Requirements for Playbook-Assisted Cyber Incident Response, Reporting and Automation

Cybersecurity playbooks assume an increasingly important role as threat-specific documents for guiding operators in the context of cyber incident response. However, these playbooks are mostly unstructured or semi-structured, which significantly limits their utility when it comes to automating response and reporting steps, complying with cybersecurity directives, or sharing best practices for incident response across organisations. We thus argue that cybersecurity playbooks must transition to interoperable and machine-readable formats from generation, via management and utilisation to cross-organisational sharing. In this work, we identify and structure key requirements based on expert interviews as a first step toward this transition. From these requirements, we derive a framework for further guidance during the transition to structured security playbooks and their utilisation in a tool-assisted fashion. We discuss the implications of our framework and lessons learned before outlining directions for future research.