{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:40:52Z","timestamp":1779100852605,"version":"3.51.4"},"reference-count":68,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,7,15]],"date-time":"2024-07-15T00:00:00Z","timestamp":1721001600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"CSIRO\u2019s Collaborative Intelligence (CINTEL) Future Science Platform"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Internet Technol."],"published-print":{"date-parts":[[2024,8,31]]},"abstract":"\n Security Operations Centres (SOCs) play a pivotal role in defending organisations against evolving cyber threats. They function as central hubs for detecting, analysing, and responding promptly to cyber incidents with the primary objective of ensuring the confidentiality, integrity, and availability of digital assets. However, they struggle against the growing problem of alert fatigue, where the sheer volume of alerts overwhelms SOC analysts and raises the risk of overlooking critical threats. In recent times, there has been a growing call for human-AI teaming, wherein humans and AI collaborate with each other, leveraging their complementary strengths and compensating for their weaknesses. The rapid advances in AI and the growing integration of AI-enabled tools and technologies within SOCs give rise to a compelling argument for the implementation of human-AI teaming within the SOC environment. Therefore, in this article, we present our vision for human-AI teaming to address the problem of alert fatigue in the SOC. We propose the \ud835\udc9c\n 2<\/jats:sup>\n \ud835\udc9e Framework, which enables flexible and dynamic decision making by allowing seamless transitions between automated, augmented, and collaborative modes of operation. Our framework allows AI-powered automation for routine alerts, AI-driven augmentation for expedited expert decision making, and collaborative exploration for tackling complex, novel threats. By implementing and operationalising \ud835\udc9c\n 2<\/jats:sup>\n \ud835\udc9e, SOCs can significantly reduce alert fatigue while empowering analysts to efficiently and effectively respond to security incidents.\n <\/jats:p>","DOI":"10.1145\/3670009","type":"journal-article","created":{"date-parts":[[2024,5,30]],"date-time":"2024-05-30T07:09:48Z","timestamp":1717052988000},"page":"1-22","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":43,"title":["Towards Human-AI Teaming to Mitigate Alert Fatigue in Security Operations Centres"],"prefix":"10.1145","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-6138-7742","authenticated-orcid":false,"given":"Mohan","family":"Baruwal Chhetri","sequence":"first","affiliation":[{"name":"CSIRO's Data61, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9090-0579","authenticated-orcid":false,"given":"Shahroz","family":"Tariq","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3352-0486","authenticated-orcid":false,"given":"Ronal","family":"Singh","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Melbourne Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1335-2139","authenticated-orcid":false,"given":"Fatemeh","family":"Jalalvand","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Melbourne Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3816-0176","authenticated-orcid":false,"given":"Cecile","family":"Paris","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3289-6599","authenticated-orcid":false,"given":"Surya","family":"Nepal","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,7,15]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2020.2996587"},{"key":"e_1_3_2_3_2","first-page":"2783","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922)","author":"Alahmadi Bushra A.","year":"2022","unstructured":"Bushra A. Alahmadi, Louise Axon, and Ivan Martinovic. 2022. 99% false positives: A qualitative study of SOC analysts\u2019 perspectives on security alarms. In Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922). 2783\u20132800."},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1080\/1463922X.2022.2061080"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCWS53234.2021.9703010"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.artint.2021.103500"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103201"},{"key":"e_1_3_2_8_2","unstructured":"Alexia Cambon Brent Hecht Ben Edelman Donald Ngwe Sonia Jaffe Amy Heger Mihaela Vorvoreanu Sida Peng Jake Hofman Alex Farach Margarita Bermejo-Cano Eric Knudsen James Bono Hardik Sanghavi Sofia Spatharioti David Rosthschild Daniel G. Goldstein Eirini Kalliamvakou Peter Cihon Mert Demirer Michael Schwarz and Jaime Teevan. 2023. Early LLM-Based Tools for Enterprise Information Workers Likely Provide Meaningful Boosts to Productivity. Microsoft."