Discussion

profileJames00712212
out3.pdf

SECURITY ANALYTICS TOOLS AND IMPLEMENTATION SUCCESS FACTORS:

INSTRUMENT DEVELOPMENT USING DELPHI APPROACH AND EXPLORATORY

FACTOR ANALYSIS

By

Sethuraman K Srinivas

BERNARD J. SHARUM, PhD, Faculty Mentor and Chair

JOHN HERR, PhD, Committee Member

JELENA VUCETIC, PhD, Committee Member

Rhonda Capron, EdD, Dean

School of Business and Technology

A Dissertation Presented in Partial Fulfillment

Of the Requirements for the Degree

Doctor of Philosophy

Capella University

March 2018

ProQuest Number:

All rights reserved

INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed,

a note will indicate the deletion.

ProQuest

Published by ProQuest LLC ( ). Copyright of the Dissertation is held by the Author.

All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code

Microform Edition © ProQuest LLC.

ProQuest LLC. 789 East Eisenhower Parkway

P.O. Box 1346 Ann Arbor, MI 48106 - 1346

10807845

10807845

2018

© Sethuraman K Srinivas, 2018

Abstract

Over the past two decades, information security scientists have conducted in-depth research in

the area of security analytics to counter cyber-attacks that have challenged the security postures

of corporate networks and data. Learning from this research has immensely benefited security

analytic tools and contributed to their maturity, thereby enabling many organizations to

implement them. While adoption of these tools has increased, understanding factors that impact

the successful implementation of these tools has lagged and such understanding is critical to the

information security practice. The literature review revealed the lack of a validated survey

instrument dedicated to security analytic tools, which can help in extracting implementation

factors that security professionals would consider to be critical for success. The focus of this

research study was to develop a survey instrument and use the developed instrument to identify

factors that impact the successful implementation of any security analytic tool, including big data

based tools. Delphi method was used to develop the instrument in Phase 1 with the help of

security analytic tool experts located in the United States of America, and the same instrument

was used to collect responses during Phase 2 from practitioners located in North America. The

researcher used Delphi method for establishing content validity, exploratory factor analysis for

establishing construct validity and Cronbach’s alpha for testing reliability. The Delphi study

started with 16 experts in the first round, ended with 11 experts providing consensus in the fourth

round. An exploratory factor analysis study performed during Phase 2, involving a sample size of

206, identified seven factors that impacted the successful implementation of security analytic

tools. These factors are: large-scale security event analysis, functional utilization, incident

detection and correlation analysis, governance and chief information security officer metrics, log

source and use case management, threat and operational intelligence, real-time attack and

anomaly detection. By defining metrics for these factors, practitioners could use these factors as

key performance indicators to assess the success of security analytic tool implementation.

Exploring causal relationships among identified factors, such as threat intelligence and incident

detection, will help in tuning security analytic tools and products.

iii

Dedication

I primarily dedicate this dissertation to my spiritual master and one of the greatest

humanitarians to walk this earth, Shri Mata Amritanandamayi Devi. Her loving presence greatly

inspired me to pursue this mammoth academic effort. I also dedicate this dissertation to the Non-

Dual Brahman (Creator), the Essence in all living and nonliving beings. My late father Shri K.V.

Srinivasan was alive when I started this pursuit but passed on to ages during this doctoral

journey. An exemplar of a man he was, and he truly deserves this dedication. I am sure he will be

doubly joyed in heaven.

I also dedicate this dissertation to my vibrant mother, Smt Saraswathy Srinivasan, who

takes enormous pride in all my accomplishments. She is a truly inspiring mother, filled with

myriad talents, and her disciplining nature is the main reason that I stand as a successful man in

all walks of life. No effort of a family man is achievable without the strong support of a spouse.

My wife, Sow Subha Sethuraman, was a great and unfailing support to me throughout this

journey. She spared no efforts in providing a conducive environment for my doctoral journey, in

particular, during the intense preparation for my comprehensive exams. My son, Naveen

Sethuraman, sacrificed a lot of weekend getaways to support me and was able to be highly

independent in his homework and assignments, thereby giving me a lot of time to work on my

dissertation.

iv

Acknowledgments

I profusely thank and acknowledge the guidance and mentorship provided by Dr. Bernard

Sharum, mentor and committee chair. His patience with all my questions and concerns that arose

during this journey needs a special mention. Without his guidance, I would not have made good

progress. I also wish to thank Dr. Jelena Vucetic and Dr. John Herr for their timely support and

guidance during this journey. My sincere thanks to both of them for their encouraging approach.

I am also very thankful to Dr. Shardul Pandya, core faculty member at Capella, for his positive

and motivational words. His help in orienting me to Delphi studies and readiness to answer my

calls are greatly appreciated. My sincere thanks to Dr. Steven Brown, core faculty member in the

information assurance department at Capella, for his guidance during the Delphi study and also

during the final stages of data analysis. I hereby express my heartfelt gratitude to Dr. Tsun

Chow, faculty chair of doctoral IT Programs, for his stellar guidance that greatly enhanced the

quality of this dissertation, during the school review.

My wife, Sow Subha Sethuraman, despite being an extremely busy information

technology start-up professional, dedicated a lot of her time to this dissertation to support me.

Her help in reviewing my documents and her thoroughness in her execution is a rarity in this fast

age. I lovingly acknowledge her unflinching support.

I sincerely thank Mr. Jayakumar Muthukumarsamy (JK), chief architect and fellow at

Shutterfly Inc., who was a source of great support during my dissertation. He provided a lot of

useful ideas during the data analysis stage. My sincere thanks are due to Mr. Srinivas

Tummalapenta, chief architect and distinguished engineer, IBM managed security services. He

v

provided immense guidance during the pre-Delphi field study and also during the data analysis

phase.

Finally, I also want to thank every expert who helped me during the Delphi study rounds.

Their incisive inputs made a big contribution to the Delphi study and its output.

vi

Table of Contents

Acknowledgments.............................................................................................................. iv

List of Tables ..................................................................................................................... ix

List of Figures ..................................................................................................................... x

CHAPTER 1. INTRODUCTION ................................................................................................... 1

Background of the Problem ................................................................................................ 1

Statement of the Problem .................................................................................................... 2

Purpose of the Study ........................................................................................................... 4

Significance of the Study .................................................................................................... 5

Research Questions ............................................................................................................. 7

Definitions of Terms ........................................................................................................... 7

Research Design.................................................................................................................. 8

Assumptions and Limitations ........................................................................................... 11

Organization of the Remainder of the Study .................................................................... 13

CHAPTER 2. LITERATURE REVIEW ...................................................................................... 14

Overview ........................................................................................................................... 14

Methods of Searching ....................................................................................................... 14

Theoretical Orientation for the Study ............................................................................... 15

Review of the Literature ................................................................................................... 29

Critique of Previous Research Methods ........................................................................... 45

Findings............................................................................................................................. 47

Summary ........................................................................................................................... 51

vii

CHAPTER 3. METHODOLOGY ................................................................................................ 55

Purpose of the Study ......................................................................................................... 55

Research Questions ........................................................................................................... 57

Research Design................................................................................................................ 57

Procedures ......................................................................................................................... 59

Likert Scale Instrument ..................................................................................................... 71

Ethical Considerations ...................................................................................................... 72

Summary ........................................................................................................................... 73

CHAPTER 4. RESULTS .............................................................................................................. 74

Background ....................................................................................................................... 74

Research Questions ........................................................................................................... 74

Description of the Sample ................................................................................................. 75

Delphi Study ..................................................................................................................... 81

EFA ................................................................................................................................... 93

Summary ......................................................................................................................... 102

CHAPTER 5. DISCUSSION, IMPLICATIONS, AND RECOMMENDATIONS ................... 104

Introduction ..................................................................................................................... 104

Summary of the Results .................................................................................................. 104

Discussion of the Results ................................................................................................ 107

Findings........................................................................................................................... 114

Conclusions Based on the Results .................................................................................. 114

Limitations ...................................................................................................................... 118

viii

Implications for Practice ................................................................................................. 119

Recommendations for Further Research ......................................................................... 121

Conclusion ...................................................................................................................... 123

REFERENCES ........................................................................................................................... 124

STATEMENT OF ORIGINAL WORK ..................................................................................... 136

APPENDIX A. RESEARCHER-DESIGNED SECURITY ANALYTICS SURVEY .............. 138

ix

List of Tables

Table 1 Assessment of Security Analytics Tools ......................................................................... 47

Table 2 Delphi Panel Member Experience ................................................................................... 77

Table 3 Participant Domain Experience ....................................................................................... 80

Table 4 Participant Industry .......................................................................................................... 81

Table 5 Results of the Delphi Rounds .......................................................................................... 82

Table 6 Delphi Round 1– Descriptive Statistics ........................................................................... 84

Table 7 Delphi Round 2 – Descriptive Statistics .......................................................................... 86

Table 8 Delphi Round 3 – Descriptive Statistics .......................................................................... 89

Table 9 Delphi Round 4 – Descriptive Statistics .......................................................................... 91

Table 10 Sample Adequacy Test ................................................................................................. 93

Table 11 Total Variance Explained (SPSS) .................................................................................. 95

Table 12 Rotated Factor Matrix – SPSS Output ........................................................................... 97

Table 13 Reliability – Overall Instrument Level ........................................................................ 100

Table 14 Case Processing Summary ........................................................................................... 100

Table 15 Cronbach’s Alpha at Factor Level ............................................................................... 101

Table 16 Factor Names ............................................................................................................... 102

Table 17 Factor Definitions ........................................................................................................ 108

Table 18 Factors and Subfactors ................................................................................................. 116

x

List of Figures

Figure 1. Security analytics – Theoretical foundation. ................................................................. 17

Figure 2. Security analytics: A functional architecture. ............................................................... 51

Figure 3. High-level research design. ........................................................................................... 58

Figure 4. Delphi study process flow. ............................................................................................ 64

Figure 5. Security analytics research – A waterfall approach to orient the Delphi study

participant. ................................................................................................................. 79

Figure 6. Phase 2 – EFA study...................................................................................................... 94

Figure 7. SPSS scree plot analysis. ............................................................................................... 96

1

CHAPTER 1. INTRODUCTION

This chapter introduces the topic of assessing the implementation of security analytic

tools. There is an increasing trend towards adoption of security analytic tools among North

American organizations. This trend necessitates the creation and validation of a survey

instrument focused on security analytics leading to the identification of implementation success

factors. This chapter states the research questions in the context of the problem’s background.

These questions form the basis for further research and identification of factors. This chapter

explains the purpose and significance of this research along with research design, assumptions,

and limitations. A description of the organization of the remainder of this study is provided at the

end of this chapter

Background of the Problem

Cyber-attacks have become a daily phenomenon over the past few years, with hacker

strategies becoming very sophisticated and vicious. Botnet-based attacks, advanced persistent

threat (APT) attacks, malware attacks, denial of service (DoS) attacks, and insider attacks are

flooding corporate networks all over the world. These attacks and threats form a major part of

daily security incidents in many enterprises. Cardenas, Manadhata, and Rajan (2013) observed

that enterprises collect terabytes of security log data every day, which leads to challenges even in

storage management. Analyzing large volumes of log data to identify security anomalies that

impact the safety of corporate businesses is a greater problem. The need for enterprises to

comply with national legislation such as Sarbanes-Oxley and payment card industry (PCI)

2

mandates, combined with normal security operations, are contributing to increases in log data.

Van de Moosdijk, Wagenaar, and Final (2015) elaborated on the contribution of log management

and security analytics in fulfilling compliance laws. These laws mandate retention of many years

of log data to satisfy auditing requirements.

As Crespo and Garwood (2014) epitomized in their botnet-related article, identifying

security incidents and correlating large and real-time security data segments to extract actionable

intelligence has warranted the need for deeper and faster analytics. The size, speed, and precision

of this analytics differ based on the need of the enterprise. Mahmood and Afzal (2013) presented

a very comprehensive survey of big data security analytic tools in their analysis of security

analytic trends. Their findings portrayed the capability of big data tools in managing security

incidents.

Most assessments in security analytics deal with self-assessment by product inventors or

tool comparisons by third-party critics. Enterprises that implement market-leading security

analytic tools or in-house tools are the real benefactors of these tools. The end users from these

organizations are in a better position to assess and rate these tools’ benefits and downsides.

Scholar-practitioners in the security analytic domain also benefit immensely from an unbiased

evaluation of these tools by experts and end users.

Statement of the Problem

The research literature on the security analytics domain indicates that there is an

explosive growth of tools and in-house packages in this domain. Such tools are starting to attain

maturity in terms of ensuring the safety of enterprises. However, there is no clear set of factors

and attributes to evaluate the success of these tools within an enterprise. Nicolett and Kavanagh

(2013) studied the critical capabilities of security analytics tools, and they found a relationship

3

between tool capabilities and effectiveness. However, they did not clearly state the areas within

these tools that needed an examination to conclude a successful implementation. Mateski et al.

(2012) defined cyber threat metrics as a part of their research work for Sandia National

Laboratories. While metrics measure the effectiveness of the governance aspects of security

analytic tools, we do not have exhaustive feedback from the user community of these security

analytic tools. The first part of the research problem is a lack of structured assessment of security

analytic tools from the user’s perspective in the currently available and surveyed literature. The

second part of the problem is a lack of identified factors that determine a successful

implementation of security analytic tools according to the tool users and experts.

Shackleford (2014) surveyed the existing commercial security analytic tools from the

perspective of product architecture. Shackleford did not assess whether these tools revealed a

successful implementation, leading to the safety of an enterprise. Howarth (2014) discussed in

detail the actionable intelligence that was generated by the security analytic tools. For example,

actionable intelligence refers to recommending a list of infected endpoint devices that need to be

quarantined. Howarth’s discussion did not focus on broader factors that influence a successful

implementation of security analytic tools. Mahmood and Afzal (2013) presented a

comprehensive survey of big data security analytic tools in their analysis of security analytic

trends. Even though they focused on big data security analytics as a domain, there was no

discussion on identification of factors to assess the success of an implementation. Hence, the

research problem (i.e., determining the factors that influence a successful implementation of

security analytics tools, leading to the safety of an enterprise) is a fresh problem and a gap in the

information security industry that needs to be addressed.

4

Use cases are similar to user scenarios and are driven by the risk scenarios that a security

analytic tool vendor is trying to address. Van de Moosdijk, Wagenaar, and Final (2015) asserted

that use cases are fundamental to security analytic tools. Nicolett and Kavanagh’s (2013) as a

part of their Gartner study identified three use cases for assessing a security analytic tool. These

use cases are threat management, compliance, and tool deployment. These use cases were

standardized based on the opinion of a few research analysts and addressed only a subsection of

security analytic tool assessment problem. Shackleford’s (2014) survey focused on popular

product features such as architecture and performance, in the domain of security analytics.

Above citations point to the fact that commercial surveys are built based on popular product

features and architecture. But the imminent need is a common and broad assessment framework

that will help to remove the bias in commercial product surveys. Cybenko and Landwehr (2012)

recognized that assessment produced by above-mentioned commercial surveys are likely to be

biased towards the sponsor of the survey. Another significant gap in commercial surveys that are

cited above is the lack of validated survey instrument produced by a panel of unbiased and

anonymous experts.

Purpose of the Study

The major goals of this study are to identify factors that determine the successful

implementation of security analytic tools that could be used to ensure the security of any

enterprise. The general problem that is addressed in this research is the lack of a structured

method or instrument to assess the implementation of security analytic tools in any given

organization. Development of such an instrument can solve the broader problem of lack of a

structured assessment method in the field of security analytics. However, literature analysis

revealed that the narrower research problem is the lack of factors that can be used to assess an

5

implementation. Shackleford (2014) developed a commercial survey in the domain of security

analytics which focused more on product features and did not use technology-neutral

implementation factors. Ferketich, Phillips, and Verran (1993) suggested that a researcher

modify an existing instrument or create a new instrument in the absence of a suitable instrument

to answer the research question. The creation of a new survey instrument with a broad focus on

all generations of security analytic tools is the first step that would lead to the extraction of

implementation factors. Since there was no instrument available to survey users of security

analytic tools, a Delphi study to build a questionnaire with the help of experts in the

cybersecurity industry was the immediate first step, and it formed Phase 1 of this research study.

Significance of the Study

The assessment of the implementation of security analytic tools is the broad goal of this

research study. This study is significant due to the recent proliferation of new security analytic

tools, both from popular vendors and independent scientists trying to analyze large volumes of

data to identify cyber-attacks. Security analytic tools, in the context of this research study,

include in-house solutions, intrusion detection and prevention solutions (IDPS), commercial

security information and event management (SIEM) tools, and solutions with big data capability.

The main beneficiaries of this study will be both professionals and researchers in the information

security industry.

The ultimate goal of this study is to identify factors that determine the successful

implementation of security analytic tools. The factors are identified after an initial survey

instrument is built. This study would provide many benefits to the information security industry

and its professionals. Some of the significant benefits are (a) identifying the implementation

areas of focus for security analytic tools. For example, certain types of tools may not have strong

6

focus on correlation processes to support correlation analysis of incidents; (b) identifying factors

that will help in ensuring the protection of valuable organizational assets and personally

identifiable information; and (c) identifying factors that will help in the fulfillment of business

stakeholders requirements like log management and compliance with industry compliance laws.

A survey instrument for which the contents and constructs are validated is a necessary pre-

requisite for identifying the implementation factors. This survey instrument will benefit the

researchers in the information security domain.

Commercial surveys do not always consider user inputs from hands-on experts to build

the survey. Nicolett and Kavanagh (2013) analyzed the critical capabilities of commercial SIEM

tools as a part of the Gartner study. This Gartner study is a based on commercial opinion surveys

built using product use-cases. Nicollet and Kavanagh did not examine user perceptions of tools

and factors that users consider as significant for the implementation of these tools. However, this

research study focusses on conducting a survey with end users and extracting factors by

performing factor analysis on the resulting survey data. During Phase 1 of this research study, a

survey instrument was created with a broad focus on all three generation of security analytic

tools. This researcher recruited security analytic industry experts, who had varied

implementation experience, to be part of a Delphi panel to build the initial instrument. The

experts in the Delphi panel and the four rounds of Delphi study contributed to the rigor of Phase

1 process. The participation of experts ensured that the survey instrument provided

implementation specific insights to (a) researchers in the area of security analytics, (b) product

vendors in the field of security analytics, and (c) security analytic tool implementers in any

organization.

7

Future researchers could apply the validated final survey instrument as a starting point for

more focused research. For example, a survey instrument with a specific focus on healthcare

industry or finance industry could be built based on this broader instrument. By determining

industry-specific implementation factors, this type of research attains more depth and maturity.

Vendors and implementers of security analytic products will benefit from the instrument and

factors that are identified by this research study. Some of the benefits are (a) these factors could

provide an initial assessment structure for product assessment, leading to improved product

design; (b) metrics that are defined based on these factors could help implementers to define

service level agreements both for internal use and external use with vendors; and (c) survey

instrument from this research study could be modified and enhanced by focusing only on the

area of tool adoption. For example, after a modification and confirmatory factor analysis, this

instrument could be used to test the conformance of security analytic family of tools to

technology acceptance model (TAM-3) that was defined by Venkatesh and Bala (2008).

Research Questions

Omnibus Research Question (ORQ): What are the factors that determine the successful

implementation of security analytics tools or packages?

Research Subquestion 1 (RSQ1): What are the factors that determine the successful

implementation of non-big data security analytics tools or packages?

Research Subquestion 2 (RSQ2): What are the factors that determine the successful

implementation of big data security analytics tools or packages?

Definitions of Terms

Big data. Big data describes large volumes of high-velocity data and variable data that

require advanced technologies for data management (TechAmerica, 2012).

8

Cyber-attack. A hostile act using a computer or related networks or systems, and

intended to disrupt and/or destroy an adversary’s critical cyber systems, assets, or functions

(Hathaway et al., 2012).

Delphi study. This will be the Phase 1 study. The Delphi method is an iterative process

for consensus-building among a panel of experts who are anonymous to each other (Garson,

2014).

Fraudulent behavior. In this research context, fraudulent behavior refers to fraudulent

hacker behavior in e-banking systems (Malekpour, Khademi, & Minae-Bidgoli, 2014).

Network analytics. A game-theoretic framework for modeling offender-defender

situations in computer networks (Roy et al., 2010).

Non-big data. Any dataset that is not a big dataset. Big data is a term for massive datasets

having large and complex structures with difficulties in storing and analyzing data (Sagiroglu &

Sinanc, 2013).

Probably approximately correct (PAC). The PAC model is the initial standard for

learning programs (Valiant, 1984).

Security analytics. Use of tools, methods, and algorithms that are useful in discovering

security breaches and attacks (Talabis, McPherson, Miyamoto, & Martin, 2014).

User acceptance. User acceptance in this research context refers to four TAM-3

constructs. They are PU, PEOU, behavioral intention, and usage behavior (Ahlan & Ahmad,

2014).

Research Design

The research design for this study was using a quantitative and nonexperimental Delphi

approach in Phase 1. In Phase 2, this study was using exploratory factor analysis (EFA) and

9

reliability analysis. This study consisted of two phases. Phase 1 was a Delphi study with the goal

of arriving at a consensus. The major focus in Phase 1 was the development of a survey

questionnaire. In Phase 2, the researcher conducted an EFA survey with the help of the survey

questionnaire and subjected the data to EFA and reliability analysis to extract the factors that

impact the successful implementation of security analytic tools.

Cardenas et al. (2013) argued that security analytics is a highly advanced technological

topic. However, academic research studies and investigations about this area of security analytics

still take place in nascent and developing conditions. A detailed search by this researcher did not

yield broad and expert-validated survey instruments in the field of security analytics, suitable for

the research questions of this study. Pinsonneault and Kraemer (1993) studied surveys during the

early days of IT growth. Accordingly, scholars invariably use exploratory models to develop

concepts and models of newly arrived fields of research. It is not possible to answer the research

question pertaining to this study by setting up an experiment for the following reasons: (a)

setting up a security analytics tool or SIEM for an experiment is an expensive proposition, (b)

even if the researcher set up an experiment, it would not be possible to simulate the typical

security events and load conditions that happen in a real-world setup, and (c) any results for this

type of research from an experimental approach would not be accurate. Pinsonneault and

Kraemer proposed that researchers conduct surveys to collect data to examine relationships

between variables. However, based on the literature review that follows, no pre-existing Likert

scale survey instrument, suitable for the research questions of this study was available. Hence the

researcher used the Delphi method to develop a survey questionnaire with the help of an expert

panel consisting of security analytic experts. The researcher subsequently performed EFA and

reliability analysis.

