Challenges in managing uncertainty during cyber events: Lessons from the staged-world study of a large-scale adversarial cyber security exercise

Authors

  • Matthieu Branlat
  • Alexander Morison
  • David Woods
Abstract

In spite of the recognized challenge and importance of developing knowledge of the domain of cyber security, human-centered research to uncover and address the difficulties experienced by network defenders is to a large extent lacking. Such research is needed to influence the design of the joint systems facing cyber attacks. Network defense depends on the capacity to successfully identify, investigate and respond to suspicious events on the network. Such events correspond to fragmented micro-phenomena that occur against a background of overwhelming amounts of very similar network activity. One key question in order to understand and better support cyber defense is: how can cyber defense systems manage the high level of uncertainty they face? Human operators are essential in network analysis. Network analysts operate within teams, and within larger organizations. These are essential dimensions of cyber security that remain under-researched. They are also at the heart of challenges typical of joint activity in complex work systems: tasks conducted by distinct teams put them at risk of working at cross-purposes, and security goals conflict with the organization's production goals. In addition, cyber events are fundamentally adversarial events, a dimension of cyber security that is also under-researched. This paper presents findings from a staged-world study of a large-scale adversarial cyber security exercise. It describes the challenges and management of uncertainty in this context and discusses their implications for the design and development of better defense systems.

INTRODUCTION

The continuously growing connectivity of systems creates increasingly complex digital infrastructures that enable critical and valued services. This source of performance also constitutes a source of vulnerability to cyber threats, a growing concern expressed in military, financial and industrial domains.
In particular, the potential impact of cyber attacks on the critical infrastructures and services that societies depend on daily is worrying. Industrial control systems, seldom designed with cyber security in mind, also exist in a competitive economic context in which proprietary information becomes decisive. These characteristics make industries high-value targets for cyber terrorism (Finco, Lee, Miller, Tebbe and Wells, 2007). Importantly, cyber security experts observe that, at the same time, the knowledge cost for hackers is getting considerably lower (Goodall, Lutters and Komlodi, 2004), especially because of the wide availability of information, documentation and even ready-to-use software. On the other hand, cyber defense remains a highly demanding task. Numerous efforts exist to improve cyber defense, typically focused on the search for technological solutions. But in spite of the recognized challenge and importance of developing knowledge of this critical domain, human-centered research to uncover and address the difficulties experienced by network defenders is recent and still limited. Moreover, understanding cyber security, a fundamentally adversarial domain, requires investigations of the interrelated defense and attack processes, but such studies are rare. While research has produced models of cyber attack or defense processes, simultaneous investigations of both processes do not appear to exist (studies usually rely more or less explicitly on hypothesized attacker or defender behavior). Such research is needed to influence the design of the joint systems facing cyber attacks. Common publications about cyber defense are how-to resources that focus on technological dimensions of the domain and the associated knowledge and skills (e.g., firewalls and their management). In this type of literature, network analysts are expected to follow good practices in order to ensure network security.
However, other authors recognize that, in spite of significant technological progress, human analysts continue to be key elements of network security. Based in part on cognitive task analysis methods, detailed accounts of network defense analysts' work do exist, but they are largely focused on this single perspective within the larger context of cyber security (Goodall et al., 2004; D'Amico and Whitley, 2008). More recently, publications from a group of researchers at the University of British Columbia have described the collaborative nature of cyber defense and its processes within the larger organizational framework (Werlinger, Muldner, Hawkey and Beznosov, 2010; Hawkey, Muldner and Beznosov, 2008). Cyber attacks have been described based on after-the-fact investigations or expert interviews. These accounts are informed interpretations at best, since the available data are often scarce and highly ambiguous. Most studies have focused on defense, relying more or less explicitly on hypothesized attacker behavior. A notable exception is Jonsson and Olovsson's study (1997) of cyber attack dynamics (but this study made assumptions that limited its realism). The focus of this paper will be primarily on cyber defense. However, understanding cyber defense requires considering the dynamics of cyber attack and of the interplay between attack and defense. These dynamics will, therefore, be presented here; they are described in greater detail elsewhere (Branlat et al., 2011; Branlat, 2011). Insights from these processes of cyber security result in directions for the improvement of cyber defense.





Publication date: 2011