Evaluation of Information Elements in a Cyber Incident Report

2020 
An analyst’s main task within cyber security is to monitor, analyze, and decide on appropriate remedies for detected attacks. Analysts should ideally produce incident reports for record keeping and traceability, but also to enable information sharing. This paper investigates which information elements need to be included in an incident report to support incident management in a time-critical, high-mental-workload situation. Background information on existing reporting templates was drawn from the literature. Five different templates, a data exchange format, and two cyber situational awareness frameworks were analyzed. Then a novel reporting template from the military domain was scrutinized during a live cyber defense exercise. The results show that the information elements in the various existing templates differ, probably due to their different areas of use. The proposed military template was found to be useful to a high degree, even for incident reporting in the civilian sector. The new template can be improved by introducing additional fields, e.g. descriptions of victims, attackers, and assessments of attackers’ motives.