Pursuing and Prosecuting
Pursue Incident if
- systems and assets are protected
- backups exist
- concentrated and frequent attack
- incur financial damage
- intruder can be contained and controlled
- good monitors exist
Don’t Pursue incident if
- No sufficient evidence
- Site is not well protected
- The willingness to prosecute doesn’t exist
- Site is vulnerable to lawsuits
- Resources unknown