Bellini College of Artificial Intelligence, Cybersecurity and Computing

Simon Ou's rigorous academic research has focused on how he can develop solutions that address the day-to-day frustrations of cybersecurity professionals. Photo by Jeremy Maready

Anthropological perspective assists USF cybersecurity researcher in addressing SOC burnout

Simon Ou has spent his career thinking about how rigorous academic research can better connect with the day-to-day realities of cybersecurity professionals.

He observed that in some cases, valuable academic insights weren’t fully reaching the cybersecurity professionals who could benefit most from them. Rather than seeing that as a failure, he saw it as a challenge. It also became an opportunity to bring anthropology and computer science together to address real-world challenges, like burnout among employees at security operations centers or the human behaviors that impact cybersecurity.

“A lot of the cybersecurity research done by academia would lead to publication, and then you’d gain fame about getting this paper into a top conference, and that's about it,” said Ou, a professor of cybersecurity in USF’s Bellini College of Artificial Intelligence, Cybersecurity and Computing. “You’d rarely find a piece of academic research really making its way into the cybersecurity industry. In other words, industry didn't really care about what we did in security.”

Ou wanted his research to contribute something meaningful, not something that would just sit on a shelf. “We both (industry professionals and academics) want to solve problems that really have a realizable benefit.”

In Ou’s current SOC research, he has partnered with Professor Daniel Lende from the Department of Anthropology in the USF College of Arts & Sciences. Cross-disciplinary collaboration of this kind is a focus of the Bellini College and reflects its hub-and-spoke model, which connects the college with disciplines across the university, opens further research opportunities and prepares students for modern technology careers.

Looking for answers

While working on his doctoral degree at Princeton University, Ou remembered his advisor encouraging him to talk to system administrators.

“I wasn't comfortable doing that because I thought, ‘Oh, why would I talk to those folks? I'm doing my research. I'm not really into these operations things,’” he said.

But his advisor persisted. Ou got into the habit of meeting face-to-face with system administrators to ask questions.

“What do you do? Why do I need to have a firewall? Why do you want to block this port? What's the reason behind that?” he’d ask.

It wasn’t a common practice. But it transformed how he thought about technology. The interactions grounded his work in real-world processes.

“We think our job is to look at this,” he said, pointing to a computer screen. “That's our world: computers. But we are no longer living in a world where this is just that, because computing touches everything. The computer is intertwined with every aspect of our life and work.”

An anthropological mindset

Those early field and anthropological perspectives shaped how Ou approached his research at Cyber Florida's Security Operations Center Apprentice Program (SOCAP) at USF. Student participants, who are paid, work inside the Cyber Florida Security Operations Center, the student-operated SOC that supports cybersecurity efforts at USF and partners with public-sector organizations to provide additional security services.

Working with his doctoral students, Faayed Al Faisal and Kritan Banstola, Ou is exploring how AI can take on low-level tasks so that analysts can dedicate more time and effort to investigating larger and more important issues.

“We want to develop an AI system that understands context and can adapt based on how analysts actually make decisions. If we can teach AI to see the work the way a human does, we can start automating the repetitive parts and give people space to think critically again.”

The ultimate goal is for the cybersecurity industry to use the research as a blueprint to overhaul their own SOCs, boost productivity and eliminate or reduce turnover.

“The goal from the very beginning was to create a SOC assistant AI tool that the analysts will actually use,” Al Faisal said. “To know what is useful and to know what may cause a hindrance to the analysts in their workflows with the deployment of an AI tool is why it was important from the beginning to be a part of SOCAP and work as actual analysts and work on the same tasks that they work on.”

Inside security operations centers

Ou’s efforts to address SOC analyst burnout grew out of years of prior research.

Gaining access to security operations centers and embedding a team of student interns in multinational corporation SOCs proved challenging, but he persisted, knowing he would need to offer something of value in return. Grant funding from the National Science Foundation supported students who assisted with the research while working as short-term employees within the SOCs.

“At first, it was hard to get in. These are high-security environments, and people are cautious about outsiders,” he said. “But once they saw we weren’t there to judge, just to learn, they opened up.”

Once access was secured, the experience proved eye-opening. Ou realized that computing needed professionals with expertise that extended beyond technical skills: people who understood the humans operating the systems.

