Assessing a Decision Support Tool for SOC Analysts

Happa, Jassim; Agrafiotis, Ioannis; Helmhout, Martin; Bashford-Rogers, Thomas; Goldsmith, Michael; Creese, Sadie

doi:10.1145/3430753

Cited by 7 publications

(7 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The preliminary steps towards evaluating such systems were investigated very recently, for example, in the work of Rodriguez‐Bermejo et al, 70 who propose an evaluation methodology for mission‐centric cyber situational awareness capabilities covering correct technical implementation, core functionality, and user acceptance. In another example, Happa et al 71 conducted a user evaluation study of decision support tools for SOC analysts. A recent complex decision support system for cybersecurity incident handling proposed by Husák et al 2 also resorted to case study and user evaluation.…”

Section: Discussionmentioning

confidence: 99%

“…A testbed could be set up to create a benchmark for the evaluation of the system in a controlled environment. However, field trials and more interactions with potential users shall give more insights than formal evaluation or performance analysis 70‐72 . We plan to extend the number of modeled missions and circle of their stakeholders to collect feedback on the decision support system and its features.…”

Section: Discussionmentioning

confidence: 99%

“…However, field trials and more interactions with potential users shall give more insights than formal evaluation or performance analysis. [70][71][72] We plan to extend the number of modeled missions and circle of their stakeholders to collect feedback on the decision support system and its features. For example, it would be interesting to find a balance between the level of details in the mission decomposition model and the cost to maintain it.…”

Section: Discussionmentioning

confidence: 99%

See 2 more Smart Citations

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Javorník

Husák

2022

Engineering Reports

View full text Add to dashboard Cite

We present an approach to decision support in cybersecurity with respect to cyber threats and stakeholders' requirements. We approach situations in which cybersecurity experts need to take actions to mitigate the risks, such as temporarily putting an IT system out of operation, but need to consult them with other stakeholders. We propose a decision support system that uses a mission decomposition model representing the organization's functional and security requirements on its IT infrastructure. Based on the cybersecurity state assessment, that is, discovery of vulnerabilities and attacker's position, the decision support system calculates the resilience metrics for each IT infrastructure's configuration, that is, how likely are they to not be disrupted. The calculation is enabled by two novel formal models, Privilege-Exploit Attack Graph and Bayesian Privilege Attack Graph, which reduce complex attack graphs into a comprehensible bipartite graph. Moreover, they illustrate the impact of exploiting the vulnerabilities and attackers gaining the privileges. The system recommends the most resilient mission configurations that are comprehensible to both cybersecurity experts and non-technical stakeholders, who may then choose which configuration to apply. Our approach is illustrated in a case study of a real-world medical information system.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Javorník

Husák

2022

Engineering Reports

View full text Add to dashboard Cite

show abstract

“…Further exploring the tacit aspects of decision making occurring within contemporary SOCs, Happa et al (2021) evaluate the effectiveness of a decision support tool for SOC analysts. The authors conduct a user study to assess the tool’s ability to support analysts in decision-making, triage, and prioritization tasks.…”

Section: Literature Reviewmentioning

confidence: 99%

Understanding decision making in security operations centres: building the case for cyber deception technology

Reeves

Ashenden

2023

Front. Psychol.

View full text Add to dashboard Cite

IntroductionA Security Operations Centre (SOC) is a command centre where analysts monitor network activity, analyse alerts, investigate potential threats, and respond to incidents. By analysing data activities around the clock, SOC teams are crucial in ensuring the prompt detection and response to security incidents. SOC analysts work under considerable pressure to triage and respond to alerts in very short time frames. Cyber deception technology offers the promise of buying SOC analysts more time to respond by wasting the resources and time of attackers, yet such technology remains underutilised.MethodWe carried out a series of interviews with experts to uncover the barriers which prevent the effective implementation of cyber deception in SOCs.ResultsBy using thematic analysis on the data, it was clear that while cyber deception technology is promising it is hindered by a lack of use cases, limited empirical research that demonstrates the efficacy of the technology, hesitancy to embrace a more active form of cyber defence, issues surrounding the over promising of results by off-the-shelf vendors, and an aversion to interrupting the decision-making processes of SOC analysts.DiscussionTaking this last point about the decision-making processes of SOC analysts we make the case that naturalistic decision making (NDM) would help us better understand how SOC analysts make decisions and how cyber deception technology could be used to best effect.

show abstract

“…Recently, recommender systems were employed for the cybersecurity needs to help address the cyber attacks at the right place at the right time [3], [7], [8]. However, the cybersecurity teams are often understaffed or overloaded with work to successfully deploy all the tools proposed in recent research, namely in situations when the tools require non-trivial amounts of high-quality data or other inputs that are hard to collect [6], [9].…”

Section: Introductionmentioning

confidence: 99%

Lightweight Impact Assessment and Projection of Lateral Movement and Malware Infection

Husák,

Javorník

2023

2023 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Assessing a Decision Support Tool for SOC Analysts

Cited by 7 publications

References 23 publications

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Mission‐centric decision support in cybersecurity via Bayesian Privilege Attack Graph

Understanding decision making in security operations centres: building the case for cyber deception technology

Lightweight Impact Assessment and Projection of Lateral Movement and Malware Infection

Contact Info

Product

Resources

About