From Evidence to Decisions: Interview-Based Study of Reporting Practices in Defensive Cyber Operations
DOI:
https://doi.org/10.34190/eccws.25.1.4839Keywords:
incident response, defensive cyber operation, stakeholder, human-dimension, analytics, reportingAbstract
Defensive cyber operations (DCO) missions demand rapid decision-making under active digital threats. Established doctrine and industry standards provide technical procedures for handling incidents. However, they offer little guidance on how reporting artifacts, such as data analytics, visualization, and briefs, are produced, adapted, and communicated for decision-making. To address this gap, we conducted an empirical investigation of reporting practices in DCO through semi-structured interviews with 15 cybersecurity practitioners (managers, analysts, infrastructure technicians, and developers) engaged in incident response and threat hunting. We derived a three-dimensional model of the reporting lifecycle structured around reporting roles, purpose, and operational timeline that characterizes how network data and analytic outputs are represented in reporting artifacts such as templates, risk matrices, and briefs under time pressure and organizational constraints. Our findings highlight how reporting is shaped by trust, audience language, and the balance of standardized and flexible templates. We point to the need for traceability-linked modules, audience-aware data analytics and visualization tools, and playbooks that incorporate reporting artifacts with flexible guidance in DCO.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.