Cyber Incident Response Time Estimator

Estimates the total expected cyber incident response time (in hours) based on incident severity, team size, detection lag, containment complexity, and organizational readiness. Based on NIST SP 800-61 Rev. 2 incident response lifecycle phases.

Formula

T_total = T_detection_lag + (T_base × F_team × F_systems × F_playbook × F_data) + T_external

  • T_base = sum of phase base hours (Triage + Containment + Eradication + Recovery) by severity level
  • F_team = 1 / (1 + 0.15 × ln(teamSize)) — team efficiency with diminishing returns (Brooks's Law)
  • F_systems = 1 + 0.05 × ln(systemsAffected) — logarithmic scale for systems scope
  • F_playbook = 1.0 (full) / 1.3 (partial) / 1.7 (none) — readiness multiplier
  • F_data = 1.0 / 1.1 / 1.25 / 1.5 — data sensitivity compliance overhead
  • T_external = 8 hours fixed mobilization overhead if external IR firm engaged
  • T_detection_lag = hours elapsed before IR team was notified

Phase base hours by severity (industry benchmarks):

Severity        Triage   Containment   Eradication   Recovery   Total
1 – Low           1h          2h            2h           4h        9h
2 – Medium        2h          6h            8h          16h       32h
3 – High          4h         16h           24h          48h       92h
4 – Critical      8h         48h           72h         168h      296h
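The formula and table above, carried through as a runnable estimator. This is an added example, not the original calculator's code; the function names and the 0..3 tier indexing of the four data-sensitivity multipliers (the page lists the values but not tier names) are assumptions of this example.

```python
import math

# Phase base hours by severity from the table: (triage, containment, eradication, recovery)
PHASE_BASE_HOURS = {
    1: (1, 2, 2, 4),       # Low      -> T_base 9h
    2: (2, 6, 8, 16),      # Medium   -> T_base 32h
    3: (4, 16, 24, 48),    # High     -> T_base 92h
    4: (8, 48, 72, 168),   # Critical -> T_base 296h
}
PLAYBOOK_FACTOR = {"full": 1.0, "partial": 1.3, "none": 1.7}
# Assumption: tiers indexed 0..3 from least to most sensitive data.
DATA_FACTOR = (1.0, 1.1, 1.25, 1.5)
EXTERNAL_FIRM_HOURS = 8.0          # fixed mobilization overhead for a retained IR firm
BUSINESS_HOURS_MULTIPLIER = 2.5    # page guidance for business-hours-only teams


def team_factor(team_size: int) -> float:
    """F_team = 1 / (1 + 0.15 * ln(teamSize)); a team of 1 gets exactly 1.0."""
    if team_size < 1:
        raise ValueError("team_size must be >= 1")
    return 1.0 / (1.0 + 0.15 * math.log(team_size))


def systems_factor(systems_affected: int) -> float:
    """F_systems = 1 + 0.05 * ln(systemsAffected); a single system gives exactly 1.0."""
    if systems_affected < 1:
        raise ValueError("systems_affected must be >= 1")
    return 1.0 + 0.05 * math.log(systems_affected)


def estimate_response_hours(severity: int, team_size: int, systems_affected: int,
                            playbook: str, data_tier: int, detection_lag_hours: float = 0.0,
                            external_firm: bool = False, business_hours_only: bool = False) -> float:
    """T_total = T_detection_lag + (T_base * F_team * F_systems * F_playbook * F_data) + T_external."""
    t_base = sum(PHASE_BASE_HOURS[severity])
    active = (t_base * team_factor(team_size) * systems_factor(systems_affected)
              * PLAYBOOK_FACTOR[playbook] * DATA_FACTOR[data_tier])
    if business_hours_only:
        active *= BUSINESS_HOURS_MULTIPLIER   # only the active phases scale; lag and mobilization do not
    t_external = EXTERNAL_FIRM_HOURS if external_firm else 0.0
    return detection_lag_hours + active + t_external


if __name__ == "__main__":
    # Constructed scenario: high severity, 4 responders, 20 hosts, partial playbook,
    # tier-2 data, 36h detection lag, external firm engaged.
    hours = estimate_response_hours(3, 4, 20, "partial", 2, detection_lag_hours=36, external_firm=True)
    print(f"Estimated response time: {hours:.1f} hours ({hours / 24:.1f} days)")
```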

Assumptions & References

  • Phase base hours are derived from industry benchmark data in the IBM Cost of a Data Breach Report 2023 (avg. 204 days to identify + 73 days to contain for high-severity breaches) and normalized to IR lifecycle phases.
  • Team efficiency follows Brooks's Law (adding people to a late project makes it later), modeled as a logarithmic diminishing-returns function; a team of 1 gets no efficiency bonus, and larger teams reduce time but not linearly.
  • Systems affected uses a logarithmic scale per NIST SP 800-61 Rev. 2 guidance that scope growth is sublinear due to parallel remediation efforts.
  • Playbook multipliers reflect findings from SANS Incident Response Survey 2022: organizations with tested playbooks resolve incidents ~30–40% faster than those without.
  • Data sensitivity multipliers account for regulatory notification, legal review, and forensic preservation requirements under GDPR, HIPAA, PCI-DSS, and classified frameworks.
  • External IR firm mobilization overhead of 8 hours reflects typical SLA response windows for retainer-based DFIR services (e.g., CrowdStrike, Mandiant, Palo Alto Unit 42).
  • This estimator covers the active response lifecycle only (detection through recovery). Post-incident activities (lessons learned, regulatory reporting deadlines) are not included.
  • Estimates assume 24/7 IR team availability. Business-hours-only teams should multiply active phase hours by ~2.5×.
  • References: NIST SP 800-61 Rev. 2 (2012); IBM X-Force IRIS; SANS ICS/IR Survey 2022; Ponemon Institute, Cost of Cyber Crime Study; Brooks's Law: Brooks, F. P., The Mythical Man-Month (1975).
