Enhancing the Effectiveness of Cyber Security Teams DEPARTMENT OF PSYCHOLOGY: Lois Tetrick, PhD, Reeshad Dalal, PhD, Steve Zaccaro, PhD, Julie Steinke, PhD, Amber Hargrove, MA, Kristin Repchick, MA, and Shannon Schrader, BA Project Overview SAMPLE JOB AD: Analyze systems for signs of compromise Leverage tools to lead implementation and maintenance of security information and SIEM Understand security standards Design, deploy, and support complex security products Provide operational support of the infrastructure Work collaboratively with other team members and vendors Engage in critical decisions involving risk and security process improvements requiring integrity and moral character Communicate with management through presentations and reports Most job descriptions for cybersecurity positions (as well as the KSAs developed through the National Initiative for Cybersecurity Education’s National Cybersecurity Workforce Framework) focus on individual and technical aspects of the job. They often hint at the need for collaboration and communication among team members, without fully clarifying what those specific team skills are. IDENTIFIED NEED: Identification of skills and abilities that enable one to work effectively within a multi-team structure. Cognitive Knowledge, Skills, and Abilities Data Sources Total Interviewees*Teams RepresentedMultiteam Systems (MTSs) Represented *Types of CSIRTs: Government agencies, corporate, military, academic, private and public sectors. Includes US-CERT, Nationaal Cyber Security Centrum (The Netherlands), and Myndigheten för Samhällsskydd och Beredskap (Sweden). Learning Ability Problem-Solving Skills Investigative Skills Team Knowledge, Skills, and Abilities Trustworthiness Collaborative Problem- Solving Final Products Handbook for CSIRT Managers 11 chapters (e.g., CSIRTs as Multiteam Systems, Decision-Making in CSIRTs, Collaborative Problem Solving) 9 appendices (e.g., CSIRT Performance Taxonomy, Fostering External Relationships, Assessment Questions and Strategies Table) Workshops (e.g., FIRST Conference, June 2015; US-CERT, February 2016; The Netherlands, April 2016) Description of handbook, focus on CSIRT Social Maturity, interactive exercise on Collaborative Problem Solving Project Plan Cyber Security Incident Response Teams (CSIRTs) should be conceptualized as multi-team systems (MTSs), demonstrating the importance of understanding individual, within-team, and between-team interactions to be effective. We increase the understanding of CSIRT characteristics and processes (e.g., information sharing, the need to be adaptive and innovative) and factors that foster CSIRT effectiveness by conducting research that identifies individual and team knowledge, skills, and abilities (KSAs) important for effective CSIRT work. Cybersecurity Scenarios and Areas for Improvement (Examples) A social analog to Stikvoort and colleagues’ SIM3 Maturity Model. SKUE = Shared Knowledge of Unique Expertise. Intelligence Decision-Making Competence Motivation to Work on Behalf of Team Communication Skills Mentoring/coaching ability “Problem”Areas for Improvement (Relevant Handbook Chapter/Section) Policy requirements place restrictions on what and how information can be shared Understand methods of effective communication (Ch. 5) and their impact on information sharing (Ch. 6) Collaborate to solve problems (Ch. 7) across team or organizational boundaries (Ch. 2) Manage conflict based on disagreements about processes (Ch. 9) Analysts are on 12- hour shifts, leading to stress/irritability and difficulty maintaining attention within and across shifts Sustain attention and focus over time (Ch. 10) Share incident information through effective communication during shift changes (Chs. 5, 6) Preserve individual and team resilience over long periods of time (Appendix on Resilience) Manage conflict based on disagreements about processes (Ch. 9)