In a corporate network, the situation awareness (SA) of a security analyst is of particular interest. The current work describes a cognitive Instance-Based Learning (IBL) model of an analyst’s recognition and comprehension processes in a cyber-attack scenario. The IBL model first recognizes network events based upon events’ situation attributes and their similarity to past experiences (instances) stored in the model’s memory. Then, the model comprehends a sequence of observed events as being a cyber-attack or not, based upon instances retrieved from its memory, similarity mechanism used, and the model’s risk-tolerance. The execution of the model generates predictions about the recognition and comprehension processes of an analyst in a cyber-attack. A security analyst’s decisions in the model are evaluated based upon two cyber-SA metrics of accuracy and timeliness. The chapter highlights the potential of this research for design of training and decision support tools for security analysts.
TopIntroduction
With the prevalence of WikiLeaks hacks and other threats to corporate and national cybersecurity, guarding against cyber-attacks today is becoming a significant part of IT governance, especially because most government agencies have moved to online systems (Sideman, 2011). In order to protect national cybersecurity, leaders from the Defense Department, NATO, and the European Union assembled in Brussels recently to discuss a plan to prevent, detect, defend, and recover from cyber-attacks (Sideman, 2011). The leaders there agreed that existing cybersecurity measures were incomplete and decided to fast-track a new plan for cyber-incident response. Similarly, the Department of Homeland Security (DHS) has recently launched a national campaign called, “Stop|Think|Connect,” aiming to cultivate a collective sense of cyber–civic duty among personnel in organizations and enterprises that help preserve cybersecurity (Lute & McConnell, 2011). The DHS’ message begins with the following wisdom:
Senior management in each and every office, company and department, whether private or public, must take responsibility for the protection of its own systems and information, by fielding up-to-date security technology, training employees to avoid common vulnerabilities, and reporting cybercrime when it occurs. (Lute & McConnell, 2011, p. 1)
As 80%-90% of what individuals and the government do using the Internet today depend upon private corporate networks provided by organizations and enterprises (Sideman, 2011), according to DHS, corporate networks that ensure our cybersecurity have much bigger responsibilities than previously thought (Lute & McConnell, 2011). Thus, meeting the DHS’ objectives in a corporate network requires cyber situation-awareness (SA), a three stage process which includes recognition (or the awareness of the current situation in the network); comprehension (or the awareness of malicious behavior in the current situation in the network); and projection (assessment of possible future courses of action resulting from the current situation in the network) (Endsley, 1995; Tadda, Salerno, Boulware, Hinman, & Gorton, 2006).
The ability of a corporate network to protect itself from a cyber-attack using cyber-tools and algorithms without any interventions from human decision-makers is still a distant goal (Jajodia, Liu, Swarup, & Wang, 2010). Thus, the role of human decision-makers in security systems is one that is crucial and indispensible (Gardner, 1987; Johnson-Laird, 2006).
In the absence of perfect cyber-SA tools to recognize, comprehend, and project about cyber-attacks (PSU, 2011), a key role in the cybersecurity process is that of a security analyst. The security analyst is a human decision-maker who is in charge of protecting the online operations of a corporate network (e.g., an online retail company with an external webserver and an internal fileserver) from threats of random or organized cyber-attacks. However, very little is currently known about the role of the cognitive processes of the security analyst (like memory, risk-tolerance, similarity etc.) that might influence the cyber-SA of the analyst and his ability to detect cyber-attacks in corporate networks under different scenarios (Jajodia et al., 2010; PSU, 2011). Also, currently there seems to be a big gap between how security analysts function in the real world according to their cognitive processes and how cyber-SA tools and algorithms function that intend to replace human analysts, sometime in the future (Jajodia et al., 2010; PSU, 2011). Due to these reasons, it becomes important to investigate the influence of cognitive processes of a security analyst on his cyber-SA in popular cyber-attack scenarios.