DOES WEB ANALYTICS ENHANCE CYBER SITUATIONAL AWARENESS?
Table of Contents
1. Web analytics ..................................................................................................................... 4
1.1. Introduction ..................................................................................................................... 4
1.2. What is web analytics .................................................................................................. 4
1.3. Usage of web analytics ................................................................................................ 4
1.3.1. Monitoring digital services .............................................................................................. 4
1.3.2. Intelligence security information ..................................................................................... 5
1.4. Web analytics process ................................................................................................. 5
1.4.1. Goals stating..................................................................................................................... 5
1.4.2. KPIs metrics ..................................................................................................................... 6
1.4.3. Data collection tools ........................................................................................................ 6
1.5. Key challenges ............................................................................................................. 9
1.6. Conclusion ................................................................................................................. 11
References ............................................................................................................................ 11
2. Cyber situational awareness ................................................................................................. 12
Introduction .......................................................................................................................... 12
2.1. Defining situational awareness (SA) ................................................................................ 14
2.2. Situational awareness models ........................................................................................... 17
2.2.1. Reference model ............................................................................................................ 17
2.2.2. Process model ................................................................................................................ 20
2.3. Visualization ..................................................................................................................... 22
2.4. Application in cyber area .................................................................................................. 22
2.5. Initiatives towards performance and effectiveness ........................................................... 22
2.6. Conclusion ........................................................................................................................ 22
References ................................................................................................................................ 24
List of figures and diagrams

FIGURE 1 7
FIGURE II 8
FIGURE III 9
FIGURE IV 9
DIAGRAM I 13
DIAGRAM II 19
1. Web analytics
1.1. Introduction
The new internet age has made it possible for people to simply type a URL address and
instantly have a file containing links and information appear; it is a very simple process. It is
quite intriguing to know that there could be millions of other people accessing the same
information, and it would be interesting to know the exact number of people viewing it
(Hassler, 2010). Web analytics is an evolution that has inspired innovation in finding important
uses for the data captured on website use (Hausmann, Williams, & Schubert, 2012; Kaushik,
2007). The desire to track web usage triggered the web analytics idea. This was just the
beginning of web analytics, and today greater innovations have come up. Web analytics came
into existence in the 90s, although it took a decade before web analytics was defined using a
standard measure by the Web Analytics Association
(http://www.webanalyticsassociation.org). This happened in 2006, and it goes to show the
extensive scale of web analytics.

1.2. What is web analytics


There are several definitions that correctly define web analytics. Web analytics was defined by
Onwubiko (2016) as the methods, technology and tools used to gather, interpret, analyze and
monitor web usage data. Recently a proposal to define web analytics as 'the objective
collection, tracking, measuring, analysing and reporting of quantitative data from the internet
with the intention of optimizing marketing initiatives for websites' was put forward by the
Web Analytics Association. The initial definition was not proposed until 2006, an indication
that the web analytics field is still very young.

1.3. Usage of web analytics

1.3.1. Monitoring digital services


The benefits of web analytics can be understood from its purpose of screening digital services
such as online banking and portals as well as company websites, among other purposes
(Onwubiko, 2016; Phippen, Sheppard, & Furnell, 2004). The applications used for web
analytics acquire information from the digital users (visitors, customers, or bots) of a website.
The information obtained could be used to evaluate, for instance, the number of pages viewed,
the quantity of information downloaded, or the speed of interaction with the pages, among
other things. Web analytics could also be used to estimate website traffic after the launch of
new products, with the objective of examining trends and measuring conversions into sales.
Web analytics could also be used to analyze and monitor web content and digital marketing
campaigns, and to screen the journey taken by online customers and their interactions. The
objective in this case is to accumulate customer intelligence. In recent times, institutions have
been using web analytics applications to perform research on their customers. Customer
intelligence may involve gathering knowledge on what customers purchase and understanding
the time it took a customer to decide to purchase a given product.

Web analytics could also serve as a complementary tool to online fraud detection applications,
with the objective of enforcing financial compliance. Web analytics could, for instance, be
used in collaboration with online fraud detection applications for the purpose of detecting
money laundering, and for compliance and enforcement purposes. Web analytics could also be
used for intelligence and cyber security purposes. This may involve export restrictions, user
profiling and geolocation.

1.3.2. Intelligence security information


Web analytics may be employed in gathering important and useful intelligence concerning
online visitors, interactions, customer journeys or transactions, among other things, as
discussed below (Onwubiko, 2016; Zeng, Chen, Lusch, & Li, 2010).

- The type of browser that was used to complete a transaction.
- The source country where an attack originated or was initiated, otherwise referred to as
geolocation or country fingerprint.
- The computer OS (operating system) used, or OS fingerprint.
- The language used. This is the keyboard and browser language setting, which normally
reveals the language fingerprint or language locale.
- The behavioral fingerprint identifiable to the entity (human or bot) responsible for an attack.
This may be the recurrence, frequency and newness of the attack, and it assists in historical
analysis and trend identification.
- Whether the visiting entity is a human or a robot. Signs such as the velocity and speed of
clicking as well as the speed of transactions can be used to determine whether a human being
or a bot is in control. CAPTCHA is used as a means of minimizing web interaction with bots.
- The device (desktop, tablet, mobile, server) used in browsing can be identified and the
accumulated intelligence analyzed.
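As an added example (not part of the original paper), the following Python script derives several of the fingerprints listed above from two request headers, User-Agent and Accept-Language: browser, operating system, device class, language locale and a first human-or-bot indicator. The sample headers are constructed, the pattern lists are simplified assumptions rather than a complete user-agent database, and the bot check here relies only on self-declared crawler strings; the velocity-based check the list mentions needs a sequence of requests over time and is not attempted in this block.

```python
import re
from dataclasses import dataclass

# Constructed sample request metadata (User-Agent and Accept-Language headers);
# these are made up for the example and were not captured from any real site.
SAMPLE_REQUESTS = [
    {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
     "accept_language": "en-GB,en;q=0.9"},
    {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
     "accept_language": "de-DE,de;q=0.8,en;q=0.5"},
    {"user_agent": "Googlebot/2.1 (+http://www.google.com/bot.html)",
     "accept_language": ""},
    {"user_agent": "curl/8.4.0", "accept_language": ""},
]


@dataclass(frozen=True)
class Fingerprint:
    browser: str
    os: str
    device: str
    locale: str
    likely_bot: bool


# Ordered patterns: the first match wins, so more specific markers come first
# (an Android UA also says "Linux"; an iPhone UA also says "Mac OS X").
OS_PATTERNS = [
    ("Windows", re.compile(r"Windows NT")),
    ("iOS", re.compile(r"iPhone|iPad")),
    ("Android", re.compile(r"Android")),
    ("macOS", re.compile(r"Mac OS X")),
    ("Linux", re.compile(r"Linux")),
]
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edg/")),
    ("Chrome", re.compile(r"Chrome/")),
    ("Firefox", re.compile(r"Firefox/")),
    ("Safari", re.compile(r"Safari/")),  # Chrome UAs also contain "Safari/", hence last
]
# Self-declared crawlers and command-line clients (assumed marker list).
BOT_MARKERS = re.compile(r"bot|crawl|spider|curl|wget|python-requests", re.IGNORECASE)


def _first_match(patterns, text, default="unknown"):
    for name, pattern in patterns:
        if pattern.search(text):
            return name
    return default


def classify_device(user_agent, os_name):
    """Desktop / mobile / tablet from the UA's own hints."""
    if "iPad" in user_agent or ("Android" in user_agent and "Mobile" not in user_agent):
        return "tablet"
    if "Mobile" in user_agent or os_name in ("iOS", "Android"):
        return "mobile"
    if os_name in ("Windows", "macOS", "Linux"):
        return "desktop"
    return "unknown"


def primary_locale(accept_language):
    """First language tag of Accept-Language, without its q-weight."""
    first = accept_language.split(",", 1)[0].split(";", 1)[0].strip()
    return first or "unknown"


def fingerprint(request):
    ua = request["user_agent"]
    os_name = _first_match(OS_PATTERNS, ua)
    return Fingerprint(
        browser=_first_match(BROWSER_PATTERNS, ua),
        os=os_name,
        device=classify_device(ua, os_name),
        locale=primary_locale(request["accept_language"]),
        likely_bot=bool(BOT_MARKERS.search(ua)),
    )


def fingerprint_all(requests=SAMPLE_REQUESTS):
    return [fingerprint(r) for r in requests]


if __name__ == "__main__":
    for fp in fingerprint_all():
        print(fp)
```

The User-Agent header is client-controlled, so every field derived from it is a claim by the visitor rather than a verified fact; the value of such fingerprints lies in trend analysis across many requests, as the list above notes, not in trusting any single one.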
1.4. Web analytics process
Web analytics is used as a means of understanding and improving online customers'
experiences while at the same time maximizing the revenue earned by online businesses. Web
analytics does not function as a report-generating technology but as a process proposing an
important cycle for optimizing the website. Based on web analytics best practices, an analysis
framework for website performance ought to incorporate the steps outlined here: definition
of goals, creation of KPIs (Key Performance Indicators), data collection, data analysis, and
implementation of changes (Pietrowicz, Falchuk, Kolarov, & Naidu, 2015; Waisberg & Kaushik,
2009).

1.4.1. Goals stating

The goals of a website can be found by answering the following question: why does the website
exist? Every single website carries with it a unique purpose. For instance, ecommerce websites
are useful for selling products, support websites provide answers to the questions posed by
customers, while news websites provide content. Every person owning a website ought to describe
success in accordance with the website's objective and regularly update the goals of that website.
The objectives of websites are critical inputs that assist in identifying the metrics that measure
the channel's success. Companies use websites as one channel among a multitude of others.
Websites must be properly accounted for, as with other business expenses: there has to be a
return on investment. A fundamental evolutionary trend in recent times is the capacity to
evaluate success regardless of the purpose of the website. Previously organizations only
measured ecommerce, but today it is possible to assess the success rate by examining the
company's ability to drive campaigns through social media, support websites, non-profit
websites or blogs. It is only required that the organization articulates its business goals
accurately.

1.4.2. KPIs metrics


The measurement of achievements is made possible by the creation of KPIs (Key Performance
Indicators). KPIs indicate whether websites are moving towards the intended objectives or not.
The web analytics world knows well that information is of no importance if important insights
are not deduced from its collection. There ought to be an action linked to every KPI suggested
for a website. For instance, if it were possible to measure the cost associated with every website
visitor, two attributable actions should be related to it: one for an increase in the number and
the other for a decline. The former CEO of Intuit, Mr. Steve Bennett, is known for pushing
people to recognize the critical few goals, priorities, KPIs, metrics and anything else. If a
business were on the brink, what measure would be used to know whether it is performing badly
or well? Is it possible to identify the critical few metrics by evaluating the clutter of data?
Most people have a multitude of things they evaluate and a mountain of distractions that steal
precious time from them. Each person has up to three critical few metrics they use to define
their existence.
One of the crucial KPI characteristics is its great adjustability. Every person, department and
company ought to define its KPIs in accordance with its interests and objectives. One common
way the industry divides KPIs is by hierarchy. Top management gets reports on the cumulative
realization of website goals. Middle management gets reports on website optimization and
campaign outcomes. Analysts get technical and detailed reports on the performance of websites.
The underlying objective is to have clarity of insight between the goals of a company and the
identifiable solutions each organizational level is rooting for. There are four attributes that
good KPIs should have: relevance, simplicity, instant usefulness and timeliness (Singal, Kohli,
& Sharma, 2014).
A great example of an exemplary KPI that complies with each of the criteria discussed above is
the bounce rate, or the percentage of single-page visits. It is simple because it is not hard to
explain, propagate or understand. The KPI is also timely in the sense that it is a common
standard in all web analytics applications and is available within one click. The bounce rate
KPI is also instantly useful in the sense that the owner of the website can view it and assess
the action that needs to be taken. If the website's bounce rate is between 25% and 30%, things
are not bad, but if the bounce rate is at 50% then some action is needed. If the bounce rate for
a keyword or campaign is at 70%, then something is totally out of control. Although there may
be loads of KPIs or metrics at the website owner's disposal, only those that comply with the
four criteria may provide insights that are actionable and yield positive results on the website.
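The bounce-rate thresholds above can be turned into a small KPI report. The following Python example is added here and is not from the paper; the page-view records and campaign names are constructed, and the visit ids are assumed to have already been assigned by the collection tool.

```python
from collections import defaultdict

# Constructed page-view records: (visit_id, campaign, page). Each visit is
# already identified; visits with exactly one page view are the bounces.
PAGE_VIEWS = [
    ("v1", "organic", "/home"), ("v1", "organic", "/products"), ("v1", "organic", "/cart"),
    ("v2", "organic", "/home"),
    ("v3", "organic", "/blog"), ("v3", "organic", "/home"),
    ("v4", "organic", "/home"),
    ("v5", "paid-kw", "/landing"),
    ("v6", "paid-kw", "/landing"),
    ("v7", "paid-kw", "/landing"),
    ("v8", "paid-kw", "/landing"), ("v8", "paid-kw", "/pricing"),
    ("v9", "paid-kw", "/landing"),
]


def pages_per_visit(page_views):
    """Map each visit id to (campaign, number of page views in that visit)."""
    counts = {}
    for visit_id, campaign, _page in page_views:
        campaign_seen, n = counts.get(visit_id, (campaign, 0))
        counts[visit_id] = (campaign_seen, n + 1)
    return counts


def bounce_rate(page_views):
    """Bounce rate in percent: single-page visits divided by all visits."""
    counts = pages_per_visit(page_views)
    if not counts:
        return 0.0
    bounces = sum(1 for _campaign, n in counts.values() if n == 1)
    return 100.0 * bounces / len(counts)


def bounce_rate_by_campaign(page_views):
    """Bounce rate per campaign, so the 70% campaign-level alarm can fire."""
    per_campaign = defaultdict(list)
    for visit_id, campaign, page in page_views:
        per_campaign[campaign].append((visit_id, campaign, page))
    return {c: bounce_rate(views) for c, views in per_campaign.items()}


def assess(rate):
    """Thresholds follow the text: 25-30% is fine, 50% needs action, 70% is out of control."""
    if rate >= 70:
        return "out of control"
    if rate >= 50:
        return "action needed"
    return "acceptable"


def report(page_views=PAGE_VIEWS):
    """Overall and per-campaign bounce rate, each with its verdict."""
    overall = bounce_rate(page_views)
    result = {"overall": (round(overall, 2), assess(overall))}
    for campaign, rate in bounce_rate_by_campaign(page_views).items():
        result[campaign] = (round(rate, 2), assess(rate))
    return result


if __name__ == "__main__":
    for name, (rate, verdict) in report().items():
        print(f"{name:10s} {rate:6.2f}%  {verdict}")
```

Splitting the rate by campaign is what makes the KPI actionable: the overall figure hides that the paid keyword campaign, not the organic traffic, is the one that is out of control.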

1.4.3. Data collection tools


The collection of data is fundamental to results analysis. Discussed below are four primary
avenues through which behavioral data from websites can be captured.
1.4.3.1. Web log files
Every time information is requested by a website visitor (this may be through a link to another
website page), the web server registers the request in log files. Log files can take a variety
of formats, although the extended log format is the usual one. It saves information such as: the
IP address of the computer placing the request, the moment in time at which the transaction
completed, the size of the information transferred, the time taken to complete the transaction,
a record of any problems that occurred with the cache, and the referrer.
Some of the merits of this method include: the person owning the website has data ownership
(contrary to JavaScript tagging, as illustrated below), which gives the owner full control over
information privacy; web logs are available retrospectively, making it possible for the website
owner to re-evaluate previous campaigns and institute fresh data processing; and web logs also
record crawling behavior on a website. Search engine crawlers index websites by visiting them,
and this is reflected in the search results.
The steps below illustrate the visualization and description of the collection procedure of web
logs.
I) Website user types the desired URL on the browser of choice
II) The request is received by either of the website servers
III) This website server develops a log file entry
IV) The user receives the web page information
The figure below illustrates the steps of the log file collection procedure.

Figure 1: Visualization of data collection in log files
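As an added example that is not part of the original paper, the Python parser below reads a log excerpt in the W3C Extended Log Format (the dialect in which a "#Fields:" directive names the columns and a space inside a value is written as "+") and extracts the fields named above: client IP, timestamp, bytes sent, time taken, status and referrer. The log excerpt is constructed, and the "+" decoding is an assumption about the dialect in use.

```python
from collections import Counter

# Constructed W3C Extended Log Format excerpt. Addresses are from the
# documentation ranges; nothing here was captured from a real server.
SAMPLE_ELF = """\
#Software: constructed example
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes time-taken cs(Referer) cs(User-Agent)
2024-01-15 08:00:01 203.0.113.10 GET /index.html 200 5120 35 - Mozilla/5.0+(Windows+NT+10.0)
2024-01-15 08:00:04 203.0.113.10 GET /products 200 8192 120 http://example.test/index.html Mozilla/5.0+(Windows+NT+10.0)
2024-01-15 08:00:09 198.51.100.7 GET /admin 404 512 4 - curl/8.4.0
"""

NUMERIC_FIELDS = {"sc-status", "sc-bytes", "time-taken"}


def parse_elf(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        record = {}
        for name, value in zip(fields, values):
            value = value.replace("+", " ")  # assumed dialect: "+" stands for a space
            if value == "-":
                value = None  # ELF writes "-" for an absent value (e.g. no referrer)
            elif name in NUMERIC_FIELDS:
                value = int(value)
            record[name] = value
        records.append(record)
    return records


def summarize(records):
    """The per-log totals the text mentions: bytes served, requests per client, errors, referrers."""
    return {
        "requests": len(records),
        "bytes_sent": sum(r["sc-bytes"] for r in records),
        "requests_per_ip": dict(Counter(r["c-ip"] for r in records)),
        "errors": sum(1 for r in records if r["sc-status"] >= 400),
        "referrers": sorted({r["cs(Referer)"] for r in records if r["cs(Referer)"]}),
    }


if __name__ == "__main__":
    recs = parse_elf(SAMPLE_ELF)
    print(summarize(recs))
```

Because the column layout comes from the "#Fields:" directive rather than from fixed positions, the same parser copes with servers configured to log a different set of columns, which is the point of the extended format; a strict field-count check is kept so that a truncated or corrupted line fails loudly instead of silently shifting values into the wrong columns.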


1.4.3.2. JavaScript tagging
The process involves technology made up of small JavaScript insertions (which cannot be
cached) in each of the website's pages. Each time a page is accessed by a user, the
JavaScript is activated and the visitor's actions and information are recorded in a separate file.
Some of the merits of this method include:

I) It records each visit to the website, unless the user leaves the page before the script has
loaded. This is in contrast to log files, which may be distorted by pages cached in a proxy (at
the network connection provider) or in the visitor's browser. Cached pages in the proxy or the
user's browser can be served to users without a log entry being recorded on the server.
Cached information is therefore missing when log files are evaluated, reducing the accuracy of
the information gathered about customers.
II) Crawlers do not execute JavaScript. Crawlers often cause a lot of traffic even though their
information does not reflect the behavior of customers, so it is better to exclude crawlers
from the examination process. The task is, however, time consuming, and most crawlers may not
be recognizable.
III) The resources used for the analysis are outside the company. This means that the
company is not responsible for processing and recording data using internal mechanisms.
Discussed below is a visualization and description of the manner in which JavaScript tagging
operates.

I) The website user enters the URL into a preferred browser
II) The request is received by one of the available web servers
III) The server returns the website page accompanied by an appended snippet of JavaScript
code
IV) While the page loads, the JavaScript code is executed. The JavaScript collects details about
the visitor's cookies and session and then sends the information to the server charged with
data collection
V) In some instances, after receiving the first data set, the server returns more code to the
browser for the purpose of gathering more cookies or receiving more data (Kaushik, 2007)
The figure below illustrates data collection by JavaScript tagging.

Figure II

1.4.3.3. Web beacons


The technology employed in measuring click-throughs and banner impressions is known as web
beacons. Even though web beacons are not often used, they can still be found on websites. One
of the fundamental uses of web beacons is tracking the behavior of customers across a cross-section
of websites. Web beacons answer questions such as the performance of banner ads
over many websites (in instances where such websites are accessed by the same or different sets
of users). Since the server responsible for reading cookies, collecting data and tracking website
use is the same one, it becomes easier for marketers to anonymously track the same visitors
across a cross-section of websites. It is also possible to track different users visiting the same
website with web beacons.
Illustrated below is a visualization and description of the manner in which web beacon data
collection occurs.
I. The customer enters the desired URL into the browser
II. The request is received by one of the web servers
III. The server returns the web page together with a 1x1 pixel image hosted on servers belonging
to third parties
IV. While the web page loads, the browser makes the image request to the third-party server
V. The third-party server then sends the image back to the browser together with code
capable of reading cookies and recording the behavior patterns of anonymous visitors.
Figure III below is an illustration of data collection using web beacons

Figure III

1.4.3.4. Packet Sniffing


Although this technology is more advanced than the others with respect to the technology used,
it is mostly applied for the purpose of multivariate testing. Its most pronounced advantage is
that packet sniffing does not require page tagging, since all information is processed through
packet sniffers. Described below is an illustration and description of the manner in which
packet sniffing operates.
I. The web user enters the URL into the preferred browser
II. The request passes through a software channel or a hardware packet sniffer device in front
of the web server, which collects the request characteristics
III. Thereafter the packet sniffer directs the request to the web server
IV. The requested information is then returned to the customer, again via the same packet sniffer
V. The packet sniffer receives the information about the page on its way back, stores the
collected data and sends the page on to the user's browser. Some packet sniffing vendors
additionally append JavaScript tags capable of sending additional data concerning the visitor
to the packet sniffer.
The figure below is a visualization of the data collection process by packet sniffer
Figure IV

1.5. Key challenges


Most of the challenges attributed to web analytics involve:
- Visitor identification
- Bot filtration
- Cache issues
- Overload of data
- Nature of metrics
- Time spent on the final page
- Appropriate tools
- Extensive analysis of the entire site
- Analysis of findings
- Issues of privacy

Visitor identification could be achieved through user profiles (in case logging in is a
requirement), caching or the IP address. Every one of these methods has setbacks, and this needs
to be considered since there will probably not be absolute accuracy, and counting every user
individually may not be possible. User profiles could provide absolute accuracy and be the
simplest method, as well as monitoring every user individually. If the user does not, however,
permit use of their information for the purposes of web analytics, it will not be possible to use
the information. Precautions must also be observed to ensure passwords are not linked to the
analytical information. When using caching, it is probable that users will protect their
profiles from caching, hence making information analysis impossible. Last but not least, when
using the IP address, privacy issues may come up, and the IP address of a single website user
may change occasionally, as previously discussed.
When using log files for the purpose of conducting web analytics, bots and spiders must be
detected and eliminated before conducting data analysis. Failure to do this will result in the
distortion of human traces as well as the alteration of statistics. Caching is another difficulty
in web analytics. JavaScript tagging happens to be the only data collection method capable
of analysing website pages that users access from a cache. The other methods do not see these
page views, resulting in understated statistics. The volume of data subjected to analysis may
also cause another problem. The number of applications capable of handling gigantic data
quantities is limited (Sen, Dacin, & Pattichis, 2006). This is especially so when data is
analysed in real time. Attempting to analyse large quantities of data from previous use could
cause major problems.
As previously discussed, web analytics applications use many metrics. Understanding the
different metrics and identifying the most appropriate ones to use is often difficult
(Hausmann et al., 2012). It is also important to understand the manner in which the metrics
were created. The amount of time spent on the final page before leaving it may not be
accurately measured. Since no subsequent request reaches the server, many tools only detect
departure from a website after a period of inactivity of not less than 29 minutes (Kaushik,
2007). Over the past few years the market for web analytics applications has grown
considerably. The biggest problem is identifying the most appropriate tool and understanding
the differences between the tools. It is also important to understand the website itself, over
and above comprehending the analytical aspects. This includes the structure and content of the
website (Cooley, 2003; Pietrowicz et al., 2015). The requirement to understand the analysis
metrics is inherent, as is the generation of important statistical findings during the analysis
itself. Most analysis processes terminate at the point of identifying the number of people
accessing the website. Proper and comprehensive web analytics tools must go beyond this and
attempt to determine the actions required, such as reformulating websites or gathering ideas to
be used in marketing initiatives.
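As an added example (not from the paper), the Python script below deals with three of the challenges above in one pass over constructed request records: bots are filtered both by self-declared crawler user-agent strings and by request velocity, the remaining requests are split into visits using an inactivity timeout, and each visit's duration is measured only up to its last request, which is precisely why time on the final page is unknown. The request records, the velocity threshold (more than 10 requests within 10 seconds) and the 30-minute timeout are assumptions chosen for the example; the text itself cites a 29-minute figure.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed request records: (timestamp, client ip, user agent, path).
# The 192.0.2.5 burst is 12 requests one second apart, made up to trigger
# the velocity rule. Addresses are documentation ranges.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
REQUESTS = [
    ("2024-01-15 08:00:00", "203.0.113.10", DESKTOP_UA, "/home"),
    ("2024-01-15 08:00:30", "203.0.113.10", DESKTOP_UA, "/products"),
    ("2024-01-15 08:45:00", "203.0.113.10", DESKTOP_UA, "/home"),   # 44.5 min gap: new visit
    ("2024-01-15 08:46:10", "203.0.113.10", DESKTOP_UA, "/cart"),
    ("2024-01-15 08:00:05", "198.51.100.7", "Googlebot/2.1 (+http://www.google.com/bot.html)", "/home"),
] + [
    (f"2024-01-15 08:10:{sec:02d}", "192.0.2.5", DESKTOP_UA, f"/page{sec}") for sec in range(12)
]

# Self-declared crawler markers (assumed list).
BOT_UA = re.compile(r"bot|crawl|spider|curl|wget", re.IGNORECASE)


def _parse(requests):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, ua, path)
            for ts, ip, ua, path in requests]


def velocity_bots(events, max_requests=10, window=timedelta(seconds=10)):
    """Clients that exceed max_requests inside any sliding window of length `window`.
    The thresholds are assumptions for the example, not values from the text."""
    by_client = defaultdict(list)
    for ts, ip, ua, _path in events:
        by_client[(ip, ua)].append(ts)
    flagged = set()
    for (ip, _ua), times in by_client.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(ip)
                break
    return flagged


def sessionize(events, timeout=timedelta(minutes=30)):
    """Split each visitor's requests into visits at gaps longer than `timeout`
    (30 minutes is an assumption; the text cites a 29-minute inactivity rule)."""
    by_visitor = defaultdict(list)
    for ts, ip, ua, path in events:
        by_visitor[(ip, ua)].append((ts, path))
    sessions = []
    for (ip, _ua), hits in by_visitor.items():
        hits.sort()
        current = None
        for ts, path in hits:
            if current is None or ts - current["end"] > timeout:
                current = {"visitor": ip, "start": ts, "end": ts, "pages": []}
                sessions.append(current)
            current["end"] = ts
            current["pages"].append(path)
    for s in sessions:
        # Time on the last page is not observable from the log, so the
        # duration stops at the last request rather than at the real exit.
        s["duration_seconds"] = int((s["end"] - s["start"]).total_seconds())
    return sessions


def analyse(requests=REQUESTS):
    """Filter bots, then sessionize what remains."""
    events = _parse(requests)
    bots = {ip for _ts, ip, ua, _path in events if BOT_UA.search(ua)} | velocity_bots(events)
    human_events = [e for e in events if e[1] not in bots]
    return {"bots": bots, "sessions": sessionize(human_events)}


if __name__ == "__main__":
    result = analyse()
    print("filtered bots:", sorted(result["bots"]))
    for s in result["sessions"]:
        print(s["visitor"], s["start"], len(s["pages"]), "pages", s["duration_seconds"], "s")
```

Keying visitors on the IP address and user agent together is the IP-based identification the text describes, with all its caveats: a shared address merges several people into one visitor, and a changing address splits one person into several.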
1.6. Conclusion
Besides environmental changes such as the introduction of fresh products, understanding the
behavior of website users is a primary reason why websites are currently being reinvented
(Weischedel & Huizingh, 2006). Previously customers were often passive in the general
ecosystem. The inception and growth of the internet has changed this position fundamentally
(Weischedel & Huizingh, 2006). In the present day internet users are no longer passive but
active participants who offer very interesting information for analysis. It therefore becomes
important to understand how supporting them can be achieved. The use of web analytics allows
entities to have a rare view of the situation from the perspective of the website users themselves
(Spiliopoulou & Pohle, 2001). Understanding the manner in which website users access the
website and the path they take is crucial for developing useful marketing strategies, since it
allows companies to project website visitors' behavior. The process also makes it possible to
optimize the website's logical structure (Cooley, 2003). Enhancing communication through
websites is crucial to the objective of satisfying the goals of the targeted audience and of the
website itself (Norguet, Zimányi, & Steinberger, 2006).
Web analytics has in the past been used in economic fields. Most of the analytical examination
described in the literature was specifically for commercial sites (Wu, Cheng, Liu, & Liu, 2009).
Notwithstanding this, there are good grounds for the use of web analytics on other types of
websites. Some measures are easy to determine when examining ecommerce websites, such as
the number of successful visits backed by a purchase, although there are many more measures
that could be used for other website types. Web analytics has to be understood only as an
analysis process. It is not an absolute science. No web analytics number is likely to describe
reality absolutely. Answers backed by certainty are not possible, since no direct information is
given by the users. With the assistance of web analytics applications websites can be
quantified, although the information needs interpretation by analysts who are action oriented
and pragmatic enough to implement improvements (Ogle, 2010).
Web analytics often goes wrong because the process was not completed. Most often large
amounts of investment are put into web analytics tools, but eventually nothing beyond reports
is generated. Implementing action after analysis is often the most crucial aspect of web
analytics, although it is often ignored.

References

Cooley, R. (2003). The use of web structure and content to identify subjectively interesting
web usage patterns. ACM Transactions on Internet Technology (TOIT), 3(2), 93-116.
Hassler, M. (2010). Web analytics: Metriken auswerten, Besucherverhalten verstehen, Website
optimieren: MITP-Verlags GmbH & Co. KG.
Hausmann, V., Williams, S. P., & Schubert, P. (2012). Developing a Framework for Web
Analytics. Master's Thesis, University of Koblenz-Landau.
Kaushik, A. (2007). Web Analytics: An Hour A Day (W/Cd): John Wiley & Sons.
Norguet, J.-P., Zimányi, E., & Steinberger, R. (2006). Improving web sites with web usage
mining, web content mining, and semantic analysis. Paper presented at the International
Conference on Current Trends in Theory and Practice of Computer Science.
Ogle, J. A. (2010). Improving Web Site Performance Using Commercially Available
Analytical Tools. Clinical Orthopaedics and Related Research, 468(10), 2604-2611.
Onwubiko, C. (2016). Exploring web analytics to enhance cyber situational awareness for the
protection of online web services. Paper presented at the Cyber Security And Protection
Of Digital Services (Cyber Security), 2016 International Conference On.
Phippen, A., Sheppard, L., & Furnell, S. (2004). A practical evaluation of Web analytics.
Internet Research, 14(4), 284-293.
Pietrowicz, S., Falchuk, B., Kolarov, A., & Naidu, A. (2015). Web-Based Smart Grid Network
Analytics Framework. Paper presented at the Information Reuse and Integration (IRI),
2015 IEEE International Conference on.
Sen, A., Dacin, P. A., & Pattichis, C. (2006). Current trends in web data analysis.
Communications of the ACM, 49(11), 85-91.
Singal, H., Kohli, S., & Sharma, A. K. (2014). Web analytics: State-of-art & literature
assessment. Paper presented at the Confluence The Next Generation Information
Technology Summit (Confluence), 2014 5th International Conference.
Spiliopoulou, M., & Pohle, C. (2001). Data mining for measuring and improving the success
of web sites. Data Mining and Knowledge Discovery, 5(1-2), 85-114.
Waisberg, D., & Kaushik, A. (2009). Web Analytics 2.0: empowering customer centricity. The
original Search Engine Marketing Journal, 2(1), 5-11.
Weischedel, B., & Huizingh, E. K. (2006). Website optimization with web metrics: a case
study. Paper presented at the Proceedings of the 8th international conference on
Electronic commerce: The new e-commerce: innovations for conquering current
barriers, obstacles and limitations to conducting successful business on the internet.
Wu, J., Cheng, Y., Liu, Y., & Liu, X. (2009). Using web-analytics to optimize education
website. Paper presented at the International Conference on Hybrid Learning and
Education.
Zeng, D., Chen, H., Lusch, R., & Li, S.-H. (2010). Social media analytics and intelligence.
IEEE Intelligent Systems, 25(6), 13-16.

2. Cyber situational awareness


Introduction
Reacting to cyber threats requires the ability to handle imprecise and uncertain information. The
potential for malicious activity robs network users of optimal security. Most machines are
vulnerable to compromise, and the extent of damage caused may not be immediately realized.
During security planning it becomes inherently important to understand the consequences of a
vulnerability, including information compromise. This understanding allows for better
balancing of performance, functionality, ease of use and security. The information available is,
however, in most instances imprecise and vague. According to Leopold (2015), this imprecise
and imperfect information has to be relied upon for the purpose of monitoring for actual attacks
and preventing further attacks from taking place by applying credible risk management
measures.

Situational awareness, according to Hawk (2015), is a fundamentally important concept in cyber
information security operations. Hawk defined situational awareness as the perception of the
enterprise security situation and the environmental threats that come with it in a given span of
time and space. Situational analysis involves comprehension of the risks involved and
projection of the cyber security situation into the future. Diagram I below is a summarized
representation of the ecology and interrelation of the many layers governing the elements of
perpetual monitoring. The diagram represents the flow of information.

Diagram I

Perpetual/continuous monitoring is a continuous process of observation with the objective of
providing warning. The capacity to provide perpetual monitoring entails continuous analysis
and observation of the state of operations in the system in order to come up with decisions
pertaining to variance from expectation and situational awareness (Jajodia, 2010).

According to Hawk (2015), the methods and merits of the philosophies applied to network
security, including situational awareness, can cause much deliberation. Dynamicity is one of the
primary characteristics of situational awareness. Situational awareness makes it possible to
employ dynamic tactics in responding to new and evolving threat models. This is inherently
contrary to the typical information security paradigm. Traditional information security
mechanisms can be compared to building castles and fortresses: they are mostly static. In order
to accomplish a security foundation, the traditional avenues for information security may apply
risk management tactics. Threat modeling is a tactic used in the development of applications
for the purpose of analyzing and mitigating application security risks. In cyber situational
security, however, new ways of reasoning are applied with the objective of exploring innovative
ways of threat modeling. In order to satisfy the dynamic needs existing in the network attack
landscape, the characteristics highlighted below are essential for the network:

Network characteristics for situational awareness

For effective cyber situational awareness monitoring has to be activated across all networks.
Information sent to log files must be monitored and the log data has to be sent into a SIEM
(Security Information and Event Management) system (Miller, 2011). The SIEM is responsible for
analyzing and correlating the received log data for possible attack trends (Lachance,
2015). The SIEM is expected to compare and contrast incoming data against known vulnerabilities
and exposures (CVE) and configuration errors (CCE). SIEM also examines databases prone to
threats for the sake of assessing possibility of an imminent attack (Nicolett, 2010). Network
hosts ought to be classified in the category of asset databases capable of scanning the network
for vulnerabilities and providing remedies that are compliant with the recognized strategies.

In order to achieve situational awareness, acceptable practices in change control and
configuration management have to be achieved. All the code patches ought to be properly tested
in a test environment prior to implementation in the production environment. Any system
that is vulnerable and cannot be repaired using code ought to be under strict monitoring,
hardening or armoring (Hawk, 2015). IRPs (Incident Response Plans) ought to be created as a
way of dealing with the various types and classes of occurrences (Gurkok, 2013). Network
security should be supplemented through extension of monitoring initiatives across
environments, processes and people (Schneier, 2014). Technology must never be the exclusive
avenue for the network security enterprise.

Whether in cyber security or physical security, the most fundamental security aspects are
monitoring, control assessment and prompt response to incidents. In the cyber situational awareness paradigm
security may be achieved through environmental awareness and quick response to threats
identified as opposed to creating castles and fortresses with an expectation of maximizing
capacity to withstand attacks optimally (Jajodia, 2010). It must be understood that cyber
situational awareness does not refer to a single product. It however refers to a philosophy
realizable through use of intelligence of processes and products that define the networks of
information systems.

2.1. Defining situational awareness (SA)


Cyber-attack is a phenomenon that has continuously increased in complexity and numbers.
This has prompted need to have better education and training on cyber defense mechanisms.
One of the major setbacks to education on cyber security has been overdependence on
instruction styled as lectures and failure to incorporate hands-on training. There is therefore
a need to have a comprehensive training solution capable of offering realistic human-centric
environments for exploration, interaction and collaboration by cyber analysts. This will enable
effective learning.

Huang (2015) defined situational awareness as the perception and comprehension of elements
in the environment based on space and time. Cyber situational awareness therefore is an
extension of situational awareness to cyber domain. Cyber analysts have to understand the
meaning behind observation for cyber security awareness. Analysts must also have an ability
of projecting implications of their observation on the system. Huang (2015) describes the
assessment and training systems in cyber situational awareness with an intention of assessing
and teaching team and individual cyber situational awareness in a context of cyber defense.
Huang also incorporates a variety of technologies with an objective of enhancing the learning
process for cyber analysts.

In order to conduct effective training on cyber security, it is important to design genuine
exercise lessons. Accurately identifying the cognitive processes in experts through analysis of
tasks using cognition can be transformed into useful training materials to educate cyber analysts
on how to act and think like experts for the purpose of defending the system. Information
overload is a challenge trainees contend with. To overcome it, identification and design of
statistics is implemented. This allows the trainees to develop their customized observation
statistics and the thresholds that trigger action so as to identify cyber-attacks more easily and
faster. The speed of recognizing, analyzing and responding to cyber-attacks is important. This
is because this ability reduces damage potential and minimizes costs of recovering from an
attack. Cyber analysts can therefore be evaluated based on the time taken to respond in relation
to the estimated ground timeline of an attack.

Cyber-attacks are responsible for substantial disruptions of work. It is therefore important to
understand how a defender ought to behave in their attack tolerance and experience in threat
handling. It is important also to master the adversaries’ actions which could affect threat
detection. Cognitive modeling is one of the avenues proposed by Dutt et al. (2013) to predict
cyber-attack factors. Cyber-attacks according to Dutt et al. (2013) involve the disruption of
normal functions of computers and loss of confidential information through networks. The
reason for loss and disruptions is malicious network occurrences that are increasing by the day.
It is believed the propensity for cyber-attacks could in the near future undermine technical
network systems that essentially support every activity in a network. This includes activities
like recording and broadcasting world events like Olympics and the FIFA world cup (Trendle,
2003). In today’s world there are many anonymous network users and hacking groups that pose
a serious threat on national security. Securing against potential attacks has become a significant
component of the IT governance process especially because most private entities and
government agencies have shifted their platforms online.

The United States recently declared cyber threats a serious national security and economic
challenge. The 2017 election was dominated by accusations of cyber-attacks against the
Democratic National Congress. China was recently accused of hacking into the White House as
well. There are two components to the strategy for cyber security and they are: enhanced
resilience to cyber-attack incidents and the reduction of cyber threats. In order to achieve this
target security analysts otherwise referred to as defenders are charged with protecting online
infrastructure of the corporate networks from organized or random cyber-attacks (Jajodia,
2010). Security analysts protect corporate networks through accurate detection of threats in the
soonest possible time in the event of a cyber-attack.
Dutt et al. (2013) examines factors that influence the experiences of a simulated security analyst
and their ability to tolerate threats through accurately detecting them for behaviors that are
simulated. The computational model is used in the simulations. Behaviors that are adversarial
are demonstrated through different strategies of simulated attack and therefore differ in threat
timing over sequences of events in a network. The awareness process of the security analyst is
also simulated using computational systems of rigorous decision making.

In general situational awareness could be described as the perception of elements in the environment
in accordance with space and time, understanding of the meaning of these elements and status
projection after certain variables change like time (Endsley, 1995). Cyber situational awareness
can be understood as virtual situational awareness. It involves recognition of situations,
perception of cyber-attack type, origin of the cyber-attack and its target. Cyber situation
awareness involves comprehension of the situation, understanding of the reasons for the
prevailing situation, the impact of the situation and projection of the situation. The
determination of future expectations of an attack, the location of that attack and the possible
impact also comprises cyber situational awareness (Jajodia et al., 2010; Tadda et al., 2006).

Cyber situational awareness according to Kotenko & Doynikova (2014) is the capacity to offer
assistance to people charged with decision making in their attempt to make decisions with
clarity and assist security analysts in the prevention of malicious actions. The field manual of the
US Army explains situational awareness as the understanding and knowledge of the prevailing
situation, therefore allowing for accurate, timely and relevant evaluation of enemy, friendly as
well as other operations inside the battle zone. This allows for effective decision making.
Situational awareness in cyber security means an accurate understanding of cyber security
utilities.
Cyber situational awareness entails accurate comprehension of the utilities in the operations of
cyber security and each of the CIKR (critical infrastructure and key resource) contributing to
the entire utilities system process (Blumenthal et al., 2012). In situational awareness there has
to be comprehensive analysis of the existing operations within the cyber security utilities. It
must be possible to evaluate weaknesses, potential breakdowns and vulnerabilities which may
be exploited by the enemy (Franke & Brynielsson, 2014). This gives the network utilities
optimal security. Situational security is characterized by surveillance of unusual occurrences
and events within the networks of cyber security. Situational awareness entails flexibility in
the approach of possible security threats and ability to mitigate the threats before they sustain
any success. It is important to have situational awareness for the reason of the growing
operations complexity in the present day utility systems. It is important to understand that the
variability of cyber security changes within the network is highly dynamic far and above other
utility grids. It is inherent therefore that the industry and utility employ unified CIKR and cyber
security approaches.
Cyber-attack is a computer attack meant to undermine the confidentiality and integrity of
information resident in computers. Huang (2015) indicates that cyber-attacks have significantly
increased both in complexity and numbers recently. A cyber attacker first of all examines the
vulnerable points in a system and then infiltrates the hosts and/or networks. Upon accessing
the system, the attacker uses it to either steal important data, monitor communication, uncover
new ways of attack in relation to that system, and take over control of the management of assets
in that system or paralyze the computer, networks and other related systems. Some of the
damaging effects of successful cyber-attacks include taking control of network resources and
hosts and access to sensitive information present in the network.
Situational awareness according to Jajodia (2010) is an evolving perception concerning the
attributes and evolving status of elements. It is the comprehension of several observations with
an intention of relating them to the prevailing situation and projecting the possible outcomes
in the future based on knowledge and experiences accumulated in the past. Cyber situational
awareness projects situation awareness to cyber domain. This is where data is collected by
cyber analysts and signs of potential attack tracks are sought, the potential consequence of the
identified attack tracks is estimated and the attacker’s moves are anticipated. The effectiveness
of CSA is however derailed by the gigantic complexity and size of today’s networks, the
adaptive characteristics of knowledgeable adversaries, increasing quantity of false alarms
caused by IDS (Intrusion Detection Systems), absence of grounded skills for assessing
performance of defense systems, presence of institutional stove pipes derailing collaboration
and use of technologies that do not have enough comprehension of prevailing human needs.
2.2. Situational awareness models
The situational awareness concept is often described in literature work by Salmon et al., (2008).
The concept however remains principally individually constructed and most of the situational
awareness models interpret situational models using personal perspectives. Collaborative
deliberations of situational awareness have gathered less attention. The situation has made
situational awareness a complex factor hence challenging human actors both in the
establishment of theoretical viewpoints and of authentic assessments. The process of
developing guidelines for training and systems as well as procedure designs has become
difficult. Salmon et al. (2008) critique and review situational awareness and compare team
and individual models. The argument by Salmon and team is that the approaches in situational
awareness proposed in recent times are most fit for the purpose of assessing and describing
situational awareness in collaborative environments globally.
2.2.1. Reference model
In software engineering, enterprise and systems, the reference model is understood to be a
theory or abstract framework made up of intertwined circle of concepts that have clear
definition from experts. The objective is to foster communication clarity (Chatti et al., 2012).
Reference models are capable of representing individual parts identifying any idea that is
consistent (Day & Zimmermann, 1983). This may be in business functions or system
components. The reference model designed can be a tool of communicating ideas with clarity
to members belonging to a single community.
OASIS (2012) defines a reference model as a theoretical framework used to understand the
relationship existing among entities in one environment. Reference models are used to develop
consistent specifications and standards that sustain that environment. Reference models are
built on the foundation of smaller concepts that could be used as a means of educating and
elaborating concepts to people that are not specialists. Reference models are never built on the
basis of any technologies, standards or tangible details of implementation. Reference models
will however provide universal semantics that could be applied unequivocally over different
implementation platforms.

Reference model purpose

OASIS (2012) stated that reference models are utilized by architects as a mechanism of
constituting architectures. This is the same mechanism used by the automotive industry in
making logical divisions for car components. Software industries utilize reference models in
creating divisions and making logical decisions for architectures. In so doing, it becomes easier
for products owned by vendors to be fashioned to satisfy the needs of architecture and also
permit users to comprehend the fitting position of products in the corporate architecture. The
reference model operates in the same manner as it would for tire manufacturers who have an
understanding that automobile manufacturers know precisely well that the wheel is a circular
car component bolting to the hub and requiring a tire fitted onto the rim. Contrary to specific
architecture, reference models do not specify the wheel sizes or the patterns of bolts that ought
to be used. The only thing is that these attributes are common with the automobile industry.
Individually it is logical that rims and wheel sizes, composition and shape may vary.

Uses of reference model


The reference model creates the standards both for the objects exhibiting model and the
relationship the objects have with each other. Through standards creation, developers and
engineers have an easy time creating objects that function according to set standards. The
reference model can be used by software developers to break down large problem sets into small
manageable problems that are easily understood, handled and refined. Engineers who are
relatively new to specific problem sets can easily identify the existing problems and therefore
focus on providing solutions to those problems while having confidence that other areas of the
system are properly understood and thoroughly constructed. Trust is an important characteristic of
developers for the good of focusing on the tasks at hand.
Reference models also help enhance communication systems between people. Reference
models subdivide problems into smaller entities or items that are self-existing. This often is
unequivocal recognition of commonly shared concepts among people. When these concepts
are developed using precise methods, then the reference model assists in the definition of the
manner in which the concepts are different from one another and/or relate to each other. This
will help enhance the communication between people participating in the application of the
concepts. The reference model also creates clearly defined responsibilities. Through
development of entities and relationships between them an organization could dedicate explicit
teams or individuals therefore allowing them to assume the role of problem solving concerning
specific entity sets. The reference model also allows for comparison of a variety of things.
Through demystification of problem sets into simple concepts, the reference model could be
used as a tool for examining distinct solutions to the problem. Through doing so, the principle
components to a solution could be deliberated on while comparing them to other solutions.

Reference model concepts


The reference model is a description of existing entities and the relationship between them i.e.
their connection, interaction and their common properties. A mere list of types of entities does
not offer adequate information for classification as reference model. A reference model could
be understood also as an abstract. Reference models offer information concerning a specific
environment. In this case the reference model will provide information concerning cyber
security situation. The reference model elaborates on the type of entities existing in an
environment and not the entities themselves. For example, cyber security entails an
environment of networks and computing devices. The security elements of cyber security detail
the protection processes which form part of the reference model. It is important to understand
the security concept and web analytics in order to implement cyber situational awareness.
A reference model is a concept that clarifies elements existing in an environment as opposed
to describing an entity. A reference model ought to include clear problem description involved
in the entity and the stakeholders concerns. The stakeholders are the subjects in need of a
solution. In cyber situation awareness the network users are in need of cyber security. The
reference model has limited use if assumptions concerning the platforms or technology used in
a computing environment are hypothetical. The reference model makes it possible to
comprehend categories of problems and not to offer solutions to these problems. For this reason
the reference model must facilitate evaluation and comprehension of the potential solutions
aimed at offering help to practitioners. The reference model may describe software applications
since for example in the case of cyber situational awareness the problem is overcoming security
challenges caused by cyber attackers.

Relationships between Reference model and Cyber situational awareness


Endsley (1995) proposed that the situational awareness reference model is a process spanning
three phases i.e. perception phase, comprehension phase and projection phase. Situational
awareness starts with perception. This provides information concerning the status, dynamics
and attributes of concerned elements in that environment. Perception incorporates also
information classification into understandable facets and provision of the primary building
blocks to facilitate projection and comprehension. For the reference model situational
comprehension entails the manner in which people interpret, correlate and combine
information. This provides an organized outlook of prevailing situation through determination
of the importance of events and objects. The reference model is a dynamic process and must
therefore entail comprehension of the combined information with the pre-existing knowledge
in order to create a cumulative picture of evolving situations. This is a projection essentially.
Cyber situational awareness entails three phases which are: data collection, estimation of the
impact caused by cyber-attacks and anticipation of subsequent moves.

Diagram II

Salerno (2008) proposed a revision to the reference model to what appears in diagram II above.
In the attempt to create and test a situational awareness reference model, Salerno et al. (2005)
started research aimed for application in cyber domain. The situational awareness reference
model has been updated since and given a more complete definition by Salerno (2008) as
shown in diagram II above.
According to Jajodia (2010) cyber situational awareness reference model involves adoption of
a JDL (Joint Directors of Laboratories) (Onwubiko & Owens, 2012) model of data fusion at
the various cyber situational awareness levels. The first level of JDL deals with identification
and tracking of separate objects (Mahoney et al., 2010). The second level of JDL involves
aggregation of existing objects into units or groups by identifying relationships existing
between objects. JDL is often applied in many situational awareness frameworks although it is
considered unsuitable in the cyber domain. JDL is a method that ignores information context
like the location, time of acquisition, destination and source of service and communication. All
these absent characteristics are important in accurate detection of threats (Kott et al., 2014).
Taking the time of data acquisition as an example and assuming that cyber analysts are
able to detect TCP (Transmission Control Protocol) connection requests on a single port: if
the requests are directed at different machines in a short span of time, the assumption
could be that an attacker is attempting to find an attack entrance after ascertaining
whether an SSH server has been activated. If however the probing takes place once a week, this
might be the system's own attempt to probe behavior (Deli & Çağman, 2015).
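The port-probe reasoning above, organised along the perception, comprehension and projection phases of Endsley's model described earlier, as an added example that is not part of the dissertation or of any cited author's work: constructed connection-attempt records are parsed, grouped by source address, and classified as a likely sweep across hosts or as a periodic single-host probe. The record format, the addresses, the window and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the dissertation): a small detector for the
SSH port-probe scenario, structured along Endsley's three levels.
Perception:     parse raw connection-attempt records into events.
Comprehension:  per source, count distinct hosts probed on the port inside a
                short window and measure the smallest gap between probes.
Projection:     label the pattern (sweep across hosts in a short span versus a
                single host probed at long, regular intervals).
The log format, addresses and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed format):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> SYN"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 -> 10.0.0.11:22 SYN
2024-03-01T10:00:02 203.0.113.5 -> 10.0.0.12:22 SYN
2024-03-01T10:00:03 203.0.113.5 -> 10.0.0.13:22 SYN
2024-03-01T10:00:04 203.0.113.5 -> 10.0.0.14:22 SYN
2024-03-01T10:00:05 203.0.113.5 -> 10.0.0.15:22 SYN
2024-03-01T10:00:06 203.0.113.5 -> 10.0.0.16:22 SYN
2024-02-19T09:00:00 192.0.2.7 -> 10.0.0.11:22 SYN
2024-02-26T09:00:00 192.0.2.7 -> 10.0.0.11:22 SYN
2024-03-04T09:00:00 192.0.2.7 -> 10.0.0.11:22 SYN
"""


def perceive(log_text):
    """Level 1: turn raw lines into (time, src, dst, port) tuples,
    skipping anything that does not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        ts = datetime.fromisoformat(parts[0])
        dst, port = parts[3].rsplit(":", 1)
        events.append((ts, parts[1], dst, int(port)))
    return events


def comprehend(events, port=22, window=timedelta(seconds=60)):
    """Level 2: for each source, the largest number of distinct destination
    hosts probed on `port` within any `window`, plus the smallest interval
    between two successive probes (None when there is only one probe)."""
    by_src = defaultdict(list)
    for ts, src, dst, p in events:
        if p == port:
            by_src[src].append((ts, dst))
    summary = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (t0, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        summary[src] = {
            "hosts_in_window": best,
            "min_gap": min(gaps) if gaps else None,
            "total": len(hits),
        }
    return summary


def project(summary, sweep_hosts=5, periodic_gap=timedelta(days=1)):
    """Level 3: anticipate what each source's pattern most likely means.
    Thresholds are assumptions; tune them to the monitored environment."""
    verdicts = {}
    for src, s in summary.items():
        if s["hosts_in_window"] >= sweep_hosts:
            verdicts[src] = "likely SSH sweep: review source and exposed hosts"
        elif s["min_gap"] is not None and s["min_gap"] >= periodic_gap:
            verdicts[src] = "periodic single-host probe: confirm a scheduled check"
        else:
            verdicts[src] = "insufficient evidence: keep observing"
    return verdicts


def analyze(log_text=SAMPLE_LOG):
    """Run all three levels over a log text and return verdicts by source."""
    return project(comprehend(perceive(log_text)))


if __name__ == "__main__":
    for src, verdict in analyze().items():
        print(src, "=>", verdict)
```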
Reference models will only be useful in instances where they offer useful reference
information. Reference models are implemented best by application of standards. If perhaps
the fundamental standards are absent, they ought to be developed on the premise of reference
model characteristics. In cases where existing models are already implemented they should be
mapped on reference model for the purpose of comparisons and interoperability. Where an
implementer is at liberty to select their preferred model, the reference model should be directly
applied using preexisting standards.
2.2.2. Process model
Process models can be understood as processes having the same nature and are classified in
one group as a model (Gendlin, 1997). The process model describes a process at the stage of
its type. For this reason a process exemplifies the process model. The process model is applied
in the creation of many elements. The process model could be used as a description of how
processes ought to take place as opposed to articulating the substance of the process. Process
models anticipate the details of a process in advance. The actual nature of the process will be
realized during development of the process itself.
The objectives of process models include explanation of the process rationale for easy
understanding of the process details, evaluation and exploration of various grounds upon which
actions are founded, establishment of explicit relationship between the processes and model
requirements. The process model also projects the instance at which information could be
retrieved for purpose of reporting. Prescription: process models define the process in its
desired/absolute state and how the process ought to be executed. The process model also
establishes the behavior patterns, guidelines and rules which should be followed in order to
achieve the desired performance levels of the process. The behavior patterns could entail
flexible guidelines or strict enforcement.
Another objective of the process model is description of the actual happenings in a process.
Process models also employ the perspective of external observers who are interested in the
manner in which processes have been executed. Through this, the external observer decides on
the areas that need improvement in order to make the process more efficient and effective.

Process model purpose


In the process of development process modeling underlines the principle concepts that must be
described. Dowson (1987) finds that from an operational perspective process modeling has an
objective of offering guidance to application developers and method engineers. The process of
business modeling is often meant to project the needs for changing processes or identification
of the issues that need correction. An IT environment is a primary driver for modeling business
processes. Programs for change management are important for exercising the process. Process
modeling solves the processing qualities of a business architecture therefore resulting in an all-inclusive
enterprise architecture.
Process modeling according to Berg (2011) assists in the identification of bottlenecks. The
ability to visualize the internal processes through a process model helps reveal the points where
bottlenecks occur. Most organizations respond to bottlenecks by adding resources which in
most instances is not a solution. Adding more resources means the operators require more
indoctrination/orientation time, training time and in the process the newly introduced resources
negatively affect the ability of the team to complete its work. Through process modeling it is
possible to identify areas of improvement before new resources are injected. In cyber
situational awareness problem sets can be easily identified using process modeling and the style
of implementing reinforcement visualized with ease.
Process modeling makes it possible to uncover excessive handoffs. Upon visualization of the
process, it is thrilling to discover that an item changes hands very many times during the
process. Effective process models will help actualize the excessive handoffs identified and
offer opportunity to evaluate whether there could be intermediate activities terminated. Web
analytics and cyber situational awareness can employ process modeling to identify unnecessary
processes in virtual processes of cyber security.
Process modeling helps identify sources of rework and errors. The process model illustrates
the separate stages in a workflow. This makes it very easy to pinpoint the point at which errors
occur and the elements that need rework in the system. The earlier errors are identified in
the process, the lower the cost of remedy will be. Failure to visualize the
process means that more errors will find their way downstream hence more costs will be
incurred as the erroneous activity continues inside the process. The resources consumed along
the process also escalate. In cyber situational awareness identification of cyber security errors
can help minimize vulnerability to cyber-attacks. The process comes in handy in aiding the
identification of inaccuracies by the security analysts/defenders.
The process model creates uniformity in the quality of breeds. Variation is an enemy of quality.
Through process reconciliation and modeling of the various ways through which staff workers
perceive the process, it becomes possible to reduce variations and hence improve output quality
exponentially. In cyber situational awareness security analysts have the opportunity to examine
the cyber-attack vulnerabilities comprehensively using process model and therefore enhance
the quality of cyber security.
Process models help sustain continuity in business operations. An efficient process model will
not only help diagnose problems in the process but also assist in process documentation. An
effective documentation process is the most important aspect of creating manuals of procedure
and training materials utilized in orientation of new workers into the standard practices
designed diligently over time. The same benefit of sustaining continuity can be used in cyber
security. The process model has the capacity to assist in keeping track of the network activities
and document the process. Through this diligence is established over time therefore making it
a lot easier to monitor the networks for potential attacks.
Careful examination of processes through modeling is important. The ideas generated through
process modeling ultimately result in cost savings. Process models are the basis upon which
improvements to the system can be implemented and realization of organization goals attained.

2.3. Visualization
Visualization is a very important component of cyber situational awareness (Tamassia et al.,
2009). D'Amico et al. (2007) uses cognitive analysis of tasks to develop a visualization
framework aimed at supporting analysts’ work. Michel et al. (2011) investigated the
importance of virtual world in bettering conveyance of large data sets real time for cyber
situational awareness. Salas (2003) examines the importance of three dimensional models in
visualization of the impact caused by information security activities during military missions.
Klein et al. (2012) sought solutions to the problems of cyber situational awareness using two
phases which are: collection of data into comprehensive models and the visualization of the
data in a manner that encourages human understanding. The techniques used in visualization
are rarely applied in strategies adopted by a nation although there are some exceptions.
According to National Information Security Center (2013) Japan is a country that uses
visualization to assess the level of vulnerability on its cyberspace. The country also uses
visualization to detect extent of malware that has infected the networks as well as other cyber
security trends. Information visualization is a crucial component in securing situational
awareness.

2.4. Application in cyber area


The visualization concept is not directly linked to perception created by situational awareness.
It is important to carry out extensive research into the impact various visualization aspects have
on cyber situational awareness. Visualization as earlier discussed enables security analysts to
accurately monitor the security metrics in the networks. As is the case with Japan, visualization
has the capacity to assist in detecting cyber-attack vulnerability levels, detecting malware
that has infected the system as well as monitoring the security trends.

2.5. Initiatives towards performance and effectiveness


The reference model and process model have been identified as tools for enhanced performance
of the cyber situational awareness activities. The process model particularly assists in the
identification of errors, bottlenecks and handoffs. Process model helps identify network
vulnerabilities and enhance network quality. Visualization is a concept that assists security
analysts with monitoring security metrics of the network. It is possible to detect malware and
vulnerable points in the network through visualization. Monitoring according to Miller (2011)
is an essential component of cyber situational awareness and the reference model, process
model and the visualization concept facilitate in offering insights on the state of a cyber space.
2.6. Conclusion
Cyber situational awareness as previously discussed can be achieved through creation of
environmental awareness and quick response to the threats identified. Situational awareness
cannot be likened to the creation of fortresses and castles with an objective of maximizing
ability to overcome attacks (Jajodia, 2010). In order to achieve effective cyber situational
awareness there has to be continuous monitoring of all networks. In order to maximize cyber
security all the vulnerable systems that may not be repairable using code have to be consistently
monitored in order to alleviate potential attacks (Hawk, 2015). It has been deduced that the
objective of an attacker is to scout for the vulnerable points in a system and thereafter infiltrate
the network. The attacker may choose to still confidential information, monitor communication
taking place through the hardware and/or explore new ways of attacking the system. The
attacker can even take over asset management of the system or disable the computer, network
and other related systems.
In order to stem the vulnerabilities, visualization and situational awareness models facilitate in
detecting errors in a network and the cyber situational awareness process. The models help in
enhancing the diligence of security analysts therefore minimizing the possibility of attacks.in
order to prevent an attack defenders have to be accurate in the identification of potential attacks,
implement defense mechanisms in good time and evaluate the trends of the enemy promptly.
The concept of cyber security requires practical training on defense mechanisms as opposed to
the formal theoretical training.
References

Berg, R. (2011). Why process modeling? Journal of Insurance Operations. Perr & Knight.
Blumenthal, U., Haines, J., Streilein, W., & O'Leary, G. (2012). Information Security for Situational Awareness in Computer Network Defense.
Candela, L., Castelli, D., Ferro, N., Ioannis, Y., Koutrika, G., Meghini, C., Pagano, P., et al. (2008). The DELOS Digital Library Reference Model: Foundations for Digital Libraries. Version 0.98. On Digital Libraries, 215.
Chatti, M. A., Dyckhoff, A. L., Schroeder, U., & Thüs, H. (2012). A Reference Model for Learning Analytics. International Journal of Technology Enhanced Learning, 4(5/6), 318-331.
Cyber situational awareness. (2012). Springer-Verlag New York.
D'Amico, A., & Whitley, K. (2008). The Real Work of Computer Network Defense Analysts: The Analysis Roles and Processes that Transform Network Data into Security Situation Awareness.
D'Amico, A., & Salas, S. (2003). Visualization as an aid for assessing the mission impact of information security breaches. Proceedings of the DARPA Information Survivability Conference and Exposition, 2, 190.
Day, J. D., & Zimmermann, H. (1983). The OSI reference model. Proceedings of the IEEE, 71(12), 1334-1340.
Deli, I., & Çağman, N. (2015). Intuitionistic fuzzy parameterized soft set theory and its decision making. Applied Soft Computing Journal, 28, 109-113.
Denning, P. J., & Denning, D. E. (2010). Discussing Cyber Attack. Communications of the ACM, 53(9), 29-31.
Dowson, M. (1987). Iteration in the software process: Proceedings of the 3rd International Software Process Workshop, Breckenridge, Colorado, USA, 17-19 November 1986. Washington, D.C.: Computer Society Press of the IEEE.
Dutt, V., Ahn, Y.-S., & Gonzalez, C. (2013). Cyber situation awareness: modeling detection of cyber attacks with instance-based learning theory. Human Factors, 55(3), 605-618.
Endsley, M. R. (1995). Toward a theory of situation awareness in dynamic systems: Situation awareness. Human Factors, 37(1), 32-64. Human Factors and Ergonomics Society.
Franke, U., & Brynielsson, J. (2014). Cyber situational awareness – a systematic review of the literature. Computers & Security, 46, 41. Elsevier Ltd.
Gendlin, E. T. (1997). A process model. Spring Valley, N.Y.: Focusing Institute.
Gurkok, C. (2013). Cyber forensics and incident response. Managing Information Security: Second Edition (pp. 275-311). Elsevier Inc.
Hawk, R. (2015). Situational Awareness in Cyber Security. Retrieved 11 January, 2017 from: https://www.alienvault.com/blogs/security-essentials/situational-awareness-in-cyber-security
Huang, Z. (2015). Human-centric training and assessment for cyber situation awareness.
Jajodia, S. (2010). Cyber situational awareness: Issues and research. New York: Springer.
Jajodia, S., Liu, P., Swarup, V., & Wang, C. (2010). Cyber Situational Awareness. Springer US.
Klein, G., Günther, H., & Träber, S. (2012). Modularizing Cyber Defense Situational Awareness - Technical Integration before Human Understanding.
Kotenko, I., & Doynikova, E. (2014). Security evaluation for cyber situational awareness. Proceedings - 16th IEEE International Conference on High Performance Computing and Communications, HPCC 2014, 11th IEEE International Conference on Embedded Software and Systems, ICESS 2014 and 6th International Symposium on Cyberspace Safety and Security, CSS 2014 (pp. 1197-1204). Institute of Electrical and Electronics Engineers Inc.
Kott, A., Wang, C., & Erbacher, R. F. (2014). Cyber defense and situational awareness.
Lachance, D. (2015). CISSP: Security Information and Event Management. Nashua, New Hampshire: Skillsoft Ireland Limited.
Leopold, H. (2015). Cyber Situational Awareness. Elektrotechnik und Informationstechnik, 132(2), 97-100. Springer-Verlag Wien.
Mahoney, S., Pfautz, J., Wu, C., Farry, M., Roth, E., & Steinke, K. (2010). A cognitive task analysis for cyber situational awareness. Proceedings of the Human Factors and Ergonomics Society 54th Annual Meeting, HFES 2010, 1, 279-283.
Michel, M. C. K., Helmick, N. P., & Mayron, L. M. (2011). Cognitive cyber situational awareness using virtual worlds. 2011 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA 2011), 179-182.
Miller, D. (2011). Security information and event management (SIEM) implementation. New York: McGraw-Hill.
Nicolett, M. (2010). Critical Capabilities for Security Information and Event Management Technology. Event (London), (May), 16.
OASIS. (2012). OASIS SOA Reference Model (SOA-RM) TC. Online webpage. Retrieved 11 January, 2017 from: https://www.oasis-open.org/committees/soa-rm/faq.php
Onwubiko, C., & Owens, T. (2012). Situational awareness in computer network defense: Principles, methods and applications. Hershey, PA: Information Science Reference.
Salerno, J. (2008). Measuring situation assessment performance through the activities of interest score. Proceedings of the 11th International Conference on Information Fusion, FUSION 2008.
Salerno, J. J., Hinman, M. L., & Boulware, D. M. (2005). A situation awareness model applied to multiple domains. 5813, 1, 65-74.
Salmon et al. (2008). What really is going on? Review of situation awareness models for individuals and teams. Theoretical Issues in Ergonomics Science, 9(4), 297-323. Taylor and Francis.
Schneier, B. (2014). The future of incident response. IEEE Security and Privacy. Institute of Electrical and Electronics Engineers Inc.
Tadda, G., Salerno, J. J., Boulware, D., Hinman, M., & Gorton, S. (2006). Realizing situation awareness within a cyber-environment. 6242, 1, 624204.
Tamassia, R., Palazzi, B., & Papamanthou, C. (2009). Graph Drawing for Security Visualization. Lecture Notes in Computer Science, 5417, 2-13.
Trendle, G. (2003). Cyber threat! Middle East, 38-41.