Abstract

The use of tacit knowledge has previously been shown to help expedite problem-solving procedures in the setting of medical emergency responses, as individuals can draw on past experiences in present and future challenges. However, there is a lack of understanding of its application in IT and socio-technical management. This paper examines the thought processes observed in Security Operations Centre (SOC) analysts facing threat events to lay the groundwork for tacit knowledge management in SOCs. Based on Sternberg's fieldwork in tacit knowledge, we conducted semi-structured interviews with ten analysts to explore the key artefacts and individual traits that aid their approach to communication, and to examine their thought processes under hypothetical incident handling scenarios. The results highlight a unanimous pursuit of Root Cause Analysis (RCA) upon the outbreak of an incident and distinct stages of decision-making when escalating to third-party support providers. Using Business Process Modelling and Notation (BPMN), we show the procedural elements of tacit knowledge from several scenarios. The results also suggest that simulation environments and physical proximity between analysts and vendors can facilitate the transfer of tacit knowledge more effectively in SOCs.

Highlights

  • Tacit knowledge is a type of knowledge, insight, and intuition that comes from years of experience

  • Three separate nodes were created for the three threat scenarios, and five more nodes were created to distinguish between validation, containment, remediation, future work, and miscellaneous processes identified during participants’ threat scenario response

  • Business Process Modelling and Notation (BPMN) and Decision Model and Notation (DMN) were used subsequently to investigate whether such aspects of the incident handling process can be codified as procedural elements of tacit knowledge in incident handling


Summary

Introduction

Tacit knowledge is a type of knowledge, insight, and intuition that comes from years of experience. It is shaped by an individual's human intelligence, sensory experience [1] and cultural background, which facilitate the process of digesting new information. An effective SOC establishes real-time interaction and coordination between people, technology, and processes to respond to threats. Analysts develop an ability to prioritise threats, which enables them to make faster and more effective decisions when containing attacks. The challenge in capturing tacit knowledge is that over time it becomes harder for an experienced analyst to articulate, or even recognise, the precise expertise

