How big should a blue team be? [Resolved]

Let's say I wanted to convince my management that my company needed a blue team. I have all the arguments ready and I'm sure I'll give a great presentation. At the end I will have to spell out what it will cost. Therefore I should be able to say how big my blue team will be.

My blue team will look like the okay Wikipedia definition of a blue team:

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.

Is there a formula of some sort to calculate how big my blue team should be?

For instance, one person in the blue team per 100 employees, per 100 endpoints, per X customers or for every 100K$/€ of turnover? Or maybe a mixed calculation of that?

My threat model includes being able to defend against script kiddies and medium-skilled hackers that attack my services that are internet-facing, but it does not plan to defend against nation-state attacks and high-skilled and motivated hackers. Insider threats are a thing my company has heard of.

If needed, assume that my company is an IT service provider.

Question Credit: Tom K.
Asked September 2, 2019
Posted Under: Security
2 Answers

You can use a Poisson distribution related to the number of events and incidents, as seen in Chapter 9, Measuring Security Cost and Value, as part of the book, IT Security Metrics: A Practical Framework for Measuring Security & Protecting Data.

The book also mentions in that chapter how to focus a WBS for hiring and project purposes. Another more-strategic method is Hoshin Kanri.

Highly suggest that you also lever the NIST Special Publication 800-181, the NICE Cybersecurity Workforce Framework (NCWF), to map out roles to knowledge, skills, and abilities for standard operating procedures. A nice interface to those roles can be found here --

credit: atdre
Answered September 2, 2019
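A worked version of the Poisson approach above, as an added example that is not part of the answer or of the cited book: it takes a monthly incident rate, picks a planning ceiling at a chosen confidence level from the Poisson distribution, and converts that into a head count. The incident rate, hours per incident, productive hours and baseline-work share are constructed placeholder figures to be replaced with your own ticket data.

```python
"""Poisson-based blue team sizing from incident volume (added example)."""
import math


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam), accumulated term by term."""
    term = math.exp(-lam)  # P(X = 0)
    total = term
    for i in range(1, k + 1):
        term *= lam / i    # P(X = i) = P(X = i-1) * lam / i
        total += term
    return total


def poisson_quantile(lam: float, p: float) -> int:
    """Smallest k with P(X <= k) >= p: the incident count you plan capacity for."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    k = 0
    while poisson_cdf(k, lam) < p:
        k += 1
    return k


def analysts_needed(incidents_per_month: float, hours_per_incident: float,
                    productive_hours_per_analyst: float, confidence: float = 0.95,
                    baseline_fraction: float = 0.3) -> dict:
    """Head count such that, in `confidence` of months, incident handling fits
    into the analysts' hours after reserving `baseline_fraction` of each
    analyst's time for non-incident work (control verification, tuning,
    documentation: the "verify the effectiveness" part of the definition)."""
    ceiling = poisson_quantile(incidents_per_month, confidence)
    incident_hours = ceiling * hours_per_incident
    available_per_analyst = productive_hours_per_analyst * (1 - baseline_fraction)
    analysts = math.ceil(incident_hours / available_per_analyst)
    return {"incident_ceiling": ceiling, "incident_hours": incident_hours,
            "analysts": analysts}


if __name__ == "__main__":
    # Constructed placeholder figures: 20 incidents/month averaging 6 hours each,
    # 140 productive hours per analyst per month.
    print(analysts_needed(20, 6, 140))
```

Raising `confidence` or lowering `baseline_fraction` shows management directly how much of the head count buys headroom for bad months versus steady-state proactive work.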

I would say to accurately answer this you would calculate your company's current risk exposure (from cyber vectors) via quantitative analysis (e.g. monte carlo simulation). Armed with this data you could then scope an appropriate cyber security operations budget (capital and operational expenditures). If I'm the CFO and I'm evaluating a proposal to establish a blue team that is the data I would want.

credit: DarkMatter
Answered September 2, 2019