},{"key":"e_1_3_2_9_2","unstructured":"Janis A. Cannon-Bowers Eduardo Salas and Sharolyn Converse. 1993. Shared mental models in expert team decision making. In Individual and Group Decision Making: Current Issues N. M. Castellan Jr. (Ed.). Lawrence Erlbaum Associates 221\u2013246."},{"key":"e_1_3_2_10_2","article-title":"Plan explanations as model reconciliation: Moving beyond explanation as soliloquy","author":"Chakraborti Tathagata","year":"2017","unstructured":"Tathagata Chakraborti, Sarath Sreedharan, Yu Zhang, and Subbarao Kambhampati. 2017. Plan explanations as model reconciliation: Moving beyond explanation as soliloquy. arXiv preprint arXiv:1701.08317 (2017).","journal-title":"arXiv preprint arXiv:1701.08317"},{"key":"e_1_3_2_11_2","unstructured":"Jessie Y. Chen Katelyn Procci Michael Boyce Julia Wright Andre Garcia and Michael Barnes. 2014. Situation Awareness-Based Agent Transparency. ARL-TR-6905. U.S. Army Research Laboratory."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1177\/00187208211009995"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.2308\/accr-10273"},{"key":"e_1_3_2_14_2","volume-title":"SANS 2023 SOC Survey","author":"Crowley Chris","year":"2023","unstructured":"Chris Crowley, Barbara Filkins, and John Pescatore. 2023. SANS 2023 SOC Survey. White Paper. Escal Institute of Advanced Technologies (SANS Institute). https:\/\/www.sans.org\/white-papers\/2023-sans-soc-survey\/"},{"issue":"5","key":"e_1_3_2_15_2","first-page":"B63\u2013B70","article-title":"Augmenting team cognition in human-automation teams performing in complex operational environments","volume":"78","author":"Cuevas Haydee M.","year":"2007","unstructured":"Haydee M. Cuevas, Stephen M. Fiore, Barrett S. Caldwell, and Laura Strater. 2007. Augmenting team cognition in human-automation teams performing in complex operational environments. Aviation, Space, and Environmental Medicine 78, 5 (2007), B63\u2013B70.","journal-title":"Aviation, Space, and Environmental Medicine"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/3418034"},{"key":"e_1_3_2_17_2","unstructured":"Statista Research Department. 2023. Size of Cyber Security Market Worldwide from 2019 to 2030. Retrieved July 23 2023 from https:\/\/www.statista.com\/statistics\/1256346\/worldwide-cyber-security-market-revenues\/"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445188"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1177\/154193128803200221"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1518\/001872095779049543"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1177\/0018720816681350"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2022.107574"},{"key":"e_1_3_2_23_2","doi-asserted-by":"crossref","unstructured":"Steven R. Gomez Vincent Mancuso and Diane Staheli. 2019. Considerations for human-machine teaming in cybersecurity. In Augmented Cognition. Lecture Notes in Computer Science Vol. 11580. Springer 153\u2013168.","DOI":"10.1007\/978-3-030-22419-6_12"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.3390\/s21144759"},{"key":"e_1_3_2_25_2","article-title":"Policy shaping: Integrating human feedback with reinforcement learning","volume":"26","author":"Griffith Shane","year":"2013","unstructured":"Shane Griffith, Kaushik Subramanian, Jonathan Scholz, Charles L. Isbell, and Andrea L. Thomaz. 2013. Policy shaping: Integrating human feedback with reinforcement learning. Advances in Neural Information Processing Systems 26 (2013), 1\u20139.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.chb.2022.107451"},{"key":"e_1_3_2_28_2","article-title":"Machine learning with a reject option: A survey","volume":"2107","author":"Hendrickx Kilian","year":"2021","unstructured":"Kilian Hendrickx, Lorenzo Perini, Dries Van der Plas, Wannes Meert, and Jesse Davis. 2021. Machine learning with a reject option: A survey. arXiv abs\/2107.11277 (2021).","journal-title":"arXiv"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.bushor.2018.03.007"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491209"},{"key":"e_1_3_2_31_2","first-page":"97","volume-title":"Proceedings of the 19th Symposium on Usable Privacy and Security (SOUPS\u201923)","author":"Kersten Leon","year":"2023","unstructured":"Leon Kersten, Tom Mulders, Emmanuele Zambon, Chris Snijders, and Luca Allodi. 2023. \u2018Give Me Structure\u2019: Synthesis and evaluation of a (network) threat analysis process supporting Tier 1 investigations in a security operation center. In Proceedings of the 19th Symposium on Usable Privacy and Security (SOUPS\u201923). 97\u2013111."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1145\/3461702.3462516"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCWS48432.2020.9292394"},{"key":"e_1_3_2_34_2","unstructured":"K. Knerler I. Parker and C. Zimmerman. 