Reducing Information Overload Via An Analog Model For Cyber Risk
Abstract
Cybersecurity relies on Security Operations Center (SOC) personnel to conduct data triage on large numbers of automated alerts to identify true threats to networks. To achieve this goal, SOC personnel must not only filter out false positives in data streams but also coalesce disparate pieces of data into information that yields the conclusion that an exception to the desired state of cybersecurity exists and requires action. Additionally, false negatives in data streams may later be identified when a compromise is discovered via human reporting or other means. Limitations of Turing machines used as automated sensors, ever-increasing network size and speed of transmission, limited numbers of qualified personnel, and the necessity to work under uncertainty all serve to exacerbate the continual condition of information overload for network defenders. This research attempts to address information overload by reducing the information that is presented to personnel working in a SOC. The goal is to propose a new framework for determining cybersecurity risk as a time-dependent function, which allows for reduced information overload while at least maintaining an equivalent cybersecurity posture. Our findings indicate that the quantity of information presented to cybersecurity personnel can be reduced, in some cases by more than half, while maintaining the cybersecurity posture required for the completion of mission-essential tasks.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 01, 2020
- Accession Number: AD1114649
Entities
People
- Pablo C. Breuer
Organizations
- Naval Postgraduate School