1) The document discusses developing a digital teammate to support collaborative sensemaking in cyber security incident response teams. 2) It identifies challenges such as the large amounts of information analysts must process and the ad-hoc and time-constrained nature of their work. 3) The proposed digital teammate would provide tools to facilitate sensemaking, team and incident awareness, and connect different sites to potentially help teams handle incidents better and faster.

1. TOWARDS A DIGITAL TEAMMATE
TO SUPPORT SENSEMAKING IN
CYBER SECURITY TEAMS
iHSI 2018 | Dr. Rick van der Kleij

2. CYBER SECURITY
Cyber security is the protection of computer systems from the theft and damage
to their hardware, software or information, as well as from disruption or
misdirection of the services they provide;
Cyber security includes protecting against harm that may come due to
malpractice by insiders (e.g., employees), whether intentional or accidental.
Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams 08 January 2018

3. 08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

4. CYBER SECURITY PROFESSIONALS
Business
processe
s

5. HEADLINES: CYBER SECURITY = TEAMWORK
http://www.csoonline.com/article/2844133/data-protection/chertoff-cybersecurity-takes-teamwork.html
https://forums.juniper.net/t5/Government-Trends-and-Insights/IMPROVING-CYBERSECURITY-REQUIRES-TEAMWORK-AND-COLLABORATION/ba-p/283544

6. PROBLEM DEFINITION
Cyber security teams have a crucial role in protecting business processes and
critical infrastructure;
The information environment in cyber security can be characterized as a ‘big
data problem’ for human analysts who have to process the large amounts of
information to detect attacks;
Professionals often have to work on an ad-hoc basis, in close cooperation with
other teams, and in time constrained and distributed environments;
Failure is not an option;
It could be argued that under these working conditions these teams would be
likely to encounter problems.

7. PURPOSE & RESEARCH QUESTION
Purpose: To investigate the need for support in professional Cyber Security
Teams
Research Question: “Are there any needs for improvements or issues that need
to be resolved, and, if yes, how could support look like?“

8. USER CENTERED DESIGN
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

9. CYBER SECURITY NEEDS MODEL
Organization
needs
Team
Performance
needs
Individual
needs
Instrumental
needs
Needs that pertain to Incident handling behavior or tangible outcomes,
such as time to identification, or ability to remove threat
Needs that pertain to the state of the team or level of team performance
required for satisfactory functioning, such as team structure
Needs that pertain to the individual’s abilities or attitudes, such as job
satisfaction or team orientation
Interventions or tools that are required to obtain a satisfactory level of
functioning
Van der Kleij, R. Kleinhuis, G., & Young, H. (2017). Computer Security Incident Response Team Effectiveness: A Needs Assessment. Frontiers in Psychology, 8, 1-8.
Special issue on Mastering Cyberpower: Cognitive Sciences and The Human Factor in Civilian and Military Cyber Security

10. ‘DATA FRAME MODEL OF SENSEMAKING’
“What is happening?”

11. 08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

12. EVIDENCE/ARGUMENTS MAPPING
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

13. PREMORTEM IN CYBER SECURITY?
1. Image that several hours have
passed
2. Your [emergence response to
contain the incident/ incident
analysis] has been shown to be an
utter disaster
3. Briefly explain why it was a disaster
4. Think of ways to address threats to
success
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

14. USER CENTERED DESIGN
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

15. DIVERSE PHASE OF THE DESIGN
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams
Innovative
Digital
assistant
human
aware
Provides for
incident and team
awareness
Observable,
predictable and
directableAble to connect
different sites
Facilitates
sensemaking
Lead to better & faster
incident handlings services

16. USER CENTERED DESIGN
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

17. 17 | Computer Security Incident Response Teams
“John is
available”
“Could he be of
assistance to
you?”
“What is the best
approach to
mitigate this
threat?”

18. Innovating for Cyber Security Professionals

19. USER CENTERED DESIGN
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

20. 08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

21. THE WAY FORWARD
Our prototype is a first iteration of a support concept, integrating many
needs on process and team support;
We are now in the process of developing ways to enhance
collaborative sensemaking in Security Operation Centres and
Computer Security Incident Response Teams;
Cyber security, as a system state, is dependant not only on human
behaviour of target & threat entities, but on teamwork of cybersecurity
professionals as well.
08 January 2018Digital teammate to support collaborative sensemaking in Cyber Security Incident Response Teams

22. THANK YOU FOR YOUR
ATTENTION
Take a look:
TIME.TNO.NL