This research applies anthropological methods to study cybersecurity analysts working in Security Operations Centers (SOCs). These analysts process large amounts of data while handling cyber threats. The job requires intelligence and a high level of skill but has many mundane, repetitive aspects. Adequate tool support is largely lacking, and many of the skills and procedures involved are uncodified and undocumented, resulting in a large body of "tacit knowledge." This project places researchers trained in both cybersecurity and anthropology into SOCs, working side by side with the analysts. This "participant observation" approach provides a means to access the tacit knowledge of the analysts and to convert it into explicit knowledge, leading to the development of algorithms that can help automate the analysts' tasks. The ethnographic fieldwork also provides an opportunity to observe the work processes of real security operations centers and to identify the factors that influence how effectively and efficiently cybersecurity incidents are handled. This helps to explain why some cybersecurity problems are hard to address in practice, what roles humans and organizational structures play, and where procedures may be inefficient or fail outright for non-technical reasons. The research is carried out through a collaborative effort involving researchers from Kansas State University and two companies. Results from the research will produce practical tools that leverage tacit knowledge in security analytics and automate tasks such as incident response and forensic analysis. The findings also inform the training of cybersecurity professionals by making explicit the tacit knowledge of effective security analytics acquired during participant observation.

Budget Start: 2013-09-01
Budget End: 2017-08-31
Fiscal Year: 2013
Total Cost: $715,845
Name: Kansas State University
City: Manhattan
State: KS
Country: United States
Zip Code: 66506