Understanding and Enabling Tactical Situational Awareness in a Security Operations Center

2020 
Cybersecurity operations are highly complex, requiring the coordination of specialized skills across multiple teams to successfully execute missions. Command and control within security operations centers is dominated by fragile mental models, demonstrating a need for systems that reinforce shared situational awareness across the organization. In this paper, we present the results of our research to: (1) define the needs associated with tactical cyber situational awareness; and (2) evaluate the usability and utility of a prototype tactical situational awareness dashboard. We found that incident tracking, tasking structure, execution timeline, and resource health constitute the essential aspects of tactical cyber situational awareness. Evaluations of prototypes suggest that three visualizations are well suited for conveying this information. We believe these results are generalizable and will enable the development of tactical situational awareness capabilities in Security Operations Centers across public and private enterprises.