Humans lie at the heart of security investigations, but there is an insufficient amount of research focusing on security analyst’s underlying cognitive processes. This has been the focus of much of my Investigation Theory work and led me to a new research project conducted over the course of this summer with my co-researcher Stef Rand.
Using a somewhat academic approach, we interviewed analysts and collected data from them to explore how divergent and convergent thought are used to connect the dots in an investigation. We also explored the relationship between these thinking modes, creative problem solving, and intuition. This eventually resulted in the development of the Ambiguity-Driven Convergence (ADC) model to help better understand how analysts solve problems. We used the model and our findings to highlight practical takeaways for security analysts.
We are excited to announce that this research is complete and that we’re releasing a paper detailing our methods and findings today.
We’d also like to extend a sincere thank you to our research participants and peer reviewers!
Humans lie at the heart of computer network defense. Despite the essential nature of analysts’ cognition in investigations, there have been few systematic attempts to understand how security analysts think during the investigation process. In this study, we set out to develop a better understanding of the cognitive processes of information security analysts. We hypothesized that divergent and convergent thinking styles would be highly influential during the creative problem solving required to find investigative solutions successfully. We interviewed security analysts and observed their use of divergent and convergent thinking in investigation scenarios. We also measured their skill level and their metacognitive awareness. We found that intuition, ambiguity tolerance, metacognitive deficiencies, and the context of the investigation changed analysts’ use of divergent and convergent thinking. We use these findings to build the ambiguity-driven convergence model for analyst thinking, as well as to suggest several practical applications to deliberately leverage divergent and convergent thought for higher quality investigations.
You can download the full paper here.