Table of Contents
Fetching ...

Passing the Baton: Shift Handovers within Cybersecurity Incident Response Teams

Liberty Kent, Nilufer Tuptuk, Ingolf Becker

TL;DR

This study addresses the lack of guidance for CSIRT shift handovers by co-designing two draft guidelines (A: checklist; B: detailed template) and evaluating them with six practitioners through semi-structured interviews. Using inductive thematic analysis, the authors identify 11 themes, including signposting, evolving procedures, and variation across individuals, and find a broad preference for Guideline B while noting the potential value of Guideline A in certain contexts. The work demonstrates that structured handover guidance is feasible and can be adapted to diverse CSIRT contexts, with proposals for adding service-status and post-incident review components. Overall, the paper provides a foundation for formalizing CSIRT transition practices and outlines directions for larger-scale replication and cross-organizational validation.

Abstract

Effective shift transitions are crucial for cybersecurity incident response teams, yet there is limited guidance on managing these handovers. This exploratory study aimed to develop guidelines for such transitions through the analysis of existing literature and consultation with practitioners. Two draft guidelines (A and B) were created based on existing literature and online resources. Six participants from the UK and international incident response teams, with experience in shift handovers, were interviewed about handover structure, challenges, training practices, and their views on the draft guidelines. The collected data indicate the importance of signposting, evolving handover procedures, individual differences in handover style and detail, and streamlining the handover procedure. Participants agreed the drafts included all relevant details but suggested adding a post-incident review section and a service section for outages or technical difficulties. This study establishes a foundation for enhancing transition practices in cybersecurity incident response teams.

Passing the Baton: Shift Handovers within Cybersecurity Incident Response Teams

TL;DR

This study addresses the lack of guidance for CSIRT shift handovers by co-designing two draft guidelines (A: checklist; B: detailed template) and evaluating them with six practitioners through semi-structured interviews. Using inductive thematic analysis, the authors identify 11 themes, including signposting, evolving procedures, and variation across individuals, and find a broad preference for Guideline B while noting the potential value of Guideline A in certain contexts. The work demonstrates that structured handover guidance is feasible and can be adapted to diverse CSIRT contexts, with proposals for adding service-status and post-incident review components. Overall, the paper provides a foundation for formalizing CSIRT transition practices and outlines directions for larger-scale replication and cross-organizational validation.

Abstract

Effective shift transitions are crucial for cybersecurity incident response teams, yet there is limited guidance on managing these handovers. This exploratory study aimed to develop guidelines for such transitions through the analysis of existing literature and consultation with practitioners. Two draft guidelines (A and B) were created based on existing literature and online resources. Six participants from the UK and international incident response teams, with experience in shift handovers, were interviewed about handover structure, challenges, training practices, and their views on the draft guidelines. The collected data indicate the importance of signposting, evolving handover procedures, individual differences in handover style and detail, and streamlining the handover procedure. Participants agreed the drafts included all relevant details but suggested adding a post-incident review section and a service section for outages or technical difficulties. This study establishes a foundation for enhancing transition practices in cybersecurity incident response teams.
Paper Structure (28 sections, 5 tables)