Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the form of playbooks as recipes for handling incidents as they occur. However, current practices and mechanisms do not offer a disciplined approach to designing and representing playbooks, risking the effectiveness of the playbooks in directing and coordinating incident response. In this paper, we propose a formal, model-based design approach to designing cyber security incident response playbooks. We provide a tool prototype for the approach, developed using the Eclipse framework, and demonstrate how it can accommodate playbooks. Finally, we discuss how the approach can improve aspects of incident response throughout its lifecycle, by correctly prescribing and coordinating response actions as well as supporting organizational learning.