{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,2]],"date-time":"2025-12-02T06:13:07Z","timestamp":1764655987718,"version":"3.41.0"},"publisher-location":"Cham","reference-count":50,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319611518"},{"type":"electronic","value":"9783319611525"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-61152-5_6","type":"book-chapter","created":{"date-parts":[[2017,7,6]],"date-time":"2017-07-06T14:43:15Z","timestamp":1499352195000},"page":"128-169","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["Studying Analysts\u2019 Data Triage Operations in Cyber Defense Situational Analysis"],"prefix":"10.1007","author":[{"given":"Chen","family":"Zhong","sequence":"first","affiliation":[]},{"given":"John","family":"Yen","sequence":"additional","affiliation":[]},{"given":"Peng","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Rob F.","family":"Erbacher","sequence":"additional","affiliation":[]},{"given":"Christopher","family":"Garneau","sequence":"additional","affiliation":[]},{"given":"Bo","family":"Chen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,7,7]]},"reference":[{"key":"6_CR1","unstructured":"Security Operations: Building a Successful SOC, Hewlett-Packard Development Company, hp.com\/go\/sioc (2013)"},{"key":"6_CR2","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/978-3-540-78243-8_2","volume-title":"VizSEC 2007","author":"A D\u2019Amico","year":"2008","unstructured":"D\u2019Amico, A., Whitley, K.: The real work of computer network defense analysts. In: Goodall, J.R., Conti, G., Ma, K.-L. (eds.) VizSEC 2007, pp. 19\u201337. Springer, Heidelberg (2008)"},{"key":"6_CR3","doi-asserted-by":"crossref","unstructured":"D\u2019Amico, A., Whitley, K., Tesone, D., O\u2019Brien, B., Roth, E.: Achieving cyber defense situational awareness: a cognitive task analysis of information assurance analysts. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting, vol. 49, no. 3, pp. 229\u2013233. SAGE Publications (2005)","DOI":"10.1177\/154193120504900304"},{"issue":"3","key":"6_CR4","doi-asserted-by":"publisher","first-page":"204","DOI":"10.1057\/ivs.2010.5","volume":"9","author":"RF Erbacher","year":"2010","unstructured":"Erbacher, R.F., Frincke, D.A., Wong, P.C., Moody, S., Fink, G.: A multi-phase network situational awareness cognitive task analysis. Inf. Vis. 9(3), 204\u2013219 (2010)","journal-title":"Inf. Vis."},{"issue":"1","key":"6_CR5","first-page":"1","volume":"18","author":"M Gran\u00e5sen","year":"2015","unstructured":"Gran\u00e5sen, M., Dennis, A.: Measuring team effectiveness in cyber-defense exercises: a cross-disciplinary case study. Cogn. Technol. Work 18(1), 1\u201323 (2015)","journal-title":"Cogn. Technol. Work"},{"key":"6_CR6","series-title":"Advances in Information Security","doi-asserted-by":"publisher","first-page":"119","DOI":"10.1007\/978-3-319-11391-3_7","volume-title":"Cyber Defense and Situational Awareness","author":"J Yen","year":"2014","unstructured":"Yen, J., Erbacher, R.F., Zhong, C., Liu, P.: Cognitive process. In: Kott, A., Wang, C., Erbacher, R.F. (eds.) Cyber Defense and Situational Awareness. AIS, vol. 62, pp. 119\u2013144. Springer, Cham (2014). doi: 10.1007\/978-3-319-11391-3_7"},{"key":"6_CR7","doi-asserted-by":"crossref","unstructured":"Etoty, R.E., Erbacher, R.F.: A survey of visualization tools assessed for anomaly-based intrusion detection analysis. No. ARL-TR-6891. Army Research Lab Adelphi MD Computational and Information Sciences Directorate (2014)","DOI":"10.21236\/ADA601590"},{"key":"6_CR8","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-1-4419-0140-8_1","volume-title":"Cyber Situational Awareness","author":"P Barford","year":"2010","unstructured":"Barford, P., et al.: Cyber SA: situational awareness for cyber defense. In: Jajodia, S., Liu, P., Swarup, V., Wang, C. (eds.) Cyber Situational Awareness, vol. 46, pp. 3\u201313. Springer, US (2010)"},{"key":"6_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-642-22348-8_24","volume-title":"Data and Applications Security and Privacy XXV","author":"V Dutt","year":"2011","unstructured":"Dutt, V., Ahn, Y.