
Umbrella Presentation Theme C: Cognitive Science of Cyber SA ASU (Cooke) Cyber Security as a Complex Cognitive System PSU (McNeese & Hall) Computer-aided.


1 Umbrella Presentation Theme C: Cognitive Science of Cyber SA. ASU (Cooke): Cyber Security as a Complex Cognitive System. PSU (McNeese & Hall): Computer-Aided Human Centric Cyber Situation Awareness

2 [Architecture diagram] System analysts; computer network; software; sensors and probes; Hyper Sentry; Cruiser; multi-sensory human-computer interaction; enterprise model; activity logs; IDS reports; vulnerabilities; cognitive models and decision aids; instance-based learning models; simulation; measures of SA and shared SA; data conditioning; association and correlation; automated reasoning tools; R-CAST; plan-based narratives; graphical models; uncertainty analysis; information aggregation and fusion; transaction graph methods; damage assessment; real-world test-bed

3 Situation Awareness. Endsley's definition: the perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. Perception → Comprehension → Projection

4 Cyber Situation Awareness is Inherently Human. SA is not in the technology (e.g., visualization); it is in the interface between humans and technology

5 Team Situation Awareness: a team's coordinated perception and action in response to a change in the environment. Contrary to the view that all team members need to “be on the same page”

6 Cyber SA is Distributed and Emergent. [Diagram] Roles: Detector, Responder, Threat Analyst; stages: Perception, Comprehension, Projection

8 Cyber Security as a Complex Cognitive System. N. Cooke, P. Rajivan, M. Champion, G. Dube, V. Buchanan, S. Jariwala. [Framework diagram] Cognitive science: theoretical foundations (top-down, bottom-up, distributed); research simulations; metrics and measures; cognitive systems engineering: observation; fields of practice: cyber defense. Tools and methods: CyberCog and DEXTAR; communication and coordination; team situation awareness; agent-based and EAST modeling; interactive team cognition / sociotechnical systems theory

9 [Framework diagram, ASU] Theoretical foundations, human-centered: interactive team cognition / sociotechnical systems theory. Research simulations: CyberCog and DEXTAR. Experimental studies conducted: workload; specialization; teams vs. groups; team and organization models. Cyber Security as a Complex Cognitive System, N. Cooke, P. Rajivan, M. Champion, G. Dube, V. Buchanan, S. Jariwala

10 Computer-Aided Human Centric Cyber Situation Awareness. M. McNeese, D. Hall, N. Giacobe, V. Mancuso, D. Minotra, and E. McMillan. [Framework diagram] Cognitive science: theoretical foundations (top-down, bottom-up, distributed); research simulations; metrics and measures; cognitive systems engineering: observation; fields of practice: cyber defense. Tools and methods: teamNETS; Visual Analytics Testbench; complex event processing; situated cognition

11 [Framework diagram, PSU] Theoretical foundations, human-centered: situated cognition. Research simulations: teamNETS. Experimental studies conducted: attention/disruption; memory/access; awareness; team cognition; embedded model of the threat. Computer-Aided Human Centric Cyber Situation Awareness, M. McNeese, D. Hall, N. Giacobe, V. Mancuso, D. Minotra, and E. McMillan

12 ASU/PSU Objectives
PSU Objectives
– To understand individual and team cognition of situation awareness in cyber-security domains
– Refine and implement an evaluation environment to support evaluation of new analysis models, cognitive tools, and adversarial team cognition via hidden knowledge profiles
– Develop new tools for practice based on field- and laboratory-based findings
ASU Objectives
– To develop a theory of team-based SA to inform assessment metrics and improve interventions (training and decision aids)
– Iterative refinement of cyber testbeds based on cognitive analysis of the domain: CyberCog, DEXTAR
– Conduct experiments on cyber TSA in the testbed to develop theory and metrics
– Extend empirical data through modeling

13 Cyber Security as a Complex Cognitive System. Nancy J. Cooke, PhD; Prashanth Rajivan, MS; Michael Champion, MS; Shree Jariwala; Geneviève Dubé, Université Laval, Québec; Verica Buchanan. Arizona State University, October 29, 2013. This work has been supported by the Army Research Office under MURI Grant W911NF-09-1-0525.

14 Outline: Overview of Project; Definitions and Theoretical Drivers; Empirical Study on Teams vs. Groups; Agent-Based Modeling; Two Case Studies and EAST Models; Next Steps

15 Overview of Project

16 ASU Project Overview
Objectives: understand and improve team cyber situation awareness via
– Understanding cognitive/teamwork elements of situation awareness in cyber-security domains
– Implementing a synthetic task environment to support team-in-the-loop experiments for evaluation of new algorithms, tools and cognitive models
– Developing new theories, metrics, and models to extend our understanding of cyber situation awareness
Department of Defense benefit:
– Metrics, models, and testbeds for assessing human effectiveness and team situation awareness (TSA) in the cyber domain
– Testbed for training cyber analysts and testing (V&V) algorithms and tools for improving cyber TSA
Scientific/technical approach, Year 4: explore the role of teamwork in cyber defense through
– Empirical work in the CyberCog testbed
– Agent-based modeling
– Case studies and EAST modeling
– Further refining team metrics and testbeds
Year 4 accomplishments:
– Found an empirical benefit of cyber teaming
– Replicated this benefit in an agent-based model
– Compared two cyber defense organizations
– Refined team metrics and the CyberCog testbed
Challenge: struggle to maintain realism in testbed scenarios while allowing for novice participation and team interaction; now being addressed with CyberCog and DEXTAR

17 Summary of FY 13 ASU Accomplishments
PUBLICATIONS
– Cooke, N. J., Champion, M., Rajivan, P., & Jariwala, S. (2013). Cyber Situation Awareness and Teamwork. EAI Endorsed Transactions on Security and Safety. Special Section on: The Cognitive Science of Cyber Defense, 13.
– Cooke, N. J. & McNeese, M. (2013). Preface to special issue on the cognitive science of cyber defence analysis. EAI Endorsed Transactions on Security and Safety. Special Section on: The Cognitive Science of Cyber Defense, 13.
– Rajivan, P., Champion, M., Cooke, N. J., Jariwala, S., Dube, G., & Buchanan, V. (2013). Effects of teamwork versus group work on signal detection in cyber defense teams. In D. D. Schmorrow and C. M. Fidopiastis (Eds.), AC/HCII, LNAI 8027, pp. 172-180. Berlin: Springer-Verlag.
– Rajivan, P., Janssen, M. A., & Cooke, N. J. (2013). Agent-based model of a cyber security defense analyst team. Proceedings of the 57th Annual Conference of the Human Factors and Ergonomics Society. Santa Monica, CA: Human Factors and Ergonomics Society.
– Champion, M., Rajivan, R., Jariwala, S., Cooke, N. J., & Buchanan, V. Understanding the cyber security task. Poster presented at ASU's Sixth Annual Workshop on Information Assurance, May 1, 2013, Tempe, AZ.
STUDENTS SUPPORTED: Prashanth Rajivan (PhD); Verica Buchanan (UG)
PROJECTS SUPPORTED FY 13: CyberCog and metrics development; CyberCog study; agent-based models of cyber teaming; agent-based models of cyber warfare; case studies and EAST models
COLLABORATION: Coty Gonzalez (IBLT and agent-based modeling); Sushil Jajodia (DEXTAR); several MURI partners on an ARL proposal
TECH TRANSFER: working with Charles River Analytics and AFRL on team measures of cyber defense; working with SA Technologies on cyber visualization; presentation to ASU Information Assurance; presentation to General Dynamics (The Edge)
AWARD: Prashanth Rajivan wins the HFES 2013 Alphonse Chapanis Award for best student paper!!!

18 Definitions and Theoretical Drivers

19 Theoretical Drivers: Interactive Team Cognition; Sociotechnical Systems Theory / Human Systems Integration

20 Interactive Team Cognition. The team is the unit of analysis: a heterogeneous and interdependent group of individuals (human or synthetic) who plan, decide, perceive, design, solve problems, and act as an integrated system. Cognitive activity at the team level = team cognition. Improved team cognition → improved team/system effectiveness. Heterogeneous = differing backgrounds, differing perspectives on the situation (surgery, basketball)

21 Interactive Team Cognition. Team interactions, often in the form of explicit communications, are the foundation of team cognition. ASSUMPTIONS: 1) Team cognition is an activity, not a property or product. 2) Team cognition is inextricably tied to context. 3) Team cognition is best measured and studied when the team is the unit of analysis

22 Implications of Interactive Team Cognition: focus cognitive task analysis on team interactions; focus metrics on team interactions (team SA); intervene to affect team interactions

23 Cyber Defense as a Sociotechnical System Cyber defense functions involve cognitive processes allocated to – Human Operators – Tools/Algorithms Human Operators – Different roles and levels in hierarchy – Heterogeneity (Information, skills and knowledge) Tools – For different kinds of data analysis and visualization – For different levels of decision making Together, human operators and tools are a sociotechnical system – Human System Integration is required

24 Scaling Up Complexity

25 Findings: Cyber Security Defense Analyst Teaming. Cyber analysts work as a group, not as a team – Collaboration among cyber operators is minimal – Little role differentiation – Bottom-up information flow. Possible reasons – Cognitive overload – Organizational reward structures – “Knowledge is power” – Lack of effective collaboration tools

26 Empirical Study on Teams vs. Groups

27 Hypotheses. Reward structures conducive to teamwork in cyber defense analyst groups performing triage-level analysis will lead to higher signal detection performance. Improving interactions between analysts (micro level) can improve overall cyber defense performance (macro-level emergence)

28 CyberCog: Synthetic Task Environment. Task: team-based triage analysis using the CyberCog simulation. Synthetic task environment – a simulation environment that recreates the team and cognitive aspects of the task

29 CyberCog STE

30 The Experiment
3-person teams/groups in which each individual is trained to specialize in types of alerts
2 conditions:
– Team work (primed and rewarded for teamwork)
– Group work (primed and rewarded for group work)
6 individuals at a time:
– Team work: competition between the 2 teams
– Group work: competition between the 6 individuals
Experimental scenarios:
– 225 alerts
– Feedback on the number of alerts correctly classified, constantly displayed on a big screen along with the other team or individual scores; simulates “knowledge is power” for individuals in the group condition
Measures: signal detection analysis of alert processing; amount of communication; team situation awareness; transactive memory; NASA TLX (workload measure)
Procedure: Training → Practice → Scenario 1 → TLX → Scenario 2 → TLX → Questionnaire

31 Results

32 Cyber Teaming is Beneficial for Analyzing Novel and Difficult Alerts. Working as a team helps when alerts are novel and involve multi-step analysis, not otherwise. Signal detection measure: A' as the performance measure. A' ranges from 0.5 to 1, with 0.5 indicating the lowest possible performance and 1 indicating the highest possible performance.
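To make the A' measure concrete, here is an added scoring routine (not code from the CyberCog study): each triage decision is a (true attack?, labelled attack?) pair, hit and false-alarm rates are computed per alert difficulty, and A' is obtained with Grier's non-parametric formula, which is assumed here because the slides do not say which A' variant they used. The sample triage log is constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample: (difficulty, is_true_attack, analyst_labelled_attack).
# Routine alerts are handled well; novel, multi-step alerts are not.
SAMPLE_TRIAGE: List[Tuple[str, bool, bool]] = [
    ("routine", True, True), ("routine", True, True),
    ("routine", True, True), ("routine", True, True),
    ("routine", False, False), ("routine", False, False),
    ("routine", False, False), ("routine", False, True),
    ("novel", True, True), ("novel", True, True),
    ("novel", True, False), ("novel", True, False),
    ("novel", False, False), ("novel", False, False),
    ("novel", False, True), ("novel", False, True),
]


def rates(trials: Iterable[Tuple[bool, bool]]) -> Tuple[float, float]:
    """Hit rate and false-alarm rate from (is_attack, said_attack) pairs."""
    hits = misses = false_alarms = correct_rejections = 0
    for is_attack, said_attack in trials:
        if is_attack and said_attack:
            hits += 1
        elif is_attack:
            misses += 1
        elif said_attack:
            false_alarms += 1
        else:
            correct_rejections += 1
    signal = hits + misses
    noise = false_alarms + correct_rejections
    h = hits / signal if signal else 0.0
    f = false_alarms / noise if noise else 0.0
    return h, f


def a_prime(h: float, f: float) -> float:
    """Grier's A' (assumed variant): 0.5 = chance, 1.0 = perfect sensitivity.
    Falls below 0.5 only when false alarms outnumber hits."""
    if h == f:
        return 0.5
    if h > f:
        return 0.5 + ((h - f) * (1 + h - f)) / (4 * h * (1 - f))
    return 0.5 - ((f - h) * (1 + f - h)) / (4 * f * (1 - h))


def score_by_difficulty(trials: Iterable[Tuple[str, bool, bool]]) -> Dict[str, float]:
    """A' per difficulty class, mirroring the novel-vs-routine comparison."""
    buckets: Dict[str, List[Tuple[bool, bool]]] = {}
    for difficulty, is_attack, said_attack in trials:
        buckets.setdefault(difficulty, []).append((is_attack, said_attack))
    return {d: a_prime(*rates(t)) for d, t in buckets.items()}
```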

33 Cyber Teaming Helps When the Going Gets Rough. Sensitivity to true alerts: F(1,18) = 5.662, p = .029** (significant effect of condition)

34 Groups that Share Less Information Perceive More Temporal Demands than High Sharers. NASA TLX workload measure, temporal demand: measures the perception of time pressure; the higher the value, the higher the task demand. Statistically significant across scenarios and conditions (p-value = 0.020)

35 Groups that Share Less Information Perceive Work to be More Difficult than High Sharers. NASA TLX workload measure, mental effort: measures the perception of mental effort; the higher the value, the more mental effort required. Statistically significant across scenarios and conditions (p-value = 0.013)

36 Conclusion. Break the “silos”. Use the power of human teams to tackle information overload problems in cyber defense. Simply encouraging and training analysts to work as teams and providing team-level rewards can lead to better triage performance. Need collaboration tools and group decision-making systems.

37 Agent-Based Modeling

38 Introduction. Human-in-the-loop experiment – the traditional method to study team cognition. Agent-based model – macro emergence – a complementary approach. Modeling computational agents with – individual behavioral characteristics – team interaction patterns. Extend lab-based experiments

39 Model Description. Agents: triage analysts. Task: classify alerts; rewards for classification. Cognitive characteristics: – knowledge and expertise – working memory limit – memory decay

40 Model Description. Learning process (simplified): – probability based, 75% chance to learn – cost: 200 points – payoff: 100 points. Collaboration: two strategies to identify partners – conservative or progressive – cost: 100 points for each – payoff: 50 points for each. Attrition

41 Model Process [flowchart]. Nodes: Recruit if needed; Assign alerts; Know? (Yes: Get rewards, Add knowledge; No: Team?); Team? (Yes: Collaborate with agents; No: Learn?); Learn? (Yes / No); Adjust expertise and remove analysts
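The following is a deliberately small agent-based model added for this page to show how the process on slides 39 to 41 can be expressed as a simulation loop; it is not the NetLogo model the slides present. The constants the slides give (75% learning chance, learning cost 200 and payoff 100, collaboration cost 100 and payoff 50) are used as stated; the per-alert classification reward, the attrition threshold, the rule that a learned or collaboratively resolved alert counts as classified, and the reading of "conservative" (ask one neighbour) versus "progressive" (ask anyone) are assumptions, and working-memory limits and memory decay are omitted.

```python
import random
from dataclasses import dataclass, field
from typing import List, Tuple

LEARN_P, LEARN_COST, LEARN_PAYOFF = 0.75, 200, 100   # from the slides
COLLAB_COST, COLLAB_PAYOFF = 100, 50                 # from the slides
CLASSIFY_REWARD = 100    # assumed: points for classifying a known alert type
ATTRITION_BELOW = -500   # assumed: analyst leaves once points fall below this
ALERT_TYPES = ["phish", "scan", "malware", "dos", "exfil", "policy"]


@dataclass
class Analyst:
    knows: set = field(default_factory=set)   # alert types the analyst can classify
    points: int = 0


def recruit(n: int, rng: random.Random) -> List[Analyst]:
    """New analysts each know one alert type (heterogeneous, specialised team)."""
    return [Analyst({rng.choice(ALERT_TYPES)}) for _ in range(n)]


def partners(team: List[Analyst], i: int, strategy: str) -> List[Analyst]:
    """Assumed partner search: progressive asks everyone, conservative one neighbour."""
    if strategy == "progressive":
        return [a for j, a in enumerate(team) if j != i]
    return [team[(i + 1) % len(team)]]


def simulate(size: int, teamwork: bool, strategy: str,
             rounds: int = 500, seed: int = 1) -> Tuple[int, int]:
    """Run the model; returns (alerts classified, total points held by the team)."""
    rng = random.Random(seed)
    team = recruit(size, rng)
    classified = 0
    for _ in range(rounds):
        team += recruit(size - len(team), rng)          # recruit if needed
        for i, analyst in enumerate(team):
            alert = rng.choice(ALERT_TYPES)              # assign alert
            if alert in analyst.knows:                   # Know? -> get rewards
                analyst.points += CLASSIFY_REWARD
                classified += 1
                continue
            helper = None
            if teamwork:                                 # Team? -> collaborate
                helper = next((p for p in partners(team, i, strategy)
                               if alert in p.knows), None)
            if helper is not None:
                analyst.points -= COLLAB_COST
                helper.points += COLLAB_PAYOFF
                analyst.knows.add(alert)                 # knowledge swap
                classified += 1
            elif rng.random() < LEARN_P:                 # Learn? -> add knowledge
                analyst.points += LEARN_PAYOFF - LEARN_COST
                analyst.knows.add(alert)
                classified += 1
            else:
                analyst.points -= LEARN_COST             # failed learning attempt
        team = [a for a in team if a.points >= ATTRITION_BELOW]   # attrition
    return classified, sum(a.points for a in team)
```

Comparing `simulate(6, True, "progressive")` with `simulate(6, False, "conservative")` over several seeds reproduces the qualitative pattern on the following slides only under these assumptions; the slides' exact numbers come from the NetLogo model.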

42 Model in NetLogo Software

43 Agents in the Progressive/Teamwork Condition Classified More Alerts (replicates experiment). p < 0.001

44 Agents in Team of Six Classified More Alerts. p = 0.004

45 Irrespective of Team Size, Agents in the Progressive Condition Classified More Alerts

46 Agents in the Progressive Condition Accrued the Least Rewards. p < 0.001

47 Agents in Small Teams Accrued the Most Rewards. p < 0.001

48 Agents in Large Progressive Teams Accrued the Least Rewards

49 Conclusion. Large progressive teams classified the most alerts. Large progressive teams accrued the least rewards. Big progressive teams – a lot of collaboration – less learning – constant knowledge swapping – more net rewards of 50 points. However, small progressive teams accrued rewards on par

50 Conclusions. Small heterogeneous teams of triage analysts could be beneficial. Agent-based modeling – can extend lab-based experiments – can be used to ask more questions quickly – can raise new questions and identify gaps

51 Two Case Studies and EAST Models

52 EAST: Event Analysis of Systemic Teamwork framework (Stanton, Baber, & Harris, 2012). An integrated suite of methods allowing the effects of one set of constructs on other sets of constructs to be considered – makes the complexity of socio-technical systems more explicit – interactions between sub-system boundaries may be examined – reduces the complexity to a manageable level. Social network – organization of the system (i.e., communications structure) – communications taking place between the actors working in the team. Task network – relationships between tasks – sequence and interdependencies of tasks. Information network – information that the different actors use and communicate during task performance. With Neville Stanton, University of Southampton, UK

53 Approach. Interviews with cyber network defense leads from two organizations on social structure, task structure, and information needs. Hypothetical EAST models created. Surveys specific to each organization developed for cyber defense analysts. Surveys administered to analysts in each organization to refine the models

54 Social Network Diagrams of Incident Response/Network Defense Teams. [Diagram] Industry incident response team: Detector (6), Responder (6), Threat Analyst (1), Op Team. Military network defense team: Analyst 1, Analyst 2, Analyst 3, Analyst 4, Cyber Command, Customer

55 Sequential Task Network Diagram, Industry Incident Response Team. [Diagram] Threat Analyst (1): modeling, training, hosting accounts, root certificate. Detector (6): credit card, classify alerts, unknown. Responder (6): deeper classification, alerts, training; inputs from credit card, root certificate, hosting accounts, unknown. Op Team: update servers, training, network maintenance

56 Sequential Task Network Diagram, Military Network Defense Team. [Diagram] Customer; gather batch of reports; review alerts; handoff; review events; customer assignment; dispatch; Cyber Command

57 Information Network Diagram of Incident Response/Network Defense Teams. [Diagram, Military and Industry panels] Responder; DDoS tools; IDS; in-house software; Detector; anti-virus; audio alerts; analyst; workflow system; reporting; batches of alerts; shift change meeting; dictionary; on-line help; reports; web sites; incident reports

58 EAST Conclusions. A descriptive form of modeling that facilitates understanding of a sociotechnical system. Can apply social network analysis parameters to each of these networks and their combinations. Can better understand system bottlenecks, inefficiencies, and overload. Can better compare systems. Combined with empirical studies and agent-based modeling, can allow us to scale up to very complex systems

59 Next Steps

60 Plan for FY 14
Cognitive task analyses and theory development: refine theory and models of cyber situation awareness
Testbed and scenario development: DEXTAR – known vs. unknown vulnerabilities and attack patterns; systematic increase of data and difficulty
Experimentation: metric testing and validation in DEXTAR; explore teaming possibilities and structures in cyber defense analysis
Models and metrics: develop models from empirical data and extend to larger and more complex teaming

61 Questions. ncooke@asu.edu