10

Data Collection (Delphi Study and EFA Study)

Security analytics, big data, and correlation analysis are areas of applied statistics that

researchers have increasingly used in data analytic tools in the past five to seven years. These

areas and related tools have not been probed with the goal of assessing their effectiveness post-

implementation. Based on the research design requirements of this study, a survey instrument in

the field of security analytics with a broad focus on all three generations of security analytic tools

is needed. Secondary security performance data on security analytic tools, available from many

private and nonprofit organizations, will not reveal the true picture, as these surveys are biased

towards the sponsors. Cybenko and Landwehr (2012) commented that such statistics may be

skewed because there is always a vested interest by major tool vendors sponsoring those surveys.

Delphi data collection usually takes place with a panel of experts, and there might be

three to four rounds of Delphi before panel consensus emerges. In this research study, the

researcher performed Phase 1 using the Delphi technique. In his evaluation of the Delphi

technique, Davidson (2013) asserted the importance of the principle of anonymity. Skulmoski et

al. (2007) mandated four major features of any Delphi study: (a) anonymity of Delphi

participants, (b) an iterative approach that allows the participant to refine his or her views on any

subject matter, (c) controlled feedback from the Delphi coordinator (researcher) to the

participants regarding other perspectives in a Delphi study, and (d) statistical analysis and

aggregation of the group response. Based on the above citations, during Phase 1 of this study, the

researcher circulated an initial questionnaire he had designed among a set of five experts and

then he refined it to establish content validity. This refined survey questionnaire was the first

document that went to the chosen panel of Delphi experts through e-mails. Until consensus

emerged, in each round the researcher collected input from the panel using e-mails. The

11

researcher used the refined survey in Phase 2 to conduct an EFA study through Qualtrics to

collect survey data. The researcher used data from this survey to perform EFA and reliability

analyses to extract the factors that determine the success of any security analytics

implementation.

Assumptions and Limitations

Assumptions

According to Orlikowski and Baroudi (1991), ontological assumptions have connections

to the nature of the phenomenon under investigation. The nature of phenomenon under

investigation may be objective, subjective, or a mix of the two. In the case of this security

analytics study, it is both subjective and objective, as the researcher solicited the opinions of

information security personnel. For this study, security analytic experts applied both their

perception of security analytic tools and their objective experience with the tools in answering

the survey questions.

Jupp (2006) clarified that epistemology deals with methods of achieving knowledge

about reality. The epistemological assumption of this study is positivist, which maintains that

human perception of information security-related data, in the form of security analytic tools,

observed over time, will reveal the true picture about these tools. Information security personnel

working with security analytic tools know from their experience the effect of these tools on the

overall safety of the organization and which factors influence the success of any implementation

most. Iivari (1991) asserted that methodological assumptions deal with choices of research

methods. The Delphi method, as explained by Okoli and Pawlowski (2004), uses consensus to

arrive at the final deliverable. It is the most suitable method for this research study. Pathirage,

Amaratunga, and Haigh (2005) mentioned that axiological assumptions relate to the value of any

12

given research study. In this study, the major stakeholders are information security personnel and

researchers. Apart from the above general assumptions, this researcher has identified a list of

specific assumptions for this study. These assumptions are explained in the following lines.

Experts in the field of security analytics are assumed to have good knowledge of the

implementation specifics and issues of security analytic tools. Participants for the Delphi study

were recruited using the LinkedIn professional network. It is assumed that Delphi participants

actually possess the expertise projected in their LinkedIn profile and can understand the Delphi

study orientation document. It was also important that Delphi participants would unbiasedly

participate in the study. This researcher also assumed that Phase 2 study participants were not the

same people who participated in the Phase 1 study and Phase 2 participants will not use proxies.

Limitations

Any restricting factor that limits the scope of this research is a limitation. The researcher

acknowledges a few limitations of this research study. The survey questionnaire validated in the

EFA study (Phase 2) may not be fully representative of the entire population of security analytic

tool users. Pinsonneault and Kraemer (1993) opined that cross-sectional surveys are not fully

representative of the target population. Lack of time prevented the researcher from performing

longitudinal surveys. Phase 2 survey was conducted only in the United States and Canada and no

other country was involved. Hence, this study does not fully reflect the security analytic usage in

other countries and is a geographic limitation. Industry related limitation is applicable to this

study because Phase 2 study focused only on retail, finance, healthcare and government sectors.

Other industries like manufacturing and energy sectors were not included in the study.

13

Organization of the Remainder of the Study

The remainder of the study focusses on the following major areas: (a) a review of extant

literature in security analytics and related areas, (b) an explanation of the research methodology,

(c) the results of the study, and (d) the conclusion of the study.

14

CHAPTER 2. LITERATURE REVIEW

Overview

The increasing usage of security analytic tools and their impact on the safety of corporate

network and applications necessitated a closer examination of this phenomenon using a thorough

literature review leading to a survey instrument to support the research questions. A high-level

theoretical foundation suitable for this study included five theories. Those five theories are (a)

game theory, (b) MapReduce programming model, (c) TAM-3 theory, (d) computational

learning theory, and (e) Dempster-Shafer theory. The literature review provides an overview of

many independent research tools recently developed in the domain of security analytics.

Cardenas et al. (2013) defined three maturity levels for security analytic products, and this

research study has built a survey instrument that contains probing questions applicable to all the

three maturity levels. The literature review also evaluates the connection between the theories

mentioned above and the independent security analytic solutions. The literature review concludes

with a synthesis of the findings, gaps and a critique of the security analytic solutions including

that of commercial surveys done on security analytic products.

Methods of Searching

The search involved seeking out security analytics-related literature in many online

libraries. The researcher used six major sources to search for articles: (a) Capella University’s

online library and subscriptions to book and journal databases, (b) the Association for

15

Computing Machinery (ACM) online digital library, (c) the Institute of Electrical and Electronic

Engineers (IEEE) online digital library, (d) Google Scholar database, (e) ProQuest dissertation

database, and (f) SAGE journal database. The actual search strings that the researcher used were

(a) security analytics, (b) big data security analytics, (c) theories and security analytics, (d)

security analytics game theory, (e) security analytics computational learning theory, (f) security

analytics TAM-3 theory, (g) security analytics map reduce, (h) security analytics DS theory, and

(i) security analytics Dempster-Schafer theory. Capella University’s Summon search tool was

also extensively used in executing the above searches.

Theoretical Orientation for the Study

Foundational Theories

At the core of this research is the subject of security analytics. As this subject involves

connection to the entire landscape of IT within an organization, many foundational theories can

explain the functionality of security analytic tools. One of the significant components of security

analytics is network analytics. It is easy to model network behavior and to extract intelligence

from these models with the help of game theory and evidence theory. Liang and Xiao (2013)

applied game theoretical concepts to network security by exploiting game models inherent to

game theory. Dempster and Shafer developed DS theory and Shafer (1976) named it as the

theory of mathematical evidence. Big data based security analytic products invariably use

MapReduce theoretical concepts in reducing large datasets to smaller datasets, suitable for

extracting actionable insights. Dean and Ghemawat (2010) introduced MapReduce as a

programming model suitable for parallelizing and executing large programs using multiple

computing resources. Venkatesh and Bala (2008) presented technology acceptance model

(TAM-3) to explain the adoption of new technologies by the user community. Application of

16

TAM-3 constructs to the family of security analytic tools will explain the adoption maturity of

those tools. Machine learning concepts explain the learning component of security analytic tools.

Computational learning theory and its application are also useful to the domain of security

analytics. Goldman (1995) provided an explanation for the assessment of learning algorithms

using computational learning theory. A detailed treatment of the above theories is in the

following section. Figure 1 pictorially depicts the theoretical foundation for security analytics.

Game theory. A game in the simplest case is an interaction between two entities in any

given situation. For example, in a game of chess, there are always two players (entities) in play.

Barron (2013) mathematically described games as involving a number of players (N), a set of

strategies for each player, and a quantitative payoff for each player. Von Neumann and

Morgenstern (2007), for the first time, defined game theory in 1944 as a strategy of games to

solve problems in economics. Turocy and von Stengel (2001) discussed the application of game

theory to bidding in online auctions. Game theory is a mathematical tool that can describe and

solve games (Liang & Xiao, 2013). Liang and Xiao further elaborated about game theory in

their classic introduction on the following salient aspects: (a) Category 1 – based on number of

stages in a game, games are classifiable as static games, dynamic games, or stochastic games, (b)

Category 2 – based on information available on player’s actions, games are classifiable as games

of perfect information and games of imperfect information, (c) Category 3 – based on the

completeness of information available for players, games are classifiable as games of complete

information and games of incomplete information, and (d) equilibrium, which is a result or

combination of players’ strategies.

17

Figure 1. Security analytics – Theoretical foundation.

Nash (1950/1997) for the first time established the Nash equilibrium to indicate that finite

games have an equilibrium point. At this point of equilibrium, all players choose the best

possible action given the decisions their opponents make. Non-cooperative games are quite

popular in the world of information security, as such games model attacker and defender

situations.

18

Game theory and security analytics. Liang and Xiao (2013) opined that network

security is a typical game between attackers and defenders. Analyzing network traffic and related

data is a necessary prerequisite for bolstering network security, and it is an integral part of

security analytics. Theoretical inputs play a major role in modeling network situations. Game

theory has a wide variety of applications in network security. Roy et al. (2010) presented a

thorough survey of applications of game theory and argued that game theory-based solutions fill

the lack of a quantitative decision framework in traditional network analytics.

The Nash equilibrium is widely applicable in a multiple player situation. As per this

principle, it is not possible to predict the results of decisions emanating from multiple players in

a game situation by judging players in isolation. Mohammed, Fung, and Debbabi (2011) applied

this principle to solve a data integration problem for very large databases. Usually, an integrated

dataset obtained by joining multiple data sources reveals sensitive data. To solve this problem,

researchers developed a common algorithm based on Nash’s equilibrium principle in which

every data integrator participated. This algorithm isolated malicious participants. This technique

can detect insider attacks. One of the goals of insider attacks in an enterprise is to procure the

sensitive data of the employees. For example, merging of disparate sources of endpoint data can

reveal sensitive data relating to employees. The Nash equilibrium technique can be applied to

thwart such insider attacks. Security analytic tools involve extensive use of correlational

algorithms and data integration. Mohammed et al.’s research project is easily extendable and

applicable to any commercial security analytic product.

Honeypots are traps set for attackers by defenders (Spitzner, 2003). Deceiving attackers

is an evolving strategy based on game theory. Carroll and Grosu (2011) explained their

deception strategy using a comprehensive set of algorithms and dynamic games. Han (2012)

19

referred to dynamic games as situations in which one player has information about the other

player’s strategy or moves, and multiple moves take place over time. In this deception game, two

sets of players, the defending network and the attacking network, are involved. Camouflaging

normal computers as honeypots and vice versa is a strategy that defenders adopt. Attackers are

usually at a disadvantage in this deception game, as they are not the first movers of the game.

Since logging is a powerful feature of honeypots, security analytic tools will easily be able to

integrate these log files for analysis.

Games in which players do not know the payoffs or preferences of their opponents are

games with incomplete information (Han, 2012. Liu, Zang, and Yu (2005)) modeled a defense

system with the aim of capturing a DoS attacker’s intent as opposed to the attack pattern. The

attacker’s incentive lies in the core of his or her design. One of the incentives is to access

classified internal documents. This design used data from attacks to study and understand the

intent of the attacker. The game design of this model used a six-tuple game with two players

(defender and attacker), two strategy spaces (one each for attacker and defender), a Bayesian

game type, and a set of outcomes. A Bayesian game is a game in which there is incomplete

information about the other players in the game. In this scenario, there is less information about

attackers. While this approach was not a perfect design in terms of accuracy, this model inspired

many more research projects that applied game theory to security analytics.

Fielder, Panaousis, Malacaria, Hankin, and Smeraldi (2014) addressed the challenge of

supporting the decisions of security administrators and other personnel with respect to protecting

the information-related assets of any organization. They used game theoretic modeling

techniques to model the situation between the attacker and a team of administrators to establish

the Nash equilibrium. One of the aspects of security analytic tools is to model the attacker-

20

defender situation. This can lead to the determination of the number of security analysts

necessary to pursue the actionable intelligence the tool provides. Game theoretic techniques are

easily applicable here to solve the challenge of cybersecurity resource allocation.

Chung, Kamhoua, Kwiat, Kalbarczyk, and Iyer (2016) argued that game theory

techniques can combine with learning algorithms like Q-learning to react to adversarial behavior

in a network situation. Their novel technique does not need complete information from the

opponents. Security incidents belonging to the intrusion category are the main focus of this

approach. Q-learning is a model-free reinforcement learning technique, and it can model games

with incomplete information. Q-learning mainly learns from human behavior. For example, Q-

learning can learn from the type of decisions a security analyst takes. It also learns from the data

of earlier iterations.

Computational learning theory and machine learning. Computer programs that can

perform tasks with the help of human-like intelligence and learn and improve their performance

over time act as learning programs. Goldman (1995), in her elaborate introduction to

computational learning theory, explained the initial work in the early sixties in machine-based

learning in terms of learning theory offering a foundation for assessing learning algorithms.

Leeuwen (2004) introduced machine learning using simple and yet powerful examples. Some of

the typical examples he gave are (a) pattern recognition in an array of images, (b) identifying

words in a handwritten text, (c) discovering and extracting common information from distributed

data, and (d) speech recognition. Most security analytic tools incorporate one or more learning

algorithms that focus on learning about attacks. For example, learning algorithms easily spot

botnet attacks.

21

Computation learning theory is a branch of theoretical computer science that studies

machine learning with the help of a strong mathematical foundation. Gold (1967) provided the

first formal definition of learning. Gold’s theory of learning focused on the learner guessing a

rule behind a data sequence leading to a convergence of the sequence. However, Gold’s theory

of learning did not attempt to evaluate and assess the efficiency of a learning process, whereas

computational learning theory provided a framework to evaluate the learning process. Goldman

(1995) reiterated that computational learning theory provided a framework to compare and rate

different learning algorithms. From the perspective of assessment, computational learning theory

has a close connection to machine learning.

Probably approximately correct (PAC) learning model. The seminal work of Valiant

(1984) initiated computation learning theory in the form of the PAC model. The PAC model is

the initial standard for learning programs. Leeuwen (2004) provided a convincing mathematical

model for PAC. He explained that the goal of a PAC learning algorithm is to classify samples

generated from a sample space (X) into a concept space (C). Based on the samples, the researcher

forms a hypothesis, and with every sample, the researcher adjusts this hypothesis. A hypothesis

is good when the number of errors in classifying samples remains below a predefined bound. A

problem is PAC-learnable if there is an algorithm (A) which for any distribution D and any concept c

will when given some independently drawn samples and with high probability, produce a near error-

free hypothesis (h). Concept learning is a generic term that includes the PAC learning model.

Blum (1994) introduced the two popular phases involved in concept learning. Those two phases

are the training phase and the testing phase. During the training phase, the learning procedure

studies some examples and produces a hypothesis. During the testing phases, it evaluates the

hypothesis.

22

Application of PAC to fraud detection. A PAC learning algorithm can be either strong

or weak. Leeuwen (2004) described a weak learning algorithm as one that performs poorly in

terms of learning. A weak learning algorithm has less accuracy in terms of classification. This

phenomenon is likely due to not having a large training dataset. There are a few meta-learning

techniques that can boost the accuracy and performance of a weak learner. One such popular

technique is boosting. Boosting turns a weak learning algorithm into a strong learner. Malekpour

et al. (2014) elaborated a hybrid model approach in predicting fraudulent behavior in e-banking

systems. Security analytic tools ideally incorporate similar models, both supervised and

unsupervised, to identify financial frauds in banking institutions. Log sources feeding into

security analytic tools form the major inputs to these hybrid models. Hybrid models include both

classification and clustering techniques. The ensemble approach employs boosting algorithms to

increase the model accuracy. Malekpour et al. used this approach to increase their accuracy in

detecting frauds. Increased accuracy was the result of comparing results with earlier techniques.

Boosting the PAC algorithms was the key to improving accuracy.

Dempster-Shafer (DS) Theory and its applications. Science has succeeded in

modeling many aspects of uncertainty in daily life. Kohlas and Monney (1994) introduced the

theory of evidence with a strong computational flavor with the aim of modeling uncertainty.

Researchers also call this theory DS theory. Shafer (1976) released it as a theory of mathematical

evidence. As per Shafer, the main goals of this theory are to represent uncertainty with the help

of evidence and hints. Statistical modeling of uncertainty was a successful outcome of this

theory. Kohlas and Monney elaborated on the application of evidence theory in the area of

decision analysis. Decision analysis is an important application of evidence theory and is applied

in the area of intrusion detection. Detecting intrusion is one of the major functions of security

23

analytic tools. Database log files are a major input to security analytic tools. Intrusive activity in

databases is usually detected by a pre-defined set of rules. Panigrahi, Sural, and Majumdar

(2009) explored the application of evidence theory to intrusion detection in databases. Rules

provide evidence of intrusive behavior in database transactions. However, many pieces of

evidence are combined to form an initial belief in any given transaction. This combination of

evidence is accomplished using DS theoretical constructs as explained in the following section.

Database intrusion detection, a less popular concept, identified user behavioral anomalies

with a focus on preventing insider attacks. Panigrahi, Sural, and Majumdar (2009) elaborated on

a unique algorithm they developed to detect suspicious user activity in databases. Two rules

formed the initial belief function regarding whether a specific user activity is malicious or

normal. The first rule measured the sequence of activities in a transaction and any deviation from

the prebuilt user profile. The second rule detected spatiotemporal outliers in user behavior with

specific reference to location and time of user activity. The belief component of the detection

engine combined output from both the rules that act as evidence to determine malicious

behavior. Panigrahi et al. tested their algorithm using a transaction simulator. Rules in this

experiment are easily extendable to any security analytic tool. Weblogs and database logs are

suitable inputs to the security analytic tool in the application of these rules.

Detecting insider attacks is a high priority for many of the security analytic tools. Mobile

ad hoc network (MANET) is an evolving network model in communication networks, and it is

subject to insider attacks. Ehsan and Khan (2012) presented a detailed analysis of the security

attacks that normally happen in mobile ad hoc network (MANET). Many algorithms are

currently developed by researchers to combat MANET attacks. Wei, Tang, Yu, Wang, and

Mason (2014) developed an algorithm based on DS theory to fuse indirect information provided

24

by one-hop nodes located close to the mobile node under observation. The main purpose of this

fusion is to develop trust with the observed node. Indirect observations involved collecting and

fusing evidence of an observed node based on interactions between other nodes located close to

the observed node. Wei, Tang, Yu, Wang, and Mason applied the DS-theory concept of belief

function probabilities to develop a trust score for every node, and they stored the score in a

routing table to prevent insider attacks. The algorithm checked the routing table for a trust score

to understand whether there were any compromised nodes in the network. Identifying

compromised network nodes is an integral part of any security analytic tool, and the above

algorithm is suitable for next-generation security analytic tools.

Intrusion detection systems (IDSs) monitor network traffic with a view to identifying

intrusive or malicious activity. Most of the intrusion detection systems use signatures that are

embedded into the IDS sensor. Zomlot et al. (2011) considered the problem of false positives as

one of the major reasons for the failure of intrusion detection processes. For example, the sensor

might detect an attack scenario when it really does not exist. The belief functions provided by

DS theory solved this problem of false positives. Pursuing an attack alert by a human analyst

needed the enablement of evidence-based beliefs. Zomlot et al. applied DS theory’s evidence

fusion approach successfully to produce actionable inputs for a human analyst. One of the

achievements of this unique algorithm was its ability to stand the tests performed in a real

production system. Logs from intrusion detection and prevention devices regularly go to security

analytic tools to help in the analysis of attacks and false positives.

A major function of security analytic tools is the ability to fuse alerts generated from

heterogeneous inputs. Those inputs could be (a) intrusion detection devices (IDS), (b) web

application logs, or (c) firewall logs. Intelligent fusion of these alerts can greatly reduce the

25

number of alerts and false positives. Yu and Frincke (2005) proposed an algorithm to fuse alerts

based on extended DS theory. Original DS theory takes into consideration all the individual

alerts (observers) with equal weightings. However, in the algorithm, Yu and Frincke proposed,

weighting goes to the source of the alert. For example, different inputs may detect a distributed

denial of service (DDoS) attack with different levels of confidence. A web application log and an

IDS device may report a SQL-injection attack with different levels of confidence. Different

weights go to the different alert sources, and the final fused alert takes these weights into

consideration. Alserhani (2016) brought out the importance of alert data fusion and its unique

strengths in supporting cyber analytic tools and processes. The application of DS theory has

clearly resulted in a reduction in the time a security analyst dedicates to the correlation of alerts.

Algorithms that are based on DS theory perform most alert correlation tasks accurately.

MapReduce model and framework – History and basic principles. MapReduce

originated as a proprietary Google technology, but it is now genericized. Qin et al. (2012)

described MapReduce as a highly scalable, parallel computing framework. It is useful for

processing large data sets in distributed environments or clusters. The fault-tolerant framework

has two main components: map and reduce functions. The map function filters and sorts the

input into key-value pairs. The reduce function groups and aggregates the input key-value pairs

based on the maps. Dean and Ghemawat (2010) explained Google’s MapReduce model in one of

their introductory papers. Some of the salient features of the MapReduce model from that paper

are (a) MapReduce automatically parallelizes and executes programs on large machines; (b) the

run-time system takes care of splitting the data, scheduling the parallel jobs, handling machine

failures, and managing inter-machine communication; (c) MapReduce jobs use inverted indexes;

(d) MapReduce can handle data from heterogeneous systems; (e) MapReduce does not need to

26

perform full scans of entire input file; and (f) MapReduce produces a high level of inbuilt fault

tolerance by not needing to restart failed jobs from scratch.

MapReduce and its applications. Hu et al. (2014) presented Hadoop’s massive data

analytical capability, based on MapReduce framework’s group-aggregation model of computing.

Security analytics predominantly deal with large volumes of unstructured data that fulfilled the

six Vs of big data, namely velocity, volume, veracity, variety, value, and variability. Tripathi,

Gupta, Almomani, Mishra, and Veluru (2013) proposed the self-adaptive MapReduce scheduling

(SAMR) algorithm, a Hadoop-based solution, to counter DDoS attacks. This solution focuses on

the DoS type of malware attack.

MapReduce is a great solution for performing analytics on data at rest. Schales et al.

(2011) explained the application of MapReduce to performing analytics for data at rest. The

stream computing platform for analyzing threats involves combining historical data and real-time

streaming data to extract actionable intelligence. Analyzing the historical data of many years in

memory demanded a huge hardware infrastructure. Hence, Schales et al. decided to apply the

MapReduce framework to perform analytics on historical data. The unique batch processing

abilities of MapReduce solved the problem of scalability in a stream computing platform.

