A Feedback-based Evaluation Approach for the Continuous Adjustment of Incident Prioritization

Incident Prioritization is a technique that evaluates security incidents to derive a priority in order to enable an analyst to focus on the most important events first. It is traditionally based on a set of static calculations, which are rarely adjusted. Especially since there is no explicit process to identify errors and improvements are made and evaluated manually on a best guess basis. This leads to issues when changes occur, as due to shifting concepts, new entities and attacks or changing guidelines. In this paper, we discuss the requirements and an approach to assist in a continuous tuning of the incident prioritization model. We develop a process that involves feedback from an analyst in order to evaluate potential improvements. This process includes mechanisms to quickly identify incorrect ratings and supports the selection of a new model and its establishment.