Operations-informed incident response playbooks

Avi Shaked*, Yulia Cherdantseva, Pete Burnap, Peter Maynard

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Cyber security incident response playbooks are critical for establishing an effective incident response capability within organizations. We identify a significant conceptual gap in the current research and practice of cyber security playbook design: the inability to communicate the operational impact of an incident, and of the incident response itself, on an organization. In this paper, we present a mechanism to address this gap by introducing the operational context into an incident response playbook. This conceptual contribution calls for a shift from playbooks that consist only of process models to playbooks that consist of process models closely linked with a model of operations. We describe a novel approach to embed a model of operations into the incident response playbook and link it with the playbook's incident response activities. This allows the playbook to reflect, in an accurate and systematic way, the interdependencies and mutual influences between incident response activities and operations. The approach includes a new metric for evaluating the change in operations, used in coordination with critical thresholds, to support decision-making during cyber security incident response. We demonstrate the application of the proposed approach to playbook design in the context of a ransomware attack incident response, using a newly developed open-source tool.

Original language: English
Article number: 103454
Journal: Computers and Security
Volume: 134
DOIs
State: Published - Nov 2023
Externally published: Yes

Keywords

  • Critical national infrastructure
  • Cyber security
  • Impact analysis
  • Incident response
  • Model of operations
  • Organizational capability