MapReduce has found extensive application in security analytics. Botnets are networks of

infected computers that spread malware. Singh, Guntuku, Thakur, and Hota (2014) designed a

scalable machine learning approach to detect botnet intrusion in near real time. Security analytic

tools have similar functionality to detect botnet attacks in near real time, and ideally, they should

incorporate similar machine learning approaches. After a network sniffer module has

successfully extracted network flow traces from network dataset, a MapReduce algorithm can

extract a feature set. An example of a feature is total_fpackets (total number of packets in the

27

forward direction). A machine learning module studies the features and applies machine learning

to detect malicious traffic. Buczak and Guven (2016) surveyed machine learning algorithms

suitable for intrusion and botnet detection and described the application of these algorithms.

Singh, Guntuku, Thakur, and Hota highlighted Apache Hive data warehouse and Hive query

language as useful tools in the feature identification and extraction process. Their big data based

approach has achieved peer-to-peer botnet detection.

TAM. The TAM, initially proposed by Davis (1986), has found its deserving place in IT

and information systems-related research. The TAM has its roots in the theory of reasoned

action. Davis applied the concepts of stimulus, organism, and response, taking into consideration

the information explosion that was to happen in the mid-eighties. Davis mapped the information

system’s user interactive features to stimulus, linking user motivation to an organism and actual

usage to response. User acceptance and perception of technology played a major role in

technology acceptance.

As per Lee et al. (2003), two major variables of the TAM that revolutionized the user

acceptance research were perceived usefulness (PU) and perceived ease of use (PEOU).

Behavioral intention and behavior were two more variables that definitely added value to TAM

research. While Lee et al. included many categories of IT research in their paper, there was no

direct mention of information assurance or security analytics in their research. Security analytics-

related research is a relatively new category, and user perception and acceptance is undergoing

research and is in a state of evolution. Categorizing security analytics as expert systems and a

contemporary of e-commerce systems, it is predictable that TAM theoretical constructs could

easily assess the user acceptance of security analytic technology tools and products.

28

TAM-3. User motivation to accept a new IT technology is not necessarily to be taken for

granted by product vendors and researchers. Venkatesh and Bala (2008) discussed the huge loss

experienced by Hewlett Packard and Levi Strauss in the early part of this century due to poor

user acceptance. Identifying interventions to aid the process of user acceptance and helping the

managerial community to make informed decisions were the major triggers leading to TAM-3.

Venkatesh and Bala argued that TAM-2 is deficient in PEOU and theorized that more

determinants would influence PEOU. In 2008, they introduced an integrated model (TAM-3),

comprised of TAM-2 features plus new determinants of PEOU and three new relationships.

TAM-3 is now an accepted standard in IT-related research.

Adoption of emerging technology in healthcare is an ideal topic to explain the application

of TAM-3. Ahlan and Ahmad (2014) explored the adoption and acceptance of healthcare IT in

developing countries. They successfully explored four TAM-3 constructs in their study: (a) PU,

(b) PEOU, (c) behavioral intention, and (d) usage behavior. The perceived threat had a negative

effect on the user acceptance of a new technology. Even though a similar in-depth study is not

the focus of this research on security analytics, these concepts were introduced in the field study

questionnaire. Those questions focused on the perception of security analytic systems by users in

terms of user interface and training impacting their perception and usage of the system.

Security analytics as a technology has been in use since 2005. Hinde (2005) underscored

the importance of security analytics in an introductory article that dealt with computer fraud and

security. Kent (2007) published the first set of standards for SIEM and log management as a part

of National Institute for Standards and Technology documentation. Grublješič and Jaklič (2015)

discussed the maturity of business intelligence systems and their acceptance in the IT domain.

Business intelligence systems is a very mature technology, but security analytics is growing in

29

terms of acceptance. A new technology grows from an adoptive stage to an embedded stage.

Security analytics technology is still in the acceptance and adoption stage. Some of the relevant

additional determinants highlighted by Grublješič and Jaklič for better technology acceptance

relate to: (a) individual, (b) technological, (c) organizational, (d) social, and (e) macro

environmental characteristics. Kavanagh, Rochford, and Bussa (2015) explained the process and

implementation details involved in the implementation of various security analytic tools. Based

on the discussion provided by Kavanagh, Rochford, and Bussa, the researcher introduced

implementation and process focused questions into the field study questionnaire to ascertain the

acceptance of security analytic tools by the user community.

Review of the Literature

Security Analytics – Recent Research

Security analytics deals with a large volume of data. Traditional database management

tools are not suitable to deal with large data. Oltsik (2013) defined the need for big data based

processing to deal with large datasets. As per Schales et al. (2011) most structured large data

analysis acts upon data at rest, while real-time analytics acts upon denormalized and raw data,

also known as data in motion. Freshly accumulated data in a web proxy log is an example of

real-time and denormalized data. For example, structured data analysis is roughly comparable to

biannual performance appraisals, whereas real-time analysis is a closer match to immediate, 360-

degree peer feedback. Real-time analysis and data correlation become necessities in analyzing

security data in motion. For example, if an APT attack needs identification and remediation, a

thorough scan of a few terabytes of stored data and real-time stream data is necessary. Cardenas

et al. (2013) compared the act of searching large datasets for cyber-attacks to searching for a

needle in a haystack and brought out the need for big-data based analytics. Analyzing threat logs

30

is a simpler exercise than correlation analysis, as Mahmood and Afzal (2013) explained.

Malware and worms can be easily identified using log analysis process whereas identifying

complex cyber-attacks involved correlation analysis process. Chari, Habeck, Molloy, Park, and

Teiken (2013) demonstrated an analytic approach combining both a traditional data-management

platform and a big data platform to extract access-related anomalies for enterprise users. Hence

security data analytics performed using large-scale data analysis in real-time is becoming a

necessity to manage cyber-attacks. However, such big data analysis demand a large

infrastructure, highly skilled data scientists, and above all, a strong business case for investment.

Many small enterprises are not ready for this type of investment. Nicholas and Kavanagh

(2013) discussed the importance of investing in security analytic tools. A survey-based study

with the participation of end users who have implemented security analytic tools definitely adds

value to CXO-level decision process in the domain of security analytics. Shackleford (2014)

conducted a survey with a focus on security information and event management (SIEM) tools.

Shackleford’s survey focus was on large enterprises. However, an end-user driven survey leading

to identifying critical implementation factors will help enterprises of all sizes. Many of the

available case studies in peer-reviewed journals point to both structured and big data analytic

solutions. Some of the best among such solutions have come from security leaders such as IBM

and RSA. For example, Kavanagh, Rochford, and Bussa (2015) discussed IBM’s QRadar and

HP’s ArcSight platforms. Even though these tools originated from technology leaders like IBM

and HP, empirical and critical evaluations of these tools and success factors performed with the

help of end-user driven surveys are scant in the literature. Evaluation of security analytic tools

using end-user driven surveys will also generate research ideas for more in-depth research in the

31

area of security analytics. A discussion of some of the recent advances in the security analytic

tool domain is provided in the following section.

Stream computing – Behavioral and threat analysis. Yen, Oprea, and Onarlioglu

(2013) challenged the security analytics industry with a unique design of big-data-based

analytics solution, called Beehive, which can perform threat, policy, and user behavioral

analysis. Beehive has three layers: normalization, feature generation, and clustering. Network

logs are the major input for this tool. Cardenas et al. (2013) discussed Beehive results and

claimed that Beehive could process one billion log messages in one hour. While this claim may

be empirically correct, accuracy in predicting user behavioral anomalies is the correct way to

judge these types of solutions. A critical read of the Beehive tool article indicated a few

deficiencies: (a) Cardenas et al. only tested beehive with two weeks’ worth of data, and (b) they

only tested it for the EMC corporate network. Stream computing is near real-time analytics, and

its main use is network data analysis. Schales et al. (2011) illustrated the power of stream

computing platforms that laid emphasis on enhanced middleware. They used a year of real data

to stress test this platform. Using the front-end tools of the platform, a security analyst can create

ad-hoc anomaly detection logic independent of the architectural components. The Beehive

solution by Yen et al. and the stream computing platform by Schales et al. are both comparable

from an architectural angle, but not from a performance perspective, due to the large data set in

use in stream computing. However, the Beehive tool can tackle simple user profiling and

suspicious host behavior well. Analyzing security analytic tools from a cyber-attack perspective

gives a deeper understanding of the tools’ capabilities. The next section discusses security

analytic solutions for different types of attacks.

32

Combating attacks using security analytics. Insider attacks are a common phenomenon

in today’s enterprises. Chari et al. (2013) proposed an analytic solution for detecting policy

violations by the user community. Users sometimes innocently share their credentials with their

colleagues, leading to misuse. Ineligible users access intellectual property documents due to

privilege elevations. Forming a base user profile and studying user login attempts based on user

geography and human resources-related data, this platform accurately pointed out anomalous

user behavior. Comparing this tool with the Beehive analytic tool developed by Yen et al.

(2013), it is easy to determine that Beehive had broader goals. But a major strength of the tool

developed by Chari et al. was the focus on avoiding false positives. For example, if a user has

concurrently logged on to the enterprise’s intranet, from both his or her iPhone and his or her

laptop, the system should not flag this as anomalous behavior, leading to false positives. This

tool eliminated the most common type of false positives. Many security analytic tools have

problems with false positives.

Botnet attacks are executed by a command and control center that is controlled by the

hacker community. Botnets consist of a series of infected devices connected to the Internet.

Crespo and Garwood (2014) described an ideal SIEM analytics engine as one with a built-in

scalable correlation module and the ability to handle new threats. Cardenas et al. (2013)

classified this type of solution as a third-generation, big data security analytic tool. This tool

performed net flow analytics using the MapReduce theorem to identify and quarantine botnet-

infected computers and used Hadoop clusters to reduce the processing time by a factor of seven.

The advanced cyber defense center (ACDC) project described by Crespo and Garwood scaled

new heights in Europe. This project served as a great attempt to conquer the botnet attacks.

MITRE Corporation developed the structured threat information expression language to

33

communicate cyber threats, and the ACDC project extensively employed this language. The

ACDC project conducted many pilots and handled many variations of botnet attacks. The size of

the ACDC project was far larger than the Net flow project described by Cardenas et al. (2013).

Judging by the tools it developed, the ACDC program was an ideal security analytics program,

since it made use of extensive collaboration, exploited all the available cybersecurity resources in

the European Union, and it justified the large resource usage.

An APT is a targeted attack against a high-value asset or a physical system (Cardenas et

al., 2013). Stealth mode is the master sign of this type of attack. Identifying APTs from the logs

is a labor-intensive project. The Beehive log analyzer developed by Yen et al. (2013) focuses on

APTs and tries to identify pre-attack probes as a part of the user behavior analysis, but it does not

mention anything about reducing false positives. A strategy that synthesizes the approach of the

Beehive analyzer and the access control analyzer developed by Chari et al. (2013) in a suitable

analytics platform could greatly reduce the possibility of an APT attack.

Big Data Security Analytics

Big data security analytics-based tools and processes have created a powerful impact on

the information security industry. Oltsik (2013) argued that big data security analytic tools are

natural extensions to log management and SIEM tools. SIEM technology-based tools brought

about a major shift over log management tools by providing better functionality in terms of

interfaces to security operations center (SOC) and user behavioral analytics. Chuvakin (2016)

highlighted the importance and benefits of user behavioral analytics and anomalous behavioral

analytics using big data tools. He stated that companies are even building custom-based big data

tools to independently analyze enterprise-wide security and log data. Oltsik divided big data

analytics into two major areas: (a) real-time big data analytics and (b) asymmetric big data

34

analytics. Oltsik stated that real-time big data analytics focusses on conventional database

repositories with limited querying capability and data log feeds. Asymmetric big data analytics

focusses on a typical big database platform like Hadoop with flexible querying capability and the

ability to consume heterogeneous data feeds.

Oltsik’s (2013) further elaboration equated real-time big data analytic tools to standard

SIEM platforms released by popular tool vendors. These tools do not include big data platforms

like Hadoop. However, asymmetric big data analytic tools or platforms include Hadoop-like

server clusters including the MapReduce component. These solutions are far more scalable than

real-time big data solutions. Assuming a continuum to define big data security analytic tools,

real-time tools are at the lower end of the continuum and asymmetric tools are at the higher end

of the continuum. Very few vendors have built separate tools for real-time and asymmetric

categories. Chuvakin (2016) summarized the key success factors for implementing big data

security analytic tools: (a) understanding of data science approaches, (b) ability to collect and

retain data, and (c) availability of people to use the tools and prepare data. A discussion of some

of the stellar research efforts in big data-driven security analytics follows with a focus on

extracting applicable concepts for the Delphi study. These discussions will also help in

enumerating the gaps in terms of assessment of these tools.

Wheelus, Bou-Harb, and Zhu (2016) designed and presented a big data-based

architecture that focused on threat intelligence analytics. They deviated from the conventional

approach by emphasizing on building intelligence use cases and tested this solution on large, real

network traffic. They exploited several big data tools and technologies as a part of this study.

They used machine learning algorithms to amalgamate heterogeneous network data sources to

create effective labels to create labeling artifacts. Attack classification and zero-day malware

35

inference were the major achievements of this tool. Streaming data and packet capture data

formed the major inputs to this tool. A commonly used Libpcap library file format was used to

interpret the input data. This tool included Apache Kafka that ingested streaming data into the

tool in the form of queues. Each queue had multiple feeders and multiple consumers. The

processing domain of this tool had two major focus areas, viz., validation of input data and

identification of network features. The tool adopted Hadoop distributed file system as the storage

medium and the HIVE component to query the data. The output (artifacts) this tool produced

supported predictive analytic models. Wheelus et al. conducted three case studies using the

above-mentioned tool. The first case study detected Sality malware, which is formidable, with

90% accuracy. They used artifacts from the output of this tool to train the system for specific

malware analysis. The second case study classified and distinguished different malware families

with only 1% false positives. The third case study found that the prediction model easily

predicted zero-day malware and its attributes. Shackleford (2016) stated that ability to unravel

new attack patterns is an ideal attribute of any security analytic tool. Wheelus et al. built a unique

architecture that had the ability to identify zero-day malware. However, one possible futuristic

direction for this tool would be to test the architecture with unlimited real-time data.

Most of the security analytic tools provide insights into network anomalies through

monitoring and correlation analytics. Chuvakin (2010) explored SIEM technology and

highlighted network anomaly analytics as a major use case in security analytics. Anomalous

network behavior analytics has since become a crucial force in the field of security analytics.

Bhuyan, Bhattacharyya, and Kalita (2014) surveyed network anomaly detection tools and

methods in their widely cited foundational work. Network anomaly detection functions are an

integral part of this research study, and they are inbuilt into any security analytic tool. It is

36

pertinent that this study discusses the basics of network anomaly detection tools, leading to

refined inputs for field study in this research. Anomalous network behavior detection refers to

the problem of finding exceptional patterns in network traffic that are deviations from normal

behavior. Anomaly and outlier are two common terms used to describe this problem.

Crespo and Garwood (2014) explained the role of anomaly detection in SIEM tools and

its ability to detect leakage of sensitive personal identifiers (SPI) and other security events. One

advantage of anomaly-based detection is that it can detect known as well as unknown attack

patterns. Security-related anomalies are of three types: (a) point anomaly, (b) contextual

anomaly, and (c) collective anomaly. Point anomaly refers to an isolated occurrence of a data

point from normal occurrences at any instant of time. This could be an outlier network flow

event. Contextual anomaly refers to abnormal behavior that happens within a given period. For

example, multiple transactions within a short time may mean a stolen credit card. Collective

anomaly refers to a collection of related data instances, but the individual instances are not

anomalies. For example, buying a lot of high-priced items by a group of card users is a collective

anomaly. Shackleford (2016) opined that machine learning techniques are now in widespread use

in providing guidance on anomalous behaviors.

Bhuyan et al. (2014) elaborated on the application of machine learning methods for

solving network anomaly problems. Matching of new instances of network data with an already

existing profile usually occurs using machine learning algorithms and a training dataset. Stored

network data profiles act as reference data and are regularly updated by batch jobs. Anomaly

detection is a problem of big data classification (supervised approach) or clustering

(unsupervised approach). Support vector machine classification scheme is a common method of

37

anomaly detection for security analytics. Hierarchical and ensemble-based clustering techniques

are common in the unsupervised category.

A recent trend in anomaly detection is the application of graph analytics and forensic

analysis to detect anomalous behavior. Puri and Dukatz (2015) designed a big data-based

architecture to detect APT attacks and network anomalies using graphs. They used data from a

live corporate network to pilot test this tool. Three major focus areas for this tool are (a) learning

of network behavior and transformation of network events to probabilistic event graphs, (b)

application of machine learning techniques in anomaly identification, and (c) real-time anomaly

detection. Network log files aggregated from SIEM tools were the main input to this tool. Some

major components of this tool are (a) a big data platform consisting of a big data core and

computing power, (b) a complex event processing (CEP) module, and (c) an in-memory database

system. Log content analysis (LCA) graph learning framework is the application module that

analyzes and presents the network events. Puri and Dukatz analyzed anomalous behavior within

the log content analysis module. The anomalous behaviors this tool identified provided insights

into the inner workings of the network and provided great inputs to the security analysts.

Anomalous big data-based behavioral analytics are used for generating evidence to

pursue investigations on compromised network machines. Probing attacks usually happen before

a botnet takes over a computer. Bou-Harb, Scanlon, and Fackha (2016) applied the concept of

behavioral service graphs to investigate infections. Perceived probing activities as inferred by

this tool can rapidly identify infected machines. Fusing big data analytics with formal graph

theoretical concepts generates the actionable forensic evidence necessary for investigations.

Security personnel has thwarted botnet campaigns by applying this actionable intelligence to real

darknet traffic. The forensic insights produced by this tool were highly accurate.

38

Distributed denial of service (DDoS) attacks involve the flooding of network data packets

to choke and exhaust the network bandwidth. This type of attack will result in denying service to

the user. Tripathi et al. (2013) discussed a unique solution called the self-adaptive MapReduce

scheduling (SAMR) algorithm to deal with the abnormal network traffic management problem

created by a DDoS attack. The SAMR scheduling concept distributed the traffic load using a task

parallel concept. Tripathi et al. did not elaborate on results. Judging from a performance

perspective, the advanced cyber defense center (ACDC) project, as described by Crespo and

Garwood (2014), could combat DDoS attacks using a data clearinghouse. The central

clearinghouse for analytical input data was a unique design of the ACDC project, and hence the

ACDC project scores better than SAMR algorithm.

The multicore approach refers to the parallelizing of tasks or data, or both, depending on

the correlation requirements. Cheng, Azodi, Jaeger, and Meinel (2013) projected the importance

of performing correlation analysis using in-memory processing techniques. The security

analytics lab architecture they proposed implemented all the popular correlation algorithms,

namely k-means, y-means, the robust clustering algorithm for categorical attributes, and a quick

version of the robust clustering algorithm for categorical attributes. From an analysis of results of

this experiment, it is easy to determine that Cheng et al. did not use real-time data to test the

multicore design. Cheng et al. contended that they used simulated data to test the performance.

Comparing the multicore solution with other analytic solutions, it is evident that performance

testing executed with simulated data will not prove the scalability of the solution. However, this

project is a great innovation in security analytics.

Strengthening the network defense of an enterprise is the main aim of security analytic

solutions. Colbaugh and Glass (2011), in their revolutionary research funded by Sandia National

39

Labs, delineated the possibility of using predictive analytics to predict attacks to empower

defenses. The two approaches they used in this proactive solution were (a) a transfer learning

algorithm that uses prior knowledge of attacks to predict zero-day attacks and (b) the generation

of synthetic data to train the cyber defenses of any organization based on the type of attack. They

tested both approaches against two large, publicly available datasets. Choosing a predictive

analytics approach over other approaches is a wise decision for an environment that is more

isolated, smaller, and better controlled.

Glass and Colbaugh (2011) forayed into web security analytics and developed a

framework using web crawling concepts. This predictive solution does not focus on the network

domain, but on text, relational, and temporal analytics, which can help users to understand web

events. Splunk is a powerful tool in security analytics. Zadrozny and Kodali (2013) explained the

functionality of Splunk forwarder in forwarding log data into a Splunk instance. Charishma and

Venkatesh (2015) studied application weblogs and used Splunk forwarder to identify and report

on cross-site scripting and brute force types of attacks. Even though web-analytic platforms do

not focus on the network side of analytics, assessing the reach of this algorithm indicates that it is

necessary to integrate web security analytic platforms into network analytic platforms. Web

analytics are a part of any security analytic commercial product and weblog sources feed into

security analytic tools for the purpose of correlation.

Bowers, Hart, Juels, and Triandopoulos (2013) referred to an emerging and dangerous

trend wherein an attacker destroys the entire analytic trail by removing all the security analytics

sources. Without the sources, it is not possible to perform a forensic analysis of the data. Bowers

et al. presented PillarBox, a tool built to securely relay security analytic source (SAS) messages.

PillarBox enforces integrity and prevents tampering with security analytics source messages.

40

One of the major drawbacks of Pillarbox is its inability to prevent full nelson attacks. Threat

prediction is yet another area of relevance to the domain of security analytics. Thompson (2013)

introduced techniques for threat prediction using traffic flow theory and traffic congestion

principles in his dissertation. The focus of his work is on text-based analysis of network data.

Text analytic techniques were customized based on traffic flow theoretical constructs and applied

on network data. Major outputs from the framework Thompson proposed are threat predictions

based on network traffic congestion, the location of threat, and nature of a threat. Thompson used

machine learning techniques such as classification and clustering to predict threat and attack

patterns. Experience-based cyber analytics is a new area of research. Chen (2013) devised a set

of algorithms to connect a security analyst’s experience to network intrusion analytic tools.

Interactions with analytic tools exert a heavy workload on security analysts. An experience base

builds dynamically based on the decisions security analysts take, and the experience-base also

acts as the repository for future decision.

The development of security analytics frameworks with specific goals has become

commonplace. Intrusion detection tools use two popular approaches: signature-based detection

and anomaly-based detection. Anomaly-based tools study deviations from normal behavior to

identify intrusions, unlike signature-based systems. Razaq, Tianfield, and Barrie (2016) designed

a cybersecurity analytic framework with a focus on intrusion detection. Some of the highlights of

this framework are (a) it derives inputs from a network log tool (NetL) and a process log (PrcL),

(b) data extraction uses a Hadoop big data process, (c) data normalization and correlation, and

(d) alert generation. Correlation is the key step in this algorithm. False alarms are a known

problem in anomaly-based detection, and this system is no exception. Razaq et al. showed that

security analytic tools and processes are undergoing many changes and improvements, and an

41

understanding of this study adds credence to this current research. The concept of correlation is

an ideal input for the Delphi study (Phase 1) in this research.

