questionnaire.md

Incident Response Processes: Questionnaire

Welcome

Thank you for participating in our study!

•   This study is a joint research project on incident response processes and playbooks from X.
  

•   The study has four parts and takes 7 min.
  

•   Please always refer to your organization (e.g., the company you work for) when asked about processes and playbooks.
  

•   Participation is voluntary; you can withdraw at any point before submitting your answers by closing your browser window.
  

•   All data collected is exclusively used for scientific research. It is possible that we make anonymized and aggregated data publicly available.
  

•   We raffle off a 100€ Amazon gift card among all participants who decide to participate until X.
  

•   We use the term incident to broadly refer to any violation of the confidentiality, integrity, or availability of information or systems.
  

If you need further details or have problems answering the questions, please contact X.

Consent

I hereby confirm that I am over 18 years old, have read and understood the given information on participation, and voluntarily provide answers to the following questions. I agree that my data will be stored in anonymized form and can be published anonymously for scientific purposes. I am aware that I submit my data by clicking "send".

Demographics and Organization

•   How did you find out about the study?
  

•   What is your current job role or position in your organization?
  

  • IT operations (e.g., system admin)
    

  • Security operations (e.g., SOC analyst)
    

  • Incident handler
    

  • Security researcher
    

  • Security consultant
    

  • Senior security expert (e.g., security engineer)
    

  • Senior security manager (e.g., SOC manager / head of CTI)
    

  • Other: ___________________
    

•   How many years have you been working in cybersecurity?
  

•   Which country do you work in?
  

  • USA
    

  • UK
    

  • Germany
    

  • China
    

  • India
    

  • Other: ___________________
    

•   How many employees work in your organization?
  

•   Which industry or sector is your organization part of?
  

•   Which cybersecurity teams does your organization have?
  

  • Incident response (CERT/CSIRT)
    

  • Cyber Threat Intelligence (CTI)
    

  • Product security (ProductCERT)
    

  • Security Operations Center (SOC)
    

  • Security governance / risk
    

  • Other: ___________________
    

•   How many security experts work on incident response topics?
  

•   How mature do you rate your incident response team?
  

  no team (0)	1	2	3	very mature team (4)

•   How mature do you rate your incident response processes?
  

  no processes (0)	1	2	3	very mature processes (4)

•   How mature do you rate your incident response technology stack?
  

  no specific technology (0)	1	2	3	very mature technology stack (4)

Incident Response Playbooks

The notion of incident response playbooks has recently gained attention. However, there are different definitions and perceptions.

• What is a playbook to you?
  

  From an academic perspective, we use the following playbook definition:

  A playbook describes a specific incident response process or procedure based on a workflow with individual steps or actions.

  Playbooks are integral to SOAR platforms. Standardization efforts (e.g., OASIS CACAO) allow structured playbook representation and implementation. Playbooks structure best practices and executable instructions.

• Which term(s) do you use to refer to the concept of playbooks?
  

• Do you use playbooks?
  

• How many playbooks do you have?
  

• How are your playbooks represented?
  

  • Text-based (e.g., table, checklist - Markdown)
    

  • Graphical (e.g., diagram - BPMN)
    

  • Code-based (e.g., file, script - JSON, YAML, Python)
    

  • Other: ___________________
    

• How many playbooks are code-based?
  

• Why do you use playbooks?
  

  • Automation
    

  • Compliance
    

  • Documentation
    

  • Onboarding
    

  • Other: ___________________
    

• Which operational purposes do your playbooks have?
  

  • Alerting, ticketing, reporting
    

  • Investigation, analysis, threat intelligence
    

  • Countermeasures, mitigation
    

  • Other: ___________________
    

• Do you have multi-purpose playbooks?
  

  These playbooks combine operational purposes.

• Do you have playbooks for incident types?
  

• Which are your three most common incident types addressed by playbooks?
  

• Do you have a playbook hierarchy?
  

  Playbooks referencing other playbooks.

• Do you use external playbooks?
  

• Did you modify external playbooks?
  

• Did you create playbooks from scratch?
  

• What was your personal contribution to the creation/modification of the playbooks?
  

  no contribution (0)	1	2	3	complete contribution (4)

• Do you share playbooks?
  

  •   Internally
    

  •   Externally
    

  •   No
    

• What is the automation level of your playbooks?
  

  The automation level is the extent to which playbooks can be executed without human intervention.

  no automation (0)	1	2	3	very high automation (4)

• Which tool(s) do you use for playbook management and deployment?
  

Incident Response Scenarios

Malware

• How many steps does your malware infection process/playbook contain?
  

• Does your malware infection process/playbook contain parallel steps?
  

• Does your malware process/playbook have specific steps that are based on...?
  

  •   Attacker characteristics
    

  •   Industry standards and guidelines
    

  •   Laws and regulations
    

  •   Supply chain/business partner requirements
    

  •   Your internal directives about incident response data operations
    

  •   Your assets/attack targets
    

  •   Your security culture and mandate
    

  •   Your security team
    

  •   Your IT infrastructure
    

  •   Your security tools
    

Phishing

• How many steps does your phishing process/playbook contain?
  

• Does your phishing process/playbook contain parallel steps?
  

• Does your phishing process/playbook have specific steps that are based on...?
  

  •   Attacker characteristics
    

  •   Industry standards and guidelines
    

  •   Laws and regulations
    

  •   Supply chain/business partner requirements
    

  •   Your internal directives about incident response data operations
    

  •   Your assets/attack targets
    

  •   Your security culture and mandate
    

  •   Your security team
    

  •   Your IT infrastructure
    

  •   Your security tools
    

Account Compromise

• How many steps does your account compromise process/playbook contain?
  

• Does your account compromise process/playbook contain parallel steps?
  

• Does your account compromise process/playbook have specific steps that are based on...?
  

  •   Attacker characteristics
    

  •   Industry standards and guidelines
    

  •   Laws and regulations
    

  •   Supply chain/business partner requirements
    

  •   Your internal directives about incident response data operations
    

  •   Your assets/attack targets
    

  •   Your security culture and mandate
    

  •   Your security team
    

  •   Your IT infrastructure
    

  •   Your security tools
    

Incident Response Factors

• Which factors do you think influence incident response processes and the use of playbooks?
  

  •   Attacker characteristics
    

  •   Industry standards and guidelines
    

  •   Laws and regulations
    

  •   Supply chain/business partners
    

  •   Incident response directives
    

  •   People and culture
    

  •   Technology
    

Thank you

•   If you are interested in the results of our study and the chance to win a 100€ Amazon gift card, please provide your personal email address here:
  

•   Math CAPTCHA: 4o + 5o
  

Please click submit to send your answers. Thank You!