Abstract
AbstractSecurity operation centers (SOCs) are increasingly established to meet the growing threat against cyber security. The operators of SOCs respond to complex incidents under time constraints. Within critical infrastructure, the consequences of human error or low performance in SOCs may be detrimental. In other domains, situation awareness (SA) has proven useful to understand and measure how operators use information and decide the correct actions. Until now, SA research in SOCs has been restricted by a lack of in-depth studies of SA mechanisms. Therefore, this study is the first to conduct a goal-directed task analysis in a SOC for critical infrastructure. The study was conducted through a targeted series of unstructured and semi-structured interviews with SOC operators and their leaders complemented by a review of documents, incident reports, and in situ observation of work within the SOC and real incidents. Among the presented findings is a goal hierarchy alongside a complete overview of the decisions the operators make during escalated incidents. How the operators gain and use SA in these decisions is presented as a complete set of SA requirements. The findings are accompanied by an analysis of contextual differences in how the operators prioritize goals and use information in network incidents and security incidents. This enables a discussion of what SA processes might be automated and which would benefit from different SA models. The study provides a unique insight into the SA of SOC operators and is thus a steppingstone for bridging the knowledge gap of Cyber SA.
Funder
Norges Forskningsråd
NTNU Norwegian University of Science and Technology
Publisher
Springer Science and Business Media LLC
Reference56 articles.
1. EuropeanUnion: Council Directive 2008/114/EC of 8 December 2008–on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection. Off. J. Eur. Union 345, 75–82 (2008)
2. Kayan, H., et al.: Cybersecurity of industrial cyber-physical systems: a review. ACM Computing Surveys (CSUR) 54(11s), 1–35 (2022). https://doi.org/10.1145/3510410
3. Chowdhury, N., Gkioulos, V.: Cyber security training for critical infrastructure protection: a literature review. Comput. Sci. Rev. 40, 100361 (2021). https://doi.org/10.1016/j.cosrev.2021.100361
4. Evans, M., et al.: Human behaviour as an aspect of cybersecurity assurance. Secur. Commun. Netw. 9(17), 4667–4679 (2016). https://doi.org/10.1002/sec.1657
5. Endsley, M.R.: A systematic review and meta-analysis of direct objective measures of situation awareness: a comparison of SAGAT and SPAM. Hum. Factors 63(1), 124–150 (2021). https://doi.org/10.1177/0018720819875376