Cyber Security Lab

Bringing Anthropology into Cybersecurity

This research applies anthropological methods to study cybersecurity analysts working in Security Operation Centers (SOC). These analysts process large amounts of data while handling cyber threats. The job requires intelligence and high levels of skills but has many mundane/repetitive aspects. Adequate tool support is largely lacking and many of the skills and procedures involved are uncodified and undocumented resulting in a large body of "tacit knowledge." This project places researchers trained in both cybersecurity and anthropology into SOCs, working side by side with the analysts. This "participant observation" approach provides a means to access the tacit knowledge of the analysts and to convert it into more explicit knowledge, leading to the development of algorithms that can help automate the tasks. The ethnographic fieldwork also provides an opportunity to observe real security operation centers' work processes and identify factors that influence the effectiveness and efficiency with which cybersecurity incidents are handled. This helps explain why some cybersecurity problems are hard to address in practice, what roles humans and organizational structures play, and where procedures might be inefficient or completely fail for non-technical reasons. The research is carried out through a collaborative effort involving researchers from Kansas State University and two companies. Results from the research will create practical tools that leverage tacit knowledge in security analytics and automate tasks such as incident response and forensic analysis. Research findings also inform the training of cybersecurity professionals by making explicit the tacit knowledge of effective security analytics acquired during participant observation.

• Dr. Xinming Ou
• Dr. Michael Wesch
• Dr. Alexandru Bardas

• Dr. John McHugh (RedJack, LLC)
• Dr. Raj Rajagopalan (Honeywell ACS Labs)

• Marc Eisenbarth (Arbor Networks)
• Dr. William Horne (HP Labs)
• Dr. Loai Zomlot (HP Labs)
• Dan Moor (HP Digital Investigation Services)

• Sathya Chandran Sundaramurthy
• Yuping Li
• Jacob Case
• Stefan Nagy (REU student from UIUC)

We would like to work with interested parties to extend our research to more organizations. If you are interested, please look at this flyer.

• Turning contradictions into innovations or: How we learned to stop whining and improve security operations. Sathya Chandran Sundaramurthy, John McHugh, Xinming Ou, Michael Wesch, Alexandru G. Bardas, and S. Raj Rajagopalan. Symposium On Usable Privacy and Security (SOUPS 2016), Denver, CO, USA, June 22-24, 2016.
• A Human Capital Model for Mitigating Security Analyst Burnout. Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Jacob Case, Xinming Ou, Michael Wesch, John McHugh, and S. Raj Rajagopalan. Symposium On Usable Privacy and Security (SOUPS), Ottawa, Canada, 2015. (Distinguished Paper Award)
• A Tale of Three Security Operation Centers. Sathya Chandran Sundaramurthy, Jacob Case, Tony Truong, Loai Zomlot, and Marcel Hoffmann. CCS Workshop on Security Information Workers, Scottsdale, AZ, USA, Nov, 2014.
• An anthropological approach to studying CSIRTs. Sathya Chandran Sundaramurthy, John McHugh, Xinming Ou, S. Raj Rajagopalan, and Michael Wesch. IEEE Security & Privacy Special Issue on CSIRTs, Sept/Oct, 2014. Preprint.
• Using Anthropology to Study Security Incident Response. Siva Raj Rajagopalan. 26th annual FIRST Conference , Boston, MA, USA, 2014. Slides. Call for Participation Flyer.
• Ethnographic Fieldwork at a University IT Security Office. Xinming Ou. Invited talk at Annual Computer Security Applications Conference (ACSAC), 2013. Slides.
• The Problem with Teaching Cyber Security. Raj Rajagopalan. Panel presentation at CCICADA/DIMACS Brainstorming Workshop on Cyber-security Education, Oct 7, 2013
• Designing Forensic Analysis Techniques through Anthropology. Sathya Chandran Sundaramurthy. Presented at the NSPHD track of New Security Paradigms Workshop (NSPW), 2013.

• K-State News Release.

This research is supported by the National Science Foundation under Grant No. 1314925. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.