Insider threats are now a daily occurrence in many enterprises. Most of the security

analytic tools include use cases for insider attacks. Mayhew, Atighetchi, Adler, and Greenstadt

(2015) explored big data analytics combined with machine learning to provide behavior-based

access control (BBAC) to deal with insider attacks. They combined clustering, a popular

unsupervised learning technique, with classification (a supervised learning technique) in

developing this unique solution. BBAC uses support vector machines to classify normal versus

suspicious data. BBAC cybersecurity analytics solutions predominantly focused on handling

attacks on the Department of Defense.

One of the major components of any security analytic tool is to generate alerts based on

the use cases and rules that are available as inputs to the tool. Thousands of alerts arise every

day, overwhelming the security analysts. Analysts miss many of the alerts. Pierazzi, Casolari,

Colajanni, and Marchetti (2016) introduced a framework that automatically chooses an anomaly

detection technique for any set of alerts. It generates descriptive statistics for the different groups

of alerts and uses these statistics to decide the type of anomaly detection technique. This

framework is a unique, next-generation solution, which is a first of its kind. Many current

commercial security analytic tools might benefit from the approach of this framework. The

complexity of modern-day networks warrants this type of research, and this research by Pierazzi

et al. generated a few questions for the Delphi study.

Research projects on anomaly detection using big data forms a significant part of security

analytics domain. Researchers normally use anomaly detection when they are not sure about the

data patterns for which they are looking. Pinto (2014) opined that most of the recent-day

42

anomaly detection techniques employed in the big data domain have not proven their worth. He

further stated that very few anomaly detection solutions are effective, one of them being ISS

Network’s anomaly detection product (now part of IBM’s QRadar). Pinto further discussed three

big issues associated with anomaly detection approach, and they are (a) the curse of

dimensionality, (b) normality poisoning attacks, and (c) Hanlon’s razor. Chen (2009) defined the

curse of dimensionality as the exponential growth of the number of samples needed to estimate a

function in a given machine learning algorithm. The processing of large samples will result in

increased use of computational resources. As per Pinto, a normality poisoning attack refers to an

attack on training data involved in training a security analytic learning algorithm. This kind of

data poisoning can skew the accuracy of the algorithm. Pinto defined Hanlon’s razor as false

positive created due to a pseudo security issue like a developer experimenting with secure coding

in a production environment resulting in wasted investigation time.

More Security Analytic Solutions

Vehicular ad hoc networks (VANETs) are an evolving type of MANETs in very common

use in building smart cities. VANETs communicate between vehicles, vehicles to infrastructures,

and vehicles to the Internet and the cloud. Gantsou (2015) applied security analytics to detect

Sybil attacks. A Sybil attack is an attack in which a single physical computer or entity receives

multiple identities by an act of forgery. Gantsou uses a unique approach of correlation between

MAC address and IP address to solve the problem of Sybil attacks. It uses the OSSIM security

analytics platform, the only open-source platform, in its IDS layer, OSSEC. A unified security

analytic platform like OSSIM has a clear advantage in extending its power to MANETs like

VANET. Even though mobile ad hoc analytics are not part of the first research question, this

study by Gantsou provides an opportunity for future researchers to develop security analytic

43

platforms that include ad hoc networks, and it reveals the power of security analytics for

nonconventional network systems.

Security Analytics and Correlation

Correlating security events is a key function performed by any security analytic tool. The

process of correlation collects events from different log sources and normalizes them. For

example, normalizing the events based on timestamp on the events. Stroeh, Madeira, and

Goldenstein (2013) proposed machine learning based correlation in security analytic tools. The

solutions fuse normalized events into groups or meta-events. Meta-events present a complete

description of a possible attack scenario than single events. They constitute a more refined

expression of the underlying attack than isolated efforts. Grouping events into meta-events lead

to better situational awareness, improving the classification of real attacks and false alarms; it

also enhances the performance of the system, as the classification operates on meta-events rather

than events. Meta-events enable the contrast between new scenarios and previously learned

attack scenarios. Machine learning techniques can automate this process.

The event correlation process is the key to unraveling many types of cyber-attacks. Rosa,

Alves, Cruz, Simões, and Monteiro (2015) compared different event correlation engines. A

summary of rule-based correlation engines follows. Esper is an open-source event correlator that

specializes in detecting stealthy port scans and employs time-based correlation logic. Simple

event correlator (SEC) is an open-source tool predominantly used for detecting intrusions, and it

uses historical data to flag attacks. The Prelude tool has both open-source and commercial

versions. The main use of Prelude is in the intrusion detection domain. Simple event correlator is

the most common correlator for small sized environments. Correlation engines do not build

security analytic tools by themselves. They need full integration with a SIEM or an equivalent to

44

applying its power. The Delphi questionnaire included assessments of the correlational abilities

of security tools.

Security Analytics and Governance

Security analytics, in general, refers to three generations of technological maturity,

according to Cardenas et al. (2013). The three generations of security analytic tools are (a)

intrusion detection and prevention (IDPS) tools, (b) security information and event management

(SIEM) tools, and (c) big data driven security analytic tools. However, most security analytics

products focus on the SIEM domain. All the market-leading products use SIEM technology. In

recent years, SIEM products have dominated the security governance scenario in many

organizations. Van de Moosdijk, Wagenaar, and Final (2015) detailed all the major areas of

concern in the SIEM domain. Some of the governance-related highlights that are relevant to this

literature review are explained by them in the following lines. Organizational leaders understand

the need to implement SIEM and the benefits of implementing SIEM products. The requirements

for implementing SIEM are well defined. For example, risk appetite, regulatory or compliance

requirements, and reporting requirements are clear. This research study included questions in the

above areas, as a part of the Delphi study. Leaders properly assign roles and responsibilities

regarding SIEM technology. For example, SIEM architects and SIEM correlation engineers are

predominantly technical roles. Van de Moosdijk et al. further stated that SIEM program

managers are also implementation and reporting managers. This research study included such

experts as part of Phase 1. Managers identify SIEM tool requirements before making a product

choice. This research study distilled critical success factors for the implementation of any

security analytic products, including SIEM. Both business and IT stakeholders discuss use cases

requirements. Questions on security analytic use cases were a part of the Delphi study.

45

The establishment of metrics-driven governance is a necessary prerequisite for the

success of any security analytic program. Gordas (2014) discussed the importance of governance

through security metrics. Reports of key performance indicators (KPI) of any security analytic

program usually are routed to CISOs. Commonly reported categories of metrics are security

incidents, suspicious events, log sources, rule changes, use cases, and security investigations and

related escalations.

Security Analytics and security operation center (SOC)

Elliott (2016) dealt with SOC economics in detail. The cost of operating a SOC generally

includes the cost of SOC analysts, who are part of the SOC. Security analytic tools, in particular,

SIEM tools, enhance the productivity of the SOC. Schinagl, Schoon, and Paans (2015)

elaborated about the SOC and its interfaces. They dealt with cyber intelligence inputs to SOC in

detail. Monitoring and incident management are two important functions of SOC where security

analytic tools provide feeds. The triaging team informs SOC analysts about the incident tickets

that the security analytic team or tool creates on a regular basis. The effectiveness of security

analytic tools indirectly impacts the SOC efficiency and output.

Critique of Previous Research Methods

SIEM tools form the mainstream of security analytic products. Nicolett and Kavanagh

(2013) analyzed the critical capabilities of commercial SIEM tools as part of the Gartner study.

Three major use cases they identified were threat management, compliance, and general SIEM

deployment. They scored every commercial tool for these use cases by accounting for eight

critical capabilities: (a) real-time monitoring, (b) threat intelligence, (c) behavior profiling, (d)

data and user monitoring, (e) application monitoring, (f) analytics for root cause, (g) log

management and reporting, and (h) deployment and support simplicity.

46

A deeper evaluation of the Gartner report produced by Nicolett and Kavanagh (2013)

indicated that most security analytic products developed by popular vendors like IBM and HP

scored consistently in the compliance use case, but only a couple of them performed well in

threat and SIEM deployment. A comparison of Nicolett and Kavanagh’s (2013) study with

Shackleford’s (2014) SANS survey revealed several of knowledge gaps in security analytics with

respect to assessment. These gaps were present due to the lack of a validated survey instrument

that was developed with the help of implementation experts. Gartner and SANS surveys are

private surveys that were developed predominantly by research analysts. While commercial

surveys can assess security analytic products, they are likely to have biases towards the sponsors

of the survey. Many white papers released in security analytics have similarly biased views.

Construction of these surveys takes place without a strong practitioner focus and a theoretical

basis. A few experts from within one organization build these surveys, leading to bias in the

questions. Many security analytic tools and projects were discussed in this literature review

section. For most of these tools, self-assessment was made by the product owner. The popular

security analytic products like QRadar are assessed by research analysts from research

organizations like Gartner and SANS. Integrating self-assessments with the opinion of research

analysts revealed a lack of assessment standard for the security analytic tools. The lack of

standards for assessing security analytic tools results in organizations not fully benefiting from

the implementation of these tools. A discussion on the identified knowledge gaps will help in

understanding the research study area for broader and deeper research.

47

Findings

Table 1

Assessment of Security Analytics Tools

Security analytic tool name Function of tool Assessment Description

Beehive tool Threat, policy and behavior

analysis

High-speed network log

processing with less focus

on performance testing

Network predictive analytics,

Sandia Labs Attack prediction analysis

Transfer learning and

synthetic data approach

with limited testing

Gartner assessment of SIEM

tools

Security analytic tool with

focus on incident and event

management

Compliance focus and pre-

defined use case focus.

Assessment lacked

implementation and end-

user specific issues

Advanced cyber defense center

(ACDC) project Attack prevention

Prevention of Botnet

attacks. Lacked details on

User interface (UI)

SANS assessment of SIEM tools

Security analytic tool with

focus on incident and event

management

An assessment made using

product use cases.

Assessment lacked

implementation and end-

user specific issues

Multi-core security analytic tool Correlation event analysis

Employed popular

correlation algorithms but

lacked real-time testing.

It is evident from the discussion on security analytic tools in the previous section that

these tools are predominantly assessed from the perspective of performance data. Table 1

includes a description and assessment of security analytic tools that brought out the predominant

functions of those tools in the earlier part of the literature review section. Ideally, assessment of

48

such tools should take into consideration not only performance data but also other influencing

factors like user interface, ease of use, governance, and reporting capabilities. A recollection of

tool capabilities discussed in this literature review will throw light on the findings. The Beehive

tool presented by Yen et al. (2013) was not subject to a thorough performance testing, as it

underwent testing with only two weeks’ worth of real data. Real tests for any tool should involve

real-time customer data. The predictive analysis approach developed by Colbaugh and Glass

(2011), while unique in its approach, used a controlled and limited test environment of ten runs.

A predictive approach gains more accuracy with an increase in the size of datasets. Judging by

these examples, any research study should include scalability in its survey and interviews, and

the respective stakeholders should be happy with the results. For example, a security analyst

should be convinced about the scalability of an analytic correlation engine and a business

manager should be convinced about the implementation of compliance mandates. Based on the

findings in this section, the researcher introduced questions pertaining to performance and

scalability in the Delphi study.

Results are what matters in huge investments. Governmental compliance laws trigger

changes in the SIEM tools. For example, compliance with Sarbanes-Oxley legislation mandates

the archiving of all network log files for a predetermined number of days. Nicolett and Kavanagh

(2013) mentioned that investments in SIEM tools are predominantly due to the compliance

requirements of the business community. While supporting governmental laws are important for

SIEM tools, these tool owners should also consider other security aspects of the enterprise when

building new product features. The main focus of any research on security analytics is whether a

SIEM tool or an analytic tool made a difference in terms of security to the enterprise.

49

The user interface is yet another important aspect of any modern IT system. A good and

intuitive user interface can inspire an end user to explore an analytics tool. Crespo and Garwood

(2014) included a lot of information about user interfaces in their tool for the ACDC project.

Cheng et al. (2013) depicted a user interface in their architecture diagram. However, they neither

measured nor discussed its effectiveness. Shackleford (2014) did not directly include user

interface assessment in his analytics survey. TAM-3 variables introduced by Venkatesh and Bala

(2008) like the perceived ease of use (PEOU), has a direct application in the area of security tool

user interface. Research utilizing TAM-3 to study the effectiveness of tools should measure user

interface strengths and weaknesses. The Delphi study this researcher performed applied this

finding by incorporating user interface related questions into the survey. In his security analytics

survey, Shackleford (2014) portrayed the fact that 48% of end users were unsatisfied with the

analytics training they received. Without proper training, end users will not be able to utilize the

tool. For example, if a security analyst needs to develop his or her own algorithm to analyze

network traffic as explained in the stream computing platform discussion by Schales et al.

(2011), then he or she must receive proper training from the vendor and other stakeholders.

Shackleford (2016) explained that many organizations have started to collect more data for

analysis. However, a lack of skills at the SOC to deal with security analytic tools was prominent

in his survey.

Actionable intelligence is the ability of the analytic solution to provide inputs to decision

making at different levels of the security organization (Howarth, 2014). Many of the tools in this

paper concerned security intelligence, but the researchers did not share details about the actions

they took based on the intelligence the tool provided. It is possible these are confidential

decisions within an enterprise. However, any research study should include questions on the

50

effectiveness of actionable intelligence recommendations. For example, end-point device

quarantining will impact security threat metrics because a quarantined device is no longer active

in the network. Findings from a review of the literature indicate that extensive research is

progressing in security analytics. While research itself is a great boost to the domain of security

analytics, it is important that the industry focus on measuring the effectiveness of any given

security analytic product after its implementation, irrespective of the product benchmark claims.

Only an implementing organization and its team will be able to provide solid feedback on the

implementation of a security analytic tool.

The literature review of security analytic tools brought out many functional aspects of

these tools. These functional aspects were used in one or more security analytic tool projects in

determining the tool’s success. A functional architecture for a typical security analytic tool is

presented in Figure 2, by integrating all the tool aspects learned from the literature review

presented earlier in this chapter. Core concepts and flows presented in Figure 2 are derived from

the tools discussed earlier in this chapter. Some pertinent citations that comprehensively cover

the core functional concepts, included in Figure 2, are (a) Shackleford (2014) discussed user

training and use cases in his assessment surveys, (b) Elliott (2016) provided comprehensive

inputs on SOC, its operations and endpoints; (c) Nicolett and Kavanagh (2013) expanded on log

sources, use cases, compliance, attack detection and user interface; (d) Rosa, Alves, Cruz,

Simões, and Monteiro (2015) analyzed correlation engines and data analytics; (e) Gordas (2014)

introduced concepts on governance and reporting. Figure 2 includes all the underlying tool

concepts with the central circle explaining all the functions that were discussed in the above

literature review section. Arrows indicate the direction of information or data flow. For example,

a security analytic tool provides inputs to the governance and reporting function of an enterprise.

51

Figure 2. Security analytics: A functional architecture.

Summary

Concepts From Security Analytics Literature for Delphi Study

The detailed analysis of the literature in the previous sections yielded several concepts

that were used as the basis for developing survey questions in both the field study and Delphi

study. Yen et al. (2013) discussed the Beehive tool with a focus on threat intelligence and user

behavioral anomaly, thereby deserving a place in the initial Delphi questionnaire. Schales et al.’s

52

(2011) discussion on stream computing yielded the concept of network logging. All the network

log sources in a corporate network should go into the security analytic tool to help in the

correlation of logs and the extraction of threat intelligence. Chari et al. (2013) studied policy

violations using their tool. Detecting policy violation can lead to identifying insider attacks like

user privilege escalations. It is important that any security analytic tool has a native feature to

detect policy violations. Crespo and Garwood (2014) built a solution to address botnet attacks.

One of the important analytic concepts to emerge from this study is the correlation concept. A

correlation engine in any security analytics tool correlates logs from heterogeneous sources to

identify attacks. Questions relating to correlation were very applicable to the Delphi

questionnaire. Yet another concept Crespo and Garwood (2014) raised is the interface for the

user or administrator. Screen interface or user interface is the main gateway for any tool user to

understand the intricacies and capabilities of a tool. While command line interface is still

prevalent among administrators, sophisticated user interfaces and dashboards are part of many

SIEM tools. If a powerful security analytic tool has a poor user interface, users will not tap the

tool’s full potential because of their lack of motivation to navigate the user interface. Venkatesh

and Bala (2008) built the TAM-3 after the advent of e-commerce systems and introduced

variables of perception in their theory. Hence the researcher, introduced questions on user

interface into the Delphi study to gain the perceptions of administrators of the security analytic

tools on the friendliness of user interfaces. Malekpour et al. (2014) elaborated on big data based

learning and boosting algorithms that help in detecting fraudulent behavior in banking

transactions. The concept of learning based on either training data or anomaly identification is

popular in security analytics based on the literature reviews. Hence the researcher examined the

effectiveness of big data based learning in the field study. Bou-Harb et al. (2016) extracted

53

actionable forensic evidence with the help of big data based graphical analysis. Actionable

intelligence is a key term, and it is a great time saver for security analysts who work in the SOC.

Actionable intelligence inputs given by any security analytic tool to security analysts will

drastically reduce the lead time to mitigate an attack. Hence, the concept of actionable

intelligence was very relevant to the Delphi questionnaire.

Strategies to Fill Gaps in Literature

The goal of this research study is to directly address the gaps and findings discussed in

the previous two sections, by identifying factors that determine the success of implementing any

security analytic tool. To accomplish this goal, this researcher developed a security analytic

questionnaire through two stages: the first stage is the Delphi study and the second stage is the

exploratory factor analysis (EFA) study. The questionnaire focused on implementation-related

issues. The researcher performed statistical analysis on the final set of questions to extract factors

that influence a successful implementation. This set of factors is expected to help both the

technical and managerial professionals involved in the implementation of security analytic tools

and solutions.

Measuring security programs in an enterprise is a big challenge. Cybenko and Landwehr

(2012) compared security analytics and measurements to game theory concepts. In game theory,

researchers already know the rules and players, and hence measurement is easier in a game

situation. However, in security analytics, it is difficult to measure the effectiveness of a solution,

as the playing field is comparable to a moving target. Cardenas et al. (2013) discussed many

types of attacks, as well as the impact of security analytic in mitigating those attacks, but none of

the analytic tools, discussed in the literature review, convincingly assessed the tool against a

broad and common assessment framework.

54

An ideal approach to assess a security analytic tool is to measure security posture of an

organization using quantitative metrics, before the implementation of the tool and after the

implementation. Comparing the results obtained in the before and after scenario will reveal the

impact of the tool. Mateski et al. (2012) defined cyber threat metrics and also elaborated on the

challenge involved in measuring the security posture using metrics. Most organizations do not

even disclose data breaches due to the fear of customer backlash making measurements a

difficult task. Van de Moosdijk et al. (2015) discussed the ability of SIEM tools in producing

many security data governance reports including data breach related reports. Even though SIEM

tools can produce such reports, they are usually not available for researchers. Due to the above-

mentioned reasons, it is impossible to accurately measure the impact of these tools only by using

metrics data which are usually not made publicly available. However, it is possible to

understand the effectiveness of a security analytic tool indirectly by designing survey questions

to assess the different functional areas of the tool from a user’s perspective. A detailed literature

search and review did not yield expert-validated survey instrument in the field of security

analytics that was suitable to answer the research questions of this study. It is to be recollected

here that this research study broadly focused on all three generations of security analytic tools.

55

CHAPTER 3. METHODOLOGY

The security analytics domain has experienced rapid growth in the past ten years in terms

of maturity. Cardenas et al. (2013) discussed the three levels of maturity for the security analytic

domain, but the fourth level of maturity is now opening up in the information security industry,

that is, artificial intelligence (AI)-driven security analytics. Internet Protocol (IP) v6 has many

known vulnerabilities. Fuzzy rules are being used in machine learning to classify network

attacks. Salih, Ma, and Peytchev (2017) built a blended algorithm comprising fuzzy rules and

genetic algorithms to counter IPv6 vulnerabilities. Given the explosive growth of analytics in this

industry, it is important to produce expert-validated survey instruments in the security analytic

domain to help further research. Based on the discussion in earlier chapters, the researcher

adopted two phases for this research study. Phase 1 involved the development of a survey

instrument using a Delphi expert panel, and Phase 2 involved the refinement and validation of

the same instrument using construct validity and reliability techniques. The researcher tested for

construct validity using exploratory factor analysis (EFA) and for instrument reliability using

Cronbach’s alpha.

Purpose of the Study

The purpose of this research study was to identify factors that determine the

implementation success of security analytic tools that help in improving the security postures of

organizations. Security analytics is a relatively unexplored area from the perspective of academic

research. Cardenas et al. (2013) argued that security analytics is an evolving technology topic.

56

However, research studies and investigations in this area of security analytics are still in a

nascent and developing condition. A search by this researcher did not yield any expert-validated

survey instruments in the domain of security analytics. A casual Google search will provide

many results for assessments of commercial security information and events management

(SIEM) tools performed by Gartner group and other research groups. For example, Nicolett and

Kavanagh (2013) assessed SIEM tools using product use-cases but not using surveys built with

the help of hands-on implementers. Pinsonneault and Kraemer (1993) established that

researchers invariably use exploratory models to develop concepts and models in newly arrived

fields of research. Pinsonneault and Kraemer further asserted that surveys are an effective way to

collect data and quantitatively to analyze results. The literature review revealed that there are no

dedicated survey instruments validated by expert users in the domain of security analytics. A

survey instrument is a good input to identify important implementation factors for security

analytic tools as per Yong, and Pearce (2013). Hsu and Sandford (2007) opined that the Delphi

technique is a practical and suitable technique for working with experts and arriving at a

consensus on any emerging area of research. Newsom (2005) argued that exploratory factor

analysis (EFA) is an effective approach to validate a survey instrument when the researcher does

not have any hypothesis and the subject matter is a relatively unexplored area. The purpose of

this quantitative exploratory study was to identify the factors that determine a successful

implementation of a security analytic tool. Shackleford (2014) conducted a survey on security

analytic tool users from a commercial angle. His survey focused on popular vendor built security

analytic tools like QRadar and ArcSight. The survey questions were built by a few research

analysts with the help of product knowledge. In Shackleford’s survey, the user experts did not

pool their experience and build a survey questionnaire. Even though Shackleford’s survey was

57

not an expert-validated survey, it gave initial insights about security analytic tool usage, among

customers. However, in this research study executed by this researcher, security analytic tool

users and experts pooled their experience and validated the survey instrument, both in Phase 1

and Phase 2.

Research Questions

The research questions for this study were as follows:

Omnibus Research Question (ORQ): What are the factors that determine the successful

implementation of security analytics tools or packages?

Research Subquestion 1 (RSQ1): What are the factors that determine the successful

implementation of non-big data security analytics tools or packages?

Research Subquestion 2 (RSQ2): What are the factors that determine the successful

implementation of big data security analytics tools or packages?

