Situational Awareness model in SPHINX environment

In 2001, Mica R. Endsley defined Situation Awareness (SA) as the key to providing information, because the problem is no longer lack of information, but finding what is needed when it is needed. Over the years, SA has been defined in several complementary ways, most focusing on the application of SA to specific domains.

The SA model in SPHINX relies on a modified version of Endsley’s model to enable security officers to be aware of the current situation, the impact and evolution of an attack, the behaviour of the attackers, the quality of available information and models, and the potential futures of the current situation, and thus to make informed decisions.

The SPHINX SA model consists of the following four levels:

Level 1

Collection is the central mechanism that will allow all disparate pieces of evidence to be collected, gathered, and available for the scope of analysis of Level 2.

Level 2

Comprehension comprises analysis tools and techniques to better understand situations that occur in the cyber domain. Analysis is an ongoing process that incorporates technology to perform automated, swift and repetitive tasks aimed at providing actionable insights into the current or impending future situations in Level 3.

The Interpretation mechanism provides the outcome of analysis that will allow all pieces of evidence to be well understood and available for the scope of Level 3 and in parallel support decision making.

Level 3

Projection takes advantage of the “analysed intelligence” from Level 2 to predict future states or situations.

The Potential Futures mechanism provides information regarding future states or situations. This process shall provide information to the decision-making level for risk management, the implementation of proactive actions or the design of a mitigation strategy.

Level 4

Resolution focuses on what needs to be done in order to remedy, recover and resolve situations or respond to future situations observed through security monitoring, threat intelligence, tracking and external intelligence.

The Investigation and Actions blocks act as a forensics mechanism that gathers incident-related evidence and any action taken in order to provide additional information to Collection (L1) & Interpretation (L2). Controls are the implemented safeguards or countermeasures to avoid, detect, counteract, or minimize security risks involving information, computer systems, or any other type of assets used to support Level 2.

Finally, the Recommendations block includes any additional information stemming from decision support suggestions that is not incorporated into a control.

More information about the situational awareness model can be found in Deliverable 3.1, which is publicly available here.