Abstract for: Persistent Instabilities in the High-priority Incident Workload of CSIRTs

Since their inception Computer Security Incident Response Teams (CSIRTs) have been afflicted by chronic problems concerning workload, quality of service, and sustaining their constituency. We have cooperated with one of the oldest CSIRTs to model the most challenging issues. Low-priority and high-priority incident response cause distinct problems. In a previous paper we dealt with the impact of the exponential growth of low-priority incidents on the CSIRT workload. In this paper we deal with high-priority incident response and its impact on the CSIRT workload and quality of service. One observes long-term instabilities in workload and QoS and, ominously, oscillatory decreasing recognition of the CSIRT by its constituency. An improved communication of the service level provided by the CSIRT is the most effective policy to mitigate long-term instability in the workload and quality of service.