uring the past 8 months we have deployed and tested the CS-AWARE system in the contexts of the municipalities of Rome and Larissa. We have worked intensively with the users, collected and implemented their feedback, tried to understand how cybersecurity is handled in their contexts, and how CS-AWARE can make a positive impact. A crucial concept for our project is that of cybersecurity awareness. We defined cybersecurity awareness as a concept with 6 components: it involves knowledge of cybersecurity threats (1), the system network (2), the organisation (3), external cybersecurity-related organisations and communities (4), as well cybersecurity agency: knowing how to act in case of a threat (5), and acting when there is no threat (6). Agency can be defined here as the possibility for actively contributing to cybersecurity.

When we say that CS-AWARE is an expert system, we crucially refer to the process of dealing with threats. This involves agency (5), but also knowledge of cybersecurity threats (1) and of the system network (2). This process was different in the two pilot municipalities. In Larissa, the system administration department handled all cyberthreats. This is a small department, with experts who can work together to resolve a threat. The way they currently work may not have to fundamentally change by implementing CS-AWARE. In Rome, expertise on all aspects of the extended network of nodes and services, is highly distributed. Handling cybersecurity threats requires a central expert who delegates different tasks to different experts, who are responsible for their particular system or service. More often than not, handling a cyberthreat will involve more than two system administrators, who work in different departments. These differences have implications for agency and on how knowledge is distributed between users.

We distinguished four main phases in the process of dealing with threats, and we learned a couple of things about awareness of these phases. For each phase, a number of things for awareness came out:

  • Concerning perception of threats (detection and classification), the opening screen of CS-AWARE increased immediate awareness of threats.
  • Concerning comprehension of threats, we noted that users attend to the main characteristics of a threat (type, date, system component involved), but not always to all details (detailed description, system information and threat history). This may have good reasons, linked to a user’s expertise, and the need for immediate resolution may require efficient handover. We observed that threat comprehension has more attention from those who are responsible for all aspects of threat resolution, as opposed to those who deal with some part of that process.
  • Concerning projection of the potential dangers of a threat, the same applies as for comprehension. While some users study the network visualisation extensively, others do not look at it, and focus on their own ‘section’ of the network. We think it is crucial for users to understand their own system, especially its vulnerabilities. It is highly recommended for training for new users to focus on projection of threats through system visualisation with CS-AWARE.
  • Concerning decision-making on how to resolve a threat, we noted that handover of threat mitigation to other users was the rule rather than the exception: cybersecurity clearly is a collaborative endeavour. Also, we noted that most users have the habit of checking if their decision was implemented correctly (e.g. threat now listed in resolved threats, or handover now included in current threats). It was clear that this already was part of their normal routines, but now made much more explicit (and recorded to be shared with others) through CS-AWARE.

As a conclusion for agency in handling threats, which is only one of the components of cybersecurity awareness, we can say that CS-AWARE greatly facilitates user agency, making detection and mitigation more efficient and effective, with the additional asset of better comprehension and projection of threats.

Jerry Andriessen, Wise & Munro Learning Research