Information-Pooling Bias in Collaborative Security Incident Correlation Analysis

Objective: Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment. Background: Past research has shown that uneven information distribution biases people toward sharing information that is already known to most team members and prevents them from sharing unique information available only to them. The effect of such biases on security team collaboration is largely unknown. Method: Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team according to the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2. Results: Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient at finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias. Conclusion: The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, can be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed with the human cognitive limitations of security analysts in mind are necessary. Application: Potential applications of this research include the development of team training procedures and collaboration tools for security analysts.
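The hidden profile predistribution and the resulting sampling bias can be made concrete with a small simulation. The following Python is an added illustration, not code from the paper or its task environment: it predistributes incidents so that decoys are shared by all three members while each attack chain's steps are split one per member, then models unaided discussion as a random member raising a random incident from their own holdings (the collective information sampling argument), and contrasts it with an assumed aid, a shared board that shows what has already been discussed. The team size, incident names, chain structure and the aid model are all assumptions.

```python
"""Hidden-profile incident predistribution and a biased-sampling model of team
discussion. Added illustration: team size, incident names and the 'shared board'
aid are assumptions, not the paper's task environment or its tools."""
import random
from dataclasses import dataclass
from typing import Optional

TEAM_SIZE = 3  # assumption matching the abstract's 3-person teams


@dataclass(frozen=True)
class Incident:
    id: str
    chain: Optional[str]  # attack chain this incident belongs to; None for decoys


def hidden_profile_distribution(chains, decoys, team_size=TEAM_SIZE):
    """Predistribute incidents hidden-profile style: every decoy goes to every
    member (shared); each chain's incidents are spread one per member (unique),
    so no single analyst holds enough to correlate a chain alone."""
    holdings = [[] for _ in range(team_size)]
    for chain_name, incident_ids in chains.items():
        assert len(incident_ids) == team_size, "one link per member"
        for member, inc_id in enumerate(incident_ids):
            holdings[member].append(Incident(inc_id, chain_name))
    for inc_id in decoys:
        for member in range(team_size):
            holdings[member].append(Incident(inc_id, None))
    return holdings


def per_round_mention_probability(n_holders, team_size, items_per_member):
    """Unaided model: a random member raises a random item from their own pool,
    so an item held by n members is n times as likely to surface per turn as an
    item held by one (the collective information sampling argument)."""
    return n_holders / (team_size * items_per_member)


def simulate_discussion(holdings, rounds, rng, aided=False):
    """List of incidents raised over `rounds` speaking turns. aided=True models
    a shared board showing what was already discussed, so speakers prefer
    incidents not yet on it (assumed aid, not the paper's visualization)."""
    seen, mentioned = set(), []
    for _ in range(rounds):
        pool = holdings[rng.randrange(len(holdings))]
        if aided:
            pool = [inc for inc in pool if inc.id not in seen] or pool
        inc = rng.choice(pool)
        mentioned.append(inc)
        seen.add(inc.id)
    return mentioned


def mention_rate_ratio(mentioned, holdings):
    """Mentions per shared item divided by mentions per unique item."""
    holder_count = {}
    for pool in holdings:
        for inc in pool:
            holder_count[inc.id] = holder_count.get(inc.id, 0) + 1
    shared_ids = {i for i, n in holder_count.items() if n == len(holdings)}
    unique_ids = {i for i, n in holder_count.items() if n == 1}
    shared = sum(inc.id in shared_ids for inc in mentioned)
    unique = sum(inc.id in unique_ids for inc in mentioned)
    if unique == 0:
        return float("inf")
    return (shared / len(shared_ids)) / (unique / len(unique_ids))


def turns_until_all_chains(mentioned, chains):
    """First speaking turn (1-based) at which every chain is fully on the table,
    i.e. the team could in principle correlate all of them; None if never."""
    raised = set()
    for turn, inc in enumerate(mentioned, start=1):
        raised.add(inc.id)
        if all(set(ids) <= raised for ids in chains.values()):
            return turn
    return None


# Constructed sample task: two 3-step chains plus six shared decoy incidents.
CHAINS = {
    "chain-A": ["A1-recon-scan", "A2-privesc", "A3-exfil"],
    "chain-B": ["B1-phish", "B2-c2-beacon", "B3-lateral-move"],
}
DECOYS = [f"decoy-{n}" for n in range(6)]
HOLDINGS = hidden_profile_distribution(CHAINS, DECOYS)


def run_experiment(trials=200, rounds=400):
    """Average turns needed to surface both chains, unaided vs aided, plus the
    shared-to-unique mention ratio of one long unaided session."""
    totals = {"unaided": 0.0, "aided": 0.0}
    for seed in range(trials):
        for mode in totals:
            rng = random.Random(seed)
            log = simulate_discussion(HOLDINGS, rounds, rng, aided=(mode == "aided"))
            totals[mode] += turns_until_all_chains(log, CHAINS) or rounds
    ratio = mention_rate_ratio(
        simulate_discussion(HOLDINGS, 30000, random.Random(0)), HOLDINGS)
    return {m: t / trials for m, t in totals.items()} | {"unaided_ratio": ratio}


if __name__ == "__main__":
    print(run_experiment())
```

With three holders per shared item and one per unique item, the unaided model predicts a shared-to-unique mention ratio of exactly the team size, which is why the per-item ratio in a long session settles near 3; the aided run reaches full chain coverage in far fewer turns because a member never re-raises an incident the board already shows. The point for a detection team is that the bias is structural, not a matter of individual diligence, so the remedy belongs in the shared workspace rather than in a reminder to "share more".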
