{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T07:32:11Z","timestamp":1770967931358,"version":"3.50.1"},"reference-count":33,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2010,3,23]],"date-time":"2010-03-23T00:00:00Z","timestamp":1269302400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010,3,23]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to examine security incident response practices of information technology (IT) security practitioners as a diagnostic work process, including the preparation phase, detection, and analysis of anomalies.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>The data set consisted of 16 semi\u2010structured interviews with IT security practitioners from seven organizational types (e.g. academic, government, and private). The interviews were analyzed using qualitative description with constant comparison and inductive analysis of the data to analyze diagnostic work during security incident response.<\/jats:p><\/jats:sec>Findings<\/jats:title>The analysis shows that security incident response is a highly collaborative activity, which may involve practitioners developing their own tools to perform specific tasks. The results also show that diagnosis during incident response is complicated by practitioners' need to rely on tacit knowledge, as well as usability issues with security tools.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>Owing to the nature of semi\u2010structured interviews, not all participants discussed security incident response at the same level of detail. More data are required to generalize and refine the findings.<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>The contribution of the work is twofold. First, using empirical data, the paper analyzes and describes the tasks, skills, strategies, and tools that security practitioners use to diagnose security incidents. The findings enhance the research community's understanding of the diagnostic work during security incident response. Second, the paper identifies opportunities for future research directions related to improving security tools.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685221011035241","type":"journal-article","created":{"date-parts":[[2010,3,13]],"date-time":"2010-03-13T07:05:46Z","timestamp":1268463946000},"page":"26-42","source":"Crossref","is-referenced-by-count":69,"title":["Preparation, detection, and analysis: the diagnostic work of IT security incident response"],"prefix":"10.1108","volume":"18","author":[{"given":"Rodrigo","family":"Werlinger","sequence":"first","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]},{"given":"Kasia","family":"Muldner","sequence":"additional","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]},{"given":"Kirstie","family":"Hawkey","sequence":"additional","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]},{"given":"Konstantin","family":"Beznosov","sequence":"additional","affiliation":[],"role":[{"role":"author","vocab":"crossref"}]}],"member":"140","reference":[{"key":"key2022031820390239900_b1","doi-asserted-by":"crossref","unstructured":"Bailey, J., Kandogan, E., Haber, E. and Maglio, P. (2007), \u201cActivity\u2010based management of it service delivery\u201d, CHIMIT '07: Proceedings of Symposium on Computer Human Interaction for the Management of Information Technology, Cambridge, MA, pp. 1\u20105.","DOI":"10.1145\/1234772.1234779"},{"key":"key2022031820390239900_b2","doi-asserted-by":"crossref","unstructured":"Botta, D., Werlinger, R., Gagne, A., Beznosov, B., Iverson, L., Fels, S. and Fisher, B. (2007), \u201cTowards understanding IT security professionals and their tools\u201d, Proceedings of Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, pp. 100\u201011.","DOI":"10.1145\/1280680.1280693"},{"key":"key2022031820390239900_b3","unstructured":"Casey, E. (2002), \u201cError uncertainty and loss in digital evidence\u201d, International Journal of Digital Evidence, Vol. 1 No. 2."