Cyber situation awareness as distributed socio-cognitive work

Tyworth, Michael; Giacobe, Nicklaus A.; Mancuso, Vincent

doi:10.1117/12.919338

Cited by 12 publications

(13 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Situation awareness (SA) literature specifically discusses how systems can support multiple levels of SA in relation to expertise, which can act as guidelines for system development and design [38]. Additional cyber SA literature and ongoing research [39][40][41][42] also may help guide application design specifically for cyber security.…”

Section: Implications For Technology Developmentmentioning

confidence: 99%

Identifying Expertise Gaps in Cyber Incident Response: Cyber Defender Needs vs. Technological Development

Nyre-Yu¹

2021

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Incident response is an area within cyber defense that is responsible for detecting, mitigating, and preventing threats within a given network. Like other areas of cyber security, incident response is experiencing a shortage of qualified workers which has led to technological development aimed at alleviating labor-related pressures on organizations. A cognitive task analysis was conducted with incident response experts to capture expertise requirements and used an existing construct to help prioritize development of new technology. Findings indicated that current software development incorporates factors such as analyst efficiency and consistency. Gaps were identified regarding communication and team navigation that are inherent to dynamic team environments. This research identified which expertise areas are needed at lower-tier levels of incident response and which of those areas current automation platforms are addressing. These gaps help focus future studies by bridging expertise research to development efforts.

show abstract

Section: Implications For Technology Developmentmentioning

confidence: 99%

Identifying Expertise Gaps in Cyber Incident Response: Cyber Defender Needs vs. Technological Development

Nyre-Yu¹

2021

Proceedings of the Annual Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

show abstract

“…The study of CSIRTs is different than cognitive expertise studies of individual analysts because CSIR is a distributed, team-based activity. A team-focused perspective was pervasive in the literature, including the study of situation awareness (e.g., Tyworth, Giacobe, & Mancuso, 2012). Work has examined CSIRTs in terms of large-scale issues, such as workforce development, team effectiveness and the social maturity of teams (Hoffman, Burley, & Toregas, 2012;Steinke et al, 2015;Tetrick et al, 2016).…”

Section: Prior Researchmentioning

confidence: 99%

Observing Cyber Security Incident Response: Qualitative Themes From Field Research

Nyre-Yu

Gutzwiller

Caldwell

2019

Proceedings of the Human Factors and Ergonomics Society Annual

View full text Add to dashboard Cite

Cyber security increasingly focuses on the challenges faced by network defenders. Cultural and security-driven sentiments about external observation, as well as publication concerns, limit the ability of researchers to understand the context surrounding incident response. Context awareness is crucial to inform design and engineering. Furthermore, these perspectives can be heavily influenced by the targeted sector or industry of the research. Together, a lack of broad contextual understanding may be biasing approaches to improving operations, and driving faulty assumptions in cyber teams. A qualitative field study was conducted in three computer security incident response teams (CSIRTs) and included perspectives of government, academia, and private sector teams. Themes emerged and provide insights across multiple aspects of incident response, including information sharing, organization, learning, and automation. The need to focus on vertical integration of issues at different levels of the incident response system is also discussed. Future research will build upon these results, using them to inform technology advancement in CSIR settings.

show abstract

“…Botta et al [60], [76] conduct interviews to investigate the organizational practices of cyberdefenders and how they achieve distributed cognition [77] within the organization. Tyworth et al [78] interviewed security analysts and similarly find that cyber SA is distributed across human operators and technological artifacts operating in four different functional areas: intrusion detection, threat landscape analysis, operations and policy and management. Each operational domain is separated by physical and virtual boundaries with individual communities of practice, which have distinct knowledge, terminologies, foci, understandings and practices and may even lie distributed outside the organization.…”

Section: Organizational Studies In Cybersecuritymentioning

confidence: 99%

On the collaborative practices of cyber threat intelligence analysts to develop and utilize tacit Threat and Defence Knowledge

Ahrend

Jirotka

Jones

2016

2016 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)

View full text Add to dashboard Cite

While the need for empirical investigations of cybersecurity analysts' collaborative work practices is widely acknowledged, research efforts are fairly limited. This paper aims to provide empirical evidence to support a deeper consideration for the seemingly intangible collaborative practices that situational awareness in cybersecurity relies on and add to our understanding of what it means to "do" threat intelligence. In particular, it aims to unpack the informal forms of collaboration and coordination at work that build tacit knowledge about threat actors and defenders and that span across time, people and tools to inform the translation of threat information into actionable threat intelligence. In-depth semi-structured interviews and diary studies are conducted at three cyber threat intelligence service providers (N=5) and analyzed using thematic analysis. This paper introduces the concept of Threat and Defence Knowledge, tacit knowledge that analysts within an organization form over time and utilize through informal ways of becoming aware of this knowledge, making it available and correlating it. We find that a lack of accessibility to knowledge about relevant threat and defence factors can reduce analysts' effectiveness at arriving at actionable threat intelligence and hence reduce the ability to be alerted in advance about cyber threats, to contain damage and obtain situational awareness. Perceived and potential shortcomings of the existing processes and tools are presented, and practices to circumvent the existing systems investigated and implications for design are considered.

show abstract

Cyber situation awareness as distributed socio-cognitive work

Cited by 12 publications

References 32 publications

Identifying Expertise Gaps in Cyber Incident Response: Cyber Defender Needs vs. Technological Development

Identifying Expertise Gaps in Cyber Incident Response: Cyber Defender Needs vs. Technological Development

Observing Cyber Security Incident Response: Qualitative Themes From Field Research

On the collaborative practices of cyber threat intelligence analysts to develop and utilize tacit Threat and Defence Knowledge

Contact Info

Product

Resources

About