-S., Gonzalez, C.: Cyber situation awareness: modeling the security analyst in a cyber-attack scenario through instance-based learning. In: Li, Y. (ed.) DBSec 2011. LNCS, vol. 6818, pp. 280\u2013292. Springer, Heidelberg (2011). doi: 10.1007\/978-3-642-22348-8_24"},{"issue":"1","key":"6_CR10","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1518\/001872095779049543","volume":"37","author":"MR Endsley","year":"1995","unstructured":"Endsley, M.R.: Toward a theory of situation awareness in dynamic systems. Hum. Factors J. Hum. Factors Ergon. Soc. 37(1), 32\u201364 (1995)","journal-title":"Hum. Factors J. Hum. Factors Ergon. Soc."},{"key":"6_CR11","unstructured":"Boyd, J.R.: The Essence of Winning and Losing (1996). Unpublished lecture notes"},{"key":"6_CR12","unstructured":"Pirolli, P., Card, S.: The sensemaking process and leverage points for analyst technology as identified through cognitive task analysis. In: Proceedings of International Conference on Intelligence Analysis, vol. 5, pp. 2\u20134 (2005)"},{"issue":"4","key":"6_CR13","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1145\/332051.332079","volume":"43","author":"T Bass","year":"2000","unstructured":"Bass, T.: Intrusion detection systems and multisensor data fusion. Commun. ACM 43(4), 99\u2013105 (2000)","journal-title":"Commun. ACM"},{"key":"6_CR14","doi-asserted-by":"crossref","unstructured":"Mahmood, T., Afzal, U.: Security analytics: Big Data analytics for cybersecurity: a review of trends, techniques and tools. In: 2nd National Conference on Information Assurance (NCIA), pp. 129\u2013134. IEEE (2013)","DOI":"10.1109\/NCIA.2013.6725337"},{"issue":"1","key":"6_CR15","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s40537-015-0013-4","volume":"2","author":"R Zuech","year":"2015","unstructured":"Zuech, R., Khoshgoftaar, T.M., Wald, R.: Intrusion detection and big heterogeneous data: a survey. J. Big Data 2(1), 1\u201341 (2015)","journal-title":"J. Big Data"},{"issue":"12","key":"6_CR16","first-page":"31","volume":"55","author":"DP Biros","year":"2001","unstructured":"Biros, D.P., Eppich, T.: THEME: security-human element key to intrusion detection. Signal-Fairfax 55(12), 31\u201334 (2001)","journal-title":"Signal-Fairfax"},{"issue":"1","key":"6_CR17","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1146\/annurev.psych.47.1.273","volume":"47","author":"KA Ericsson","year":"1996","unstructured":"Ericsson, K.A., Lehmann, A.C.: Expert and exceptional performance: evidence of maximal adaptation to task constraints. Annu. Rev. Psychol. 47(1), 273\u2013305 (1996)","journal-title":"Annu. Rev. Psychol."},{"key":"6_CR18","doi-asserted-by":"crossref","unstructured":"Chen, P.C., Liu, P., Yen, J., Mullen, T.: Experience-based cyber situation recognition using relaxable logic patterns. In: IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 243\u2013250. IEEE (2012)","DOI":"10.1109\/CogSIMA.2012.6188392"},{"key":"6_CR19","first-page":"61","volume":"800","author":"T Grance","year":"2004","unstructured":"Grance, T., Kent, K., Kim, B.: Computer security incident handling guide. NIST Spec. Publ. 800, 61 (2004)","journal-title":"NIST Spec. Publ."},{"key":"6_CR20","unstructured":"Information Security: Agencies Need to Improve Cyber Incident Response Practices. GAO-14-354, 30 April 2014. Publicly Released: May 30, 2014"},{"key":"6_CR21","first-page":"19","volume":"7","author":"FC Freiling","year":"2007","unstructured":"Freiling, F.C., Schwittay, B.: A common process model for incident response and computer forensics. IMF 7, 19\u201340 (2007)","journal-title":"IMF"},{"key":"6_CR22","volume-title":"Incident Response & Computer Forensics","author":"C Prosise","year":"2003","unstructured":"Prosise, C., Mandia, K., Pepe, M.: Incident Response & Computer Forensics. McGraw-Hill\/Osborne, New York (2003)"},{"key":"6_CR23","doi-asserted-by":"crossref","unstructured":"Dawkins, J., Hale, J.: A systematic approach to multi-stage network attack analysis. In: Second IEEE International Information Assurance Workshop, Proceedings, pp. 48\u201356. IEEE (2004)","DOI":"10.1109\/IWIA.2004.1288037"},{"key":"6_CR24","unstructured":"Jha, S., Sheyner, O., Jeannette, M.W.: Minimization and reliability analyses of attack graphs. No. CMU-CS-02-109. Carnegie-Mellon Univ. Pittsburgh PA School of Computer Science (2002)"},{"key":"6_CR25","unstructured":"Thomas, J.J., Cook, K.A.: The science of analytical reasoning. In: Illuminating the Path: The Research and Development Agenda for Visual Analytics, pp. 32\u201368 (2005)"},{"key":"6_CR26","doi-asserted-by":"crossref","unstructured":"Mancuso, V.F., Minotra, D., Giacobe, N., McNeese, M., Tyworth, M.: idsNETS: an experimental platform to study situation awareness for intrusion detection analysts. In: IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 73\u201379. IEEE (2012)","DOI":"10.1109\/CogSIMA.2012.6188411"},{"key":"6_CR27","unstructured":"Giacobe, N.A.: Measuring the effectiveness of visual analytics and data fusion techniques on situation awareness in cyber-security. PhD diss., The Pennsylvania State University (2013)"},{"key":"6_CR28","volume-title":"Fundamentals of Behavior Analytic Research","author":"A Poling","year":"2013","unstructured":"Poling, A., Methot, L.L., LeSage, M.G.: Fundamentals of Behavior Analytic Research. Springer Science & Business Media, US (2013)"},{"issue":"3","key":"6_CR29","doi-asserted-by":"publisher","first-page":"267","DOI":"10.1006\/cogp.2000.0747","volume":"42","author":"FJ Lee","year":"2001","unstructured":"Lee, F.J., Anderson, J.R.: Does learning a complex task have to be complex? A study in learning decomposition. Cogn. Psychol. 42(3), 267\u2013316 (2001)","journal-title":"Cogn. Psychol."},{"issue":"4","key":"6_CR30","doi-asserted-by":"publisher","first-page":"656","DOI":"10.3758\/BF03193898","volume":"38","author":"U Kukreja","year":"2006","unstructured":"Kukreja, U., Stevenson, W.E., Ritter, F.E.: RUI: recording user input from interfaces under Windows and Mac OS X. Behav. Res. Methods 38(4), 656\u2013659 (2006)","journal-title":"Behav. Res. Methods"},{"issue":"4","key":"6_CR31","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1006\/jmla.1997.2558","volume":"38","author":"PD Allopenna","year":"1998","unstructured":"Allopenna, P.D., Magnuson, J.S., Tanenhaus, M.K.: Tracking the time course of spoken word recognition using eye movements: evidence for continuous mapping models. J. Mem. Lang. 38(4), 419\u2013439 (1998)","journal-title":"J. Mem. Lang."},{"issue":"5","key":"6_CR32","doi-asserted-by":"publisher","first-page":"e1000072","DOI":"10.1371\/journal.pcbi.1000072","volume":"4","author":"MI Rabinovich","year":"2008","unstructured":"Rabinovich, M.I., Huerta, R., Varona, P., Afraimovich, V.S.: Transient cognitive dynamics, metastability, and decision making. PLoS Comput. Biol. 4(5), e1000072 (2008)","journal-title":"PLoS Comput. Biol."},{"key":"6_CR33","unstructured":"Tom, P., Santtila, P., Bosco, D.: The ability of human judges to link crimes using behavioral information: current knowledge and unresolved issues. In: Crime Linkage: Theory, Research, and Practice. CRC Press, p. 268 (2014)"},{"key":"6_CR34","doi-asserted-by":"crossref","unstructured":"Zhong, C., Samuel, D., Yen, J., Liu, P., Erbacher, R., Hutchinson, S., Etoty, R., Cam, H., Glodek, W.: RankAOH: context-driven similarity-based retrieval of experiences in cyber analysis. In: IEEE International Inter-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 230\u2013236. IEEE (2014)","DOI":"10.1109\/CogSIMA.2014.6816567"},{"key":"6_CR35","doi-asserted-by":"crossref","unstructured":"Zhong, C., Yen, J., Liu, P., Erbacher, R., Etoty, R., Garneau, C.: An integrated computer-aided cognitive task analysis method for tracing cyber-attack analysis processes. In: Proceedings of the 2015 Symposium and Bootcamp on the Science of Security, p. 9. ACM (2015)","DOI":"10.1145\/2746194.2746203"},{"key":"6_CR36","doi-asserted-by":"crossref","unstructured":"Pirolli, P.: Information Foraging Theory: Adaptive Interaction with Information. Oxford University Press (2007)","DOI":"10.1093\/acprof:oso\/9780195173321.001.0001"},{"issue":"4","key":"6_CR37","doi-asserted-by":"publisher","first-page":"643","DOI":"10.1037\/0033-295X.106.4.643","volume":"106","author":"P Pirolli","year":"1999","unstructured":"Pirolli, P., Card, S.: Information foraging. Psychol. Rev. 106(4), 643 (1999)","journal-title":"Psychol. Rev."