2022. Eleven Strategies of a World-Class Cybersecurity Operations Center. MITRE."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354239"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1037\/0022-3514.77.6.1121"},{"key":"e_1_3_2_37_2","first-page":"442","volume-title":"Proceedings of the Human Factors and Ergonomics Society Annual Meeting","volume":"63","author":"Paul Celeste Lyn","year":"2019","unstructured":"Celeste Lyn Paul, Leslie M. Blaha, Corey K. Fallon, Cleotilde Gonzalez, and Robert S. Gutzwiller. 2019. Opportunities and challenges for human-machine teaming in cybersecurity operations. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, Vol. 63. SAGE Publications, Los Angeles, CA, 442\u2013446."},{"key":"e_1_3_2_38_2","article-title":"Predict responsibly: Improving fairness and accuracy by learning to defer","volume":"31","author":"Madras David","year":"2018","unstructured":"David Madras, Toni Pitassi, and Richard Zemel. 2018. Predict responsibly: Improving fairness and accuracy by learning to defer. Advances in Neural Information Processing Systems 31 (2018), 1\u201311.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_39_2","article-title":"Predict responsibly: Improving fairness and accuracy by learning to defer","volume":"31","author":"Madras David","year":"2018","unstructured":"David Madras, Toni Pitassi, and Richard Zemel. 2018. Predict responsibly: Improving fairness and accuracy by learning to defer. Advances in Neural Information Processing Systems 31 (2018), 1\u201311.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_40_2","unstructured":"Trend Micro. 2021. A Global Study: Security Operations on the Backfoot. Retrieved August 16 2022 from https:\/\/www.multivu.com\/players\/English\/8967351-trend-micro-cybersecurity-tool-sprawl-drives-plans-outsource-detection-response"},{"key":"e_1_3_2_41_2","unstructured":"National Academies of Sciences Engineering and Medicine and others. 2022. Human-AI Teaming: State-of-the-Art and Research Needs. Consensus Study Report. National Academies of Sciences Engineering and Medicine."},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1037\/1089-2680.2.2.175"},{"key":"e_1_3_2_43_2","article-title":"Pervasive label errors in test sets destabilize machine learning benchmarks","author":"Northcutt Curtis G.","year":"2021","unstructured":"Curtis G. Northcutt, Anish Athalye, and Jonas Mueller. 2021. Pervasive label errors in test sets destabilize machine learning benchmarks. arXiv preprint arXiv:2103.14749 (2021).","journal-title":"arXiv preprint arXiv:2103.14749"},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.CSW"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/3468.844354"},{"key":"e_1_3_2_46_2","unstructured":"Cecile Paris and Andrew Reeson. 2021. What\u2019s the secret to making sure AI doesn\u2019t steal your job? Work with it not against it. The Conversation. Retrieved May 31 2024 from https:\/\/theconversation.com\/whats-the-secret-to-making-sure-ai-doesnt-steal-your-job-work-with-it-not-against-it-172691"},{"key":"e_1_3_2_47_2","unstructured":"Ani Petrosyan. 2023. Estimated Cost of Cybercrime Worldwide 2017-2028. Retrieved July 23 2023 from https:\/\/www.statista.com\/forecasts\/1280009\/cost-cybercrime-worldwide"},{"key":"e_1_3_2_48_2","first-page":"2","volume-title":"Proceedings of International Conference on Intelligence Analysis","volume":"5","author":"Pirolli Peter","year":"2005","unstructured":"Peter Pirolli and Stuart Card. 2005. The sensemaking process and leverage points for analyst technology as identified through cognitive task analysis. In Proceedings of International Conference on Intelligence Analysis, Vol. 5. 2\u20134."},{"key":"e_1_3_2_49_2","first-page":"121","volume-title":"Next-Generation Analyst III","author":"Preece Alun","year":"2015","unstructured":"Alun Preece, Will Webberley, and Dave Braines. 2015. Conversational sensemaking. In Next-Generation Analyst III, Vol. 9499. SPIE, 121\u2013129."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1007\/s41469-021-00095-2"},{"key":"e_1_3_2_51_2","unstructured":"PurpleSec. 2023. Cyber Security Statistics: The Ultimate List of Stats Data & Trends for 2023. Retrieved April 9 2023 from https:\/\/purplesec.us\/resources\/cyber-security-statistics"},{"key":"e_1_3_2_52_2","doi-asserted-by":"crossref","unstructured":"Andreas Reisser Manfred Vielberth Sofia Fohringer and G\u00fcnther Pernul. 2022. Security operations center roles and skills: A comparison of theory and practice. In Data and Applications Security and Privacy XXXVI. Lecture Notes in Computer Science Vol. 13383. Springer 316\u2013327.","DOI":"10.1007\/978-3-031-10684-2_18"},{"key":"e_1_3_2_53_2","volume-title":"2022 Devo SOC Performance Report","author":"Research Wakefield","year":"2022","unstructured":"Wakefield Research. 