From Cognitive Skills to Automated Cybersecurity Response

Abstract: Organizations should face cybersecurity attacks, which can strongly affect their operational processes, business image, and the security of critical information. Establishing security mechanisms can help reduce weaknesses that can be exploited by attackers; however, they are not always sufficient and an attack can be successful. Therefore, organizations need to establish plans or processes to deal with these security incidents and even build incident response teams called CSIRTs. Due to the growth of different forms of attacks and massive amounts of data, handling cybersecurity incidents requires adapting to new security management strategies. In this sense, the application of big data, artificial intelligence and data analytics to cybersecurity, defined as cognitive security, presents a viable alternative, but it is necessary to consider the lack of effectiveness of technological solutions if cybersecurity specialists are not adequately trained or if their technical and non-technical skills are used. Establishing a close correlation between human skills and technological solutions can help in designing an adequate and effective detection and automation process that improves the handling of security incidents. This study analyzes the interrelationship between cognitive security technology solutions and cybersecurity expert skills. An automated incident response framework for decision making by building situational awareness is proposed.

I. INTRODUCTION

Computer security has become an essential element of society due to the expansion of technology in different domains such as financial services, healthcare, public services, and critical infrastructures such as water, electricity, and telecommunications. According to the Massachusetts Institute of Technology (MIT), the risks that security teams will face are mainly attacks against Internet of Things (IoT) devices, blockchain, and critical infrastructures [1]; for example, MIT mentions that attackers are mainly using AI and quantum technologies for their attacks in 2019. This scenario requires well-prepared organizations and security professionals capable of facing these new challenges; at the international level, several organizations have defined strategies to rapidly respond to security risks through teams of experts and researchers called Computer Security Incident Response Teams (CSIRTs) [2]. CSIRTs are composed of specialists from the fields of cybersecurity, law, psychology, and data analysis, among others. A CSIRT responds quickly and effectively to cybersecurity incidents and reduces the risk of cyberattacks based on predefined procedures and policies.

Security analysts in CSIRTs need to process large amounts of data in order to i) identify patterns or anomalies that trigger alerts of possible attacks, and ii) perform the detection process more quickly and efficiently. Members of CSIRTs are looking for new strategies based on technological solutions such as big data, machine learning, and data science [3]. In order to accelerate research on data analytics methods [4], international organizations such as the National Institute of Standards and Technology (NIST) have launched the Data Science Research Program (DSRP). In the field of cybersecurity, the application of cognitive science to the information security process has advanced the concept of cognitive security [5]; this allows for predictive and descriptive analyses that provide a view of the likely impact of a security attack. Another key factor for the success of CSIRTs is the ability to work in teams and to adapt to different environments. In the 21st century era [7], security professionals need skills such as teamwork, critical thinking, and communication. In September 2015, a joint effort between the Association for Computing Machinery (ACM), the IEEE Computer Society (IEEE CS), the Association for Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and the Technical Committee of the International Federation for Information Processing on Information Security Education (IFIP WG 11.8) presented a Cybersecurity Education Curriculum Guide that mentions non-technical skills, labeled soft skills, as critical for security professionals, and focuses on: teamwork, communication, generation of situational awareness, and operating in different organizational cultures [8].

The ability to generate cybersecurity situational awareness in an organization allows the identification of proactive strategies to face ongoing and upcoming attacks or threats. Situational awareness arises from three cognitive processes: perception, comprehension, and projection. Cognitive processes are inherent to human behavior and can be affected by different factors such as stress, fatigue, distraction, and physical or environmental conditions. Analyzing task performance and the effects of these factors is of interest to several researchers. For example, Robert Karasek proposed the Demand Control Model [9], which examines the cognitive, emotional and physical demands on computer personnel in different work domains, where computer personnel face a high level of psychological demands. In this context, the development of cognitive strategies is necessary at all levels of information processing; in addition, there is a need to analyze how executive functions, namely inhibitory control and working memory processing [10], can be optimized to integrate all levels of information processing and help cybersecurity professionals work efficiently and with adequate response time.

In this study, we propose a model to integrate cognitive skills, teamwork, and data analysis in the field of cybersecurity, as shown in Figure 1. Cognitive security can take advantage of the characteristics of security analysts' cognitive skills by transferring this knowledge and intelligence to a computer system; by doing so, they can perform an immediate response action or notification to the security team to make a decision against a security attack, as shown in Figure 1.

The rest of the study is organized as follows. Section II describes related work on automated cybersecurity response. Section III provides background on the importance of psychology in cybersecurity. Section IV presents a proposal for an automated cybersecurity framework based on cognitive processes. Section V discusses the proposal. Finally, Section VI summarizes the findings of this paper and proposes directions for future work.

II. RELATED WORK

According to an analysis by the MIT Review [11], in 2018 cities will have installed multiple layers of sensors to monitor air quality, waste levels, or traffic; this prediction, coupled with Gartner's prediction that there will be 20.4 billion connected devices by 2020 [12], describes the new security scenario in which organizations must face dramatic changes in the size and complexity of the networks and computing platforms that underpin service delivery and device connectivity. In this new context, traditional security solutions are limited in their ability to act, as is the ability of humans to detect and respond to security events. An alternative evaluated by organizations and researchers is the use of cognitive models as a proposal to enhance the security of computing environments and expand human analytical capabilities.

In [13], the authors propose a combination of machine learning-based detection with temporal logic-based analysis that allows distinguishing anomalies and enabling dynamic network responses. In [14], the use of cognitive security for personal devices is included to allow devices to recognize the owner and autonomous security so that the device takes its own security decisions. Knowledge based on functions and dependencies [15] allows for automation of diagnostics. In "A Survey of Autonomic Computing Approaches in Digital Service Ecosystems" [16], 25 different digital ecosystems applying the concept of autonomic computing are presented, and in [13], it is presented how cognitive security approaches can establish "good anomalies" to establish normal operating parameters, and how any changes can generate automatic reconfiguration of network devices to control data flow.

III. COGNITIVE SKILLS AND NETWORK SECURITY

A. Situational Awareness

Situational awareness has been defined, from the field of psychology, as a person's ability to generate an understanding of their own situation based on their experiences [17]. This concept has been applied to the field of computer systems; for example, Lewis defines self-awareness of a computing system as the ability to acquire knowledge about itself based on internal and external events [18]. In [19], self-awareness of a computer system is defined as the ability to generate knowledge about itself and its environment and to decide on actions to be performed based on this knowledge.

1) Cybersecurity Situational Awareness (CSA): The concept of Situational Awareness (SA) describes the current threat and attack scenario of an organization, the impact of possible attacks, and the identification of attackers and user behavior [20]. Analysts must understand the security situation and determine the likelihood of impact. To generate situational awareness we can use the OODA loop. The cognitive OODA loop proposed by Breton is based on the cognitive processes of perception, understanding and projection [21]. Table I shows the relationship between the cognitive stages, the cognitive processes and the products generated according to Breton's proposal.

2) Cyber Cognitive Situational Awareness (CCSA):

In order to build an organization's cybersecurity situational awareness, we can rely on the support of cognitive aspects oriented to the decision-making process. Adapting the cognitive processes of perception, understanding and projection in cyberspace, we will have the relationships shown in Table II.

B. Non-Technical Skills

Organizations such as the U.S. Department of Homeland Security (DHS) and the National Cybersecurity Alliance (NCSA) have conducted National Cybersecurity Awareness Month, celebrating its 15th edition in 2018 [22], to promote community understanding of relevant aspects of risks and threats in the digital environment. In these areas, it is important for security professionals to have non-technical skills in order to be able to disseminate knowledge in a clear and consistent manner to a group of individuals without a technical background. For cybersecurity within an organization, the defense strategy is based on risk management, which is divided into four levels of the cybersecurity risk management lifecycle as shown in Figure 2.

Within the cybersecurity risk management lifecycle, at least the following people are required:

- Team Leader/Coordinator;

- Responsible for systems and information security;

- Communication team or PR;

- Classifier or classification;

- Incident Management Team - Tier 2;

- Legal team.

This emphasizes the need to develop collaborative skills in an environment where professionals from different disciplines work together, so teamwork is a very important skill for cybersecurity professionals. Newstrom mentions that 21st century organizations or companies are more flexible, able to adapt to change quickly, and have more effective horizontal relationships; therefore, today's organizations place a greater emphasis on flexible structure and horizontal communication. Tasks and roles are defined in a more open way, environments are more dynamic, and teams are created to make these aspects possible. According to Morin, complexity and multidisciplinary work are part of the 21st century, and the future of education must be centered on the human condition and the diversity of relationships between human beings. Another important aspect Morin mentions in Education for the 21st Century is the preparation of students to face the uncertainty that arises from the different events of everyday life.

Regarding the first aspect Morin mentions, focusing on the human side of students, it may be important to begin emphasizing training that focuses on strengthening skills. Mumford categorizes skills into four categories [25]:

1) cognitive skills;

2) interpersonal skills;

3) business skills;

4) strategic skills.

In general, universities in the field of cybersecurity focus primarily on improving cognitive, business, and strategic skills, but less on non-technical skills. Teamwork, collaboration, communication, and networking are included in the category of interpersonal skills, according to the categorization proposed by Mumford. Future cybersecurity professionals are studying at universities; therefore, engineering education needs to encourage the development of non-technical skills. Kyllonen proposed the skills needed in the 21st century, of which the following are mentioned [7]:

- Critical thinking;

- Oral and written communication;

- Labor ethics;

- Teamwork;

- Cooperation;

- Professionalism;

- Troubleshooting.

A good cybersecurity staff framework [26] establishes a set of knowledge, skills, and competencies for security professionals related to non-technical aspects such as:

- Ability to participate in planning teams, coordination teams, and task teams;

- Ability to apply collaboration skills and strategies;

- Ability to apply critical reading/thinking skills;

- Ability to work effectively with others.

Regarding the second aspect proposed by Morin in the field of computer science, namely uncertainty, some authors, such as [27] and [28], mention that uncertainty in the software development process can be related to human involvement, concurrency, and uncertainty in the problem domain. In software environments, uncertainty may occur between the development of the product and the changes in the requirements initially proposed by the users. In the cybersecurity domain, uncertainty may be related to other aspects such as timing, type, and target of cyberattacks.

Teamwork can also generate uncertainty; in [29], the authors mention that uncertainty can arise in human functioning and environmental work, depending on variables such as foresight, altruistic intelligence, gains and windfalls. In [30], the authors argue that uncertainty depends on the structure of the team and the interactions between its members.

As shown in Figure 3, there are four main areas that are necessary to educate computer science engineering students in the field of cybersecurity in the context of 21st century education.

IV. COGNITIVE SKILLS-BASED AUTOMATED CYBERSECURITY RESPONSE

Our proposal for automation of incident response is based on the importance of building situational awareness in order to make the right decisions based on an understanding of the positive and negative aspects of organizational security. Our proposal uses a collaborative approach to generate self-awareness and decision making, built on the cognitive process by which a security analyst must identify, among multiple events, the anomalous behavior that can warn of an attack. One of the aspects considered in our proposal is therefore to enhance this cognitive process. At the 2017 RSA Conference, IBM [31] demonstrated the cognitive tasks that a security analyst must perform when investigating an incident; in Table III, we propose a link between these cybersecurity cognitive tasks and cognitive processes.

For automating the process of responding to security incidents, we propose a layered architecture as shown in Figure 4. Our proposal emphasizes the analytics layer, in which data obtained from different sources (e.g., sensors, logs, or security blogs) are made sense of. Moreover, in this layer, the experience and effective communication of security analysts are fundamental, as they determine the adequate assessment of events, their categorization into incidents, and the most appropriate decisions to reduce the impact of attacks. Specifically, in this layer, we propose two subcomponents that allow situational awareness to be built: i) the automatic learning subcomponent and ii) the teamwork subcomponent. These two subcomponents communicate directly with the aim of generating labels for training supervised learning algorithms, based on the knowledge generated by analysts through interaction and exchange of ideas. On the other hand, unsupervised learning algorithms can detect patterns or anomalies that are not easily detectable and alert security analysts, who determine whether they correspond to the same security attack.

A framework based on a data management process is designed to ensure the integrity and quality of data at different levels; it therefore includes:

- Collection;

- Preparation;

- Analysis;

- Visualization;

- Access.

In Figure 4 below, we describe in detail the layers that make up our proposed framework.

a) Network Collection Layer: Covers the sources of information that will be used to create cybersecurity situational awareness. Among the sources of information, the following can be considered:

- Network simulation platforms;

- Sensors;

- Intrusion detection systems;

- Vulnerability analysis;

- Security portals, blogs, or subscription feeds;

- NetFlow;

- Server and network device logs.

b) Infrastructure Layer: The infrastructure layer contains the following components:

- Data collection servers, where ingestion of information from the different sources is processed. At least three servers are considered for load balancing and high availability.

- Indexing servers, where the data is indexed and, on that basis, the attributes are defined; the data is then cleaned and processed to generate the information presented in the visualization layer. At least two servers are considered for load balancing and high availability.

- Queue Management Server, which establishes processes to manage the processing resources of the big data solution when multiple requests for information are executed simultaneously.

- Reporting and Data Visualization Server, which hosts the data visualization tools that allow analysts to interact with and query the information.

- Intrusion Detection Server, in which the rules for detecting patterns related to security attacks are defined; this server has access to the security sensors.

- Alert Management Server, in which alert management is defined to notify analysts when abnormal patterns are detected, and which includes an event management system to allow flow control of escalations before security events are detected.

c) Indexing Layer: Used to define the search dictionary.

d) Situational Awareness Layer: This layer is the core of our proposal. Its goal is to establish a baseline security state of the organization. For this we consider two parts: the first consists of machine learning algorithms that identify patterns or anomalies based on the preprocessing of server logs and other data sources, and the second, called teamwork, generates self-awareness based on the collaboration of CSIRT security analysts. The knowledge generated by the team can then be used to train the learning algorithms and improve their accuracy.

e) Classification Layer: Defines the alerts issued to security analysts, CSIRTs, or other participants in the incident management process. According to good practice, it is wise to define the classification of the alert level.

f) Automated Response Layer: Defines the response actions that can be automated, as this is necessary to build a security incident management program.
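As an added example (not code from the paper or any project it cites), the following Python script walks one batch of constructed SSH authentication log lines through the layers just described: collection and preparation (parsing), the unsupervised part of the situational awareness layer (a robust per-source baseline of failed logins), the teamwork subcomponent (analyst-provided labels used to train a small supervised classifier), the classification layer (alert levels) and the automated response layer (a playbook mapping levels to actions). The log format, the analyst labels, the feature set, the alert levels and the playbook actions are all assumptions made for the illustration; the response actions are returned as a plan rather than executed.

```python
"""Added illustration of the analytics/response layers on constructed log data."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (assumed, simplified sshd line format, not real logs).
# 198.51.100.9 fails repeatedly against several accounts and then succeeds.
SAMPLE_LOGS = """\
2019-05-01T08:00:01 web01 sshd: Accepted password for alice from 10.0.0.5
2019-05-01T08:00:09 web01 sshd: Failed password for alice from 10.0.0.5
2019-05-01T08:01:13 web01 sshd: Failed password for bob from 10.0.0.6
2019-05-01T08:01:20 web01 sshd: Failed password for bob from 10.0.0.6
2019-05-01T08:01:31 web01 sshd: Accepted password for bob from 10.0.0.6
2019-05-01T08:02:02 db01 sshd: Failed password for carol from 10.0.0.7
2019-05-01T08:02:40 db01 sshd: Accepted password for dave from 10.0.0.8
""" + "".join(
    f"2019-05-01T08:03:{s:02d} db01 sshd: Failed password for {u} from 198.51.100.9\n"
    for s, u in enumerate(["root", "admin", "root", "backup"] * 3)
) + "2019-05-01T08:04:00 db01 sshd: Accepted password for backup from 198.51.100.9\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass
class Event:
    ts: str
    host: str
    result: str
    user: str
    ip: str


def parse_logs(text: str) -> list[Event]:
    """Collection/preparation: keep well-formed lines, silently drop the rest."""
    return [Event(**m.groupdict()) for m in map(LINE_RE.match, text.splitlines()) if m]


@dataclass
class SourceProfile:
    ip: str
    failures: int
    distinct_users: int  # accounts with at least one failure from this source
    success_after_failure: bool

    def vector(self) -> tuple[float, float, float]:
        return (float(self.failures), float(self.distinct_users),
                1.0 if self.success_after_failure else 0.0)


def profile_sources(events: list[Event]) -> dict[str, SourceProfile]:
    """Aggregate events per source IP into the (assumed) feature set."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        seen_failure = success_after = False
        for e in evs:
            if e.result == "Failed":
                seen_failure = True
            elif seen_failure:
                success_after = True
        failed_users = {e.user for e in evs if e.result == "Failed"}
        profiles[ip] = SourceProfile(ip, len(failed_users) and sum(
            e.result == "Failed" for e in evs), len(failed_users), success_after)
    return profiles


def baseline_anomalies(profiles: dict[str, SourceProfile], k: float = 3.0) -> list[str]:
    """Unsupervised part: flag sources whose failure count exceeds median + k*MAD."""
    counts = [p.failures for p in profiles.values()]
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts) or 1.0
    return sorted(p.ip for p in profiles.values() if p.failures > med + k * mad)


# Constructed analyst verdicts (teamwork subcomponent) on past feature vectors.
ANALYST_LABELS = [
    ((1, 1, 0.0), "benign"),
    ((3, 1, 1.0), "benign"),          # mistyped password, then a normal login
    ((10, 3, 1.0), "brute_force"),
    ((15, 2, 0.0), "brute_force"),
    ((8, 8, 0.0), "password_spray"),  # one try per account, many accounts
]


class NearestNeighbourClassifier:
    """Supervised part: 1-NN over min-max scaled features learned from labels."""

    def __init__(self, labeled):
        self.labeled = labeled
        self.ranges = [(min(d), max(d)) for d in zip(*(v for v, _ in labeled))]

    def _scale(self, v):
        return [(x - lo) / (hi - lo) if hi > lo else 0.0
                for x, (lo, hi) in zip(v, self.ranges)]

    def predict(self, v) -> str:
        sv = self._scale(v)
        _, label = min(self.labeled, key=lambda item: sum(
            (a - b) ** 2 for a, b in zip(sv, self._scale(item[0]))))
        return label


LEVELS = {"benign": "low", "password_spray": "high", "brute_force": "high"}
RESPONSE_PLAYBOOK = {  # assumed playbook; actions are planned, not executed here
    "low": ["record_for_baseline"],
    "high": ["block_source_ip", "notify_csirt"],
    "critical": ["block_source_ip", "terminate_sessions_from_source", "page_on_call_analyst"],
}


def alert_level(verdict: str, profile: SourceProfile) -> str:
    """Classification layer: a success after a failure burst suggests compromise."""
    if verdict != "benign" and profile.success_after_failure:
        return "critical"
    return LEVELS[verdict]


def run_pipeline(log_text: str, labels=ANALYST_LABELS) -> dict[str, dict]:
    """Only baseline anomalies reach the classifier, alert level and playbook."""
    profiles = profile_sources(parse_logs(log_text))
    clf = NearestNeighbourClassifier(labels)
    results = {}
    for ip in baseline_anomalies(profiles):
        verdict = clf.predict(profiles[ip].vector())
        level = alert_level(verdict, profiles[ip])
        results[ip] = {"verdict": verdict, "level": level, "actions": RESPONSE_PLAYBOOK[level]}
    return results


if __name__ == "__main__":
    for ip, result in run_pipeline(SAMPLE_LOGS).items():
        print(ip, result)
```

On the constructed batch, the median-plus-MAD baseline flags only 198.51.100.9, the analyst-labelled examples classify it as brute force, and the successful login after the failure burst escalates it to critical. The other sources never reach the classifier, which is the point of the unsupervised stage: it limits how many events compete for the analysts' attention, while the labels they produce on the escalated cases feed back into the supervised model.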

V. DISCUSSION

In psychological research, job performance is a topic that seeks to improve how work is carried out, taking into account personal and environmental variables. The variable we analyze in this study is the cognitive skills of professionals who perform incident management in the field of cybersecurity. We argue that the better developed the cognitive processes related to the execution of the function, the better the performance of the tasks solved by security analysts, given the high demand for a quick response to minimize the impact of an attack. For this reason, it is crucial to enhance cognitive flexibility in order to i) expand the analysis of event data, ii) be able to visualize more possibilities to face cyberattacks, and iii) develop inhibitory control in order to improve the accuracy and effectiveness of decisions. On the other hand, working memory plays a crucial role in the storage of experiences and the subsequent use of this information, so this cognitive process also contributes to the development of awareness of the risk and threat scenarios facing the organization. Another key variable relates to stress management in the work of incident management professionals, so that they can develop strategies that allow them to offset labor demands.

In a situational awareness-based cybersecurity management model, analyzing whether the executive function integrates the perception, understanding, and projection processes to improve task performance can enhance the decision-making process. Non-technical skills play a critical role in many ways, because without adequate communication and the ability to build shared knowledge, cybersecurity teams will not be able to achieve the efficiency needed to respond to security attacks. For example, when confronted with an incident or problem, dealing with complexity should not be left to the simple reasoning of individual security analysts; rather, it requires the ability to generate mental models that represent the complexity and to work as a team. This understanding can be complex, so recommendations such as the management of shared mental maps may be important. Another factor is multidisciplinary work, where specialists from different fields have to be involved together, but interaction problems arise due to limited knowledge of each other's field, different technical vocabularies, and heterogeneous working methods. Finally, there is the uncertainty of the results of processing activities or of interactions with other team members.

The proposed big data model covers the different components that must be considered for the generation of knowledge about the state of cybersecurity (cybersecurity situational awareness). Simply implementing a big data architecture is not enough to solve the problem of dealing with massive data processing; we should work on finding reliable information sources, establishing data quality control processes, generating security commitment metrics, and defining the time to update data.

In order to build situational awareness from information that security analysts can process, we propose a framework consisting of four modules as shown in Figure 5: sources, cognitive processes, collaborative security tasks, and soft skills. Teamwork supports the four modules. In [23], the authors mention that the goal of teams is to encourage members to analyze the way they work together, identify their weaknesses, and develop new forms of collaboration. To do this, the learning process must focus on the task. Following Newstrom's team-building model [23], we propose the following in the field of cybersecurity:

- Trained experts to identify problems;

- Data collection;

- Feedback action plan development;

- Generation of situational awareness;

- Solution experience;

- Continuous improvement.

VI. CONCLUSIONS AND FUTURE WORK

Technological and societal changes have produced dynamic and complex environments that generate large amounts of data. This fact creates new challenges for security analysts who must process the data to identify patterns or anomalies that allow the identification of threats or security attacks. The use of cognitive security provides the ability to process large amounts of data in different formats in a short period of time, thus increasing the effectiveness of security operations. In cybersecurity, big data is primarily used for surveillance operations and anomaly detection that are focused on reactive security strategies, but other security activities can be augmented by big data analytics for proactive strategies such as threat search or network deception.

Cybersecurity tasks for event management include identifying data about events to determine the amplitude of attack scenarios. Developing experience from data about threats and attacks builds awareness of the cybersecurity posture. Building awareness of the cybersecurity posture requires cognitive and affective skills, where the ability to perform cognitive processes is critical; perception and attention are the first filters that allow security analysts to gather information from the external environment. Higher cognitive processes related to working memory, cognitive flexibility, and inhibitory control are involved in externalizing behaviors in decision-making and incident management tasks.

Continuous improvement of the cognitive processes of the security analyst can be achieved through two skills:

1) Process control. Process control is an important skill for team members because it helps them perceive, understand, and react constructively.

2) Feedback. Feedback provides data to back up decisions, allowing analysts to self-correct based on the perceptions of the rest of the team.

There are different proposals for the use of big data and machine learning in security in business and academia; however, they are not widely implemented. We believe that a possible future work would be to analyze the reasons for this situation, which may be, in general, insufficient budget, personnel experience, and technical support. In addition, a synthesis through focus groups could be an important contribution to complement this study.