Bringing anthropology into cybersecurity

Dr. Xinming Ou
Associate Professor
University of South Florida

Abstract

Researchers in cybersecurity often face two conundrums: 1) it is hard to find real-world problems that are interesting to researchers; 2) it is hard to transition cybersecurity research results into practical use. In this talk I will discuss how we overcome these two obstacles in our four-year and still on-going effort of using anthropological approach to study cybersecurity operations.  The frequent news report on breaches from well-funded organizations show a pressing need to improve security operations. However there had been very little academic research into the problem. Since most of the cyber defense tasks involve humans --- security analysts, it is natural to adopt a human-centric approach to study the problem. Unlike most of the usable security research that has flourished in the recent years, it is extremely difficult to conduct research about security analysts in the usual way such as through surveys and interviews. Security Operation Centers (SOCs) have a culture of secrecy. It is extremely difficult for researchers to gain the trust from analysts and discover how they really do their job. As a result research that could benefit security operations are often conducted based on assumptions that do not hold in the real world. We overcome this hurdle by adopting the well-established research method from social and cultural anthropology -- long-term participant observation. Multiple PhD and undergraduate students in computer science were trained by an anthropologist in this research method, and were embedded in SOCs of both academic institutions and corporations. By becoming one of the subjects we want to study, we perform reflection and reconstruction to gain the "native point of view" of security analysts. Through four years (and still on-going) fieldwork in two academic and three corporate SOCs, we collected large amounts of data in the form of field notes. After systematically analyzing the data using qualitative methods widely used in social science research, such as grounded theory and template analysis, we uncovered major findings that explain the burnout phenomena in the SOCs. We further found that the Activity Theory framework formulated by Engestroem provides a deep explanation of the many conflicts we found in an SOC environment that cause inefficiency, and offers insights into how to turn those contradictions into opportunities for innovation to improve operational efficiency. Finally, in the most recent SOC fieldwork, we were able to achieve our initial goal of conducting this anthropological research -- designing effective technologies for security operations that were taken up by the analysts and improved their work efficiency.

Bio

Dr. Xinming (Simon) Ou is currently associate professor of Computer Science and Engineering at University of South Florida. He received his PhD from Princeton University in 2005. Before joining USF in fall 2015, he had been a faculty member at Kansas State University since 2006. Dr. Ou's research is primarily in cyber defense technologies, with focuses on human-centered approach to addressing this challenge problem. He also has broad interest and on-going work in cyber-physical system security, intrusion/forensics analysis, moving-target defense, and mobile system security. He is the author of the MulVAL attack graph tool which has been used by Idaho National Laboratory, Defence Research and Development Canada -- Ottawa, NATO, NIST, Thales Groups, General Dynamics, Johns Hopkins University Applied Physics Lab, Swedish Defence Research Agency, Army Research Laboratory, and researchers from numerous academic institutions. Dr. Ou's research has been funded by U.S. National Science Foundation, Department of Defense, Department of Homeland Security, Department of Energy, National Institute of Standards and Technology (NIST), HP Labs, and Rockwell Collins. He is a recipient of 2010 NSF Faculty Early Career Development (CAREER) Award, a three-time winner of HP Labs Innovation Research Program (IRP) award, and 2013 Kansas State University Frankenhoff Outstanding Research Award.