2022. 2022 Devo SOC Performance Report. White Paper. Wakefield Research. https:\/\/www.devo.com\/resources\/analyst-research\/2022-devo-soc-performance-report\/"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1037\/0033-2909.100.3.349"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1177\/1555343416682891"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/3586183.3606756"},{"key":"e_1_3_2_57_2","first-page":"347","volume-title":"Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS\u201915)","author":"Sundaramurthy Sathya Chandran","year":"2015","unstructured":"Sathya Chandran Sundaramurthy, Alexandru G. Bardas, Jacob Case, Xinming Ou, Michael Wesch, John McHugh, and S. Raj Rajagopalan. 2015. A human capital model for mitigating security analyst burnout. In Proceedings of the 11th Symposium on Usable Privacy and Security (SOUPS\u201915). 347\u2013359."},{"key":"e_1_3_2_58_2","volume-title":"Voice of the SOC 2023 Report","year":"2023","unstructured":"Tines. 2023. Voice of the SOC 2023 Report. White Paper. Tines. https:\/\/www.tines.com\/reports\/voice-of-the-soc-2023"},{"key":"e_1_3_2_59_2","article-title":"Assured autonomy: Path toward living with autonomous systems we can trust","author":"Topcu Ufuk","year":"2020","unstructured":"Ufuk Topcu, Nadya Bliss, Nancy Cooke, Missy Cummings, Ashley Llorens, Howard Shrobe, and Lenore Zuck. 2020. Assured autonomy: Path toward living with autonomous systems we can trust. arXiv preprint arXiv:2010.14443 (2020).","journal-title":"arXiv preprint arXiv:2010.14443"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1126\/science.185.4157.1124"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1126\/science.7455683"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3045514"},{"key":"e_1_3_2_63_2","volume-title":"The State of Security Automation","author":"Briefing Virtual Intelligence","year":"2021","unstructured":"Virtual Intelligence Briefing. 2021. The State of Security Automation. Technical Report. Palo Alto Networks. https:\/\/start.paloaltonetworks.com\/The-State-of-SOAR-Automation"},{"key":"e_1_3_2_64_2","unstructured":"Sarah Myers West Meredith Whittaker and Kate Crawford. 2019. Discriminating Systems: Gender Race and Power in AI\u2014Report. AI Now Institute."},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1093\/comjnl\/25.4.465"},{"key":"e_1_3_2_66_2","volume-title":"Proceedings of the 29th International Joint Conference on Artificial Intelligence (IJCAI\u201920). Article 212, 8 pages.","author":"Wilder Bryan","year":"2021","unstructured":"Bryan Wilder, Eric Horvitz, and Ece Kamar. 2021. Learning to complement humans. In Proceedings of the 29th International Joint Conference on Artificial Intelligence (IJCAI\u201920). Article 212, 8 pages."},{"key":"e_1_3_2_67_2","article-title":"AutoGen: Enabling next-gen LLM applications via multi-agent conversation framework","author":"Wu Qingyun","year":"2023","unstructured":"Qingyun Wu, Gagan Bansal, Jieyu Zhang, Yiran Wu, Shaokun Zhang, Erkang Zhu, Beibin Li, Li Jiang, Xiaoyun Zhang, and Chi Wang. 2023. AutoGen: Enabling next-gen LLM applications via multi-agent conversation framework. arXiv preprint arXiv:2308.08155 (2023).","journal-title":"arXiv preprint arXiv:2308.08155"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1145\/3491102.3517582"},{"key":"e_1_3_2_69_2","article-title":"Imitation learning: Progress, taxonomies and challenges","author":"Zheng Boyuan","year":"2022","unstructured":"Boyuan Zheng, Sunny Verma, Jianlong Zhou, Ivor W. Tsang, and Fang Chen. 2022. Imitation learning: Progress, taxonomies and challenges. IEEE Transactions on Neural Networks and Learning Systems. Published Online, October 25, 2022.","journal-title":"IEEE Transactions on Neural Networks and Learning Systems."}],"container-title":["ACM Transactions on Internet Technology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3670009","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3670009","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:05:44Z","timestamp":1750291544000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3670009"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,15]]},"references-count":68,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,8,31]]}},"alternative-id":["10.1145\/3670009"],"URL":"https:\/\/doi.org\/10.1145\/3670009","relation":{},"ISSN":["1533-5399","1557-6051"],"issn-type":[{"value":"1533-5399","type":"print"},{"value":"1557-6051","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,15]]},"assertion":[{"value":"2024-01-03","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-05-23","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-15","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}