On the complexity of collaborative cyber crime investigations

This article considers the challenges faced by digital evidence specialists when collaborating with other specialists and agencies in other jurisdictions when investigating cyber crime. The opportunities, operational environment and modus operandi of a cyber criminal are considered, with a view to developing the skills and procedural support that investigators might usefully consider in order to respond more effectively to the investigation of cyber crimes across State boundaries

Teamwork in Cybersecurity: Evaluating the Cooperative Board Game [d0x3d!] as an Experimental Testbed

It is crucial to identify the knowledge, skills, and attitudes (KSAs) that contribute to success in cybersecurity teams. We introduce a board game, [d0x3d!], as an experimental testbed designed to create a controlled environment and set of manageable tasks aimed at exploring teamwork competencies that may be relevant to the cybersecurity workforce. [d0x3d!] requires players to work together and share information to retrieve stolen digital assets. The authors aim to improve the efficacy of cybersecurity team training by incorporating modern teamwork theory and measurement. This testbed provides a low-cost and user-friendly platform for training, evaluation, and research

Information Pooling Bias in Collaborative Cyber Forensics

abstract: Cyber threats are growing in number and sophistication making it important to continually study and improve all dimensions of cyber defense. Human teamwork in cyber defense analysis has been overlooked even though it has been identified as an important predictor of cyber defense performance. Also, to detect advanced forms of threats effective information sharing and collaboration between the cyber defense analysts becomes imperative. Therefore, through this dissertation work, I took a cognitive engineering approach to investigate and improve cyber defense teamwork. The approach involved investigating a plausible team-level bias called the information pooling bias in cyber defense analyst teams conducting the detection task that is part of forensics analysis through human-in-the-loop experimentation. The approach also involved developing agent-based models based on the experimental results to explore the cognitive underpinnings of this bias in human analysts. A prototype collaborative visualization tool was developed by considering the plausible cognitive limitations contributing to the bias to investigate whether a cognitive engineering-driven visualization tool can help mitigate the bias in comparison to off-the-shelf tools. It was found that participant teams conducting the collaborative detection tasks as part of forensics analysis, experience the information pooling bias affecting their performance. Results indicate that cognitive friendly visualizations can help mitigate the effect of this bias in cyber defense analysts. Agent-based modeling produced insights on internal cognitive processes that might be contributing to this bias which could be leveraged in building future visualizations. This work has multiple implications including the development of new knowledge about the science of cyber defense teamwork, a demonstration of the advantage of developing tools using a cognitive engineering approach, a demonstration of the advantage of using a hybrid cognitive engineering methodology to study teams in general and finally, a demonstration of the effect of effective teamwork on cyber defense performance.Dissertation/ThesisDoctoral Dissertation Applied Psychology 201

Socio-technical communication: The Hybrid Space and the OLB-Model for science-based cyber education

publishedVersio

Kinetic and Cyber

We compare and contrast situation awareness in cyber warfare and in conventional, kinetic warfare. Situation awareness (SA) has a far longer history of study and applications in such areas as control of complex enterprises and in conventional warfare, than in cyber warfare. Far more is known about the SA in conventional military conflicts, or adversarial engagements, than in cyber ones. By exploring what is known about SA in conventional, also commonly referred to as kinetic, battles, we may gain insights and research directions relevant to cyber conflicts. We discuss the nature of SA in conventional (often called kinetic) conflict, review what is known about this kinetic SA (KSA), and then offer a comparison with what is currently understood regarding the cyber SA (CSA). We find that challenges and opportunities of KSA and CSA are similar or at least parallel in several important ways. With respect to similarities, in both kinetic and cyber worlds, SA strongly impacts the outcome of the mission. Also similarly, cognitive biases are found in both KSA and CSA. As an example of differences, KSA often relies on commonly accepted, widely used organizing representation - map of the physical terrain of the battlefield. No such common representation has emerged in CSA, yet.Comment: A version of this paper appeared as a book chapter in Cyber Defense and Situational Awareness, Springer, 2014. Prepared by US Government employees in their official duties; approved for public release, distribution unlimited. Cyber Defense and Situational Awareness. Springer International Publishing, 2014. 29-4

Cybersecurity Incident Response in Organisations: A Meta-level Framework for Scenario-based Training

Cybersecurity Incident Response (IR) teams mitigate the impact of adverse cyber-related events in organisations. Field studies of IR teams suggest that at present the process of IR is underdeveloped with a focus on the technological dimension with little consideration of practice capability. To improve IR capabilities, we develop a scenario-based training approach to assist organisations to overcome socio-technical barriers to IR. The training approach is informed by a comprehensive list of socio-technical barriers compiled from a review of the literature. Our primary contribution is a novel meta-level framework to generate scenarios specifically targeting socio-technical issues. As a first step towards demonstrating the utility of the framework, a proof-of-concept scenario is presented