Incident Management Mission Diagnostic Method, Version 1.0 - Cert

SUCCESS AND FAILURE DRIVERS
Each driver is an outcome driver that can guide an IMC toward a successful or failing outcome [7]. A success driver is a condition or circumstance (e.g., efficient work processes) that steers an IMC toward a successful outcome, while a failure driver is a condition or circumstance (e.g., inadequate budget) that steers an IMC toward an unsuccessful outcome. In IMMD, the set of drivers is evaluated to determine how many are success drivers and how many are failure drivers. Each IMC will have a mixture of success and failure drivers influencing the eventual outcome. The goal is for the success drivers to provide a stronger influence on the outcome and steer the IMC toward success, while failure drivers (which can also be considered risks) are mitigated.

BASIC IMMD APPROACH
The philosophy underlying the IMMD is that the relative number of success and failure drivers can be used to forecast an IMC’s potential for success. The analysis of drivers in IMMD has two parts:
1. Evaluate each driver to determine the extent to which it is a success or failure driver.
2. Analyze the entire set of drivers to estimate the overall potential for the success of the IMC.

[7] An outcome here is defined as the end result of a specific mission. In the case of a CSIRT, a successful outcome could be that all computer security incidents are successfully managed in a timely manner, with little adverse impact to the organization. An unsuccessful outcome might be that security incidents are undetected and cause significant, costly damage to constituent systems and data.

CMU/SEI-2008-TR-007