Research Design

This study used a two-phase approach: Phase 1 was a quantitative Delphi study to arrive

at a survey instrument by working with experts using a consensus approach; Phase 2 was an EFA

study to refine the instrument by sending it to a large group of experts in the information

assurance industry (Figure 3). Skulmoski et al. (2007) argued that Delphi technique is the

predominant approach when there is a lack of complete knowledge about a particular research

area. This study fell under the category of non-experimental category because experiments

involve the creation of control and test groups, and this study does not involve any experiment

on security analytics tools. Spector and Meier (2014) established that non-experimental methods

involve observation without manipulation. Studying the factors involved in assessing a

successful implementation of security analytic tools is the real goal of this research. This

58

research involves the application of Delphi and exploratory data analysis to explore the research

questions given above. Garson (2014) opined that Delphi studies are applied mainly in the area

of exploratory research. Delphi models are more suitable for this study, as they are useful in

areas where there is incomplete information or incomplete maturity of the domain.

Figure 3. High-level research design.

Garson (2014) attested to the effectiveness of the quantitative Delphi approach in

reaching consensus on the composition of survey questionnaires. Garson also mentioned that

quantitative Delphi processes are suitable to achieve content and contrast validity. In this specific

59

Delphi study, building a consensus and distilling a survey instrument that will help in assessing

the success of security analytic tool implementation was the major focus. Gliddon (2006)

performed a classic Delphi study and created a list of competencies for innovative leadership

after three rounds of Delphi. Vonhof (2015) employed a similar design to build a survey

instrument and then used it to perform an exploratory factor analysis (EFA) study of telework

adoption.

Procedures

Methodology

This research employed a nonexperimental approach. Nonexperimental methods involve

observation without manipulation (Spector & Meier, 2014). There are no experiments or variable

manipulations involved in this research study. Phase 1 of this research study focused on building

an instrument with the help of experts. Phase 2 focused on validating the instrument and

extracting factors using EFA. Extracting factors from the survey instrument was the main goal of

Phase 2 of this study. In Phase 2, the output of Phase 1, that is, a survey instrument, was

administered to the industry experts with the aim of refining the items in the instrument.

The Delphi technique and its suitability to the current research question are of prime

importance in understanding the methodology. Hsu and Sandford (2007) expounded the Delphi

technique, stating that it is a very practical approach to achieve convergence of ideas and

opinions of experts in any domain of activity. A research question is a prime trigger to decide the

direction of an investigation, namely quantitative or qualitative. In the case of the current study,

the research questions involved the identification of factors that help in assessing the successful

implementation of a security analytic tool or package. This study did not focus on the impact of

security analytic tools on the job role of a security analyst, which would warrant a qualitative

60

study. Garson (2014) surveyed many Delphi studies and established that consulting domain

experts is an ideal approach for a less explored area of research. Hence the direction of the

research question clearly identified the need for a panel of experts, as only experts could furnish

elite information in security analytics.

Quantitative Delphi method. Gunaydin (2006) asserted that the Delphi technique is an

iterative process very suitable for integrating into the quantitative process if the research focuses

on construct validation. According to Garson (2014), the Delphi method has multiple rounds

until a consensus emerges between experts or the results from two successive rounds are the

same. Leclerc, Lefrancois, Dubé, Hébert, and Gaulin (1998) applied the quantitative Delphi

method to validate constructs. He built a self-actualization instrument using the Delphi method.

Vonhof (2015) used the quantitative Delphi approach to build and validate an instrument as a

part of his Capella dissertation on telework adoption. Chaturvedi, Singh, Gupta, and

Bhattacharya (2014) successfully implemented an information security Delphi survey with a

five-point Likert-type scale. This research study fell into the quantitative category of Delphi

study based on the close similarities to the above citations.

Delphi design explanation. Skulmoski et al. (2007) mandated four major features of any

Delphi study: (a) anonymity of Delphi participants, (b) an iterative approach that allows the

participants to refine their views on any subject matter, (c) controlled feedback from the Delphi

coordinator (researcher) to the participants regarding other perspectives in a Delphi study, and

(d) statistical analysis and aggregation of group responses. There is no concept of a population in

Delphi study. As it tested no hypothesis, a power analysis was not a requirement for this study.

The number of Delphi participants and the qualifications of the participants are of great

significance in a Delphi study. Taylor-Powell (2002) suggested that the qualifications and

61

experience of the Delphi panelists should be up to date and that participants should be unbiased.

Avella (2016) provided a range for the panel size for any given Delphi study. He suggested that

it ranges from a minimum of 10 to a maximum of 100. This researcher applied the anonymity

principle by ensuring that all Delphi participants sign the informed consent form. The consent

form contained all the qualification criteria required from the Delphi participant. Delphi

participants used a flow diagram developed by this researcher to understand all the steps

involved in the Delphi study. Based on the panel size recommended by Avella (2016) an initial

size of 20 was planned for the first round of Delphi. This researcher searched the LinkedIn

professional network for up to date profiles in the area of security analytics and found 43

members to be suitable for this research study. Invitations were sent to 43 members in the

LinkedIn network.

Consensus in Delphi studies. Arriving at a consensus is a collaborative effort usually

facilitated by the researcher. Garson (2014) advocated the iterative Delphi method to achieve

reliable expert consensus. In this specific research study, after the Delphi panel members

provided their inputs for every round, the researcher used a couple of consensus techniques to

assess consensus. The researcher also assessed the stability of the instrument after every round.

Heiko (2012) focused his research on consensus in Delphi studies. He examined many Delphi

studies in his research of consensus methods, and he concluded that while consensus was not the

sole aim of Delphi studies, it is a very important component in Delphi studies. Apart from

consensus, Heiko opined that stability of the instrument is also a necessary part of building

consensus. He added that consistency in responses between successive rounds of a Delphi study

is stability. In other words, if the instrument has remained consistent between two rounds, then

that instrument is stable. For example, there might be insignificant changes (in terms of

62

responses) between two rounds of Delphi. Descriptive statistics and inferential statistics are

essential in computing consensus in Delphi studies. Putnam, Spiegel, and Bruininks (1995)

recommended the use of the percent agreement method for Delphi surveys using a five-point

Likert-type scale, and this method was very suitable for the current research study on security

analytics. Cooper, Gallegos, and Granof (1995) recommended Kendall’s coefficient for

computing consensus in quantitative Delphi studies. Percent agreement method was used in

Phase 1 (Delphi study) to compute consensus after every Delphi round. Kendall’s coefficient was

also used at the end of each Delphi round in Phase 1. Stability, as defined by Heiko, was applied

in the Delphi study to understand the consistency of responses between any two rounds of

Delphi.

Participant Selection

One of the major applications of Delphi study is to validate constructs and build

instruments, but there is no hypothesis to be tested. Avella (2016) asserted that there is no

concept of a population in Delphi studies, but only expertise. Security analytic experts are

usually busy professionals, and they are usually not able to allocate time for research studies.

Since LinkedIn is now a highly sought-after professional networking tool and the profile

information of individuals is nearly accurate, this researcher chose LinkedIn to recruit security

analytic experts. Lops, De Gemmis, Semeraro, Narducci, and Musto (2011) analyzed LinkedIn

user profiles as a part of their content extraction. Their study revealed that LinkedIn is a very

useful professional networking tool and that users regularly update their profiles. Gliddon (2006)

surveyed 50 Delphi studies and found that in 95% of the cases, the researchers used purposive

sampling to select the experts. Gliddon recommended that researchers validate the experts by

going through their curriculum vitae. This Delphi study was a homogeneous study, that is, the

63

researcher selected experts only from within the information security domain, and all these

experts were in the United States. However, security, managerial, and operational personnel

share the knowledge necessary to assess the implementation of a security analytic tool.

Skulmoski et al. (2007) analyzed 41 Delphi dissertations in the information sciences and found

that the sample size ranged from eight to 345. The median value was 28. Gliddon (2006)

surveyed 46 Delphi studies and found that the average sample size was 24. In this specific study

on security analytics, the researcher identified the following categories of experts: (a) security

program managers, (b) IT managers working in the security group, (c) security analysts, (d)

security service managers, (e) security incident personnel, (f) product architects, (g) business

area managers, and (h) security analytic tool administrators. Hence the researcher chose a sample

size of 24 to start the study. According to Garson (2014), exploratory Delphi studies generally

have smaller panel sizes. Figure 4 explains the overall flow of the Delphi study. Figure 4 is

developed based on the inputs derived from Delphi method citations provided in the above

section.

The researcher used a purposive sampling approach by searching LinkedIn profiles and

creating connections with potential participants. Gliddon (2006) recommended purposive

sampling based on the survey he conducted on Delphi studies. As per Gliddon, 95% of Delphi

studies used purposive sampling. The search in LinkedIn for experts was based on the

qualification criteria that was outlined in the informed consent form. The qualification criteria

are explained later in this section. The search tool provided by the LinkedIn professional network

was used to search for suitable professionals. The search strings were (a) security analytics, (b)

big data security, and (c) security analyst. Invitations to participate in the Delphi study on

security analytics went to 43 connected LinkedIn users who were high-profile security analytic

64

experts. Gliddon further stated that experts should be recruited only after validation of their

profile or curriculum vitae. The researcher wrote a letter of invitation to all the shortlisted 43

members whose qualifications and experience fell into the criteria below. A consent letter was

also attached to the invitation.

Figure 4. Delphi study process flow.

The professional experience of these invitees ranged from network security experts to

CISOs. Of the 43 experts who received invitations, 18 experts agreed to sign the informed

consent form and to participate in the Delphi study. There were two possible qualification

criteria for the Phase 1 Delphi study. Option 1 consisted of all the following criteria: (a)

minimum seven years in the information security industry, (b) minimum 10 years of total

65

experience in the IT industry, (c) minimum three years of experience with security analytic tools,

in any capacity, within any enterprise, and (d) preferably a minimum professional certification or

degree in the area of IT security or IT. Option 2 consisted of only one criterion: 20+ years of

strong IT experience in managing large programs or projects or architecting major IT solutions.

Phase 2 of the study was the exploratory factor analysis (EFA) study. There were two

participant qualifying criteria for the Phase 2 EFA study: (a) minimum 10 years of experience in

the IT industry OR minimum six years of experience in the information security industry, and (b)

minimum one year of experience in the security analytics domain (any experience that relates to

security analytic tools like SIEM/big data/intrusion-prevention or equivalent).

Protection of Survey Participants

The two phases of this research study had different types of participant requirements.

Phase 1 was a Delphi study, and Phase 2 required a bigger audience to fulfill the requirements of

an EFA study. Tabachnick and Fidell (2013) argued that a minimum sample size of 100

participants are needed for an exploratory factor analysis (EFA) study. Phase 1 of the study

involved recruiting and interacting with the Delphi participants. Since recruiting took place

through LinkedIn, some participant data like e-mail addresses were available to the researcher.

However, the researcher collected no sensitive personal information about the participants.

Adams and Miles (2013) explained that Belmont principles for human subjects are the major

focus of any research. Any researcher needs to scrupulously apply justice, respect, and

beneficence principles. The respect principle leads to informed consent. The researcher informed

the panelists and survey participants about the pros and cons of this research using an informed

consent form. There were two versions of informed consent form: one for the Delphi study

66

(Phase 1) and other for the EFA study (Phase 2). Only after all the participants signed the

informed consent forms could they participate in the study.

The justice principle requires researchers to treat the participants in a fair manner. Adam

and Miles (2013) discussed the importance of justice principle for surveys. In this survey (both

Phase 1 and Phase 2), participants from different industries and with different levels of

experience received the same respect. Beneficence requires avoiding injury or any other form of

harm to human subjects. There was no coercion of participants in either phase. The researcher

implemented the Belmont principles through informed consent. Schrittwieser, Mulazzani, and

Weippl (2013) articulated a change in research direction for information security-related

research. Based on their opinion, the researcher did not force the survey participants to provide

definitive answers. The researcher did not ask the survey participants to provide confidential

information, due to the sensitive nature of the subject. In their study of the Menlo Report,

Dittrich and Kenneally (2012) explained the fourth principle of research: respect for law and the

public interest. The Menlo Report sets a new direction for information security research, as the

Department of Homeland Security published it. Survey questions respected the internal mandates

of the participating organizations. In both phases, there was a neutral option available to the

participants so that they had the freedom to avoid answering sensitive survey questions. The

Delphi panel also reviewed the survey questions through many iterations to remove any sensitive

questions before the start of the EFA phase.

Data Collection

Phase 1. Phase 1 of this study was a Delphi process. Goodman (1987) asserted that the

Delphi method is a highly suitable way to achieve consensus in an area of research where

maturity is low or there is no survey instrument. Prior to initiating the Delphi survey to build a

67

survey instrument that focused on security analytics, the researcher conducted a small field study

with the help of security analytics experts from IBM. Avella (2016) stressed the importance of

field study as a pre-requisite to Delphi rounds. A total of five experts helped this researcher to

build an initial starting point by providing feedback on an initial survey questionnaire that the

researcher built. The output of this field study (questionnaire) was the input for the first round of

the Delphi survey. Four rounds of Delphi iterations took place before the survey instrument

stabilized for the next phase (Phase 2). In the first round of Delphi, 16 security analytic experts

participated and provided feedback on the survey instrument. In the final round (fourth) of

Delphi, there were 11 participants. All the Delphi rounds took place via e-mail and every

participant anonymously participated. It took a total of 20 weeks to complete all four rounds of

the Delphi study. The researcher facilitated all the rounds of Delphi. Avella discussed the

importance of the researcher playing the role of a facilitator in Delphi rounds. Before the start of

the first round, the researcher informed the Delphi participants that there would be a maximum

of three rounds of Delphi to build the survey instrument. This constraint of three rounds was due

to the time limitation and the cost of the survey. However, due to the lack of consensus and

stability in the third round, one more round of Delphi was necessary, leading to a stable

instrument in the fourth and final round. The researcher notified potential Delphi participants

before the start of the Delphi rounds that there was no penalty for electing not to participate and

that they were free to drop out at any stage of the Delphi process. After the researcher collected

all the responses for any given Delphi round, the researcher consolidated the inputs and sent out

a document to the entire panel about the current Delphi round. This exercise helped the panel

members to learn about the collective perspective for every round.

68

Phase 2. The researcher administered Phase 2 of the study (EFA) through Qualtrics, a

survey and research organization. The researcher chose Qualtrics after considering top three

popular survey audience services. The choice of Qualtrics was made mainly because of

Qualtrics’s large database of information security panelists as revealed by the number of recent

dissertations in the field of information security. Burton and Mazerolle (2011) clarified that

construct validity is the assessment of whether the instrument is measuring what it should

measure. Normally EFA is one of the ways of determining construct validity. The factors that

emerge from the analysis process reflect the construct validity of the survey instrument

(Boudreau, Gefen, & Straub, 2001). EFA requires a minimum sample size.

Sample size for Phase 2. Mensch and Wilkie (2011) argued that 134 responses from a

survey that went out to 2,000 students were enough to perform an EFA. Janssens, de Pelsmacker,

and van Kenhove (2008) indicated that a minimum sample size of 100 is necessary to perform a

successful EFA. Štemberger, Manfreda, and Kovačič (2011), in their research on IT

management, found that a survey response of 152 was enough to extract factors using EFA.

Garrido-Moreno and Padilla-Meléndez (2011), in their discussion on the impact of knowledge

management on CRM success, managed to conduct an EFA using 153 completed responses.

Tabachnick and Fidell (2013) asserted that an EFA should have a minimum sample size of 100

and a maximum of 500, depending on the factor loadings. Lu and Ramamurthy (2011), in their

research on IT capability and organizational agility, successfully performed an EFA with 128

responses. Costello and Osborne (2005) provided best practices for EFA. Based on the above

citations and taking into consideration the cost of the survey and the quality of data, the

researcher chose a sample size of 200 completed responses for the Phase 2 survey. Subject to

item ratio is a common measure for determining sample size for any survey involving EFA.

69

Subject to item ratio means the number of participants divided by the number of survey

questions. Twenty-six percent (26%) of the EFA studies fall in the range of 2:1 to 5:1 ratio, that

is, two to five respondents per question. Since there are 50 items (questions) in this research

study, the chosen subject to item ratio for this study is 4:1 (200:50), which complies with the best

practices Costello and Osborne described. These 50 items were the output of four rounds of

Delphi study. But these 50 items included the hidden factors that form the foundation of any

security analytic implementation.

Data Analysis

Phase 1 – Delphi study. Kendall’s coefficient (W), the percent agreement method, and

stability are the primary techniques the researcher chose to assess consensus among participants.

Worrell, di Gangi, and Bush (2013) recommended Kendall’s W as an established technique to

determine consensus among participants. Vonhof (2015) stated that computation of Kendall’s W

is a common practice in arriving at a consensus. A value of W = 0 indicates complete

disagreement and a value of W = 1 indicates full agreement. Duffield (1993) explained that there

are many ways to arrive at a consensus among Delphi participants. Putnam et al. (1995) applied

the percent agreement method in their Delphi study to establish consensus. They used the

stability of responses between successful rounds as the sole criterion for defining consensus. In

this research, which used a quantitative Delphi technique, the researcher used Kendall’s W and

percent agreement method to assess consensus.

Phase 2 – EFA study. Yong and Pearce (2013) stated that factor analysis is very useful

in extracting underlying concepts from a large set of variables. Typically questions in a

questionnaire have hidden concepts that need extraction for interpretation and grouping. There

are two types of factor analysis: confirmatory factor analysis and EFA. Confirmatory factor

70

analysis generally confirms or disconfirms hypotheses, whereas EFA uncovers complex patterns

by exploring the dataset. In this research study, the output of the Phase 1 Delphi study was a 50-

item instrument. The researcher used this instrument to conduct an actual survey of industry

professionals in the security analytic domain. The researcher analyzed the resulting dataset for

hidden patterns or factors. Sadi and Noordin (2011) conducted an EFA study in mobile

commerce. They used factor analysis to refine their instrument. In this research, there was a

similar need to refine the instrument from Phase 1 (Delphi). Hence EFA was a logical choice for

this research study. Field (2013) asserted that factor analysis aims to reduce a set of variables

into smaller units called factors or dimensions. In this specific research study, factor analysis

took place on the final output of the Delphi study (Phase 1) with the main purpose of identifying

underlying factors that impact the successful implementation of any given security analytic tool.

In this process, elimination of items (questions) is the first step, and extraction of factors is the

second step. Many experts in EFA concurred that a multistep analysis process is necessary,

leading to the extraction of factors (Field, 2013; Williams, Onsman, & Brown, 2010).

Multistep analysis process. In any EFA exercise, it is necessary first to validate the

adequacy of the sample. Williams et al. (2010) asserted that researchers should perform tests to

assess the suitability of survey data for factor analysis. The researcher used the Kaiser-Meyer-

Olkin (KMO) measure of sampling adequacy in this research study to assess whether the sample

size was adequate to generate factors. Field (2013) opined that researchers must perform

correlations between variables/items to eliminate variables that do not correlate well. He

recommended ignoring variables with correlation values less than 0.3. Generation of a

correlation matrix is a necessary prerequisite for EFA. The researcher performed factor

extraction in this research study with the help of the principal axis factoring method. Williams et

71

al. (2010) recommended that principal axis factoring is most suitable to extract factors in factor

analysis studies. The researcher also used a scree plot to confirm the number of factors and to

decide on the number of factors for retention. A scree plot is a plot of eigenvalues on the y-axis

with factors on the x-axis. The point of inflection in the scree plot helps to decide the number of

factors. Kaiser (1960) recommended retaining factors with eigenvalues greater than 1 for further

analysis. Field (2013) suggested that using rotation techniques can improve the interpretability of

factors. Varimax rotation assumes that factors have no correlations and it connects variables to

factor loadings. Da Veiga, Martins, and Eloff (2007) established that researchers could include

variables with factor loadings of 0.3 and greater in any given factor. In this research study, the

researcher used a factor loading value of 0.3 and greater to include a variable in a factor.

Validity and Reliability

Malhotra (1981) explained that a field study usually establishes the face and content

validity of an instrument. In this research, the researcher completed a field study to achieve face

validity before conducting the Delphi study. Cronbach (1951) established that reliability is the

ability of the survey instrument to measure what it intends to measure. Combining the factor

analysis goals with that of reliability, the researcher used Cronbach’s alpha on the entire survey

instrument and on the individual factors.

Likert Scale Instrument

Questions in the newly created instrument were based on five-point Likert scale. A field

test conducted by this researcher produced the initial version of the survey instrument. Face and

content validity was established with the help of field test. Dawis (1987) recommended that

formatting is kept simple when designing a new instrument. Burton and Mazerolle (2011)

mandated that field test panel validate the instrument for appearance and appropriateness. Both

72

the above recommendations were applied during the field test in this research study. Field test

experts also reviewed the statements in the survey instrument to ensure that these constructs were

appropriate for the intended audience. The survey instrument underwent more enhancements

during the Delphi study (Phase 1) in terms of subject matter content. Costello and Osborne

(2005) opined that construct validity is usually established using exploratory factor analysis

(EFA). EFA technique established construct validity of the survey instrument during Phase 2 in

this study.

Ethical Considerations

The researcher fully followed the Belmont principle mandates, ensuring that survey

participants received respect, justice, and equity during the execution of the dissertation phase

(National Institutes of Health, Office of Human Subjects Research, 1979). This study did not

collect sensitive personal information or retain any of the contact e-mails of the survey

participants. All the responses from participants remained anonymous for both Phase 1 and

Phase 2 of the study. Even the initial field study that preceded the Delphi study took place in an

anonymous manner. There was no direct or indirect conflict of interest. Delphi participants had

the freedom not to participate in any round of the survey. In fact, over the course of the Delphi

study, a few participants dropped out of the survey. The researcher securely stored all the data he

obtained from the participants during the survey. All communications with the Delphi

participants were completely anonymous. Vonhof (2015) explained the need for anonymity in

his Delphi research study. This anonymity was necessary to avoid bandwagon types of

responses. For Phase 2 of the study, Qualtrics administered the survey under secure conditions,

so that only the qualified and approved participants fulfilling the survey requirements could take

73

the survey. All the data provided by Qualtrics are in secure storage and the researcher will safely

anchor the storage USB drive for the next seven years.

Summary

This chapter has discussed the multiple phases of this research study as applicable to the

research question. It has explained all the methods and process involved with both Delphi (Phase

1) and EFA (Phase 2) studies. Qualification criteria, participant selection, and research ethics

were some of the major highlights of this chapter. It has explained the data collection methods

for both Phase 1 and Phase 2 of the study. Similarly, it has delineated data analysis steps for both

the phases. Chapter 4 discusses the results of the data analysis. Chapter 5 provides the

interpretations of the research study.