},{"key":"6_CR38","doi-asserted-by":"crossref","unstructured":"Zhong, C., Yen, J., Liu, P., Erbacher, R., Etoty, R., Garneau, C.: ARSCA: a computer tool for tracing the cognitive processes of cyber-attack analysis. In: IEEE International Inter-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 165\u2013171. IEEE (2015)","DOI":"10.1109\/COGSIMA.2015.7108193"},{"key":"6_CR39","unstructured":"\u201cVAST Challenge 2012 Mini-Challenge 2\u201d, Visual Analytics Community (2012)"},{"key":"6_CR40","doi-asserted-by":"crossref","unstructured":"Scholtz, J., Whiting, M.A., Plaisant, C., Grinstein, G.: A reflection on seven years of the VAST challenge. In: Proceedings of the 2012 BELIV Workshop: Beyond Time and Errors-Novel Evaluation Methods for Visualization, p. 13. ACM (2012)","DOI":"10.1145\/2442576.2442589"},{"key":"6_CR41","unstructured":"Bass, T.: Multisensor data fusion for next generation distributed intrusion detection systems, pp. 24\u201327 (1999)"},{"key":"6_CR42","doi-asserted-by":"crossref","unstructured":"Lan, F., Chunlei, W., Guoqing, M.: A framework for network security situation awareness based on knowledge discovery. In: 2nd international conference on Computer Engineering and Technology (ICCET), vol. 1, pp. V1\u2013226. IEEE (2010)","DOI":"10.1109\/ICCET.2010.5486194"},{"key":"6_CR43","doi-asserted-by":"crossref","unstructured":"Fink, G.A., North, C.L., Endert, A., Rose, S.: Visualizing cyber security: usable workspaces. In: 6th International Workshop on Visualization for Cyber Security, VizSec 2009, pp. 45\u201356. IEEE (2009)","DOI":"10.1109\/VIZSEC.2009.5375542"},{"key":"6_CR44","doi-asserted-by":"crossref","unstructured":"McClain, J., Silva, A., Emmanuel, G., Anderson, B., Nauer, K., Abbott, R., Forsythe, C.: Human Performance Factors in Cyber Security Forensic Analysis (2015)","DOI":"10.1016\/j.promfg.2015.07.621"},{"key":"6_CR45","doi-asserted-by":"crossref","unstructured":"Zhong, C., Kirubakaran, D.S., Yen, J., Liu, P., Hutchinson, S., Cam, H.: How to use experience in cyber analysis: an analytical reasoning support system. In: IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 263\u2013265. IEEE (2013)","DOI":"10.1109\/ISI.2013.6578832"},{"key":"6_CR46","doi-asserted-by":"crossref","unstructured":"Giacobe, N.A.: Application of the JDL data fusion process model for cyber security. In: SPIE Defense, Security, and Sensing, p. 77100R. International Society for Optics and Photonics (2010)","DOI":"10.1117\/12.850275"},{"issue":"1","key":"6_CR47","doi-asserted-by":"publisher","first-page":"107","DOI":"10.1016\/j.inffus.2007.06.002","volume":"10","author":"SJ Yang","year":"2009","unstructured":"Yang, S.J., Stotz, A., Holsopple, J., Sudit, M., Kuhl, M.: High level information fusion for tracking and projection of multistage cyber attacks. Inf. Fusion 10(1), 107\u2013121 (2009)","journal-title":"Inf. Fusion"},{"key":"6_CR48","unstructured":"Vandenberghe, G.: Visually assessing possible courses of action for a computer network incursion. In: SANS Institute, InfoSec Reading Room (2007)"},{"issue":"1","key":"6_CR49","doi-asserted-by":"crossref","first-page":"39","DOI":"10.3233\/AIC-1994-7104","volume":"7","author":"A Aamodt","year":"1994","unstructured":"Aamodt, A., Plaza, E.: Case-based reasoning: foundational issues, methodological variations, and system approaches. AI Commun. 7(1), 39\u201359 (1994)","journal-title":"AI Commun."},{"issue":"1","key":"6_CR50","doi-asserted-by":"crossref","first-page":"2","DOI":"10.1145\/1456650.1456652","volume":"41","author":"A Cockburn","year":"2009","unstructured":"Cockburn, A., Karlson, A., Bederson, B.B.: A review of overview+detail, zooming, and focus+context interfaces. ACM Comput. Surv. (CSUR) 41(1), 2 (2009)","journal-title":"ACM Comput. Surv. (CSUR)"}],"container-title":["Lecture Notes in Computer Science","Theory and Models for Cyber Situation Awareness"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-61152-5_6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,21]],"date-time":"2025-06-21T12:26:34Z","timestamp":1750508794000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-61152-5_6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319611518","9783319611525"],"references-count":50,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-61152-5_6","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"7 July 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}