member of staff at Malaysia’s national CSIRT, by applying the criteria to two software tools and one data source and by converting each criterion into one or more relevant metrics. Our results showed that all participants perceived the candidate criteria as practically useful for staff of national CSIRTs, and that the criteria can be applied relatively easily in practice.
Why is it important?
This work addresses a key practical issue in national CSIRTs’ operations: staff do not have a standard, practically applicable set of criteria for evaluating and selecting suitable software tools and data sources for daily incident response work. By empirically validating the candidate criteria proposed in our prior study, this study provides a useful baseline for national CSIRTs (and other types of CSIRTs) when selecting software tools and data sources in their operational practices, especially freely and publicly available ones, which are often evaluated less thoroughly than commercial tools and data sources. Despite the relatively small number of interviewees, they represent nine different national CSIRTs on different continents and of different sizes and maturity levels; the overwhelmingly positive feedback therefore confirmed the deployment readiness of the candidate criteria and the importance of our work. Our own validation of the candidate criteria using two software tools and a public data source further showed that the criteria can be used in national CSIRTs’ operational practices. In addition, the criteria could help software designers and developers produce tools and data sources that are better aligned with end users’ needs.
Perspectives
The work was motivated by the first co-author’s personal observation of national CSIRTs’ operation while working at Malaysia Computer Emergency Response Team (MyCERT) of CyberSecurity Malaysia, Malaysia. Staff members of national CSIRTs often use a lot of free (especially open source) software tools and public data sources to support their day-to-day work. However, a set of criteria that could guide staff to evaluate and select candidate software tools and data sources is lacking. In our previous study, we developed a set of criteria based on insights learned from a number of focus group discussions with staff members of national CSIRTs. This study is a follow-up validation of the proposed criteria using semi-structured interviews, again with staff members of national CSIRTs. Using actual end users at national CSIRTs to derive and validate the criteria means the results we obtained are likely practical and useful for the target end users. Additionally, the first author’s test validations of two software tools and one data source also gave further confidence in the deployment readiness of the criteria. We hope that more future research will be conducted to help understand and improve national CSIRTs’ operational practices, thereby making all nations and sectors more resilient to cyberattacks.
Sharifah Roziah Binti Mohd Kassim
CyberSecurity Malaysia
Read the Original
This page is a summary of: Validating a Set of Candidate Criteria for Evaluating Software Tools and Data Sources for National CSIRTs’ Cyber Incident Responses, Digital Threats: Research and Practice, December 2025, ACM (Association for Computing Machinery), DOI: 10.1145/3748267.