The awareness of operators: a goal-directed task analysis in SOCs for critical infrastructure

IF 2.4 4区 计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Håvard Jakobsen Ofte
{"title":"The awareness of operators: a goal-directed task analysis in SOCs for critical infrastructure","authors":"Håvard Jakobsen Ofte","doi":"10.1007/s10207-024-00872-6","DOIUrl":null,"url":null,"abstract":"<p>Security operation centers (SOCs) are increasingly established to meet the growing threat against cyber security. The operators of SOCs respond to complex incidents under time constraints. Within critical infrastructure, the consequences of human error or low performance in SOCs may be detrimental. In other domains, situation awareness (SA) has proven useful to understand and measure how operators use information and decide the correct actions. Until now, SA research in SOCs has been restricted by a lack of in-depth studies of SA mechanisms. Therefore, this study is the first to conduct a goal-directed task analysis in a SOC for critical infrastructure. The study was conducted through a targeted series of unstructured and semi-structured interviews with SOC operators and their leaders complemented by a review of documents, incident reports, and in situ observation of work within the SOC and real incidents. Among the presented findings is a goal hierarchy alongside a complete overview of the decisions the operators make during escalated incidents. How the operators gain and use SA in these decisions is presented as a complete set of SA requirements. The findings are accompanied by an analysis of contextual differences in how the operators prioritize goals and use information in network incidents and security incidents. This enables a discussion of what SA processes might be automated and which would benefit from different SA models. The study provides a unique insight into the SA of SOC operators and is thus a steppingstone for bridging the knowledge gap of Cyber SA.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"62 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00872-6","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Security operation centers (SOCs) are increasingly established to meet the growing threat against cyber security. The operators of SOCs respond to complex incidents under time constraints. Within critical infrastructure, the consequences of human error or low performance in SOCs may be detrimental. In other domains, situation awareness (SA) has proven useful to understand and measure how operators use information and decide the correct actions. Until now, SA research in SOCs has been restricted by a lack of in-depth studies of SA mechanisms. Therefore, this study is the first to conduct a goal-directed task analysis in a SOC for critical infrastructure. The study was conducted through a targeted series of unstructured and semi-structured interviews with SOC operators and their leaders complemented by a review of documents, incident reports, and in situ observation of work within the SOC and real incidents. Among the presented findings is a goal hierarchy alongside a complete overview of the decisions the operators make during escalated incidents. How the operators gain and use SA in these decisions is presented as a complete set of SA requirements. The findings are accompanied by an analysis of contextual differences in how the operators prioritize goals and use information in network incidents and security incidents. This enables a discussion of what SA processes might be automated and which would benefit from different SA models. The study provides a unique insight into the SA of SOC operators and is thus a steppingstone for bridging the knowledge gap of Cyber SA.

Abstract Image

操作员的意识:关键基础设施 SOC 中的目标任务分析
为应对日益严重的网络安全威胁,越来越多地建立了安全运行中心(SOC)。SOC 的操作人员在时间紧迫的情况下应对复杂的事件。在关键基础设施中,人为失误或 SOC 性能低下可能会造成严重后果。在其他领域,态势感知(SA)已被证明有助于了解和衡量操作员如何使用信息并决定采取正确行动。迄今为止,由于缺乏对 SA 机制的深入研究,SOC 中的 SA 研究一直受到限制。因此,本研究首次在关键基础设施 SOC 中进行了目标导向任务分析。研究通过一系列有针对性的非结构化和半结构化访谈进行,访谈对象包括 SOC 操作员及其领导,并辅以对文件、事件报告的审查,以及对 SOC 内部工作和真实事件的现场观察。研究结果包括一个目标层次结构,以及操作员在事件升级期间所做决策的完整概述。操作员如何在这些决策中获得和使用 SA,将作为一套完整的 SA 要求进行介绍。研究结果还分析了运营商在网络事件和安全事件中优先考虑目标和使用信息的背景差异。这样就可以讨论哪些 SA 流程可以实现自动化,哪些可以从不同的 SA 模型中受益。这项研究为 SOC 运营商的 SA 提供了独特的见解,因此是缩小网络 SA 知识差距的垫脚石。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
International Journal of Information Security
International Journal of Information Security 工程技术-计算机:理论方法
CiteScore
6.30
自引率
3.10%
发文量
52
审稿时长
12 months
期刊介绍: The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信