Understanding Situation Awareness in SOCs, A Systematic Literature Review

Abstract

Situation awareness is shown through human factors research to be a valuable construct to understand and improve how humans perform while operating complex systems in critical environments. Within cyber security one such environment is the Security Operations Center (SOC). With the increasing threat of hybrid warfare, knowledge about situation awareness within SOC environments, where human error or low performance may be detrimental, must be developed. This paper reports on the results of a Systematic Descriptive Literature Review of the current research on situation awareness within SOCs. The goal of the paper is to analyze how situation awareness is understood in the current research. To achieve this goal three aspects of understanding were addressed: Theoretical foundations; levels of conceptualization; and measurement of situation awareness. Theoretical foundations in the literature were assessed by how situation awareness was defined and the presence of references to theoretical models of SA. The results show a clear trend of basing the research on Endsley's three level situation awareness model; this model has been developed into a domain specific formulation called “Cyber Situation Awareness”. Some parts of the literature, particularly in research aimed at developing tools for improving situation awareness, lack a theoretical foundation; some refer to alternative theoretical foundations of situation awareness like Stanton et al.’s Distributed Situation Awareness. Further, a balance between conceptualizations on the individual, group and system level has been identified. Within research aimed at developing tools for improving situation awareness there are some examples of specialized and precise measurements of situation awareness, but in general the research seems too reliant on indirect measures of situation awareness. The paper concludes with the proposition of connecting the systems-based theoretical perspective of distributed situation awareness into the research, utilizing a systems level conceptualization of situation awareness. This might prove to be a useful bridge between the human cognitive perspective of situation awareness and the development of the complex technical environment of critical importance that SOCs represent.