Abstract for: Preserving a balanced CSIRT constituency
Since their inception, Computer Security Incident Response Teams (CSIRTs) have been afflicted by chronic problems concerning workload, QoS and sustaining their constituency. We have cooperated with one of the oldest CSIRTs to model the most challenging issues. Low- and high-priority incident response cause different problems. In companion papers we dealt with the impact of the exponential growth of low-priority incidents on the CSIRT workload and the effect of high-priority incident response on the CSIRT workload and QoS. Here, we focus on a severe consequence of instabilities in high-priority incident response: problems retaining the internal constituency, i.e., the customer base or community whose funding enables the existence of the CSIRT. An external constituency (people and organizations outside the internal constituency) that is provided with limited services is unavoidable and even desirable, since security incidents often involve sites outside the internal constituency. But our model indicates that the instabilities in high-priority incident reporting create an imbalance that -- if it persists -- could threaten the very existence of the CSIRT. Our model suggests that a management strategy that reduces the turnover of the most frequent reporters is much better than any attempt to attract a higher number of frequent reporters.