Abstract for: Chronic Workload Problems in CSIRTs

Since their inception Computer Security Incident Response Teams (CSIRTs) have been afflicted by chronic problems concerning workload, quality of service, and sustaining their constituency. We have cooperated with one of the oldest CSIRTs to model the most challenging issues. Low-priority and high-priority incident response cause distinct problems. Low-priority reports grow exponentially, which overwhelms the limited CISRT resources. For high-priority incident response, one observes long-term instabilities in workload and QoS and, ominously, oscillatory decreasing recognition of the CSIRT by its constituency. In this paper we focus on low-priority incident response, leaving high-priority response for two companion papers. For low-priority response, the CSIRT tends to handle the workload by adjusting the productivity of manually handled incidents, a futile task owing to exponential growth in incidents. A more fundamental solution is automated incident response, but its implementation requires careful planning of timing and resources.