Cyber Situation Awareness is Broken


The ability to establish situation awareness (SA) over dynamic systems plays a crucial role in human decision-making. This field of research has had a significant impact in various contexts over recent decades. However, it appears that we have gained few insights into actually creating cyber situation awareness.

What is situation awareness?

To discuss the topic comprehensively, it is essential to settle on a single definition of situation awareness. The three-level definition of SA by Mica Endsley provides an appropriate framework for this.

By this definition, SA consists of the following three levels:

  1. perception of the elements
  2. comprehension of their meaning
  3. projection of their status in the near future.

A common analogy associated with this definition is a person driving a car. One needs to be able to observe the traffic and related elements and assess their significance to estimate future events. This is something relatable to most people. Consequently, the phases above are relevant for establishing SA over any dynamic system.

The Simple Primate We Have to Get Along With

Cyberspace is an exceptionally dynamic environment which generates a significant number of events. In terms of situation awareness, this can lead to confusion where an analyst can no longer distinguish details from an overwhelming volume of data. In other words, we are unable to progress beyond the first phase of situation awareness, hence unable to comprehend the meaning of the events we perceive.

This phenomenon, the saturation of SA, is just one example of challenges in creating SA and it does not stem from a technical issue. Rather, it is strongly related to the simple primate we have in the loop trying to create situation awareness. We must not forget that we humans possess highly limited mental resources in demanding multitasking environments. Although our mental resources are limited, they can be honed by understanding the operational model of the human brain. This approach, however, is not adopted by any current cyber situation awareness (CSA) tools or operating models.

The Operational Methods and Challenges We All Face

A typical approach to enhancing an organisation’s ability to create situational awareness is to organise its technologies using a stratified model, such as the Cyber Kill Chain® or Mitre ATT&CK®. Using a stratified model can help one map defensive technologies and courses of action (CoA) against the phases of a cyber attack; for example, mapping out which technologies can be used to detect reconnaissance or disrupt malware installation.

The marketing of security technologies follows the same perspective. More often than not, you find yourself listening to a vendor pitch on how their technology will solve your challenges in different parts of the courses of action matrix. It would be unfair to call this approach completely wrong, but from an SA perspective it is challenging.

The challenge is that the approach presented above is insufficient, as it generally covers only level one of situation awareness without fully addressing the actual situation at hand. It is a purely technical approach. Don’t get me wrong, we need level one situation awareness in order to proceed with the task at all. However, we need to understand that combining technical data from various sources to produce useful information for human decision-making is a challenging task in its own right.

We must shift from a design approach centered on technology to one that is centered on the user. This shift results in user-centered design, which helps decrease errors and enhance productivity without requiring significant new technological capabilities. This approach also improves user satisfaction by removing some of the frustration related to today’s technology.

What can we do to meet this challenge?

SA-Oriented Design (SAOD) offers a range of principles for developing systems from the user’s viewpoint. Its more than 50 principles can be applied to the design of one’s own SOC environment. It would be a considerable task to cover all of them here, but their significance as a foundation for a truly effective SOC cannot be overstated.

To be a little more specific, based on my experience, the key approach to user-centered design is to implement a goal-oriented task analysis methodology. This approach answers the question of what we need to be aware of in our environment and helps the analyst pay attention to the related environmental elements. In practice, this means analyzing the risks associated with our operational environment and, based on this, defining the associated technology. At an operational level, this leads to specific monitoring use cases, which in turn define specific technology use cases.

Too often, however, this process is technology driven, i.e. the technology is selected before the actual use case is defined.

It can be argued that this approach only responds to “known bad” monitoring use cases. This is not the case. Using the car driver analogy, we humans are great analysts when the amount of information is controlled. No matter what kind of incident we encounter on the road, we can react to it. The same is true for cyber situational awareness: with well-defined monitoring use cases, we can detect the anomaly and proceed with deeper analysis to understand the situation.

The challenge without these user-centric monitoring use cases is that we’re looking for a needle in a haystack.

Closing Remarks

It is evident that situation awareness within the cyber environment relies on technical sensors. However, a solely technology-focused approach is likely to be unsuccessful.

I would like to sum up my message in four principles that I have learned the hard way:

  1. Perception of the elements at level one of SA does not equate to having an understanding of the situation at hand.
  2. Focus on level two of situation awareness, i.e. try to understand the elements which have been perceived on level one.
  3. There are technologies that support situation awareness better than others.
  4. Implement a user-centric design with clear goals on the operational level.

It should be noted that this write-up just scratches the tip of the CSA-berg. The matter at hand is an interdisciplinary challenge with many unique environment-related variables. I hope, however, that I have sparked your interest in this topic.

