4. FOCUS ON PROFESSIONALS: ISSUES?
Large component of knowledge work: creative problem solving
Highly automated environment: human automation teaming
Information overloaded environment / big data problem (high number of potential false positives)
…
Question: How to improve the performance & functioning of the human elements in this challenging working environment?
SRP Cyber for Financials
5. NEEDS MODEL: INTERVIEWS IN 2017
Organization needs: needs that pertain to incident handling behavior or tangible outcomes, such as time to identification, or ability to remove threat
Team performance needs: needs that pertain to the state of the team or level of team performance required for satisfactory functioning, such as team structure
Individual needs: needs that pertain to the individual’s abilities or attitudes, such as job satisfaction or team orientation
Instrumental needs: interventions or tools that are required to obtain a satisfactory level of functioning
21 September 2017 | Computer Security Incident Response Teams
Van der Kleij, R., Kleinhuis, G., & Young, H. (2017). Computer Security Incident Response Team Effectiveness: A Needs Assessment. Frontiers in Psychology. doi: 10.3389/fpsyg.2017.02179
6. ORGANISATION
Innovating for Cyber Security Professionals
• Problem solving capacity;
• Measuring effectiveness;
• Coordination & information exchange;
• Organizational learning
7. TEAM
• Sharing information within team (e.g., between shifts & handovers);
• Work in multiteams;
• Team awareness
8. INDIVIDUALS
• Acquire and keep personnel;
• Competence management;
• Decision making around incident (e.g., triage);
• Balancing workload
9. INSTRUMENTS
• Interpersonal communication tools;
• Incident reports;
• Visual overviews for shared situation awareness
10. OTHER RELEVANT TOPICS?
Human state monitoring
11. BOTTLENECKS RELATED TO HF RESEARCH?
It’s about humans, so professionals, employees or customers need to be involved in the research
Capacity and involvement is required
Observations and interviews sometimes needed in practice, e.g., to gain detailed understanding of how analysts perform, how sensemaking takes place in practice, and what the issues are that relate to SOC automation
Interventions eventually need to be tested in practice (human-in-the-loop)
12. THANK YOU FOR YOUR ATTENTION
Take a look:
TIME.TNO.NL