All content following this page was uploaded by Maria Cazares on 02 September 2019.
Abstract—Organizations should face cybersecurity attacks that can strongly affect their operational processes, business image, and security of critical information. Establishing security mechanisms helps to reduce possible weaknesses that can be exploited by attackers; however, they will not always be sufficient, and an attack can be successful. Therefore, organizations need to establish plans or procedures to handle these security incidents or even build incident response teams called CSIRTs. Due to different forms of attacks and massive data growth, handling cybersecurity incidents requires adapting to new security management strategies. In this sense, the use of big data, artificial intelligence, and data analytics applied to cybersecurity, defined as cognitive security, presents a viable alternative, but it is necessary to consider that technological solutions lack effectiveness without adequate training of cybersecurity specialists or if their technical and non-technical skills are used. Establishing a close interrelation between human skills and technological solutions can help to build an adequate and efficient detection and automation process that improves the handling of security incidents. This study analyzes the interrelation between the technological solutions of cognitive security and the skills of cybersecurity specialists. A framework is proposed for the automation of incident response by establishing situation awareness for decision making.

Index Terms—cognitive security, self-awareness, artificial intelligence, big-data, teamwork, soft-skills.

I. INTRODUCTION

Computer security has become an essential element of society due to the expansion of technology into areas such as financial services, medical services, public services, and the critical infrastructures of water, electricity, and telecommunications. According to the Massachusetts Institute of Technology (MIT), security teams will face risks related mainly to attacks on Internet of Things (IoT) devices, blockchains, and critical infrastructures [1]; for instance, MIT mentions that attackers focus on the use of artificial intelligence and quantum techniques to perform attacks in the year 2019. This context calls for better-prepared organizations with security professionals capable of facing these new challenges; at the international level, several organizations have defined strategies to respond quickly to security risks through teams of specialists and researchers called Computer Incidents Response Teams (CSIRTs) [2]. CSIRTs are formed in a multidisciplinary way by specialists generally from the fields of cybersecurity, law, psychology, and data analysis. A CSIRT acts according to predefined procedures and policies in order to respond quickly and effectively to cybersecurity incidents and mitigate the risk of cyber-attacks.

Security analysts in CSIRTs need to process massive amounts of data in order to i) determine patterns or anomalies that trigger alerts of possible attacks, and ii) carry out the detection process more quickly and effectively. Members of CSIRTs are seeking new strategies based on technological solutions such as Big Data, Machine Learning, and Data Science [3]. International organizations such as the National Institute of Standards and Technology (NIST) started the Data Science Research Program (DSRP) to accelerate research progress on data analytic methods [4]. In the field of cybersecurity, the application of cognitive sciences to information security processes drives the concept of cognitive security [5]; this allows predictive and prescriptive analyses that could provide a view of the possible impacts of a security attack. Another critical factor in the success of CSIRTs is the ability to function as a team and adapt to different environments [6]; security professionals require skills such as teamwork, critical thinking, and communication in the 21st century [7]. In September 2015, a collaboration among the Association for Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and the International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) proposed a curricular guide for cybersecurity education which mentions that non-technical skills, denominated soft-skills, are vital for security professionals and are focused on teamwork, communication, generation of situational awareness, and operation with disparate organizational cultures [8].

The capability to generate cybersecurity situation awareness in organizations allows determining proactive strategies to
of the organization about threats and attacks, the impact of a possible attack, and the identification of the attacker and user behavior [20]. The analyst must understand the security situation and determine the likelihood of impact. To generate situation awareness, we can use the OODA loop. The cognitive OODA loop proposed by Breton is based on the cognitive processes of perception, comprehension, and projection [21]. Table I shows the relationships between cognitive phases, cognitive processes, and products generated according to Breton's proposal.

[Figure 2. Cybersecurity Risk Management Cycle: a four-phase risk cycle; the phase labels recoverable from the figure residue are Protect, Detect, and Recover.]
Table I
OODA COGNITIVE PHASES.

Phase    Process
Observe  Perceiving - Feature Matching
Orient   Comprehending - Projecting - Mental Models
Decide   Recalling - Evaluating

2) Cyber-cognitive situation awareness (CCSA): To establish the cybersecurity situation awareness of the organization, we could rely on cognitive aspects oriented to the support of decision-making processes. Adapting the cognitive processes of perception, comprehension, and projection to cyberspace, we would have the relationships shown in Table II.

Table II
CYBER COGNITIVE SITUATION AWARENESS.

Process        Attribute
Perception     Identification of relevant data
Comprehension  Interpretation of data; Conversion into knowledge
Projection     Prediction of future events; Evaluation of possible impacts

B. Non-technical Skills

Organizations like the U.S. Department of Homeland Security (DHS) and the National CyberSecurity Alliance (NCSA) have promoted the National CyberSecurity Awareness Month, which in 2018 celebrated its 15th edition [22], so that the community knows about the relevant aspects of the risks and threats in the digital environment. In these spaces it is necessary that security professionals have non-technical skills in order to disseminate knowledge in a clear and consistent way to a group of people without technical background. Concerning cybersecurity in organizations, defense strategies are based on risk management, established in the four-level cybersecurity risk management life-cycle depicted in Fig. 2. Within the cybersecurity risk management life-cycle, the following personnel is required, as a minimum:
• Team leader / coordinator;
• Responsible for systems and information security;
• Communication team or public relations;
• Classifier or triage;
• Incident management team - second level;
• Legal team.

This emphasizes the need to develop collaborative skills within an environment of professionals from heterogeneous disciplines that must work in coordination, so teamwork is a very critical skill for cybersecurity specialists. Newstrom mentions that organizations or companies in the 21st century are more flexible in order to adapt quickly to change, and that horizontal relationships are more effective [23]; therefore, organizations today give greater importance to flexible structures and horizontal communication. Tasks and roles are defined in a more open manner, the environment is more dynamic, and the creation of teams allows the described aspects to be fulfilled. Morin argues that complexity and multidisciplinary work are part of the 21st century, and that the education of the future must be centered on the human condition and the diverse relations between humans [24]. Another essential aspect mentioned by Morin regarding education in the 21st century is to prepare students to face the uncertainty that is generated in the different events of daily life.

Regarding the first aspect mentioned by Morin about focusing on the human aspects of students, it may be important to begin to emphasize training focused on strengthening skills. Mumford presents a classification of skills in four categories [25]:
1) Cognitive Skills;
2) Interpersonal Skills;
3) Business Skills;
4) Strategic Skills.

Generally, universities in the field of cybersecurity focus primarily on enhancing cognitive, business, and strategic skills but do not focus heavily on non-technical skills. According to the classification proposed by Mumford, teamwork, collaboration, communication, and networking are included in the interpersonal skills category. Future cybersecurity professionals are studying at university; therefore, engineering education needs to encourage the development of non-technical skills. Kyllonen presents the skills that are required in the 21st century, among which the following are mentioned [7]:
• Critical thinking;
• Oral and written communication;
• Labor ethics;
• Teamwork;
• Collaboration;
• Professionalism;
• Troubleshooting.

Table III
TASKS AND SKILLS IN CYBERSECURITY OPERATIONS.
[Table contents not recoverable from the extracted text.]
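To make the mapping of Tables I and II concrete, the following Python program is an added example (not code from the paper or its authors). It runs the perception, comprehension, projection, and decision steps of the cognitive loop over a constructed alert stream and automates only the containment responses that a hypothetical incident management plan permits, escalating everything else to the second-level incident management team listed above. All hostnames, event types, asset weights, thresholds, and playbook entries are invented for the example.

```python
"""Toy cyber-cognitive situation awareness (CCSA) loop.

Added example, not code from the paper. It maps the cognitive processes of
Table II onto a small pipeline:
  perception    -> identification of relevant data
  comprehension -> interpretation of data and conversion into knowledge
  projection    -> prediction of future events and evaluation of impact
  decide        -> automate only what the incident management plan allows,
                   escalate everything else to the second-level team
Hosts, event types, weights, thresholds and playbook entries are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Event types the perception stage keeps; anything else is treated as noise.
RELEVANT_EVENTS = {"auth_failure", "auth_success", "new_admin_account", "outbound_tor"}

# Constructed asset criticality weights used by the projection stage.
ASSET_WEIGHT = {"workstation": 1, "server": 3, "domain_controller": 5}

# Ordinal severity of each finding kind and the attack step likely to follow it.
SEVERITY = {"brute_force": 1, "c2_beacon": 2, "credential_compromise": 3, "privilege_escalation": 4}
NEXT_STEP = {
    "brute_force": "credential_compromise",
    "credential_compromise": "privilege_escalation",
    "privilege_escalation": "data_exfiltration",
    "c2_beacon": "data_exfiltration",
}

# Hypothetical incident management plan: findings that may be handled
# automatically and the containment action allowed for each. Unlisted
# findings, and any finding whose projected impact exceeds AUTO_LIMIT,
# go to the second-level incident management team.
PLAYBOOK = {"brute_force": "lock_account_and_notify", "c2_beacon": "isolate_host"}
AUTO_LIMIT = 6


@dataclass
class Finding:
    host: str
    kind: str
    evidence: int  # number of events supporting the finding
    asset: str


def perceive(alerts):
    """Perception: keep only relevant, well-formed alert records."""
    return [a for a in alerts if a.get("event") in RELEVANT_EVENTS and a.get("host")]


def comprehend(relevant):
    """Comprehension: correlate events per host and convert them into findings."""
    counts = defaultdict(lambda: defaultdict(int))
    asset_of = {}
    for a in relevant:
        counts[a["host"]][a["event"]] += 1
        asset_of[a["host"]] = a["asset"]
    findings = []
    for host, c in counts.items():
        if c["auth_failure"] >= 5:
            findings.append(Finding(host, "brute_force", c["auth_failure"], asset_of[host]))
            if c["auth_success"] >= 1:  # repeated failures followed by a success on the same host
                findings.append(Finding(host, "credential_compromise", c["auth_success"], asset_of[host]))
        if c["new_admin_account"]:
            findings.append(Finding(host, "privilege_escalation", c["new_admin_account"], asset_of[host]))
        if c["outbound_tor"]:
            findings.append(Finding(host, "c2_beacon", c["outbound_tor"], asset_of[host]))
    return findings


def project(finding):
    """Projection: predict the likely next event and score the possible impact."""
    impact = SEVERITY[finding.kind] * ASSET_WEIGHT[finding.asset]
    return NEXT_STEP[finding.kind], impact


def decide(finding):
    """Decide: automate only what the plan permits, otherwise escalate."""
    predicted, impact = project(finding)
    automatable = finding.kind in PLAYBOOK and impact <= AUTO_LIMIT
    action = PLAYBOOK[finding.kind] if automatable else "escalate_second_level"
    return {"host": finding.host, "finding": finding.kind, "impact": impact,
            "predicted_next": predicted, "action": action}


def run_loop(alerts):
    """One pass of the loop: perceive -> comprehend -> project/decide."""
    return [decide(f) for f in comprehend(perceive(alerts))]


# Constructed alert stream: a brute-force run against a workstation, a
# successful login after repeated failures on a domain controller, and a
# server contacting Tor (plus one irrelevant heartbeat record).
SAMPLE_ALERTS = (
    [{"ts": t, "host": "ws-17", "event": "auth_failure", "asset": "workstation"} for t in range(5)]
    + [{"ts": t, "host": "dc-01", "event": "auth_failure", "asset": "domain_controller"} for t in range(5)]
    + [{"ts": 6, "host": "dc-01", "event": "auth_success", "asset": "domain_controller"},
       {"ts": 7, "host": "srv-db", "event": "heartbeat", "asset": "server"},
       {"ts": 8, "host": "srv-db", "event": "outbound_tor", "asset": "server"}]
)

if __name__ == "__main__":
    for d in run_loop(SAMPLE_ALERTS):
        print(d)
```

The point of the decision step is that automation is bounded by the plan in two ways: a finding kind must be listed in the playbook, and its projected impact must stay under the limit. With the constructed data the workstation brute force and the server beacon are contained automatically, while the credential compromise on the domain controller (impact 15) is always handed to the second-level team, which is where the teamwork and communication skills discussed above come into play.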
f) Automated Response Layer: It defines the response actions that can be automated; for this, it is necessary to establish a security incident management plan.

V. DISCUSSION

In psychology research, job performance is a topic that seeks to improve performance at work through personal and environmental variables. The variables that we have analyzed in this study are the cognitive skills of the professionals who perform incident management in the cybersecurity field. We consider that the higher cognitive processes linked to executive function produce higher performance in the tasks solved by security analysts, due to the high demand for quick responses to reduce the impact of attacks. For this reason, it is essential to strengthen cognitive flexibility in order to i) expand the analysis of the incidents' data, ii) be able to visualize a greater number of possibilities to face cyber attacks, and iii) develop inhibitory control to improve the degree of precision and effectiveness of their decisions. On the other hand, working memory plays a vital role in the storage of experiences and the subsequent use of this information, so this cognitive process also contributes to the development of awareness of the situation of risks and threats to which organizations are exposed. Another critical variable is linked to the management of stress in the work of incident management professionals, who must develop strategies that allow them to counteract labor demands.

Analyzing whether executive functions integrate the perception, comprehension, and projection processes in the cybersecurity management model based on situation awareness for improving task performance could enhance the decision-making process. There are several aspects where non-technical skills play a crucial role because, without adequate communication and the ability to build shared knowledge, cybersecurity teams will not reach the effectiveness they need to face security attacks. For instance, handling the complexity of the events or problems that come up should not lead the security analyst to simplistic reasoning; instead, the analyst should be able to generate mental models that represent the complexity and work as a team. This understanding can be complicated, so proposals such as the management of shared mental maps can be significant. Another fact is multidisciplinary work, where specialists from different areas must participate together, but there are problems of interaction due to limited knowledge of the peer's area of expertise, different technical vocabularies, and heterogeneous work methodologies. Finally, there is the uncertainty of not knowing until the end the result of an activity or of the interaction with other team members.

The proposed Big Data model covers the different components that must be considered for the generation of knowledge regarding the cybersecurity status (Cybersecurity Situation Awareness). Just implementing a Big Data architecture is not enough to solve the problem of processing large amounts of data; we should work on identifying reliable information sources, establishing data quality control processes, generating safety commitment indicators, and defining the data update times.

To establish situation awareness from the information that can be processed by security analysts, we have proposed a framework composed of four modules, as illustrated in Fig. 5: sources, cognitive processes, collaborative security tasks, and soft-skills. Teamwork supports the four modules. In [23], the authors mention that the goal of a team is to encourage the members to analyze the way they work together, identify their weaknesses, and develop new forms of collaboration. To achieve this, it is essential that the learning process focuses on tasks. Following the Newstrom model of team building [23], we propose the following in the cybersecurity field:
• Trained specialist to identify the problem;
• Data collection;
• Feedback for the development of action plans;
• Generation of situational awareness;
• Solution experience;
• Continuous improvement.

VI. CONCLUSIONS AND FUTURE WORK

The technological and social changes generate dynamic and complex environments that produce large amounts of data. This fact poses new challenges to security analysts, who must process the data to determine patterns or anomalies that allow identifying threats or security attacks. The use of Cognitive Security is proposed as a new alternative to improve the effectiveness of security operations by providing the ability to process large volumes of data of different formats in a short time. In the field of cybersecurity, Big Data is applied mostly to monitoring operations and detection of anomalies, which focus on reactive security strategies, but other security activities could be enhanced by Big Data analytics for proactive strategies such as threat hunting or cyber deception. Cybersecurity tasks for incident management include identifying data about the incident to have a broad view of the attack scenario. Developing experiences from the data about threats and attacks allows establishing awareness of the cybersecurity situation. Establishing cybersecurity situation awareness requires cognitive and emotional skills in which the ability of cognitive processes is essential; perception and attention are the first filters that allow the security analyst to collect information from the external environment. The higher cognitive processes linked to working memory, cognitive flexibility, and inhibitory control participate in decision making and in the behaviors that are externalized in the incident management tasks.

Continuous improvement of cognitive processes in security analysts can be achieved through these two skills:
1) Process control, which is an important skill within a team member because it helps members to perceive, understand, and react constructively.
2) Feedback, which allows you to have data on which to sustain your decisions, and self-correction based on how they see other members of the team.
There are different proposals in the commercial and academic fields regarding the use of Big Data and machine learning in the security field; however, they have not been widely implemented. We consider that a possible future work is to analyze the reasons for that, which, from a general perspective, could be budget, personnel experience, or lack of technical support. Furthermore, a review through a focus group could be an important contribution to complement the present study.

ACKNOWLEDGMENT

The authors would like to thank the Ecuadorian Corporation for the Development of Research and the Academy (RED CEDIA) for the financial support for the development of this work, under Project Grant GT-II-2017.

REFERENCES

[1] M. Review. (2019) Las cinco nuevas ciberamenazas más peligrosas que veremos en 2019. [Online]. Available: https://www.technologyreview.es
[2] FIRST. (2019) Forum of incident response and security teams. [Online]. Available: https://www.first.org
[3] IBM. (2018) AI for cybersecurity. [Online]. Available: https://www.ibm.com/security/artificial-intelligence
[4] NIST. (2018) Big data public working group. [Online]. Available: https://www.nist.gov/el/cyber-physical-systems/big-data-pwg
[5] MIT. (2018) Cognitive science. [Online]. Available: https://bcs.mit.edu/research/cognitive-science
[6] J. Steinke, "Improving cybersecurity incident response team effectiveness using teams-based research," IEEE Security and Privacy, vol. 13, no. 4, pp. 20–29, Jul. 2015.
[7] P. Kyllonen, "Measurement of 21st century skills within the common core state standards," 01 2012.
[8] ACM. (2017) Cybersecurity curricula 2017. [Online]. Available: https://www.acm.org
[9] R. Karasek, C. Brisson, N. Kawakami, I. Houtman, P. Bongers, and B. Amick, "The job content questionnaire (JCQ): An instrument for internationally comparative assessments of psychosocial job characteristics," Journal of Occupational Health Psychology, vol. 32, pp. 322–55, 1998.
[10] A. Miyake, N. P. Friedman, M. J. Emerson, A. H. Witzki, A. Howerter, and T. D. Wager, "The unity and diversity of executive functions and their contributions to complex "frontal lobe" tasks: A latent variable analysis," Cognitive Psychology, vol. 41, pp. 49–100, 2000.
[11] MIT. (2018) TR10: La ciudad sensible. [Online]. Available: https://www.technologyreview.es/s/10023/tr10-la-ciudad-sensible
[12] Gartner. (2017) Press release. [Online]. Available: https://www.gartner.com
[13] L. Jagadeesan, A. Mc Bride, V. K. Gurbani, and J. Yang, "Cognitive security: Security analytics and autonomics for virtualized networks," in Proceedings of the Principles, Systems and Applications on IP Telecommunications, ser. IPTComm '15. New York, NY, USA: ACM, 2015, pp. 43–50. [Online]. Available: http://doi.acm.org/10.1145/2843491.2843837
[14] R. Greenstadt and J. Beal, "Cognitive security for personal devices," in Proceedings of the 1st ACM Workshop on AISec, ser. AISec '08. New York, NY, USA: ACM, 2008, pp. 27–30. [Online]. Available: http://doi.acm.org/10.1145/1456377.1456383
[15] M. Möstl, J. Schlatow, R. Ernst, H. Hoffmann, A. Merchant, and A. Shraer, "Self-aware systems for the internet-of-things," in 2016 International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS), Oct 2016, pp. 1–9.
[16] D. B. Abeywickrama and E. Ovaska, "A survey of autonomic computing methods in digital service ecosystems," Serv. Oriented Comput. Appl., vol. 11, no. 1, pp. 1–31, Mar. 2017. [Online]. Available: https://doi.org/10.1007/s11761-016-0203-8
[17] S. Baker, "The identification of the self," Psychological Review, no. 3, pp. 272–284, May 1897.
[18] P. R. Lewis, A. Chandra, and Parsons, "Self-awareness and self-expression: Inspiration from psychology," in Self-awareness and Self-expression: Inspiration from Psychology. Springer, Cham, 2016.
[19] J. Camara, S. Kounev, J. Kephart, A. Milenkoski, and X. Zhu, "Self-aware computing systems: Related concepts and research areas," in Self-aware Computing Systems: Related Concepts and Research Areas. Springer, Cham, 2017.
[20] J. Timonen, "Improving situational awareness of cyber physical systems based on operator's goals," 06 2015, pp. 1–6.
[21] R. Breton and R. Rousseau, "The C-OODA: A cognitive version of the OODA loop to represent C2 activities. Topic: C2 process modelling," 03 2019.
[22] CSIAC. (2018) National cyber security awareness month. [Online]. Available: https://www.csiac.org
[23] K. Davis and J. W. Newstrom, "Comportamiento humano en el trabajo / K. Davis, J. W. Newstrom; tr. por Antonio Núñez Ramos," 03 2019.
[24] E. Morin and A. Sátiro, "Edgar Morin y los siete saberes necesarios para la educación del futuro," http://www.redined.mec.es/oai/indexg.php?registro=018200430039, 03 1999.
[25] M. D. Mumford, E. Todd, C. Higgs, and T. McIntosh, "Cognitive skills and leadership performance: The nine critical skills," The Leadership Quarterly, vol. 28, 11 2016.
[26] NICCS. (2018) Cybersecurity workforce framework. [Online]. Available: https://niccs.us-cert.gov/
[27] H. Ziv and D. Richardson, "The uncertainty principle in software engineering," 09 1996.
[28] H. Ibrahim, B. H. Far, A. Eberlein, and Y. Daradkeh, "Uncertainty management in software engineering: Past, present, and future," in 2009 Canadian Conference on Electrical and Computer Engineering, May 2009, pp. 7–12.
[29] Y. Engel, M. Kaandorp, and T. Elfring, "Toward a dynamic process model of entrepreneurial networking under uncertainty," Journal of Business Venturing, vol. 32, pp. 35–51, 01 2017.
[30] P. Nowell and K. Williams-Middleton, "Trust-control relationships in new venture teams during organizational emergence," 11 2016.
[31] IBM. (2017) Applied cognitive security complementing the security analyst. [Online]. Available: https://www.rsaconference.com