Human Performance Factors in Cyber Security Forensic Analysis

Human performance has become a pertinent issue within cyber security. However, this research has been stymied by the limited availability of expert cyber security professionals. This is partly attributable to the ongoing workload faced by cyber security professionals, which is compounded by the limited number of qualified personnel and turnover of personnel across organizations. Additionally, it is difficult to conduct research, and particularly, openly published research, due to the sensitivity inherent to cyber operations at most organizations. As an alternative, the current research has focused on data collection during cyber security training exercises. These events draw individuals with a range of knowledge and experience extending from seasoned professionals to recent college graduates to college students. The current paper describes research involving data collection at two separate cyber security exercises. This data collection involved multiple measures which included behavioral performance based on human-machine transactions and a questionnaire-based assessments of cyber security experience. It was found that participants reporting more experience with cyber security topics and cyber security software tools made greater use of general purpose software tools, combining the use of general purpose tools with specialized cyber security software applications. Given that organizations make substantial investments in cyber security software tools, it is important to recognize that while these tools enable specialized analyses that would not be possible otherwise, they are not sufficient. Instead, effective cyber security operations involve a range of activities that extends from the highly general (e.g., taking notes, Internet search) to domain specific (e.g., disk forensics) and the accompanying work environment should accommodates this range of activities.