

Effects of cyber security knowledge on attack detection
Affiliation: 1. Department of Management, Birkbeck, University of London, Malet Street, London WC1E 7HX, United Kingdom; 2. Westminster Business School, University of Westminster, 35 Marylebone Road, London NW1 5LS, United Kingdom
Abstract: Ensuring cyber security is a complex task that relies on domain knowledge and requires cognitive abilities to determine possible threats from large amounts of network data. This study investigates how knowledge in network operations and information security influences the detection of intrusions in a simple network. We developed a simplified Intrusion Detection System (IDS), which allows us to examine how individuals with or without knowledge in cyber security detect malicious events and declare an attack based on a sequence of network events. Our results indicate that more knowledge in cyber security facilitated the correct detection of malicious events and decreased the false classification of benign events as malicious. However, knowledge contributed less when judging whether a sequence of events represents a cyber-attack. While knowledge of cyber security helps in the detection of malicious events, situated knowledge regarding the specific network at hand is needed to make accurate detection decisions. Responses from participants who have knowledge in cyber security indicated that they were able to distinguish between different types of cyber-attacks, whereas novice participants were not sensitive to the attack types. We explain how these findings relate to cognitive processes and we discuss their implications for improving cyber security.
Keywords: Cyber security; Knowledge; Dynamic decision-making; Intrusion-detection system; Expertise
This article is indexed in ScienceDirect and other databases.