Paper Number
ICIS2025-1338
Paper Type
Complete
Abstract
The intuition of incident responders often determines whether organizations withstand cyberattacks, especially under ambiguity and time pressure. Drawing on Naturalistic Decision Making, we examine how intuition interacts with analytic reasoning, tools, and procedures in incident response, based on 23 interviews with experienced responders. We found that intuition is particularly critical during incident triage and analysis, where uncertainty is highest. To cope with this uncertainty, responders construct provisional storylines from sparse cues. In doing so, they rely on schema matching (e.g., the observed pattern matches a DDoS) and schema mismatching (e.g., the behavior deviates from what is expected), which triggers mental simulation and serial evaluation of candidate responses. Time pressure forces them to adopt a satisficing strategy – gathering just enough evidence to initiate containment and buy time for deeper analysis. Our findings highlight the limitations of technological and formalized approaches, underscoring the critical importance of practitioners' expertise. These limitations can be mitigated by integrating expert schemas into training and decision support tools.
Recommended Citation
Schaltegger, Thierry; Ambuehl, Benjamin; Geppert, Tim; and Ebert, Nico, "Understanding the Critical Role of Expert Intuition in Cyber Incident Response" (2025). ICIS 2025 Proceedings. 5.
https://aisel.aisnet.org/icis2025/cyb_security/cyb_security/5
Understanding the Critical Role of Expert Intuition in Cyber Incident Response
09-Cybersecurity