Integration of the Social Sciences into Incident Response


Almost every day a TV news report, newspaper, or Internet news story will report an incident of hacking, computer abuse, or cybercrime. Everyone is getting hit, and it is not just web site defacement of government sites or other "nuisance" attacks. The recent onslaught of distributed denial-of-service attacks, identity thefts, virus releases, and online credit card thefts has demonstrated an increase in the sophistication of attacks and the capability to attack large, successful American and European companies, as well as individuals. To combat these types of incidents, most corporations and government organizations have formed or contracted incident response teams.

In most cases, the incident response teams are sufficiently staffed with technically skilled individuals. Incident response teams follow established policies and procedures for incident handling, and they attempt to limit the scope and magnitude of the incident, prevent the incident from escalating, restore necessary systems, and conduct investigations. The primary tools in the incident response team's toolbox are technical. However, to restore the business to normal operations, to identify the attacker(s), or to capture the attacker(s), the capabilities of an incident response team need to expand far beyond the technical expertise of the team members. The successful conclusion (or prevention) of an attack sometimes has more to do with having the capability to handle the human aspects of incident response than the technical aspects.

Understanding the human aspects of incident response is critical to forming, training, and applying the talents of an incident response team to an incident. These human-based issues can be described as those aspects of incident response that fall outside the scope of technical experience and skill. The human aspects of incident response revolve around people: the victims, the employees, the stockholders, the executives, and of course, the perpetrators. If an incident response team does not understand the human or people perspectives when commencing the investigation of an incident, the incident response team is already behind the curve. This lesson has been learned from years of conventional criminal investigation.

A good homicide investigation does not rely on the results of lab tests; the investigation includes eyewitness interviews, the use of informants, victim statements, sketch artists, interrogation of suspects, and criminal or psychological profiling of the perpetrator. The investigator must also consider peripheral aspects of the case, as follows:

  1. Possible media exposure

  2. Visibility of the case within the police department

  3. Interaction with the district attorney's office

  4. The political aspects of a high-visibility case

  5. Public reaction and safety

  6. Behaviors and the emotional state of the survivors' or victims' families

  7. Interaction with the suspects' attorneys

  8. The proper collection of evidence and maintaining a chain of custody

  9. Possible multiple jurisdictions involved in the investigation (which could include local, state, county, and/or federal investigators)

  10. The vigilant collection of circumstantial evidence to be used in a grand jury hearing or trial

It is not unusual for homicide detectives, at some point in their careers, to become overwhelmed with a case. Extremely long work hours, time away from their own families, emotional involvement with a case, and obsessive thought about a case can lead investigators down a path of personal issues (such as fatigue, health issues, divorce, depression). These are the human- or people-based issues of investigating conventional crimes. A parallel set of issues exists for incident response teams and the experts who make up incident response teams.

The human aspects of incident response can make or break a case . . . and perhaps make or break a company. Just as the experienced homicide detective uses every tool available, whether it is the forensics lab or the street informant, the incident response team of today must use every tool available. A state-of-the-art incident response team must also recognize the peripheral issues surrounding an incident and be equally experienced in anticipating and dealing with them. Most of these peripheral issues are human-based and do require an additional or different set of investigation and response skills.

This chapter is divided into four sections and delves into four human aspects of incident response. The four sections are cybercrime profiling (the psychological profiling of attackers), insiders (attackers who are inside your organization), dealing with incident victims, and incident response team fatigue and stress.



Incident Response. A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
