In cyber defense, sometimes communication is overrated

The less time cybersecurity team members spend talking about responding to an attack, the better the outcome is likely to be, Army researchers found.

It turns out that the less time cybersecurity team members spend talking about responding to an attack, the better the outcome is likely to be.

At least that's what Army researchers found when they studied the performance of cyber defense teams during head-to-head team competition at the Mid-Atlantic Collegiate Cyber Defense Competition. Teams had to defend and maintain their networks against a cyberattack on critical infrastructure and were evaluated on maintaining services, incident response and scenario injects. In responding to scenario events, team members were assigned tasks by a role-playing CEO and were required to submit incident reports to authorities.

Contestants wore sociometric badges, devices developed at MIT that use infrared sensors to measure the frequency and duration of face-to-face interactions and that can shed light on individual and collective patterns of behavior and identify social affinity among team members. The researchers also gathered data from a questionnaire in which team members evaluated their team's leadership style, task distribution, team meetings, communication and collaboration.

It's no surprise that teams with effective leadership and functional specialization were more successful. However, face-to-face interactions, as measured by the sociometric badges, emerged as a strong negative predictor of success in the competition, according to Norbou E. Buchler, a cognitive scientist within Army Research Laboratory's Human Research and Engineering Directorate and team leader with the ARL Cyber and Networked Systems Branch. "In other words, the teams whose members interacted less during the exercise were usually more successful," he said. "Successful cyber teams don't need to discuss every detail when defending a network; they already know what to do."

High-performing teams have fewer interactions because all the team members know each other's roles and work interdependently.  "The responsibility for performing the various tasks and sub-tasks necessary to accomplish the team's goal is divided and parceled-out among the team," Buchler said.

The results are important because they show the importance of both functional specialization and leadership in cybersecurity teams, which could help with detection and mitigation of threats. Currently, Buchler said, "training programs commonly emphasize cybersecurity knowledge and do not provide training on effective team management."

The research also highlights benefits derived from wearable technology.  Social-sensing platforms like the sociometric badges can "enhance human measurement and validate and refine theories regarding the factors influencing human performance and teamwork over time," Buchler said.