Abstract
While the need for empirical investigations of cybersecurity analysts' collaborative work practices is widely acknowledged, research efforts are fairly limited. This paper aims to provide empirical evidence to support a deeper consideration for the seemingly intangible collaborative practices that situational awareness in cybersecurity relies on and add to our understanding of what it means to “do” threat intelligence. In particular, it aims to unpack the informal forms of collaboration and coordination at work that build tacit knowledge about threat actors and defenders and that span across time, people and tools to inform the translation of threat information into actionable threat intelligence. In-depth semi-structured interviews and diary studies are conducted at three cyber threat intelligence service providers (N=5) and analyzed using thematic analysis. This paper introduces the concept of Threat and Defence Knowledge, tacit knowledge that analysts within an organization form over time and utilize through informal ways of becoming aware of this knowledge, making it available and correlating it. We find that a lack of accessibility to knowledge about relevant threat and defence factors can reduce analysts' effectiveness at arriving at actionable threat intelligence and hence reduce the ability to be alerted in advance about cyber threats, to contain damage and obtain situational awareness. Perceived and potential shortcomings of the existing processes and tools are presented, practices to circumvent the existing systems are investigated, and implications for design are considered.