74

CHAPTER 4. RESULTS

Background

The purpose of this multiphase, quantitative, nonexperimental, exploratory study was to

identify and extract factors that impact the successful implementation of any security analytic

tool. Vonhof (2015) extracted factors using exploratory factor analysis (EFA) in the area of

telework adoption. Factors in this context fall into two types. The first type is the intrinsic factors

that are part of the tool architecture (e.g., tool functionality). The second type is closely

connected with the landscape of the tool (e.g., security governance). This study also had another

significant purpose, that is, to build a comprehensive survey instrument to assess the

implementation of security analytic tool implementation for any corporation. Ferketich, Phillips,

and Verran (1993) suggested that development of a new survey instrument is the best approach

in the absence of existing instrument to probe research questions. While there were commercial

surveys available in security analytics, there were no expert-validated instruments. This survey

instrument should easily help the future research community to assess any security analytic

implementation.

Research Questions

The main research question (ORQ) was “What are the factors that determine the

successful implementation of security analytics tools?” There are two variations to this question.

The first variation (RSQ1) was to determine the factors that impact the successful

implementation of non-big data security analytics tools or packages. The second variation

75

(RSQ2) was to determine the factors that impact the successful implementation of big data

security analytics tools or packages. As Chapters 1 and 3 explained, there were two phases of the

study. Phase 1 of the study focused on developing the survey instrument and Phase 2 focused on

the exploratory factor analysis (EFA). In Phase 2, the researcher established construct validity

for the instrument. Yong and Pearce (2013) endorsed the application of EFA to validate

constructs hidden in a survey instrument. They even recommended confirmatory factor analysis

after the EFA to validate the factors after identification.

Description of the Sample

Phase 1 – Development of the Survey Instrument

Field study. A Delphi study that included anonymous participants leading towards

consensus was the approach for Phase 1. However, the Delphi study cannot begin without any

basis. Malhotra (1981) stressed the need for a field study before initiating the Delphi study. The

researcher, with the help of literature review and interaction with five experts in the field of

security analytics, built an initial questionnaire consisting of 20 questions focused on eliciting

opinion about the implementation of any security analytic tool or package. Of the five experts,

three were hands-on architects in the field of security analytics, and two were highly qualified

academicians specializing in IT. Curtis, Krasner, and Iscoe (1988) insisted that field study is a

viable way of soliciting initial opinion from experts. The researcher adopted some of these best

practices in this field study of security analytics. Even though it was not necessary, the

researcher maintained anonymity between the participants. Each field study participant

independently reviewed the initial set of questions, added his or her opinions on changes to

existing questions, and some added new questions to the questionnaire. The researcher avoided

bias among participants by executing the field study in parallel. One of the five experts was a

76

technology researcher, and he preferred to provide his feedback through a discussion process. At

the end of the field study, 32 questions in security analytics emerged from these five experts.

These 32 questions formed the input to the Delphi study (Round 1).

Delphi Panel. The researcher recruited the Delphi expert panel with the help of

purposive or criterion sampling. Hasson, Keeney, and McKenna (2000) delineated, in their

highly cited study, the need for a Delphi study to have a sample of experts. Unlike a

conventional quantitative study, where researchers commonly choose their samples using

random selection techniques, in a Delphi study, researchers choose experts based on predefined

criteria. Hence, the name for this type of recruiting is criterion sampling. The researcher

recruited experts based on the criteria explained in Chapter 3. After identifying 47 experts

through LinkedIn profile searches, the researcher sent invitations to 43 experts in security

analytics. It later emerged that four experts had conflicts of interest, and the researcher dropped

them from the panel shortlist. Two reminders were sent to the experts after the initial invitation

to send in their filled-in consent forms.

After waiting for a period of one month, the researcher received consent from 20 experts

to participate in the Delphi study. All these participants sent filled-in consent forms to the

researcher’s e-mail address. In this process, all the Delphi participants communicated from their

personal e-mail addresses to the researcher’s student e-mail address. The researcher never asked

any of the panel members to share their sensitive personal information. The researcher

communicated with the panel members throughout the Delphi study only to the e-mail addresses

that they voluntarily shared. The researcher did not coerce any of the participants into the study

at any stage of the Delphi process, thereby truly implementing the Belmont principles as

explained by Adams and Miles (2013). The initial Delphi panel of 16 members, who completed

77

the first round, belonged to the following diverse categories of security professionals: (a)

information security executive leaders, (b) engineering fellows, (c) security architects, (d)

security program managers, (e) security analytic product managers, and (f) security consultants.

The average experience of the 16 panel members was 20 years in the information security

industry (Table 2). Two notable participants in the panel were a chief information officer and a

chief information security officer (CISO). Every question in the questionnaire had five choices

using a Likert-type scale. Those choices were (a) highly relevant, (b) relevant, (c) neutral, (d)

less relevant, (e) irrelevant. Experts rated the questions based on how relevant those questions

were to the survey. As already discussed in earlier chapters, these Delphi experts contributed

their expertise in building a questionnaire which went on to Phase 2 for the EFA study. The

Phase 2 study went to a larger audience to collect enough data to perform factor analysis. The

Delphi study had four rounds before a solid instrument emerged.

Table 2

Delphi Panel Member Experience

# IT / Info security experience category Years of experience

1 Principal IT architect / Fellow 20

2 CISO 20

3 Security consultant 10

4 Senior DB security developer 15

5 IT consulting manager 30

6 Security operations consultant 12

7 CIO 30

8 Security services manager 12

9 Security program manager 22

10 Senior IT program manager 13

11 Senior IT and security architect 30

12 Senior IT program manager 23

13 Senior ERP and security consultant 28

14 Security product manager 18

15 Database product manager 22

16 Security managing consultant 20

78

All the Delphi participants received a complete orientation to the study and an

explanation of their roles using a waterfall model diagram (Figure 5). They had options to ask

questions and clarifications. Some of the participants obtained the necessary clarifications from

this researcher after going through the model described in Figure 5.

Phase 2 – Sample Description

Chapter 3 has explained the sample size choice of 200 participants for the EFA study

(Phase 2), and the rationale behind the sample size. The researcher used Qualtrics Research and

Audience Services as the survey tool to collect the sample from a broad audience of information

security professionals who had good exposure to security analytic tools. The researcher added a

total of six screening questions to the existing set of 50 questions. These questions had the twin

purpose of improving the quality of the survey and bringing in security professionals from

multiple business domains. The purposes of these questions were as follows: (Q1) obtaining

informed consent from the participant, as mandated by the institutional review board (IRB); (Q2)

providing an option to the participant to be a volunteer in the study without any coercion; (Q3)

procuring commitment from the survey participant to provide thoughtful answers to the

questions; (Q4) ensuring that any participant in the survey had a minimum of one year’s

exposure to security analytic tools; (Q5) ensuring active involvement of the participant in the

information security domain in the last year; and (Q6) ascertaining the business / industry of the

participant (finance, retail, healthcare, government, other).

79

Figure 5. Security analytics research – A waterfall approach to orient the Delphi study

participant.

Research problem Lack of assessment factors for security analytics tools in the currently

available and surveyed academic literature (not commercial assessments).

Research topic To assess such tools, the first step is to identify factors that impact and

influence a successful implementation.

Identify factors To identify factors it is very important that the user community of these

tools is surveyed – .

Security analytics questionnaire

To survey these users a security analytics questionnaire was developed

by the researcher based on his initial knowledge.

Field study of questionnaire A small group of experts reviewed the above questionnaire and

made necessary changes to it.

Delphi study by expert panel (Phase 1) A bigger group of security analytics experts will refine the

questionnaire and this process will go for many rounds (at least

three) till consensus

EFA study by actual participants (Phase 2) The questionnaire which is the outcome of Phase 1 (above)

will be modified (format wise) to suit the exploratory factor

analysis (EFA) study and will be distributed to cyber security

professionals in the industry within North America.

Statistical analysis performed on EFA study data Quantitative statistical techniques will be applied to

the data returned from EFA study to extract success

factors and make final corrections to the questionnaire.

You are one of

the Delphi

panel experts

and your role

ends with Phase

1.

80

The researcher had established a contract with Qualtrics for 200 responses based on

sample size requirements (Chapter 3) and cost constraints. Qualtrics published the survey and

made it available for five days after recruiting the cybersecurity professionals from within its list

of professionals. A total of 2,202 professionals took the survey. Some 1,497 professionals did not

have any experience in cybersecurity, so they did not get beyond Q3. Only 705 participants

reached Q5. Of these 705 participants, 319 participants had one year’s experience in the security

analytics domain, 167 participants had two years of experience in security analytics domain, 219

participants had three years of experience in security analytics domain, and 87 more participants

were not able to proceed beyond Q5, as their cybersecurity experience was not current. A final

list of 373 completed the survey. Qualtrics provided the best 210 responses to the researcher

based on the contract agreement. Qualtrics provided 10 responses free of cost. The researcher

discarded four responses, as they contained repeated straight-line responses. Simple analytics

performed on the 206 responses revealed the following statistics (Tables 3 and 4).

Table 3

Participant Domain Experience

Security Analytic Domain Experience (Years) Participant Count

1 71

2 38

3 or more 97

81

Table 4

Participant Industry

Industry Participant Count

Finance 52

Healthcare 31

Retail 45

Government 21

Other 57

Table 3 indicates that 47% (97 counts) of the participants had used security analytics

tools for three or more years in their information security career. Some 66% (135 counts) of the

survey participants had more than two years of experience in using security analytic tools and

processes. Table 4 provides the count of participants from different industries. Finance, retail,

and other categories formed 75% of the survey participants.

Delphi Study

Round 1 of the Delphi Technique

The Round 1 questionnaire for the security analytic study went to 20 security analytic

experts who signed up to participate in the study. Sixteen of the experts returned the filled-in

questionnaire after two reminders went out. The researcher consolidated all 16 responses to the

32 questions. Skulmoski et al. (2007) opined that the first round of Delphi is mostly an initial

brainstorming round. In this round, the panel generated the maximum set of new ideas, as panel

members looked at the questionnaire for the first time. Based on the feedback, the researcher

took a few actions: (a) the researcher consolidated all the Round 1 feedback and communicated it

to the panel members, (b) the researcher computed Kendall’s coefficient to understand the extent

of convergence among panel members; (c) the researcher sent 25 new questions that emerged to

the panel members, (d) the researcher used the percent agreement method to assess consensus.

82

The focus areas of feedback for Round 1 were (a) tool service level agreements; (b) upgrades,

availability, and failover support; (c) log source management; (d) tool coverage, compliance, and

licensing; and (e) cloud environment and architecture. Kendall’s coefficient for Round 1 was

0.208 (Table 5).

Table 5

Results of the Delphi Rounds

Delphi

Round

#

# of

Panel

Experts

# of Items

(at the

Start of

the

Round)

Kendall’s

Coefficient

(W)

% Agreement

Among Panel

Members for

Relevancy of

Question/Item

Notes

1 16 32 0.208 81% Initial input to the panel

(output of the field study)

contained 32 questions.

The expert panel found

81% of the questions

relevant

2 15 57 0.148 77% Twenty-five questions

added based on expert

panel feedback before the

start of Round 2. The

expert panel found 77% of

the questions relevant

3 13 50 0.147 100% Seven questions removed

based on refinement

feedback from the panel

before the start of Round

3.

4 11 50 0.212 100% No additions of new

questions were made.

Minor changes to existing

questions.

Applying the percent agreement method, panel members found that 81% of the questions

were either relevant or highly relevant, thereby approving those questions for Phase 2 of the

study. The researcher considered all the responses to every question except “neutral” and “not

83

applicable” responses in computing percent agreement. For every question, the researcher

computed an average of the responses. For 81% of the questions, the average rating was less than

2. On the Likert-type scale, the researcher assigned the following values to the Delphi survey

responses: (a) 1 for “highly relevant,” (b) 2 for “relevant,” (c) 3 for “neutral,” (d) 4 for “less

relevant,” and (e) 5 for “irrelevant.” Vonhof (2015) followed a similar process of employing the

Likert-type scale in Delphi survey. For the big data section of the survey only, the researcher

introduced an additional option (6: not applicable). The researcher did this for two reasons: (a)

many organizations may not have implemented big data security analytics, and (b) participants

may not want to commit to a new or emerging area of technology in a survey, and hence they

should have an option to ignore the question; a “neutral” option will not cover the above

conditions. The descriptive statistics are in Table 6.

Round 2 of the Delphi Technique

Round 2 started with 57 questions that emerged from the collective feedback from the

panel in Round 1. The researcher added 25 new questions and modified some others. Delphi

panelists reviewed the consolidated feedback after the completion of Round 1 and accepted

them. There was no feedback from the panel for the consolidated report after Round 1. Hence,

the researcher converted all the feedback from Round 1 into formal questions. Major feedback

for Delphi Round 2 focused on the following areas: (a) threat intelligence, (b) big data-based

security analytic tools, and (c) pruning of unsuitable questions. Consolidated feedback went to

the Round 2 participants. Kendall’s coefficient for Round 2 was 0.148. A reduced Kendall’s

coefficient was predictable for Round 2, as the number of questions nearly doubled. One

participant dropped out of the Delphi study and the number of participants for Round 2 was 15.

84

Table 6

Delphi Round 1– Descriptive Statistics

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q1 16 1.50 0.632 1 3

Q2 16 1.63 0.619 1 3

Q3 16 2.25 1.238 1 5

Q4 16 1.69 0.793 1 4

Q5 16 1.69 0.704 1 3

Q6 16 2.06 0.929 1 4

Q7 16 1.81 0.911 1 4

Q8 16 2.31 1.250 1 4

Q9 16 1.88 1.088 1 4

Q10 16 2.13 0.957 1 4

Q11 16 1.75 0.856 1 4

Q12 16 1.56 0.727 1 3

Q13 16 1.56 0.629 1 3

Q14 16 2.06 0.854 1 4

Q15 16 1.75 0.775 1 4

Q16 16 1.63 0.719 1 3

Q17 16 1.81 0.981 1 4

Q18 16 1.69 1.078 1 5

Q19 16 2.06 0.854 1 3

Q20 16 1.63 0.885 1 4

Q21 16 1.50 0.516 1 2

Q22 16 1.56 0.727 1 3

Q23 16 1.50 0.632 1 3

Q24 16 1.50 0.632 1 3

Q25 16 1.56 0.814 1 3

Q26 16 1.75 0.775 1 3

Q27 16 1.88 0.957 1 5

85

Table 6 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q28 16 2.31 1.352 1 5

Q29 16 2.88 1.310 1 5

Q30 16 3.06 1.237 1 5

Q31 16 2.88 1.204 1 5

Q32 16 2.75 1.291 1 5

As per the percent agreement method, the number of questions that the participants found

relevant was 77% of the 57 questions. The researcher ignored “neutral” and “not applicable”

responses in computing the percentage of agreement. This drop in percentage triggered the need

to prune questions that were not relevant to the survey from the list. As a result, the researcher

removed seven questions from the list based on the feedback from the panel members. The

descriptive statistics for Round 2 are provided in Table 7.

Round 3 of the Delphi Technique

Round 3 started with 50 questions, and these questions went to the Delphi panel for

further feedback and review. Even though there were no new questions or new areas of security

analytics, feedback focus from the panel was on questions in big data security analytics. Panelists

suggested changes to these questions concerning some foundational aspects of big data.

Consequently, after applying these changes, big data questions were more focused and effective

in extracting answers from potential participants. Consolidated feedback on Round 3 went to the

participants just before the start of Round 4.

86

Table 7

Delphi Round 2 – Descriptive Statistics

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q1 15 1.33 0.488 1 2

Q2 15 1.53 0.516 1 2

Q3 15 1.93 0.961 1 4

Q4 15 1.73 0.458 1 2

Q5 15 1.73 0.458 1 2

Q6 15 1.73 0.594 1 3

Q7 15 1.93 1.033 1 4

Q8 15 1.80 0.941 1 4

Q9 15 1.80 0.862 1 4

Q10 15 2.47 0.834 1 4

Q11 15 1.73 0.594 1 3

Q12 15 2.13 0.990 1 4

Q13 15 2.47 0.834 1 4

Q14 15 1.53 0.516 1 2

Q15 15 2.40 0.910 1 4

Q16 15 1.73 0.594 1 3

Q17 15 2.00 1.000 1 4

Q18 15 1.60 0.507 1 2

Q19 15 2.13 0.834 1 4

Q20 15 1.53 0.640 1 3

Q21 15 2.27 0.961 1 4

Q22 15 2.00 1.000 1 4

Q23 15 2.00 0.926 1 4

Q24 15 1.80 0.941 1 4

Q25 15 1.53 0.516 1 2

Q26 15 1.67 0.617 1 3

Q27 15 1.93 0.704 1 3

87

Table 7 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q28 15 1.60 0.632 1 3

Q29 15 1.87 0.834 1 3

Q30 15 2.00 0.756 1 3

Q31 15 2.13 0.743 1 3

Q32 15 2.20 0.941 1 4

Q33 15 1.67 0.724 1 3

Q34 15 2.07 0.884 1 4

Q35 15 2.40 0.910 1 4

Q36 15 2.00 0.756 1 3

Q37 15 2.40 0.910 1 4

Q38 15 2.33 0.900 1 4

Q39 15 2.00 0.926 1 4

Q40 15 2.13 0.915 1 4

Q41 15 2.00 1.134 1 5

Q42 15 2.27 1.033 1 5

Q43 15 1.93 0.704 1 3

Q44 15 2.27 0.884 1 4

Q45 15 2.27 1.163 1 6

Q46 15 2.47 1.246 1 6

Q47 15 2.60 1.242 1 6

Q48 15 2.67 1.234 1 6

Q49 15 2.47 1.187 1 6

Q50 15 2.47 1.356 1 6

Q51 15 2.20 1.320 1 6

Q52 15 2.80 1.320 1 6

Q53 15 2.53 1.246 1 6

Q54 15 2.67 1.234 1 6

Q55 15 2.47 1.246 1 6

88

Table 7 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q56 15 2.53 1.125 2 6

Q57 15 2.47 1.246 1 6

Two participants dropped out of the study in Round 3. Only 13 participants participated

in Round 3 and provided responses within the waiting period of three weeks. Kendall’s

coefficient was 0.147, almost the same as Round 2. However, as per the percent agreement

method, the number of questions that the panel found relevant increased to 100%. The researcher

ignored “neutral” and “not applicable” responses in computing the percentage of agreement. As

per the original agreement, the researcher had only planned three rounds of Delphi study.

However, based on the feedback in Round 3, with the specific focus on big data security

analytics, and the lack of consensus, the researcher decided to conduct one more round of the

Delphi study. The researcher notified the participants of this and gave them the option to drop

out of Round 4 if they were not interested in proceeding to one more round. Descriptive statistics

for this round are provided in Table 8.

Round 4 of the Delphi Technique

Round 4 started with 50 questions that emerged from Delphi Round 3. The researcher

incorporated the changes and modifications the panel members suggested in Round 3 before the

questionnaire went out to the panel members for Round 4. The questionnaire went to the 13

members who were still in the study by the end of Round 3. After the waiting period of three

weeks, the researcher received feedback from 11 participants.

89

Table 8

Delphi Round 3 – Descriptive Statistics

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q1 13 1.46 0.660 1 3

Q2 13 1.62 0.961 1 4

Q3 13 1.62 0.768 1 3

Q4 13 1.54 0.519 1 2

Q5 13 1.69 0.751 1 3

Q6 13 1.85 0.689 1 3

Q7 13 1.31 0.630 1 3

Q8 13 1.69 0.947 1 4

Q9 13 1.54 0.519 1 2

Q10 13 1.85 0.801 1 3

Q11 13 1.69 0.751 1 3

Q12 13 1.69 0.630 1 3

Q13 13 1.85 0.689 1 3

Q14 13 1.54 0.660 1 3

Q15 13 1.62 0.650 1 3

Q16 13 1.46 0.660 1 3

Q17 13 1.85 0.689 1 3

Q18 13 1.46 0.519 1 2

Q19 13 2.00 1.000 1 4

Q20 13 1.69 0.480 1 2

Q21 13 1.54 0.660 1 3

Q22 13 1.31 0.480 1 2

Q23 13 1.54 0.660 1 3

Q24 13 1.85 0.689 1 3

Q25 13 1.54 0.519 1 2

Q26 13 1.46 0.519 1 2

Q27 13 1.77 0.599 1 3

90

Table 8 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q28 13 1.31 0.480 1 2

Q29 13 1.77 0.832 1 3

Q30 13 1.62 0.768 1 3

Q31 13 1.23 0.439 1 2

Q32 13 1.69 0.751 1 3

Q33 13 1.62 0.650 1 3

Q34 13 1.92 0.641 1 3

Q35 13 1.77 0.725 1 3

Q36 13 1.92 0.954 1 4

Q37 13 1.85 0.801 1 3

Q38 13 1.77 0.927 1 4

Q39 13 1.69 0.751 1 3

Q40 13 1.62 0.768 1 3

Q41 13 2.31 1.377 1 6

Q42 13 2.69 1.251 1 6

Q43 13 2.46 1.266 1 6

Q44 13 2.62 1.660 1 6

Q45 13 2.08 1.382 1 6

Q46 13 2.23 1.363 1 6

Q47 13 2.46 1.266 1 6

Q48 13 2.38 1.261 1 6

Q49 13 2.38 1.325 1 6

Q50 13 2.23 1.363 1 6

Two Delphi participants dropped out of the study during Round 4, bringing down the

number of participants in the final round to 11. Except for a few very minor changes to

grammatical aspects of the questions, the panel did not propose any major changes in Round 4.

91

They did not add any new questions in Round 4. Kendall’s coefficient increased to 0.212 in

Round 4. As per the percent agreement method, for all the 50 questions, panel members came to

100% agreement that all the questions were relevant and were potential candidates for Phase 2 of

the research study. While Kendall’s coefficient of consensus increased by 33% in the final round,

the consensus built using the percent agreement method remained at 100%. These consensus

readings aided in the conclusion that Round 4 brought stability to the entire survey. Hence the

researcher decided to terminate the Delphi study at Round 4. At the end of the fourth round of

the survey, 50 questions remained, and these 50 questions became the input to the EFA phase

(Phase 2) of the study. Descriptive statistics for this round are provided in Table 9.

