What is Situation Awareness?

Oct 20, 2023 by Georgi Nikolov | 515 views

Intrusion Detection Visual Analytics APT Detection

https://cylab.be/blog/297/what-is-situation-awareness

The constant stream of data produced daily, the complexity of the environment and the need to react quickly to malicious attacks make the life of a cyber defense analyst a living nightmare. Many wonder how we are supposed to review the gigabytes of logs produced every day, analyze them all and extract valuable insight into what is happening in the network.

Such questions have no easy answer. In recent years there have been major advances in the way we treat data and in the sophisticated tools humans can use to parse and review information in easily digestible chunks, but the work is far from over.

Note from the writer: I would like to thank Axelle Perez, a former student at the Université Libre de Bruxelles, for her effort in researching and documenting the theory behind Situation Awareness during her Master Thesis with the Research Unit for Cyber Defense, here at the Royal Military Academy.

To better understand the difficulty of the task, we need to go down to the root of the problem: data can take many forms, many of which are complicated to understand at first glance. This is not only the case for network analysis, but for every aspect of human life. Since the dawn of time, humans have had the need to observe their environment closely to detect possible predators or adapt to ever-changing conditions. This is something quite intrinsic to human nature: the ability to observe our surroundings and gain valuable information, which is then used to shape our future decisions. The ability to take decisions based on environmental cues in complex and dynamic environments has been described many times over the years, but one definition which is often viewed as the most complete is that of "Situation Awareness" (SA). This widely accepted definition, formulated with dynamic environments in mind, was given by Mica Endsley [1,2]:

Situation awareness is the perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.

The model established by Endsley is widely used in the psychology domain to define how humans make sense of their surroundings and perceive complex situations. As an engineer working for the US Air Force, she noticed the problems originating from aircraft dashboards and the abundance of information the pilots need to deal with. Without being pilots, we ourselves can relate in many ways. Most of us have sat at one point or another behind the steering wheel of a car, with multiple gauges and indicators on the dashboard showing different information about the state of the car. The dashboard of a car is not really comparable to that of a plane, but it serves as a good illustration of what we are up against. A driver needs to keep their eyes on the road, observing the other drivers and the road ahead, while also keeping an eye on the speed, the fuel level and the temperature of the engine. On top of that, the driver may need to take into account the other passengers in the car and how they behave. Juggling these different information inputs depends largely on the ability of the driver, but it can be made easier by the tools available to present the information. This is the goal Endsley wanted to work towards: designing better instruments, which convey information to their users more clearly and easily.

The Situation Awareness model

To achieve her goal, a model describing how "Situation Awareness" works needed to be established. The three essential components of the SA model, shown in the figure below, define how well a human can recognize important information and react to it.

[Figure: the three-level Situation Awareness model (perception, comprehension, projection)]

  • Perception - the capability of humans to monitor their environment, detect cues and perform basic recognition. Through the use of our senses, we become aware of the different elements of the environment and their dynamics.
  • Comprehension - after the initial stage of perception, it is vital to interpret the perceived information, recognize possible patterns and understand their significance. This is achieved by combining our knowledge of the environment with the new data and making sense of it in the given context.
  • Projection - as the information is gathered and better understood, a clear model of how the situation is evolving can be constructed, in order to anticipate its possible future impact.

Situation Awareness in the Cyber domain

The model described earlier is clear and straightforward, but also a bit generic. When we try to apply it to the Cyber domain, we need to introduce and define some extra concepts to extend the model.

  • Cyber environment - when we talk about the typical Situation Awareness environment, we are discussing the physical environment, which is relatively well known and immutable. In contrast, the cyber environment is almost limitless and scale-free. As the spatial properties of the cyber environment are global, we usually define the spatial boundary for Cyber Situation Awareness (CSA) as the physical location of the system or network.
  • Perception - users in the Cyber domain can't use their own senses, but instead rely on sensors set up throughout the network for their input. This adds an extra layer of complexity, as we need to be sure the information the sensors relay is not fraudulent. Ways to verify the information and the status of the sensors need to be put in place.
  • Resources - in a typical environment, we rely on the resources available to us and there are limits to them. In the Cyber domain, the resources needed to launch a cyber-attack are unrestricted.
  • Implicated entities - there must be a clear separation and definition of the different elements of the environment. All hardware elements are considered Physical entities, each with a specific role and prone to its own faults. On the other side we have the Immaterial entities, such as the software used by humans and the data itself.
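The Perception point above (making sure what the sensors relay is genuine and that the sensors themselves are still alive), as an added example that is not code from the original post: a small Python check that accepts a sensor report only if its HMAC validates, it is fresh and it is not a replay, and that lists sensors that have gone silent. The sensor names, keys, thresholds and the report format are constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed example keys: in a real deployment each sensor's key is provisioned out of band.
SENSOR_KEYS = {"ids-dmz-01": b"demo-key-1", "ids-core-02": b"demo-key-2"}
MAX_AGE_S = 60      # a report older than this no longer describes the current situation
HEARTBEAT_S = 30    # a sensor silent for longer than this is flagged

def sign_report(sensor_id, ts, payload, key):
    """HMAC-SHA256 over sensor id, timestamp and canonical payload (hypothetical sensor-side step)."""
    msg = f"{sensor_id}|{ts}|{json.dumps(payload, sort_keys=True)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_report(report, now, last_seen):
    """Return (accepted, reason); last_seen maps sensor id -> newest accepted
    timestamp and is updated in place so replayed reports are rejected."""
    sid = report.get("sensor_id")
    key = SENSOR_KEYS.get(sid)
    if key is None:
        return False, "unknown sensor"
    expected = sign_report(sid, report["ts"], report["payload"], key)
    if not hmac.compare_digest(expected, report.get("mac", "")):
        return False, "bad mac"            # tampered or forged report
    if now - report["ts"] > MAX_AGE_S:
        return False, "stale"              # too old to be trusted as current
    if report["ts"] <= last_seen.get(sid, -1):
        return False, "replay"             # already seen, or older than what we have
    last_seen[sid] = report["ts"]
    return True, "ok"

def silent_sensors(last_seen, now):
    """Sensors with no accepted report within HEARTBEAT_S seconds (possibly down or cut off)."""
    return sorted(s for s in SENSOR_KEYS if now - last_seen.get(s, float("-inf")) > HEARTBEAT_S)

def make_report(sensor_id, ts, payload):
    """Constructed sensor report, signed with that sensor's key."""
    return {"sensor_id": sensor_id, "ts": ts, "payload": payload,
            "mac": sign_report(sensor_id, ts, payload, SENSOR_KEYS[sensor_id])}

if __name__ == "__main__":
    now, seen = 1000, {}
    good = make_report("ids-dmz-01", 990, {"alert": "port scan", "src": "192.0.2.10"})
    print(verify_report(good, now, seen))   # (True, 'ok')
    print(verify_report(good, now, seen))   # (False, 'replay')
    print(silent_sensors(seen, now))        # ['ids-core-02']
```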

In the cyber defense domain, analysts can quickly become overwhelmed by the large volumes of alerts and events produced by detection assets in the network, as well as by the logs and audit trails produced by systems and applications. For ages, humans have used visual aids to better understand complex situations, and this applies to the cyber domain as well. Through visual representations of the data, a domain analyst can perceive important information and suspicious events faster, interpret the significance of the findings through pattern recognition, and estimate the impact they might have on the system [3]. This means that to enhance Cyber Situation Awareness we need to rely on the field of Visual Analytics, through which we can combine the strengths of a human analyst with the speed of electronic data processing [4,5].

Final Notes

As we have seen in this blog post, the way we perceive our environment is of great importance to how we understand and use information. In the cyber domain, we need to rely on software to understand what is happening in our network, and we rely on Visual Analytics to quickly visualize and relay that information to the user. We will discuss how this can be accomplished in a future blog post.

References

[1] https://en.wikipedia.org/wiki/Mica_Endsley

[2] Endsley, M.R.: Toward a theory of situation awareness in dynamic systems. Human factors 37(1), 32–64 (1995)

[3] Lavigne, V., Gouin, D.: Visual analytics for cyber security and intelligence. The Journal of Defense Modeling and Simulation 11(2), 175–199 (2014)

[4] Cui, W.: Visual analytics: A comprehensive overview. IEEE Access 7, 81555–81573 (2019)

[5] Thomas, J.J., Cook, K.A.: A visual analytics agenda. IEEE computer graphics and applications 26(1), 10–13 (2006)

This blog post is licensed under CC BY-SA 4.0
