Incident response teams in IT operations centers: the T-TOCs model of team functionality

We studied the nature of incident response teams in seven Operations Centers of varying size and types including service providers, a Security Operations Center, a Data Center, and two military training Operations Centers. All responded to incidents by forming teams. We asked: what is the context of incident response work? how can we model incident response work? and what are the implications for tool developers? Activity theory guided our research throughout. Using an ethnographic approach to data collection, we shadowed 129 individuals for a total of 250 h of observations, conducted 38 interviews, and facilitated 11 meetings with executives of Operations Centers. We produced rich descriptions of the work of operators and a model of incident team formation called the Tailor-made Teams in Operations Centers (T-TOCs). We position our results relative to other ethnographic studies and standards in the industry, showing how incident team formation has changed over time. Today’s incident response team is ad hoc, i.e., tailor-made to the circumstances, and responsive to changing circumstances. Our model draws parallels between the incident response work of teams and human cognition. We conclude by pointing out that tools for tailor-made teams are in their infancy.