Cyber Security Hygiene (Reactive) SAPP

This article is part of my Cybersecurity Hygiene Series - I recommend reading the background information about the series first to understand how these tips are structured. See this post: Cyber Security Hygiene.

Knowing what to do when something goes wrong can be just as important as working to prevent it. Anyone who has ever worked in any sort of first responder role (medical, fire fighting, or in my case Search and Rescue) will be familiar with the idea of following a well practiced protocol as a means to take appropriate action when an incident occurs.

One of these protocols called SAPP (Stop Assess Plan Proceed) is just as applicable to a cyber security incident as it might be in the search and rescue context.

Situation

Something has happened: perhaps your computer has just frozen, a concerning message has popped up, or you received an SMS message or questionable email. Many things that happen with technology can cause concern. Taking a moment to SAPP in any of these situations is a great first step.

Stop: The very first thing to do is to stop doing anything at all. Take a moment to catch your breath. You might be looking at what seems like an urgent message, but nothing is so urgent that a few moments will make it worse, whereas rushing into it might. Take a moment to allow any panic to subside so you can approach the situation rationally and objectively. While you have stopped "doing", take a moment to observe what is going on and collect the facts.

Assess: Now that your heart rate is down, consider what you have observed and what you know about the situation. What exactly is the situation, and have you seen this sort of thing before? What, if anything, looks unusual about it? Does it make sense? Are there indicators that might lead you to conclusions about the root cause of what you are seeing?

Plan: Now that you have some factual information, you can take the time necessary to think through what is going on. Weigh what you know and make a plan for how you want to approach the situation. Notice that up to this point you are still not actually doing anything; this stage is only about deciding what you should do next. Keep in mind that, depending on your technical expertise, that plan might be to contact someone else for help. Altogether, everything up to and including this part of the SAPP may only have taken a few minutes, but having adopted the structure to take a breath and establish a plan means you are acting in a purposeful manner rather than just making a knee-jerk reaction.

Proceed: You have a plan and understand the facts, so now you can actually begin to act on that plan. Keep in mind that the situation may change and you may need to SAPP again, sometimes multiple times, but in each case you can repeat the process and make sure you are working from a plan each time you begin to take action.

Additional Notes

One of the reasons that first responders adopt the SAPP approach is safety. It's tempting to rush in to save someone, but if you fail to notice the additional hazards and focus only on the person in distress, you may end up in distress yourself, and the problem has just got worse, not better.

In the cyber security context, perhaps a warning message has appeared on your screen stating that you must click a button immediately or dire things will happen. In reality the warning is nothing but a ruse and nothing bad has actually occurred - yet - but if you click that button, you're giving a script permission to do bad things, and then you will have a problem. A SAPP may completely prevent the incident that you think you are experiencing, when in fact there is nothing there at all.