},{"key":"key2022031820390239900_b4","doi-asserted-by":"crossref","unstructured":"Casey, E. (2005), \u201cCase study: network intrusion investigation \u2013 lessons in forensic preparation\u201d, Digital Investigation, Vol. 2 No. 4, pp. 254\u201060.","DOI":"10.1016\/j.diin.2005.11.007"},{"key":"key2022031820390239900_b5","doi-asserted-by":"crossref","unstructured":"Charmaz, K. (2006), Constructing Grounded Theory, Sage, London.","DOI":"10.1002\/9781405165518.wbeosg070"},{"key":"key2022031820390239900_b6","doi-asserted-by":"crossref","unstructured":"Chiasson, S., van Oorschot, P.C. and Biddle, R. (2007), \u201cEven experts deserve usable security: design guidelines for security management systems\u201d, SOUPS 2007 Workshop on Usable IT Security Management (USM), Pittsburgh, PA, pp. 1\u20104.","DOI":"10.1145\/1280680.1280682"},{"key":"key2022031820390239900_b7","doi-asserted-by":"crossref","unstructured":"Fisler, K., Krishnamurthi, S., Meyerovich, L.A. and Tschantz, M.C. (2005), \u201cVerification and change\u2010impact analysis of access\u2010control policies\u201d, ICSE '05: Proceedings of 27th International Conference on Software Engineering, St Louis, MO, pp. 196\u2010205.","DOI":"10.1145\/1062455.1062502"},{"key":"key2022031820390239900_b8","unstructured":"Gagne, A., Muldner, K. and Beznosov, K. (2008), \u201cIdentifying differences between security and other IT professionals: a qualitative analysis\u201d, Proceedings of HAISA'08: Human Aspects of Information Security and Assurance, Plymouth, pp. 69\u201080."},{"key":"key2022031820390239900_b9","unstructured":"Gibson, S. (2001), \u201cThe strange tale of the denial of service attacks on GRC.com\u201d, available at: http:\/\/whitepapers.zdnet.co.uk\/."},{"key":"key2022031820390239900_b10","doi-asserted-by":"crossref","unstructured":"Goodall, J.R., Lutters, W.G. and Komlodi, A. (2004a), \u201cI know my network: collaboration and expertise in intrusion detection\u201d, CSCW '04: Proceedings of ACM Conference on Computer Supported Cooperative Work (CSCW), New York, NY, pp. 342\u20105.","DOI":"10.1145\/1031607.1031663"},{"key":"key2022031820390239900_b11","unstructured":"Goodall, J.R., Lutters, W.G. and Komlodi, A. (2004b), \u201cThe work of intrusion detection: rethinking the role of security analysts\u201d, Proceedings of Americas Conference on Information Systems (AMCIS), New York, NY, pp. 1421\u20107."},{"key":"key2022031820390239900_b12","doi-asserted-by":"crossref","unstructured":"Halverson, C.A., Erickson, T. and Ackerman, M.S. (2004), \u201cBehind the help desk: evolution of a knowledge management system in a large organization\u201d, CSCW '04: Proceedings of ACM Conference on Computer Supported Cooperative Work (CSCW), New York, NY, pp. 304\u201013.","DOI":"10.1145\/1031607.1031657"},{"key":"key2022031820390239900_b13","doi-asserted-by":"crossref","unstructured":"Hawkey, K., Botta, D., Werlinger, R., Muldner, K., Gagne, A. and Beznosov, K. (2008), \u201cHuman, organizational, and technological factors of IT security\u201d, Ext. Abstracts of ACM Conference on Human Factors in Computing Systems (CHI 2008), Florence, pp. 3639\u201044.","DOI":"10.1145\/1358628.1358905"},{"key":"key2022031820390239900_b14","unstructured":"Kandogan, E. and Haber, E.M. (2005), \u201cSecurity administration tools and practices\u201d, in Cranor, L.F. and Gar\ufb01nkel, S. (Eds), Security and Usability: Designing Secure Systems that People Can Use, O'Reilly, Sebastopol, CA, pp. 357\u201078."},{"key":"key2022031820390239900_b15","doi-asserted-by":"crossref","unstructured":"Killcrece, G., Kossakowski, K., Ruefle, R. and Zajicek, M. (2003), \u201cState of the practice of computer security incident response teams (CSIRTs)\u201d, available at: www.cert.org\/archive\/pdf\/03tr001.pdf.","DOI":"10.21236\/ADA421664"},{"key":"key2022031820390239900_b16","unstructured":"Killcrece, G., Kossakowski, K., Ruefle, R. and Zajicek, M. (2005), \u201cIncident management\u201d, Technical Report, US Department of Homeland Security, Washington, DC."},{"key":"key2022031820390239900_b17","doi-asserted-by":"crossref","unstructured":"Mitropoulos, S., Patsos, D. and Douligeris, C. (2006), \u201cOn incident handling and response: a state of the art approach\u201d, Computers and Security, Vol. 25 No. 5, pp. 351\u201070.","DOI":"10.1016\/j.cose.2005.09.006"},{"key":"key2022031820390239900_b18","doi-asserted-by":"crossref","unstructured":"Orr, J.E. (1986), \u201cNarratives at work: story telling as cooperative diagnostic activity\u201d, CSCW '86: Proceedings of ACM Conference on Computer\u2010Supported Cooperative Work (CSCW), New York, NY, pp. 62\u201072.","DOI":"10.1145\/637069.637077"},{"key":"key2022031820390239900_b33","doi-asserted-by":"crossref","unstructured":"Park, J. and Jung, W. (2003), \u201cThe requisite characteristics for diagnosis procedures based on the empirical findings of the operators' behavior under emergency situations\u201d, Reliability Engineering & System Safety, Vol. 81 No. 2, pp. 197\u2010213.","DOI":"10.1016\/S0951-8320(03)00098-X"},{"key":"key2022031820390239900_b19","unstructured":"Polanyi, M. (1966), The Tacit Dimension, Doubleday, New York, NY."