“It was more like anthropology than computer science,” he said. “Being a field researcher inside a technical ecosystem.”

That insight led to partnerships with anthropologists, for a simple reason.

“They don't want to change,” he said. “They don't want to reshape a culture. They want to understand a culture. They want to understand the people who are poorly understood. And the security operations people were poorly understood. They still are.”

Ou’s team of student interns finally gained the access they needed inside the SOCs and were able to observe the analysts as they worked.

“We began working directly with security operations centers,” he said. “That meant spending time with analysts, watching how they worked, what frustrated them, what they ignored, all of it.”

Once Banstola began working alongside the analysts, he saw how repetitive tasks and false alerts wore them down.

“I was surprised to see that a lot of alerts received at the SOC are usually benign activities and false positives,” he said. “But the analyst still has to go through a full triage process to identify the nature of the alert, which consumes time and contributes to fatigue.”

Al Faisal said that learning the anthropological approach through his work with the USF team, assisted by Lende from the Department of Anthropology in the USF College of Arts & Sciences, taught him how to interact with the people involved in the research.

“Part of that research involved getting input from the students who were volunteering in the training research sessions,” he said. “The great thing I learned from that research was how Professor Lende was able to ask and extract information that was useful to the research while not leading the students into an answer, and also keeping them comfortable so as not to make it seem like they were being interrogated under a microscope and keeping them comfortable answering. Those cyber training research sessions, as well as our constant communication with Professor Lende, allowed us to be fully integrated into the SOC while also keeping the other analysts comfortable and think of us as part of the team instead of a third party.”

Ou, who also serves as the director of Rapid7’s Cyber Threat Intelligence Lab at USF, collaborated with Lende on another project. That one, which was funded through a $1.5 million grant from the National Science Foundation and Office of Naval Research, was tied to research on how to better train cybersecurity analysts.

Evaluate and identify

During his previous work at Kansas State University, Ou and his team noticed how quickly people burned out. Frequently, analysts would leave after a year or two for other opportunities.

“We found that burnout wasn’t just about workload, it was the system,” he said. “People who work in the security operations center get burned out quickly. You’d hire them, train them for a few months and then their life in the SOC was probably 12 to 18 months and then they cannot bear it anymore. Then, because they now have that experience, they can move up to a different role to maybe become a software developer or move to another company.”

In the SOC, the work can seem mundane, but it’s necessary. That routine work, however, can divert attention away from higher-level, more specialized threat prevention.

Success in a vacuum

“Success in security operations is the absence of events,” he said. “Nothing happens. Everything is working fine. But then people ask, ‘Why are you still being paid so much money? If nothing happens, why are you spending millions of dollars every year?’”

If productivity is boiled down to a metric like the number of security tickets closed, analysts have an incentive to pick the easiest tickets to close. A more complicated ticket, potentially a greater threat, would only lower their tally of closed tickets, Ou said. “Tensions like that between those two choices create the burnout, the contradiction.”

Leaders must rethink how success is defined inside security operations centers, moving beyond surface-level productivity metrics to systems that recognize judgment, context and long-term impact.

“You can’t have effective security if the people doing the work are exhausted or feel like their effort doesn’t matter,” Ou said.

Developing the solution

Applying what Ou learned in his previous research to the SOC at USF, Al Faisal and the SOCAP team now have a working framework for a solution.

During the research process, the team learned that each analyst had a different process for triaging alerts.

“Each of them had their own set of tools they were comfortable with,” he said. “Each of them had their own level of comfortability when it came to using off-the-shelf AI in their day-to-day tasks, despite being encouraged by their managers (to use the AI tools).”

Accommodating those different approaches made the work harder, but not insurmountable. While it’s still in the development phase, Al Faisal and Banstola have a working AI assistant they are currently using for triage work; it still needs to be reviewed and isn’t quite ready for a full launch yet.

“We have designed our first version of the AI Companion and tested it out in the SOC ourselves,” Banstola said. “Currently, the assistant is able to call out various tools within the SOC for data and logs retrieval, reason through the alert and create a report on findings. In the next steps, we want to observe the utility of the AI companion when used by student analysts working at CyberFlorida. Also, we are looking for ways to have the AI assistant learn from past tickets and continuously improve its reasoning and utility in the SOC.”
