Conference: Annual Conference on Behavior Representation in Modeling and Simulation

How Could Cyber Analysts Learn Faster and Make Better Decisions?


Abstract

The reliance on humans has been the weakest link and also the most promising power in the design of cyber security systems. To acquire Cyber Situation Awareness (Cyber SA), the ability to comprehend and predict possible cyber threats in a network, the defender's experience is essential. Models of a cyber analyst's learning behavior may serve to measure Cyber SA and how well a cyber analyst maintains and develops this awareness as time progresses. This paper builds a computational model that proposes a way to analyze the cyber analyst's awareness at both the threat level and the attack scenario level. At the threat level, analysts define typical threats for higher-level analysis based on similarity and sequentiality. The attack scenario level takes the recency, frequency and weight difference of threats into consideration to identify whether an organized series of cyber events is an attack or not. This model builds on Instance-Based Learning Theory (IBLT) and proposes a way to provide quantitative feedback regarding potential loss of an organization's property and public image. Following on past research with IBL models, we also investigate how the risk tolerance of a cyber analyst influences decision making and learning processes. We provide simulated results with this model. From these results we could conclude that the tolerance to risk is essential for performance. An analyst with lower tolerance will learn faster and make correct decisions more steadily, with a higher hit rate and a lower false alarm rate.