Table 9

Delphi Round 4 – Descriptive Statistics

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q1 11 1.09 0.302 1 2

Q2 11 1.27 0.467 1 2

Q3 11 1.36 0.505 1 2

Q4 11 1.36 0.505 1 2

Q5 11 1.18 0.405 1 2

Q6 11 1.55 0.522 1 2

Q7 11 1.27 0.467 1 2

Q8 11 1.36 0.505 1 2

Q9 11 1.36 0.505 1 2

Q10 11 1.73 0.905 1 3

Q11 11 1.36 0.505 1 2

Q12 11 1.36 0.505 1 2

Q13 11 1.36 0.505 1 2

92

Table 9 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

Q14 11 1.27 0.467 1 2

Q15 11 1.64 0.674 1 3

Q16 11 1.64 0.674 1 3

Q17 11 1.73 0.647 1 3

Q18 11 1.64 0.674 1 3

Q19 11 1.82 0.603 1 3

Q20 11 1.36 0.505 1 2

Q21 11 1.27 0.467 1 2

Q22 11 1.55 0.688 1 3

Q23 11 1.27 0.467 1 2

Q24 11 1.55 0.522 1 2

Q25 11 1.36 0.505 1 2

Q26 11 1.55 0.522 1 2

Q27 11 1.64 0.674 1 3

Q28 11 1.36 0.674 1 3

Q29 11 1.64 0.809 1 3

Q30 11 1.45 0.688 1 3

Q31 11 1.27 0.647 1 3

Q32 11 1.45 0.688 1 3

Q33 11 2.00 0.894 1 4

Q34 11 2.00 1.000 1 4

Q35 11 1.45 0.688 1 3

Q36 11 1.64 1.027 1 4

Q37 11 1.73 0.786 1 3

Q38 11 1.36 0.674 1 3

Q39 11 1.55 0.688 1 3

Q40 11 1.45 0.688 1 3

Q41 11 2.18 1.471 1 6

93

Table 9 (continued)

Descriptive Statistics

N Mean Std. Deviation Minimum Maximum

`Q42 11 2.18 1.471 1 6

Q43 11 2.45 1.864 1 6

Q44 11 2.64 1.362 1 6

Q45 11 2.36 1.567 1 6

Q46 11 2.27 1.421 1 6

Q47 11 2.27 1.489 1 6

Q48 11 2.55 1.809 1 6

Q49 11 2.45 1.864 1 6

Q50 11 2.36 1.912 1 6

EFA

There was no hypothesis testing involved in this research study, but construct validity of

the survey instrument was performed. The researcher used the KMO measure of sampling

adequacy to validate the sample size. As per Field (2013), a value greater than or equal to 0.9 is

marvelous. SPSS produced a value of 0.926 for the KMO test on the above sample. The output

from the KMO test is included in Table 10.

Table 10

Sample Adequacy Test

KMO Measure of Sampling Adequacy .926

Bartlett’s Test of Sphericity Approx. Chi-Square 4700.035

df 946

Sig. .000

The researcher next performed a correlation of 50 items/questions as recommended by

Field (2013). The analysis procedure is described in Figure 6. Tabachnick and Fidell (2007)

94

suggested that any correlation between variables that is less than 0.3 is indicative of weak

correlation. Field further asserted that researchers should exclude any variable with many

occurrences of weak correlation and should consider them for factor analysis instead. Yong and

Pearce (2013) concurred on eliminating variables with many occurrences of correlation

coefficients less than 0.3. Based on the above citations, the researcher eliminated six questions

from the list of 50 questions: Q41, Q42, Q46, Q31, Q51, and Q12. This elimination left 44

questions for the next part of the data analysis.

Figure 6. Phase 2 – EFA study.

95

Factor extraction was the next step as given in Figure 6. Williams et al. (2010) asserted

that principal axis factoring is the most useful method to extract factors. Yong and Pearce (2013)

stated that scree plot is a method that many research studies have used to identify the number of

factors. The researcher applied both these methods to extract factors. Eigenvalues are the

deciding parameters in concluding the factors as per the principal axis factoring method. Kaiser

(1960) recommended that researchers should include factors with eigenvalues greater than 1.

Based on this approach, nine factors emerged for this study.

Table 11

Total Variance Explained (SPSS)

Total Variance Explained

Factor Initial Eigenvalues Extraction Sums of Squared

Loading

Rotation

Sums

of Squared

Loadings

Total % of

Variance

Cumulative

%

Total % of

Variance

Cumulative

%

Cumulative

%

1 15.937 36.221 36.221 15.457 35.129 35.129 10.472

2 2.182 4.96 41.181 1.731 3.934 39.063 18.423

3 1.862 4.149 45.33 1.404 3.191 42.257 25.755

4 1.345 3.057 48.387 0.868 1/972 44.226 32.221

5 1.266 2.878 51.265 0.788 1.791 46.017 38.443

6 1.2 2.727 53.991 0.719 1.634 47.652 43.542

7 1.149 2.612 56.603 0.676 1.537 49.189 47.051

8 1.061 2.412 59.015 0.595 1.351 50.54 49.708

9 1.043 2.371 61.386 0.571 1.299 51.389 51.839

As per Table 11, nine factors accounted for 61% of cumulative variance before rotation

and 52% after rotation. All nine factors have eigenvalues more than 1.

96

Based on the scree plot analysis in Figure 7, the inflection point happens just after 5 on

the x-axis. While there is a difference between the scree plot and an eigenvalue-based approach

for a given number of extracted factors, factor rotation methods are very effective in deciding the

number of factors based on the factor loadings. Da Veiga et al. (2007) recognized that a factor

loading of more than 0.3 is a meaningful value and variables that load more than 0.3 are

necessary for any given factor for this study. Rotated factor level details from the SPSS tool are

given in Table 12.

Figure 7. SPSS scree plot analysis.

97

Table 12

Rotated Factor Matrix – SPSS Output

Rotated Factor Matrixa

Factor

1 2 3 4 5 6 7 8 9

Q54 0.667 0.181 0.155 0.147 0.199 0.144 0.106

Q48 0.639 0.239 0.125 0.139 0.110 0.191 0.135

Q53 0.614 0.112 0.157 0.153 0.158 0.342

Q55 0.612 0.154 0.173 0.169 0.193

Q52 0.604 0.208 0.223 0.125 0.211

Q49 0.589 0.135 0.156 0.117 0.469 0.108 0.126

Q50 0.575 0.152 0.111 0.192 0.223 0.168

Q56 0.503 0.119 0.146 0.220 0.443

Q57 0.501 0.231 0.252 0.208 0.179 -0.183

Q18 0.185 0.612 0.126 0.153

Q19 0.131 0.608 0.154 0.153 0.232 0.187

Q23 0.606 0.276 0.250 0.142

Q30 0.187 0.424 0.271 0.307 0.211 0.177

Q36 0.203 0.402 0.198 0.314 0.182 0.142 0.309 0.277

Q16 0.140 0.366 0.236 0.265 0.191 0.322

Q20 0.238 0.362 0.216 0.182 0.184 0.176 0.215 0.136 0.212

Q7 0.154 0.204 0.746 0.112

Q8 0.150 0.710 0.124 0.122 0.108 0.103 0.215

Q9 0.227 0.177 0.611 0.158 0.145 0.121 0.107 -0.173

Q10 0.187 0.213 0.543 0.143 0.172 0.102 0.288 0.297

Q11 0.280 0.225 0.437 0.242 0.203 0.200 0.253

Q37 0.253 0.122 0.666 0.117 0.242 0.184

Q27 0.221 0.195 0.216 0.556 0.223 0.158 0.122

Q26 0.226 0.242 0.179 0.503 0.188 0.103 -0.112 0.286

Q43 0.132 0.160 0.419 0.185 0.278 0.281

Q38 0.253 0.227 0.101 0.384 0.220 0.133 0.105 0.114

98

Table 12 (continued)

Rotated Factor Matrixa

Factor

1 2 3 4 5 6 7 8 9

Q22 0.194 0.228 0.321 0.354 0.191 0.269 0.260 0.184

Q29 0.198 0.323 0.132 0.325 0.225 0.276 0.320 0.155 0.243

Q25 0.237 0.114 0.147 0.159 0.643 0.132

Q15 0.139 0.328 0.186 0.121 0.522 0.103 0.157

Q14 0.160 0.365 0.226 0.229 0.407 0.227 -0.110

Q24 0.187 0.287 0.173 0.151 0.401 0.210 0.187 0.109 0.116

Q39 0.199 0.256 0.170 0.162 0.401 0.301

Q28 0.246 0.278 0.210 0.375 0.390 0.214

Q35 0.235 0.177 0.141 0.184 0.289 0.220 0.263 0.218

Q44 0.188 0.162 0.234 0.194 0.676 0.110

Q34 0.199 0.268 0.330 0.327 0.421 0.146

Q45 0.240 0.211 0.182 0.131 0.391 0.151 0.201 0.112

Q40 0.276 0.236 0.320 0.381 0.222 0.101

Q32 0.182 0.239 0.112 0.257 0.282 0.362 0.260

Q33 0.306 0.342 0.193 0.169 0.342 0.109

Q17 0.156 0.331 0.321 0.251 0.108 0.132 0.382

Q13 0.141 0.273 0.255 0.174 0.280 0.131 0.343 0.330

Q21 0.209 0.247 0.182 0.205 0.252 0.220 0.507

a Rotation converged in nine iterations. Extraction method: Principal Axis Factoring.

Before interpreting extracted factors, it is necessary to rotate them. Factor rotation leads

to better interpretation since unrotated factors are ambiguous (Yong & Pearce, 2013). There are

two types of rotation: quartimax and varimax. As per Yong and Pearce (2013), varimax rotation

reduces the number of variables that load onto a factor, whereas quartimax rotation reduces the

number of factors. Two major aims of this research are relevant here. The first aim was to extract

the common underlying factors from the variables. The second aim was to optimize and distill

99

the questions in the survey to generate a meaningful instrument. Hence the researcher chose

varimax rotation. In Table 12, Factors 1 through 6 are easily identifiable with the help of strong

factor loadings. It includes all the loadings with a value of 0.3 and above. In Table 12, there is a

clear decrease in the loadings for Factor 1 after Q57. Similarly, for Factor 2, the loadings reduce

after Q20. Extending the same concept up to Factor 6, there are strong factor loadings in the

range of 0.4 to 0.6.

However, in the case of Factor 7, only two loadings were close to each other (for Q17

and Q13). But, there are strong loadings in Q49 and Q30 for Factor 7, and they also happen to be

cross-loadings. The researcher needed to decide whether to drop a cross-loading item from the

analysis (Costello & Osborne, 2005). As per Costello and Osborne (2005) usually researchers do

not consider cross-loadings if there are other strong loadings that are above 0.5. But in the case

of Factor 7, all the factor loadings were in the range of 0.3 to 0.46. The eigenvalue for Factor 7 is

1.149 (Table 11). These four questions dealt with closely connected areas of the security analytic

domain such as SOC, network anomalies, and tuning. Due to the interconnectedness of the four

loadings mentioned above, the researcher calculated Cronbach’s alpha for all these four factor

loadings to ascertain whether to include Factor 7 in the final list of factors based on the reliability

aspect of the factor. The result of Cronbach’s alpha gave a value of 0.69 for Factor 7 with the

four items mentioned above. Since the rounded value is 0.7, the minimum mark mandated by

Field (2013), the researcher included Factor 7 in the list of factors for this research study. Factors

8 and 9 listed above do not display strong factor loadings. Hence, they are not on the final list of

factors. To summarize, the researcher retained Factors 1 through 7 for further analysis. Factor 8

had only one factor loading and hence the researcher discarded it.

100

Reliability analysis. Reliability analysis is usually a proven technique to establish

instrument reliability. Cortina (1993) asserted that it is easy to ascertain the reliability of an

instrument using the value for Cronbach’s alpha. Field (2013) opined that if the value for

Cronbach’s Alpha is in the range of 0.7 to 0.8, then the instrument reliability is acceptable. Any

value less than 0.7 is not an accepted value for proving the reliability of an instrument. The

researcher performed a reliability test for the list of 44 variables or questions at both the

instrument level and the factor level, the results of which follow.

The reliability of the instrument demonstrates that the instrument measures what it should

measure and that the results are applicable and generalizable to a larger population (Cronbach,

1951). As Table 13 and Table 14 show, reliability at the instrument level is 0.959, suggesting

that the instrument is very cohesive in its reliability.

Table 13

Reliability – Overall Instrument Level

Reliability Statistics

Cronbach’s Alpha Cronbach’s Alpha Based on Standardized Items No, of Items

.958 .959 44

Table 14

Case Processing Summary

Case Processing Summary

N %

Cases Valid 206 100.0

Excludeda 0 .0

Total 206 100.0

a. Listwise deletion based on all variables in the procedure. Scale: Overall_instrument_level.

101

All the 44 items are closely connected and measure the same set of underlying constructs. The

researcher also computed Cronbach’s alpha at factor level to ensure reliability at the individual

factor level. The results are in Table 15.

Table 15

Cronbach’s Alpha at Factor Level

Factor Number of Items Eigenvalue Cronbach’s Alpha

1 9 15.937 0.883

2 7 2.182 0.829

3 5 1.826 0.838

4 7 1.345 0.839

5 6 1.266 0.82

6 6 1.2 0.796

7 4 1.149 0.693

After factor rotation and removal of the double-counting items (Q49 and Q30), 42

questions formed the final output of this study, and they are included in the Appendix A.

Naming of factors. Based on the questions that the researcher categorized after factor

rotation, some common themes for every factor emerged, and the researcher used those common

themes to name the factors. Williams et al. (2010) recommended that factor naming is a

subjective task for the researcher, based on the context of the research and the results of data

analysis. After many rounds of thematic analysis of the questions, the researcher developed the

following table of factor names. More applications of these factors are provided in Chapter 5.

Table 16 provides the details on factor names.

102

Table 16

Factor Names

Factor # Themes/Keywords from Survey Questions Factor Name

Factor 1 Big data platform, incident management and reduction,

correlation, attack detection, network and user behavioral

anomalies

Large-scale security

event analysis

Factor 2 Tool usability, user interface, SOC productivity,

scalability, tuning and false positives, user training

Functional utilization

Factor 3 Correlation analysis, attack prevention, security incident

detection, and suspicious network activity/events

Incident detection and

correlation analysis

Factor 4 Security posture, security health, security process

improvement, reporting capabilities, compliance

management, vulnerability management

Governance and CISO

metrics

Factor 5 Use cases, log sources, categories of log sources, and use

case review

Log source and use

case management

Factor 6 Distributed denial of service (DDoS) attack detection,

authentication attack detection, monitoring, SOC

operational efficiency, actionable intelligence

Threat and operational

intelligence

Factor 7 Real-time attack detection, SOC and network anomaly Real-time attack and

anomaly detection

Summary

This chapter has presented and discussed the results of both Phase 1 and Phase 2 of the

research study. For Phase 1 of the study, four Delphi rounds took place, allowing the participants

to provide their inputs. The researcher applied Kendall’s coefficient and the percent agreement

method to assess the consensus, leading to a 50-question survey instrument. After the fourth

round of Delphi study, 50 questions went to Phase 2 of the research. Phase 2 (the EFA part of the

study) applied a five-step method to perform analysis and to filter out variables or questions that

did not fit into the overall survey instrument. The researcher eliminated six variables or questions

even before conducting factor analysis during the correlation analysis stage (R-matrix). Forty-

four questions formed the input to the factor extraction step. The researcher eliminated two

103

cross-loading questions after the factor rotation, resulting in 42 variables or questions. Thus, the

researcher achieved construct validity using the EFA technique. The researcher validated the

reliability of the instrument using Cronbach’s alpha. The researcher computed Cronbach’s alpha

for all seven factors and found that all these factors were within the acceptable limits, thereby

validating the entire instrument as reliable.

104

CHAPTER 5. DISCUSSION, IMPLICATIONS, AND RECOMMENDATIONS

Introduction

This chapter contains a summary of the results and a discussion of the impact of this

study on the future of research in the domain of security analytics. Cardenas et al. (2013)

summarized the evolution of the security analytics domain by defining three levels of maturity:

(a) Intrusion detection and prevention system (IDPS) related analytics, (b) security information

and event management (SIEM) analytics, and (c) big data-related security analytics. There were

three research questions to this study. The first omnibus question dealt with the determination of

factors that determine the successful implementation of security analytic tools as a whole. The

second dealt with the determination of factors that impact the successful implementation of non-

big data security analytic tools. The third dealt with the determination of factors that impact the

successful implementation of big data-based security analytic tools. Apart from addressing these

questions, the development of a survey instrument dedicated to security analytic domain,

grounded in theory and expert opinion, was another major goal of this research. There is a

summary of those results in the following sections.

Summary of the Results

Even though security analytics tools and products have been in existence for close to 10

years, there was a gap in the literature in terms of a lack of assessment of these tools, and there

was also a lack of expert-validated survey instrument with a theoretical foundation. Hinde (2005)

provided the first introduction to security analytics with respect to fraud detection but did not

105

build an assessment framework. The basis of this research was the understanding that an expert-

validated instrument in security analytics will form the trigger for more research questions in this

area. This study addressed the suggestion of Ferketich et al. (1993) that the development of a

survey instrument is the best way to establish foundational research in any new or unexplored

area. This research has successfully accomplished the above goals, as explained in the following

salient points: (a) the researcher has extracted factors that impact the implementations using

Phase 1 and Phase 2 of the study, (b) Phase 1 applied the Delphi research method to produce an

initial survey instrument, (c) Phase 2 applied exploratory factor analysis (EFA) to refine this

instrument and to arrive at factors, and (d) the researcher used Cronbach’s alpha to validate the

reliability of the survey instrument.

All the results were very satisfactory in producing quantitative results. For example, the

Delphi study concluded in four rounds, ending with good consensus among participants, and the

final round of Delphi had 11 participants complete the survey instrument. Stability emerged

between the third and fourth rounds. True to the opinions expressed by Heiko (2012) in his

consensus and stability research for Delphi studies, good consensus and stability emerged using

the percent agreement method and Kendall’s coefficient in this study. Very few changes

occurred between the third and fourth rounds of Delphi, thereby rendering the instrument more

stable.

Chapter 2 presented a literature analysis of the security analytics domain. It indicated a

gap in the literature in terms of a lack of expert-validated survey instrument to broadly assess

security analytics tools. The goal of developing a survey instrument is to identify factors that

determine a successful implementation of security analytic tools. The research questions are

applicable to all three generations of security analytic tools. These three generations of tools

106

were categorized by Cardenas et al. (2013). Chapter 2 discussed both the operational and the

strategic aspects of the security analytic tools. The literature review covered tool performance,

scalability, user interface, user training, actionable intelligence, correlational ability, SOC

interface, and incident management. The theoretical foundation for this research came from five

major theories: (a) game theory, (b) computational learning theory, (c) DS theory or evidence

theory, (d) the MapReduce programming model, and (e) TAM-3. Chapter 2 discussed

applications of these theories in the field of security analytics with examples. Questions in the

final survey instrument indirectly alluded to the above theories. Chapter 2 included a discussion

of commercial surveys of security analytics tools and their limitations. The researcher distilled

appropriate concepts from the security analytic domain towards the end of Chapter 2 for

inclusion in the survey instrument. These concepts took the form of seed questions for the field

study. The output of the field study consisted of 32 questions. These questions went to Delphi

Round 1 to initiate the Delphi study. Based on the opinions on quantitative surveys by

Pinsonneault and Kraemer (1993), the researcher wove these concepts in as survey questions

during the field study.

Chapter 3 discussed the methodology for both Phase 1 and Phase 2. It explained the

research design in detail using flow diagrams. It explained the quantitative Delphi method and its

usefulness in arriving at a consensus for emerging areas of research, based on Garson (2014). It

applied discussions on quantitative Delphi by Garson in the formulation of initial questions using

a five-point Likert-type scale. Chapter 3 also explained Delphi consensus methods based on the

elaborate work done by Heiko (2012). In addition to this, Chapter 3 discussed participant

selection for the Delphi study. The Delphi study was an extensive and complicated process that

the researcher executed with full adherence to Belmont principles and other ethical principles.

107

There was a discussion of data collection for both Phase 1 (Delphi) and Phase 2 (EFA) with

emphasis on the sample size and the rationale behind it. Finally, the researcher employed a

multistep process for establishing instrument validity using EFA. The researcher demonstrated

the reliability of the survey instrument using Cronbach’s alpha. Seven factors had emerged by

the end of Phase 2 of this research study. Those seven factors accounted for 57% of the total

variance before rotation and accounted for 47% after varimax rotation. Those factors were (a)

large-scale security event analysis, (b) functional utilization, (c) incident detection and

correlation analysis, (d) governance and CISO metrics, (e) log source and use case management,

(f) threat and operational intelligence, and (g) real-time attack and anomaly detection

Discussion of the Results

Security Analytics Implementation – Seven Success Factors

EFA was a major part of the second phase of this research study. This part fulfilled the

construct validity requirement of this study. Vonhof (2015) utilized a similar approach to identify

factors for his research study on telework adoption. This section explains seven factors that

impact the successful implementation of a security analytic tool (Table 17). Factors may not

come from the core part of the security analytic tool. There could be subfactors that are external

to the implementation. It is necessary to assess both intrinsic and extrinsic aspects of the tool

landscape to arrive at the name of the factors. For example, Factor 1 is large-scale security event

analysis. This factor explains the ability of the tool and its environs to perform large-scale event

analysis. Even though the tool primarily drives large-scale security event analysis, computing

power, and network bandwidth at the implementation site indirectly influence the

implementation success.

108

Table 17

Factor Definitions

Factor # Factor Name Factor explanation

Factor 1 Large-scale security event

analysis

This factor is the ability of the security

analytic tool to perform large-scale security

event analysis, and this factor is closely

related to big data tools.

Factor 2 Functional utilization Function utilization is the ability of the users

to effectively utilize the tool to achieve

higher levels of security.

Factor 3 Incident detection and

correlation analysis

Incident detection is the ability of the tool to

identify suspicious events by performing

correlation analysis.

Factor 4 Governance and CISO metrics Governance factor refers to the capability of

the tool to support CISO level metrics and

reporting.

Factor 5 Log source and use case

management

Log sources are identified by business

stakeholders in collaboration with tool

experts.

Factor 6 Threat and operational

intelligence

Threat intelligence refers to the ability of the

tool to provide input to the security

operations center resources.

Factor 7 Real-time attack and anomaly

detection

This factor refers to the tool’s ability to

detect an attack in real-time and report it.

Factor 1: Large-scale security event analysis. The ability of a security analytic tool to

perform large-scale security event analysis is an important factor. While many tools in the

current market have this ability, this factor points to all the sub-factors and the depth of the tool’s

scalability to perform large-scale security event analysis. Oltsik (2013) argued that big data-

based security analytic tools will provide better incident detection and incident response. Several

survey questions in the instrument address subfactors to this factor. RQ3 focuses on big data-

driven security analytics. All the big data-related questions in the survey loaded into Factor 1.

Nine survey questions cover this factor. The large-scale security event analysis factor completely

109

answers RQ3. As per the EFA (Phase 2) results, the majority opinion pointed to big data security

analytic tools being useful as supplementary tools to existing tools and products.

Factor analysis indicated that simulation of security incidents (e.g., malware infection)

and prediction of potential attack scenarios were also important subfactors in this study. The

predictive ability of big data security analytic tools is a major decision-making point for many

customers involved in the initial purchase cycle of these tools. Colbaugh and Glass (2011)

discussed the possibility of such tools predicting future attack situations and timelines. Big data

survey questions and underlying factors have vindicated the solid opinion of Colbaugh and

Glass. These tools exploit the historical data of past attacks and attack situations in detecting

attack scenarios. Wheelus et al. (2016) developed a unique solution for threat intelligence

analytics, and they used the HIVE tool to query the output of the security analytics. Bou-Harb et

al. (2016) utilized the concept of behavioral service graphs to detect user behavioral anomalies.

