Formalizing and Integrating User Knowledge into Security Analytics

• Published in: SN computer science Vol. 3; no. 5; p. 347
• Main Authors: Böhm, Fabian, Vielberth, Manfred, Pernul, Günther
• Format: Journal Article
• Language: English
• Published: Singapore Springer Nature Singapore 01.09.2022; Springer Nature B.V
• Subjects: Collaboration; Computer Imaging; Computer Science; Computer Systems Organization and Communication Networks; Cyber-physical systems; Cybersecurity; Data Structures and Information Theory; Explicit knowledge; Industry 4.0; Information systems; Information Systems and Communication Service; Information Systems Security and Privacy; Internet of Things; Mathematical analysis; Original Research; Pattern Recognition and Graphics; Software Engineering/Programming and Operating Systems; Subject specialists; Vision; Security analytics; Visual analytics; Security awareness; Security operations; Domain knowledge
• ISSN: 2661-8907; 2662-995X; 2661-8907
• DOI: 10.1007/s42979-022-01209-7

The Internet-of-Things and ubiquitous cyber-physical systems increase the attack surface for cyber-physical attacks. They exploit technical vulnerabilities and human weaknesses to wreak havoc on organizations’ information systems, physical machines, or even humans. Taking a stand against these multi-dimensional attacks requires automated measures to be combined with people as their knowledge has proven critical for security analytics. However, there is no uniform understanding of information security knowledge and its integration into security analytics activities. With this work, we structure and formalize the crucial notions of knowledge that we deem essential for holistic security analytics. A corresponding knowledge model is established based on the Incident Detection Lifecycle, which summarizes the security analytics activities. This idea of knowledge-based security analytics highlights a dichotomy in security analytics. Security experts can operate security mechanisms and thus contribute their knowledge. However, security novices often cannot operate security mechanisms and, therefore, cannot make their highly-specialized domain knowledge available for security analytics. This results in several severe knowledge gaps. We present a research prototype that shows how several of these knowledge gaps can be overcome by simplifying the interaction with automated security analytics techniques.