Human-centered Assessment of Automated Tools for Improved Cyber Situational Awareness

Attempts to deploy autonomous capabilities, including artificial intelligence (AI), within cybersecurity workflows have been met with an implementation challenge. Often the impediment is the ability of software engineers to assess and quantify the benefits of machine learning (ML) models for cyber analysts. We present a case study demonstrating the successful testing and improvement of an ML tool through human-centered assessments. For the benefit of researchers in this field, we detail our own wargaming environment, which was tested using members of a government intelligence community. The participants were presented with two cybersecurity tasks: report annotation and a situational awareness assessment. Both of these tasks were statistically assessed for the difference between task completion with and without access to automation tools. Our first experiment - report annotation - showed a task improvement of +14.0 ppts in recall and +9.19 ppts in precision; there was an overall significant positive difference in f1 values for the ML subjects (p < 0.01). Our second experiment - cyber situational awareness (CSA) - showed a 66.7% improvement in user scores and a significant positive difference for the ML subjects (p < 0.01). The conclusions of our work focus on the need to rebalance the attention of software engineers away from quantitative metrics and toward qualitative analyst feedback derived from realistic wargame testing frameworks. We believe that sharing our wargame scenario here will allow other organizations to either adopt the same testing methodology or, alternatively, share their own CSA testing framework. Ultimately, we are hoping for a more open dialogue between researchers working across the cyber industry and government intelligence agencies.