Modeling Information Pooling Bias in Incident Response Teams: An Agent Based Modeling Approach

Abstract

Security analysts regularly correlate disparate incidents to detect cyber-attacks. However, past research shows that team-based incident correlation analysis may be affected by information pooling bias. This article presents findings from an agent-based model used to explore the cognitive processes hypothesized to be causing this bias during information exchange within a team. The model simulated information exchange between three analysts conducting incident correlation analysis by searching for information available with them about the different incidents. Three models of memory search process were compared: Random, Local, and Memory-aided search. Results from the simulation show that agents in a local search model, compared to memory-aided search model, shared more often the information known to majority in the team. Comparing model results with data from lab experiments suggest that teams, by default, may be employing a heuristic search process during information exchange leading to sub-optimal team processes and performance.

Get full access to this article

View all access options for this article.

References

Burnstein

Vinokur

(1977). Persuasive argumentation and social comparison as determinants of attitude polarization. Journal of Experimental Social Psychology, 13(4), 315-332.

Goodall

J. R.

Lutters

W. G.

Komlodi

(2004, November). I know my network: collaboration and expertise in intrusion detection. In Proceedings of the 2004 ACM conference on Computer supported cooperative work (pp. 342-345).

Hill

G. W.

(1982). Group versus individual performance: Are N1 heads better than one? Psychological Bulletin, 91(3), 517-539.

Kahneman

Klein

(2009). Conditions for intuitive expertise: A failure to disagree. American Psychologist, 64(6), 515.

Kruschke

J. K.

(2013). Bayesian estimation supersedes the t-test. Journal of Experimental Psychology: General, 142(2), 573.

Liu

Chen

Lin

(2013). A novel search engine to uncover potential victims for APT investigations. Network and parallel computing (pp. 405-416) Springer.

Yuan

Y. C.

McLeod

P. L.

(2012). Twenty-five years of hidden profiles in group decision making: A meta-analysis Journal of the Society for Personality and Social Psychology. 16(1), 54-75.

Miller

G. A.

(1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review, 63(2), 81.

Puvathingal

B. J.

Hantula

D. A.

(2012). Revisiting the psychology of intelligence analysis: From rational actors to adaptive thinkers. American Psychologist, 67(3), 199.

10.

Rajivan

Cooke

N. J.

(2018). Information-pooling bias in collaborative security incident correlation analysis. Human factors, 60(5), 626-639.

11.

Railsback

S. F.

Grimm

(2019). Agent-based & individual- based modeling: a practical introduction. Princeton university press.

12.

Russell

S. J.

Norvig

(2016). Artificial intelligence: a modern approach. Malaysia; Pearson Education Limited.

13.

Stasser

Titus

(1985). Pooling of unshared information in group decision making: Biased information sampling during discussion. Journal of Personality and Social Psychology, 48(6), 1467.

14.

Straus

S. G.

Parker

A. M.

Bruce

J. B.

(2011). The group matters: A review of processes & outcomes in intelligence analysis. Group Dynamics: Theory, Research, & Practice, 15(2), 128.

15.

Wittenbaum

G. M.

Hollingshead

A. B.

Botero

I. C.

(2004). From cooperative to motivated information sharing in groups: Moving beyond the hidden profile paradigm. Communication Monographs, 71(3), 286-310.