A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance

UNCW Author/Contributor (non-UNCW co-authors, if there are any, appear on document): Lucas Layman (Creator); William Roden (Creator)
Institution: The University of North Carolina Wilmington (UNCW ); Web Site: http://library.uncw.edu/

Abstract: Organizations use intrusion detection systems (IDSes) to identify harmful activity among millions of computer network events. Cybersecurity analysts review IDS alarms to verify whether malicious activity occurred and to take remedial action. However, IDS systems exhibit high false alarm rates. This study examines the impact of IDS false alarm rate on human analyst sensitivity (probability of detection), precision (positive predictive value), and time on task when evaluating IDS alarms. A controlled experiment was conducted with participants divided into two treatment groups, 50% IDS false alarm rate and 86% false alarm rate, who classified whether simulated IDS alarms were true or false alarms. Results show statistically significant differences in precision and time on task. The median values for the 86% false alarm rate group were 47% lower precision and 40% slower time on task than the 50% false alarm rate group. No significant difference in analyst sensitivity was observed.

A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance
PDF (Portable Document Format)
261 KB
Created on 7/13/2023
Views: 290

Additional Information

Publication: https://doi.org/10.48550/arXiv.2307.07023; Language: English; Date: 2023
Keywords: intrusion detection systems, cybersecurity, false alarm rates

Email this document to

Browse All

Theses & Dissertations

Submissions

A Controlled Experiment on the Impact of Intrusion Detection False Alarm Rate on Analyst Performance

Additional Information