},{"key":"key2022031820390239900_b20","doi-asserted-by":"crossref","unstructured":"Rayford, R.H., Vaughn, B. Jr and Fox, K. (2001), \u201cAn empirical study of industrial security engineering practices\u201d, The Journal of Systems and Software, Vol. 61, pp. 225\u201032.","DOI":"10.1016\/S0164-1212(01)00150-9"},{"key":"key2022031820390239900_b21","unstructured":"Redish, J. (2007), \u201cExpanding usability testing to evaluate complex systems\u201d, Journal of Usability Studies, Vol. 2 No. 3, pp. 102\u201011."},{"key":"key2022031820390239900_b22","unstructured":"Riden, J. (2006), \u201cResponding to security incidents on a large academic network\u201d, available at: www.infosecwriters.com\/text_resources\/."},{"key":"key2022031820390239900_b23","doi-asserted-by":"crossref","unstructured":"Roy, M.J., Sticha, D.L., Kraus, P.L. and Olsen, D.E. (2006), \u201cSimulation and virtual reality in medical education and therapy: a protocol\u201d, Cyber Psychology and Behavior, Vol. 9 No. 2, pp. 245\u20107.","DOI":"10.1089\/cpb.2006.9.245"},{"key":"key2022031820390239900_b24","doi-asserted-by":"crossref","unstructured":"Sandelowski, M. (2000), \u201cWhatever happened to qualitative description?\u201d, Research in Nursing & Health, Vol. 23 No. 4, pp. 334\u201040.","DOI":"10.1002\/1098-240X(200008)23:4<334::AID-NUR9>3.0.CO;2-G"},{"key":"key2022031820390239900_b25","doi-asserted-by":"crossref","unstructured":"Schultz, E.E. (2007), \u201cComputer forensics challenges in responding to incidents in real life setting\u201d, Computer Fraud & Security, Vol. 12, pp. 12\u201016.","DOI":"10.1016\/S1361-3723(07)70169-0"},{"key":"key2022031820390239900_b26","unstructured":"Spafford, E.H. (2003), \u201cA failure to learn from the past\u201d, Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, December 8\u201012, pp. 217\u201033."},{"key":"key2022031820390239900_b27","doi-asserted-by":"crossref","unstructured":"Stephenson, P. (2004), \u201cThe application of formal methods to root cause analysis of digital incidents\u201d, International Journal of Digital Evidence, Vol. 3 No. 1.","DOI":"10.1016\/S1361-3723(05)70186-X"},{"key":"key2022031820390239900_b28","doi-asserted-by":"crossref","unstructured":"Thompson, R.S., Rantanen, E. and Yurcik, W. (2006), \u201cNetwork intrusion detection cognitive task analysis: textual and visual tool usage and recommendations\u201d, Proceedings of Human Factors and Ergonomics Society Annual Meeting (HFES), Santa Monica, CA, pp. 669\u201073.","DOI":"10.1177\/154193120605000511"},{"key":"key2022031820390239900_b29","unstructured":"Weick, K. and Sutcliffe, K. (2001), Managing the Unexpected: Assuring High Performance in an Age of Complexity, Jossey\u2010Bass, San Francisco, CA."},{"key":"key2022031820390239900_b31","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K., Botta, D. and Beznosov, K. (2009), \u201cSecurity practitioners in context: their activities and interactions with other stakeholders within organizations\u201d, International Journal of Human Computer Studies, Vol. 67 No. 7, pp. 584\u2010606.","DOI":"10.1016\/j.ijhcs.2009.03.002"},{"key":"key2022031820390239900_b30","doi-asserted-by":"crossref","unstructured":"Werlinger, R., Hawkey, K., Muldner, K., Jaferian, P. and Beznosov, K. (2008), \u201cThe challenges of using an intrusion detection system: is it worth the effort?\u201d, Proceedings of Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, pp. 107\u201016.","DOI":"10.1145\/1408664.1408679"},{"key":"key2022031820390239900_b32","doi-asserted-by":"crossref","unstructured":"Yamauchi, Y., Whalen, J. and Bobrow, D.G. (2003), \u201cInformation use of service technicians in difficult cases\u201d, CHI '03: Proceedings of Human Factors in Computing Systems, Fort Lauderdale, FL, April 5\u201010, pp. 81\u20108.","DOI":"10.1145\/642611.642627"}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221011035241\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685221011035241\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:12Z","timestamp":1753402152000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/18\/1\/26-42\/182270"}},"subtitle":[],"editor":[{"given":"Steven M.","family":"Furnell","sequence":"first","affiliation":[],"role":[{"role":"editor","vocab":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2010,3,23]]},"references-count":33,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2010,3,23]]}},"alternative-id":["10.1108\/09685221011035241"],"URL":"https:\/\/doi.org\/10.1108\/09685221011035241","relation":{},"ISSN":["0968-5227"],"issn-type":[{"value":"0968-5227","type":"print"}],"subject":[],"published":{"date-parts":[[2010,3,23]]}}}