Phase II: Evaluation
CHAPTER 5: CONCEPTUAL MODELLING 5.1. Introduction
5.5. Derivation of the Conceptual Model
5.5.2. Shared Situational Awareness Tier
As organisations involve the collaboration of multiple users for information sharing, awareness cannot be done exclusively at an individual level, and the following section considers the integration of shared situational awareness into the model concept.
• Shared Situational Awareness Mechanisms – The use of shared mental models (this can be achieved through sense-making).
• Shared Situational Awareness Processes – “involvement of effective team processes for sharing pertinent information”.
Bolstad and Endsley (2000) indicate that shared situational awareness is achieved through various tools – shared displays, shared communication, and shared environments. The shared situational awareness requirements and shared situational awareness devices will be achieved by visualisation, sense-making and communication channels, which help to understand the requirements of each team member and act as devices towards shared communication. The shared situational awareness mechanism will leverage sense-making to achieve a shared mental model. Shared situational awareness processes will be achieved by the role-based situational awareness component of the model, which aims to share relevant information with the team members according to their roles. The next sub-section explores the two core elements of the shared situational awareness tier, which are sense-making and visualisation.
5.5.2.1 Sense-making
There are various approaches to sense making or sense-making, hence the variations in spelling – sense-making was introduced by Dervin (1998) whereas sense making was introduced by Weick (1995). However, recent applications have merged the ideas together (Urquhart et al., 2016). For the sake of readability, the spelling variant “sense-making” will be used in this thesis. Weick (1995) introduced sense-making for organisational contexts, while the approach of Dervin (1998) to sense-making focuses on the individual as they make sense of a ‘gap’ within a situation. Marshall (2016) frames sense-making as sense giving to deliberately attempt to change how people think. Weick (1995) indicated that sense-making involves understanding, interpretation and attribution where it “involves the on-going retrospective development of plausible images that rationalize what people are doing” (Weick et al., 2005, p. 409). While the approaches to sense-making appear diverse, the ideas are complementary, in that Dervin’s approach to sense-making is achieved when crossing a gap in the information landscape while Weick’s approach to sense-making is achieved retrospectively, that is, to make sense of past situations (Harviainen & Melkko, 2022).
Sense-making involves making sense of unclear situations and is related to the process of situational awareness, “where individuals and organisations can understand the multifaceted associations between people, places and events to allow them to make their own judgement of future developments and act accordingly” (Jashapara, 2004, pp. 131-132). “Sense-making is an on-going accomplishment originating from the efforts to create order and make retrospective sense of what has occurred” (van Wyk et al., 2020, p. 2).
At an individual level people who have elevated levels of situational awareness can process new data using their mental model which is an organised and dynamic knowledge structure gleaned by experience (Jashapara, 2004). Sense-making involves selecting a structure from multiple frames that best fits the context – a frame is a mental model that identifies limitations and makes forecasts (Howard et al., 2015). The outcome of sense-making is situational awareness which involves “a cyclic process between mental models and dynamic data to find the best match between the two” (Jashapara, 2004, p. 132). Figure 5-5 shows the relationship between these three concepts at an individual level.
Figure 5-5: The Relationship between Mental Models, Sense-making and Situational Awareness (adapted from Jashapara (2004))
Within a shared situational awareness context, shared mental models will characterise “the intersection or conjunction among team members’ mental depictions regarding various elements of their team and activity” (Maynard & Gilson, 2014, p. 8). Salas et al. (1994) pointed out that shared mental models assist in understanding the association between team processes and situational awareness and that mental models can be used as descriptive mechanisms for coordination in teams. Maynard and Gilson (2014) argue that shared mental models in research largely consider interaction, communication, and training in a face-to-face context, and there is a paucity of research on the use of information communication technology (ICT) with respect to shared mental models. Maynard and Gilson (2014) argue that ICT affects the development of shared mental models from a team and task perspective and view the attributes of technology that affect the shared mental model by applying a sense-making lens.
Appropriating from Zamani et al. (2021), this study considers the strategies proposed by Weick (1995), as this study involves the organisational context with multiple stakeholders and the aim is to make sense of the fragmented processes within ISIM. Dennis and Valacich (1999) proposed a theory of media synchronicity that posited that all tasks for group work are composed of two fundamental communication processes, conveyance and convergence, which can be used to minimise multiple and conflicting interpretations of a situation. They considered the following sense-making strategies, which were derived from Weick (1985) and Weick (2009), and which are intended to enhance sense-making in group support systems: action, triangulation, deliberation, contextualisation and affiliation.
Conveyance is a process of disseminating a diversity of information from varied sources to enable the receiver of the information to gain a mental model of the situation (Dennis et al., 2008) and it involves the following structures:
• Contextualisation: It refers to the “connection of the new events to past events” (Dennis & Valacich, 1999, p. 4).
• Action: This is the process where, “members ask questions of or propose actions, information or opinions to other group members, and await the response” (Dennis & Valacich, 1999, p. 4).
• Triangulation: This is the process of attaining information in a variety of formats from a variety of sources in order to obtain a complete picture (Dennis & Valacich, 1999).
Convergence is the process of reaching a common understanding of the current situation based on an individual’s interpretation of the information (Dennis & Valacich, 1999) and involves the following structures:
• Deliberation is the process of integrating the information gained through action, triangulation, and contextualisation in order to understand the current situation (Dennis & Valacich, 1999).
• Affiliation considers how other individuals infer or understand information, and reach a mutually agreed upon meaning (Dennis & Valacich, 1999).
ISIM deals with various processes such as planning, detection, assessment, response and lesson learning. The above processes of sense-making can play a role in the enhancement of these ISIM processes. Conveyance can assist in transmitting information during an information security incident by combining a variety of sources using the strategies of ‘contextualisation’, ‘action’ and ‘triangulation’. Convergence can assist in forming a shared mental model of incident information which supports all the processes of ISIM using the strategies of ‘deliberation’ and ‘affiliation’. Convergence requires less deliberation when encountering new information in situations where individuals have a shared mental model; consequently, encoding and decoding of existing information could be expedited (Dennis et al., 2008).
Table 5-1 considers how the strategies for sense-making could be theoretically applied to ISIM to promote shared situational awareness.
Table 5-1: The Interaction of Sense-making and ISIM

| Sense-making Strategy | Sense-making within ISIM processes |
|---|---|
| Triangulation | Searching the incident pool of previously detected incidents. |
| Contextualisation | Characterisation of the incident from previous cases. |
| Action | Communicate incident information to stakeholders. |
| Deliberation | ISIRT deliberates on information from the process of triangulation, contextualisation and action. |
| Affiliation | Submitting incident information to stakeholders for feedback to ensure mutual understanding. |

Visualisation has been used to enhance the usability of different interactive systems to support improved acceptance through sense-making (van Wyk et al., 2020). This is the subject of the next complementary strategy used to achieve shared situational awareness.
5.5.2.2 Visualisation
Tamassia et al. (2009) surveyed techniques of visualisation of information security using the graph drawing approach. They highlight the advantages of visualisation over textual information which is often difficult to analyse. D'Amico and Kocka (2005) indicate that visualisation is a common tool used to enhance situational awareness. A situation-awareness visualisation in information systems helps to offer “perceptually based presentations that permit decision-makers to rapidly infer the readiness of all available cyber resources” (Erbacher, 2012, p. 17). Existing models have considered visualisation from mostly an analyst’s or a decision-maker’s perspective (Erbacher, 2012).
Visualisation also enhances the users’ knowledge transfer through easy understanding between different entities (van Wyk et al., 2020). D'Amico and Kocka (2005) proposed several visualisation techniques for each level of situational awareness for information assurance.
These notions are now revised within the ISIM context:
▪ Perception: Visualisation of the source IP address and its relation to other IP addresses amongst millions of transactions per day, so that the stakeholders can visually see the relationship of this source address to other destination IP addresses and transactions.
▪ Comprehension: A visualisation of the links “between various entities” and an animation showing the path of the incident. For example, a path is taken by either an external or insider attacker to “gain insight into the attacker’s activities”.
▪ Projection: A visualisation that replays the visual representation and aims to determine the next entity that could be attacked if the attacker is not circumvented. For example, an attacker who gains access to the employee entity can therefore use this information to gain access to the client entity.
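The three levels above can be expressed as queries over incident data that a visualisation would then draw. The following is an added example, not part of the original thesis or its prototype; the transactions, entity names and access relationships are constructed for illustration.

```python
from collections import Counter

# Constructed sample transactions: (time, source IP, destination IP, entity reached).
# Addresses come from documentation ranges; entity names are hypothetical.
TRANSACTIONS = [
    (1, "198.51.100.7", "192.0.2.10", "web-portal"),
    (2, "203.0.113.5", "192.0.2.10", "web-portal"),
    (3, "198.51.100.7", "192.0.2.20", "employee"),
    (4, "198.51.100.7", "192.0.2.20", "employee"),
    (5, "203.0.113.9", "192.0.2.30", "client"),
]

# Assumed access relationships: which entity gives access to which others.
ACCESS = {"web-portal": ["employee"], "employee": ["client", "payroll"], "client": []}


def perception(source_ip, transactions=TRANSACTIONS):
    """Level 1: destinations contacted by one source, with transaction counts."""
    return dict(Counter(dst for _, src, dst, _ in transactions if src == source_ip))


def comprehension(source_ip, transactions=TRANSACTIONS):
    """Level 2: time-ordered path of entities this source has touched."""
    path = []
    for _, src, _, entity in sorted(transactions):
        if src == source_ip and entity not in path:
            path.append(entity)
    return path


def projection(source_ip, access=ACCESS, transactions=TRANSACTIONS):
    """Level 3: entities one step beyond the path that are not yet touched."""
    path = comprehension(source_ip, transactions)
    nxt = {e for touched in path for e in access.get(touched, []) if e not in path}
    return sorted(nxt)


if __name__ == "__main__":
    ip = "198.51.100.7"
    print("perception   :", perception(ip))
    print("comprehension:", " -> ".join(comprehension(ip)))
    print("projection   :", projection(ip))
```
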
Although visualisation of Big Data was studied from different perspectives such as situational awareness (Jonker, Langevin, Schretlen, & Canfield, 2012) and from a human cognitive analysis perspective (D’Amico & Kocka, 2005), few studies were conducted from an ISIM perspective. While Erbacher (2012) addressed incorporating visualisation in situational awareness to predict security incidents for decision-makers, the author did not incorporate an integrated communication strategy as described in the research problem and conceptual design of this research.
More importantly, in this research study, from the perspective of ISIM, visualisation deals with mapping and querying the existing information to show summary and graphical presentations of the incident which had taken place, and the frequency and distinctive characteristics of incident information. Such information will be visualised in the prototype (Chapter 6). Mapping and inference of data are associated with visualisation, as data inside the system can be visualised in graphical form. It involves reading from the data, synthesising, inferring and putting together similar and different incident clusters in diverse ways. Bolstad and Endsley (2000) found that while shared displays (i.e., visualisation) were useful in building shared mental models, they decreased performance due to mental overload, and proposed that perhaps abstracted shared displays, which provide only the “critical information” of the display to reduce the mental strain, might be more useful. They found that abstracted shared displays helped in the coordination of teams in excessive workload situations when direct communication is strained.