Vulnerability analysis and response may require networking and forensics skills for certain classes of vulnerabilities, but often also requires some mix of the following skills:

In most organizations, these skills will likely be dispersed among a team of people rather than expecting a single person to be fluent with all of these topics.

Beware Analyst Burnout

Some organizations may have a small enough flow of incoming vulnerability reports that all the CVD-related roles can be fulfilled by a single team, or even a single person. Other organizations might choose to split the technical analysis roles apart from the more human-oriented communication and coordination roles. No matter the arrangement, it is important that vendors and coordinators establishing a CVD capability mitigate the potential for analyst burnout. Burnout of security analysts is a well-documented phenomenon [1,2,3]. Analysts working full-time in a CVD process are at risk of this too. A vendor's CVD capability may receive a large number of incoming reports each week, especially at larger vendors. This can result in CVD staff becoming stressed and having low job satisfaction, leading to lower quality of work and ultimately employee attrition. The costs of lower quality work (e.g., missing an important report), employee turnover (e.g., hiring and training a new analyst), and associated damage to the vendor's reputation suggest that this problem should be addressed ahead of time with reasonable precautions. At the CERT/CC, we have attempted to mitigate this issue with reasonable success by implementing the suggestions below. Research has shown that many of these are effective responses to commonly held morale problems [3].

A related approach, shared with us by a vendor, is work rotation, whereby team members are rotated in and out of CVD roles; rather than being temporary, the rotation is a permanent arrangement among a larger group of team members. An example would be an analyst spending one week in a CVD role, followed by two to three weeks on a different project or role. The same concerns discussed above apply here; organizations must be careful to balance time in and out of CVD roles in order to maximize the effectiveness of the rotation.

Due to the possibility of burnout and the associated costs, the CERT/CC recommends that CVD capability be established within a well-resourced team or teams specifically created for this task, rather than concentrating the responsibilities in a small team, or even a single person. Our suggestions above may be helpful in combating analyst burnout, but they do not form an exhaustive list of possible actions.

