Problem statement. Despite the mission-critical role of people in protect and defend roles, relatively little is known about how cognition supports defender proficiency, a pressing problem given a workforce shortage and skills gap (Crumpler & Lewis, 2019). Understanding of the cognitive processes relevant to cybersecurity roles could support strategies to develop the skills of defenders and increase workforce participation. These processes, called macrocognition, are the result of cognitive resources at work in operational environments (Klein et al., 2003).
Research questions. The cognition of defenders is not well understood, and defender proficiency is only starting to be defined; what cognitive processes support proficiency in defender roles? To address the skills gap, a critical question is how to develop the proficiency of defenders efficiently; how can understanding of defender cognition be used to strengthen the cybersecurity workforce?
Contribution. A methodology using cognitive task analysis (CTA) is presented to describe the macrocognition of defenders. CTA is a collection of “tools and techniques for describing the knowledge and strategies required for task performance” (Schraagen et al., 2000, p. xiii). This work is complementary to prior defender CTAs in that CTA is used to describe the cognition of individuals with the aim of generalizing those processes across related work roles.
Rationale. This approach connects work roles based on related cognitive skills. Understanding of macrocognition could help defenders connect how they think with their work outcomes and may unlock novel, evidence-based strategies for workforce development, especially in training and recruitment.
Investigative approach. Macrocognition’s role in describing cognition at a useful layer of abstraction and complement to the NICE Framework (NIST SP 800-181; Newhouse et al., 2017) is introduced. CTA is discussed as a method of understanding proficiency in support of workforce development, and CTAs relevant to this perspective are reviewed. A use case with two industry defenders is presented, and lessons learned are offered to accelerate replication.
Lessons learned. The use case shows how concept mapping can lead to macrocognitive themes. The themes suggest practice implications and new research questions. Successes and failures in the use case are discussed so that researchers can more efficiently link CTAs to defender macrocognition.
Implications for practice. The NICE Framework defines knowledge, skills, abilities, and tasks mapped to work roles with emerging discussion of qualifications; the methodology complements the NICE Framework by establishing the cognitive mechanisms that support individuals performing the skills and abilities. Macrocognition for cybersecurity may predict performance across similar roles even when policies, departments, organizations, sectors, and technologies change. There is potential value in diagnosing macrocognition to improve performance outcomes. This research can result in a more prepared cyber workforce, trained and recruited on the basis of cognitive skills relevant to their role.
Implications for research. This work serves as a call and framework for additional CTA research to understand cognitive processes, and replication is necessary. Through the methodology, quantitative researchers can benefit from better understanding of relevant contextual factors, which can lead to more meaningful experimentation and establish reliable measurement.
David Schuster, Ph.D.
Sponsored by the National Science Foundation
