Abstract

Objective: Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment.

Background: Past research has shown that uneven information distribution biases people to share information that is known to most team members and prevents them from sharing any unique information available to them. The effect of such biases on security team collaborations is largely unknown.

Method: Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team based on the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2.

Results: Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient in finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias.

Conclusion: The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, could be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed considering the human cognitive limitations of security analysts are necessary.

Application: Potential applications of this research include development of team training procedures and collaboration tool development for security analysts.

Original language: English (US)
Journal: Human Factors
DOI: 10.1177/0018720818769249
State: Accepted/In press - Mar 1 2018

Keywords

  • cybersecurity
  • hidden profile paradigm
  • security visualization
  • teamwork
  • threat detection

ASJC Scopus subject areas

  • Human Factors and Ergonomics
  • Applied Psychology
  • Behavioral Neuroscience

Cite this

Information-Pooling Bias in Collaborative Security Incident Correlation Analysis. / Rajivan, Prashanth; Cooke, Nancy.

In: Human Factors, 01.03.2018.

Research output: Contribution to journal › Article

@article{e02ccd5a8e6f49d48ed287513293d675,
title = "Information-Pooling Bias in Collaborative Security Incident Correlation Analysis",
abstract = "Objective: Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment. Background: Past research has shown that uneven information distribution biases people to share information that is known to most team members and prevents them from sharing any unique information available with them. The effect of such biases on security team collaborations are largely unknown. Method: Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team based on the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2. Results: Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient in finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias. Conclusion: The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, could be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed considering the human cognitive limitations of security analysts is necessary. Application: Potential applications of this research include development of team training procedures and collaboration tool development for security analysts.",
keywords = "cybersecurity, hidden profile paradigm, security visualization, teamwork, threat detection",
author = "Prashanth Rajivan and Nancy Cooke",
year = "2018",
month = "3",
day = "1",
doi = "10.1177/0018720818769249",
language = "English (US)",
journal = "Human Factors",
issn = "0018-7208",
publisher = "SAGE Publications Inc.",

}

TY - JOUR

T1 - Information-Pooling Bias in Collaborative Security Incident Correlation Analysis

AU - Rajivan, Prashanth

AU - Cooke, Nancy

PY - 2018/3/1

Y1 - 2018/3/1

AB - Objective: Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment. Background: Past research has shown that uneven information distribution biases people to share information that is known to most team members and prevents them from sharing any unique information available with them. The effect of such biases on security team collaborations are largely unknown. Method: Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team based on the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2. Results: Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient in finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias. Conclusion: The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, could be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed considering the human cognitive limitations of security analysts is necessary. Application: Potential applications of this research include development of team training procedures and collaboration tool development for security analysts.

KW - cybersecurity

KW - hidden profile paradigm

KW - security visualization

KW - teamwork

KW - threat detection

UR - http://www.scopus.com/inward/record.url?scp=85045039089&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85045039089&partnerID=8YFLogxK

U2 - 10.1177/0018720818769249

DO - 10.1177/0018720818769249

M3 - Article

C2 - 29613819

AN - SCOPUS:85045039089

JO - Human Factors

JF - Human Factors

SN - 0018-7208

ER -