Based on the above discussions, it is clear that large-scale security event analysis factor has the

following sub-factors: (a) attack prediction, (b) attack simulation, (c) query capability, and (d)

anomaly detection

Factor 2: Functional utilization. RQ2 had six factors that emerged from the EFA.

Factors 2 through 7, as presented in Chapter 4, relate to RQ2. While Factor 1 was fully

representative of big data security analytics, all the other factors belonged to non-big-data

security analytics, thereby directly answering RQ2. In summary, one factor emerged for big data

security analytics (RQ3) and six factors for non-big data security analytics emerged from EFA

(Phase 2). Functional utilization refers to the ability of the security analytics tool to empower the

users and administrators of the tool in using its innate capabilities. Factor analysis strongly

pointed to the user’s ability to understand the tool within a one-year period is an important aspect

110

of the implementation. Venkatesh and Bala (2008) introduced the concept of user perception of

any new technology. Seven survey questions loaded into this factor. Some of the subfactors that

emerged from the factor analysis are as follows.

Shackleford (2014) opined that close to 48% of the users of security analytic tools were

unsatisfied by the training they received. Factor analysis indicated that both functional and

technical training on the tool is a significant influencer in user perception of security analytic

tools. The user interface was yet another aspect influencing the success of security analytic tool

implementation. Crespo and Garwood (2014) argued that the user interface plays a powerful role

in helping the user to understand the tool. Shackleford (2016) found that SOC analysts lack the

skills to deal with security analytic tools. Rules and scalability are other influencers in the

successful implementation of any security analytic tool. The survey instrument that underwent

EFA produced Factor 2, that is, functional utilization. The above-discussed influencers form the

following subfactors: (a) user understanding, (b) user training, (c) SOC interface, (d) rules and

scalability, and (e) user interface.

Factor 3: Incident detection and correlation analysis. EFA produced six factors for

RQ2. Factor 3 is incident detection and correlation analysis. Incident detection is a common

thread among the questions that belong to this factor. Crespo and Garwood (2014) researched the

problem of botnets and recommended that a deeper analysis of security incidents is necessary to

detect all types of security incidents. Correlation analysis of heterogeneous log sources is yet

another influencer in Factor 3. Alserhani (2016) presented an alert fusion approach using

correlational analysis. Five survey questions loaded into this factor. These influencers form the

subfactors incident detection and correlation analysis.

111

Factor 4: Governance and CISO metrics. The fourth factor that the EFA identified is

governance and CISO metrics. Most of the influencers in this group pointed to extrinsic

subfactors. For example, security analytic tools do not necessarily produce all the metrics

necessary for enterprise-level security governance. Hence outputs from security analytic tools, in

the form of reports or dashboard, is a major input to governance metrics. Gordas (2014)

discussed the relevant points in implementing a security analytic tool for small and medium-level

enterprises. Metrics was a major aspect of this discussion. Factor 4 directly addressed RQ2.

Compliance with laws and auditing requirements are very important influencers in the

implementation of security analytic tools. Many security analytic tools support both external

compliance with laws and internal compliance to IT mandates of the corporation. Van de

Moosdijk et al. (2015) discussed in detail the ability of SIEM tools to support compliance

requirements. O’Hara (2010) revealed that network-level attacks are a major concern to the

security posture and security health of even giants like Google Corporation. Many questions that

loaded into this factor focused on security posture and health. Quantitative measurements of

posture and health are regular inputs to CISOs. Reports and dashboards on governance regularly

go to CISOs to apprise the office about the security posture of the organization. Seven questions

from the survey instrument loaded into this factor. Based on the above citations and discussions,

the following subfactors apply to this factor: (a) security posture, (b) security metrics, (c)

compliance, and (d) executive reporting.

Factor 5: Log source and use case management. The fifth factor is log source and use

case management. Like Factor 4, this factor also included some extrinsic variables and

influencers. Some of the common threads for this factor are log sources and use cases. Log

sources are boarded into the security analytic tool from all the locations of any given

112

organization. Log sources also include heterogeneous logs from all the business groups within an

organization. Van de Moosdijk et al. (2015) provided extensive details about log sources in their

work on SIEM governance. Identifying and boarding log sources is a team effort and not

necessarily an intrinsic ability of a security analytic tool. Use cases are the driving points for

both rules and log sources.

Van de Moosdijk et al. (2015) discussed the application of use cases and rules in their

SIEM discussion. Use cases are the result of the requirements of business groups. For example, a

data loss prevention or firewall log may be a valid input to a security analytic tool. The

individual business group needs to identify the business case. This aspect drives home the point

that security analytic tools cannot attain success by their attributes alone. Many inputs from the

IT landscape of the organization are necessary to attain success in protecting the network and

data, using security analytic tools. Identifying and understanding the root causes of a cyber-

attack or a data breach is key to preventing future attacks. Root cause analysis performed on any

attack reveals the vulnerable parts of the organization’s network and data. This kind of analysis

feeds into the use case management process. Nicolett and Kavanagh (2013) categorized learning

from root cause analysis as a critical capability of security analytic tools. Six questions from the

survey instrument loaded into this factor. Based on the above discussions, the subfactors for this

factor are (a) use case management, (b) log source management, and (c) incident root cause

analysis process.

Factor 6: Threat and operational intelligence. The sixth factor is the threat and

operational intelligence. Many of the questions that loaded for this factor focus on faster

detection of specific types of cyber-attacks like Distributed denial of service (DDoS) attack after

implementation of the security analytic tool. In other words, the build-up of threat intelligence

113

and operational intelligence for SOC analysts is the common thread in these questions. Yen et al.

(2013) discussed the need for security analytic tools to have updated threat intelligence

capabilities. Bou-Harb et al. (2016) extracted actionable intelligence from the security analytic

tool they had built. Malekpour et al. (2014) expounded the ability of learning algorithms to

prevent fraudulent behavior. While actionable intelligence is more helpful in preventing future

attacks and even zero-day attacks, the operational intelligence security analytic tools provide to

SOC analysts will boost the analysts’ productivity by helping them in the monitoring of SOC

operations and log sources. Six questions loaded into this factor. Based on the above discussion,

the subfactors are (a) SOC monitoring, (b) actionable intelligence, and (c) faster attack detection.

Factor 7: Real-time attack and anomaly detection. The seventh factor is real-time

attack and anomaly detection. While there have been discussions of attacks in earlier factors, it is

important to understand that real-time attack detection is a slightly different aspect of security

analytic tools. Traffic behavioral analysis is necessary to detect attacks in real time. Raiyn (2014)

presented a survey cyber-attack detection strategy. SOC analysts increasingly rely on such tools

to understand anomalies and attacks. It is possible to understand anomalous behavior, both user

behavior, and network behavior, using such real-time tools. However, SOC analysts are in the

immediate field of a cyber-attack, and they will be the experts who conclude that an anomaly has

occurred. Elliott (2016) described the functionality of a typical security operation center (SOC)

and the SOC analyst. Four questions loaded into this factor; two of them were cross-loadings. In

Chapter 4, there was an extensive discussion on the reasons for including cross-loadings for

Factor 7. Based on the above discussion, the subfactors are real-time attack detection and

anomaly detection. Anomaly detection is a common influencer in both big data-based security

analytic tools and non-big-data-based tools.

114

Findings

Based on the detailed discussions above, the findings of the research in terms of the seven

factors are well aligned with the concepts presented in the literature review section of Chapter 2.

The survey instrument also included these concepts in the form of survey questions.

Development of the survey instrument focused on security analytics through two phases, along

with its validity and reliability tests, have proven that there indeed was a gap in the literature

regarding non-availability of a survey instrument and a lack of clarity in terms of factors to

consider when implementing a security analytic tool. All the questions at the end of Phase 2 still

maintained a strong connection to the underlying theories. For example, Q54 reads, “The big

data security analytic process in my organization could reduce large datasets into smaller ones

thereby helping incident the response team to focus better on the incident investigation.” This

question clearly portrays the underlying MapReduce model. In another example, Q11, whose

final version is “Correlation of log source data feeding into the security analytic tool has

significantly enhanced the incident detecting capabilities” has a direct connection to the DS

theory concepts explained in Chapter 2. Similarly, Q18, “Owners and users of the security

analytic tool could understand and use the tool fully within one year of its implementation”

alluded to the TAM-3 theoretical constructs explained in Chapter 2.

Conclusions Based on the Results

This research has remedied the lack of a survey instrument to probe research questions in

security analytics. Even though the survey instrument passed through many rounds of refinement

and validation, this research has answered the three basic research questions of this study: ORQ

– “What are the factors that impact the successful implementation of analytic tools?”, RSQ1 –

“What are the factors that determine the successful implementation of non-big data security

115

analytic tools?” and RSQ2 – “What are the factors that determine the successful implementation

of big data security analytic tools?” The final instrument contained 42 questions and these

questions covered seven factors. These seven factors along with their subfactors can help in the

assessment of any security analytic implementation. Cardenas et al. (2013) introduced the

concept of three maturity levels for security analytic tools and processes. These seven factors

apply to all three levels. At the first level of maturity, IDPS can apply some of the factors. For

example, attack detection and anomaly detection applies to IDPS devices and their analytics

landscape. At the second level of maturity, these factors apply to a very great extent to SIEM

devices and tools. In a typical low-end SIEM device with more focus on log processing, large-

scale security event analysis (Factor 1) is not fully applicable. However, other factors are

applicable. At the third level of maturity, a fully grown SIEM solution combined with big data

analytical capability, all factors are fully applicable. A summary of the seven success factors for

any security analytic implementation is in Table 18.

As explained in Chapter 1, these factors will immensely benefit the security program

managers responsible for implementing and measuring the success of security analytic tools and

processes. Based on the factors given above, any given security analytic program manager can

focus on measuring these factors, depending on the specifics of implementation. Managers can

establish the goals of any security analytic program with the help of the above factors. For

example, van de Moosdijk et al. (2015) discussed the different possible components of any

security analytic program implementation. Some financial organizations may focus more on

predicting cyber-attacks. In contrast, a small enterprise will try to establish a minimum program

for the safety of the corporate network. Some healthcare organizations will focus more on

compliance with health care laws.

116

Table 18

Factors and Subfactors

Factor # Factor Name Subfactors

Factor 1 Large-scale security event

analysis

Attack prediction, attack simulation, query

capability, anomaly detection

Factor 2 Functional utilization User understanding, user training, SOC interface,

rules and scalability, user interface

Factor 3 Incident detection and

correlation analysis

Incident detection, correlation analysis

Factor 4 Governance and CISO

metrics

Security posture, security metrics, compliance,

executive reporting

Factor 5 Log source and use case

management

Use case management, Log source management,

incident root cause analysis process

Factor 6 Threat and operational

intelligence

SOC monitoring, actionable intelligence, faster

attack detection

Factor 7 Real-time attack and

anomaly detection

Real-time attack detection, anomaly detection

Nicolett and Kavanagh (2013) produced the survey material for the Gartner research

report, but it lacked theoretical and research considerations. However, the use cases in this

research survey were very broad and detailed. The resulting survey instrument focuses on both

the strategic and the operational side of a security analytic implementation. Real experts in the

industry built the survey instrument in Phase 1 part of the study using the Delphi process. At the

end of the Delphi study, there were 11 experts who contributed to the survey instrument. In the

second phase (EFA), the researcher surveyed many security analytic professionals and refined

the survey instrument. Before managers decide to buy or build a security analytic product, the

factors this research has identified can help in the buying process. Security experts can also use

the factors this study has identified when they build the checklist for any implementation of a

security analytic tool. Crespo and Garwood (2014) described an ideal SIEM analytic engine.

Extending the concept of the analytic engine described by Crespo and Garwood, the seven

117

success factors that this study identified can be an ideal assessment standard for architects and

program managers in the security analytics domain.

One of the discussions in Chapter 2 focused on investment in security analytic tools.

Small and medium enterprises have limited IT budgets. Before investing in security analytic

tools, they ideally should become aware of the factors that impact the successful implementation

of such tools. The factors this research study has identified provide a structure to such enterprises

about the nature of these tools and the processes surrounding them. Chapter 2 discussed a

solution provided by Chari et al. (2013) in detail. The focus of this discussion was on compliance

by internal users to prevent insider attacks. One of the subfactors this study identified was

compliance, both external and internal. Yet another subfactor was anomalous behavior. Chari et

al.’s solution addressed both these subfactors.

Chapter 2 described many types of cyber-attacks and the ability of security analytic

solutions to identify and prevent them. Crespo and Garwood (2014) analyzed the ACDC project

and explained the ability of the project to dilute botnet attacks. Their conclusion was a match to

three subfactors identified in this study; attack prediction, attack simulation, and real-time attack

detection. Yen et al.’s (2013) discussion focused on advanced, persistent type of attacks. Some of

these analytic solutions omitted the reduction of false positives as a necessary goal. Reducing

false positives is in the survey instrument as an individual question. False positives are in Factor

2: Functional utilization. Factor 1 is large-scale security event analysis. Big data-based security

analytic tools related to RQ3. All the big data-related attributes loaded into a single factor –

large-scale security event analysis. Wheelus et al. (2016) discussed a very elaborate solution for

big data-based security analytics. Chapter 2 discussed many use cases of this solution. Attack

prediction, attack simulation, querying analytic results, and anomaly detection were the

118

subfactors of Factor 1. The solution built by Wheelus et al. addressed all these subfactors.

Network anomalies are major use cases for security analytic tools. Big data tools, with their

ability to process large datasets, can identify network anomalies. There are many questions in the

survey instrument dedicated to network analytics. Bhuyan et al. (2014) expounded the

fundamental aspects of network security analytics. Factor 1 covers most of the literature on big

data-related security analytics. Based on the discussions earlier in this section, it is clear that the

literature review, the results in terms of factors, and the survey instrument are in agreement to a

great extent. This agreement leads to the conclusion that the researcher has achieved the

dissertation goals.

Limitations

The researcher delimited the sample size to 200 participants. Chapter 3 explained in

detail that this was sufficient for the EFA. However, in any quantitative analysis involving

surveys, a higher sample size is always better. Yong and Pearce (2013) suggested that a sample

size of 300 or more will reduce the error in the data. Tabachnick and Fidell (2013) professed that

a minimum sample size of 500 is ideal for EFA. Fabrigar, Wegener, MacCallum, and Strahan

(1999) opined that sample sizes for EFA studies vary among researchers. The researcher

undertook this study to extract factors that determine the success of implementation of security

analytic tools and as a secondary goal to produce a survey instrument. Yong and Pearce (2013)

recommended that confirmatory factor analysis is the best way to validate the factors identified

in an EFA study. A confirmatory factor analysis was beyond the scope of this study. However,

future studies may employ confirmatory factor analysis to validate the factors. Any future studies

performed to revalidate the survey instrument produced by this research should consider a bigger

audience with the help of a neutral sponsor.

119

From a security analytic domain perspective, there is one limitation that needs a mention

in this section. Artificial intelligence (AI)-driven security analytics, or cognitive security, is the

current trend. Rao (2016) introduced the concept of Security-360, a cognitive and adaptive

approach to enterprise security, currently under research at IBM research labs. There are many

opinions on cognitive security by leading research labs. However, AI-driven security will have a

major influence in the immediate future. Cardenas et al. (2013) introduced three levels of

maturity for security analytics, with the third level being big data-driven security. Based on this

research study and the current trends in cognitive security, AI-driven security will become the

fourth level of maturity. Even though the survey instrument the researcher has produced in this

research focuses on cyber-attacks, the questions do not cover all the well-known cyber-attacks.

In future versions of this instrument, it will be possible to introduce many probing questions to

focus on the ability of the security analytic tools to handle emerging types of attacks (e.g.,

ransomware attacks). Also, there were not enough questions on cloud-driven security analytics.

Future studies need to address this area. Finally, all the participants in Phase 2 of the study

(EFA) came from the United States and Canada. Future researchers can overcome this limitation.

Implications for Practice

The survey instrument that resulted from this research study also identified seven factors after

the exploratory factor analysis (EFA) study (Phase 2). Information security and cybersecurity

professionals can benefit in many ways from this research study. Many implications of this study

are discussed in this section.

Implications for practitioners. Practitioners can use factors that this research has

generated to assess the implementation of different market leading products. Cerullo, Formicola,

Iamiglio, and Sgaglione (2014) compared leading products like QRadar, ArcSight, and enVision.

120

They provided a deep technical analysis. However, it will be ideal to use the seven factors this

research has generated to assess such tools, along with the subfactors. Security consulting

organizations may use the factors extracted during this research study to meet their clients’

needs. When a security analytic tool implementation takes place in any organization,

measurement of success of the implementation and its benefits is a key performance indicator

(KPI) to the executives. Metrics defined based on these factors and subfactors can be useful as

benchmarks to measure the implementation success. For example, in this study, incident

detection is part of Factor-3. Mateski et al. (2012) defined many metrics around incident data.

Average incident count, when repeatedly measured for every month, can help the organization

set some benchmark values. This benchmark will help to identify any outliers and its causes

thereby driving investigations on security incidents. Van de Moosdijk et al. (2015) examined

security governance using analytic tools. The components they discussed in their research can

blend with the factors extracted in this research to bolster security governance in any

organization.

Implications for researchers. Researchers can break down these factors and subfactors

further to serve the needs of security architects. For example, attack simulation is a subfactor.

Many algorithms and other technical data points make up this subfactor. It is necessary to

measure the effectiveness of such techniques to assess the success of this subfactor in any

implementation. It is also possible to extend factors from this study to technical aspects of

security analytics. Yen et al. (2013) discussed the implementation of their Beehive security

analytic tool. The processing speed of log sources was a major metric in their study. This metric

will roll up under Factor 5 (log management and use case management). All of these examples

may be of interest to the research community.

121

Recommendations for Further Research

There are many avenues for further research based on the results of this study. Factor 3 in

this research study is incident detection and correlation analysis. Incident detection is key to any

type of investigation that can confirm an attack or data breach. Security analytic tools can

produce inbuilt reports as discussed by van de Moosdijk et al. (2015) in their research on SIEM.

Researchers can further probe the impact of correlation analysis on identifying security incidents

using statistical techniques. For example, they can explore whether there is a causal relationship

between correlation and incident detection. There are many types of correlation tools and

engines. Rosa et al. (2015) compared different correlation engines and their speeds and

processing power.

Identifying factors that are useful to assess a successful implementation of security

analytic tool was the primary goal of this investigation. Measurement of those factors using

either a quantitative approach or a qualitative approach was not within the scope of this study.

Measurements are usually made using metrics that could be either quantitative or qualitative.

This research study ended with the identification of factors. Metrics for measuring the factors

and subfactors, once defined in a separate study, will extend this research to be a more

productive tool. Factor-3 included correlation analysis. For example, the speed of correlation

engine is measured by the number of security events processed per second. Mateski et al. (2012)

included security threat metrics as a part of their research at Sandia Labs. Similar operational

metrics can be produced based on the factors that are identified in this research study.

Cloud computing has emerged as the future of IT. Many organizations are migrating

towards the cloud. With the emergence of less expensive cloud infrastructures, security analytic

tools are migrating to the cloud. Yam, Baldwin, Shiu, and Ioannidis (2011) provided their

122

opinion on investment in cloud computing and its future. The survey instrument produced in this

research study can be easily customized to include questions on security analytics in a cloud

environment. Even though a security analytic tool and its functions remain almost the same in a

cloud environment, the infrastructure is not anymore a standalone infrastructure and hence

certain tool functionalities are impacted by the cloud environment. Exploring the entire study or

parts of the study for the cloud environment is yet another future research option. Many factors

identified in this research study are applicable to the cloud environment.

User acceptance of any new technology is not attained easily. Venkatesh and Bala (2008)

defined TAM-3 variables as a part of their enhancement to the technology acceptance model.

Perceived usefulness (PU) and perceived ease of use (PEOU) are two variables that are

commonly used to assess the user acceptance of any new technology. While this research study

focused on a broader goal of identifying success factors, there was no in-depth probing of the

user acceptance aspects of the security analytic products and tools. For example, the perceived

ease of use (PEOU) of any given architecture is a promising area to generate more research

questions in the field of security analytics. Functional utilization (Factor 2) is the factor suitable

for exploring further on the TAM-3 related research questions.

Log source and use case management (Factor 5) is an important area of security

analytics. Van de Moosdijk et al. (2015) discussed log sources and use cases in their work on

SIEM tools. Effect of log sources on security incidents is an area of research that can add value

to future studies. Business stakeholders identify use cases that need to be included for analysis in

a security analytic tool. For example, email server logs are a good candidate to be boarded into a

security analytic tool as a log source. Once a log source is boarded, there is a high potential for

security incident data to be impacted by the new log source.

123

Conclusion

This study investigated three research questions in the security analytics domain, in

addition to producing a survey instrument whose construct validity and reliability were fully

validated. The first question pertained to factors that impact the successful implementation of

security analytics tools as a whole. The second question pertained to factors that impact the

successful implementation of non-big data security analytics tools. The third question pertained

to factors that impact the successful implementation of big data security analytics tools. Phase 1

of this study used a Delphi iterative process to produce a survey instrument. The Delphi process

went through four rounds and produced a 50-question survey instrument. In Phase 2, this survey

instrument underwent further refinement by eliminating eight more questions. The final survey

instrument consisted of 42 questions dedicated to the area of security analytics. Phase 2

employed an EFA study that produced seven factors and 23 subfactors. This chapter has

discussed the results and limitations of this research study in detail. It has also presented future

research possibilities with a focus on implications for practice. Since the survey instrument has

undergone refinement through many rounds, future research in security analytics can easily

employ this instrument by performing a confirmatory factor analysis and by exploring many

other possible variable relationships and research questions based on the extracted factors.

124

REFERENCES

Adams, D. P., & Miles, T. P. (2013). The application of Belmont Report principles to policy

development. Journal of Gerontological Nursing, 39(1), 16–21. doi:10.3928/00989134-

20131028-07

Ahlan, A. R., & Ahmad, B. I. E. (2014). User acceptance of health information technology (HIT)

in developing countries: a conceptual model. Procedia Technology, 16, 1287–1296.

Alserhani, F. M. (2016). Alert correlation and aggregation techniques for reduction of security

alerts and detection of multistage attack. International Journal of Advanced Studies in

Computers, Science and Engineering, 5(2), 1–7.

Avella, J. R. (2016). Delphi panels: Research design, procedures, advantages, and challenges.

International Journal of Doctoral Studies, 11, 305–321.

Barron, E. N. (2013). Game theory: An introduction (Vol. 2). Hoboken, NJ: Wiley.

Bhuyan, M. H., Bhattacharyya, D. K., & Kalita, J. K. (2014). Network anomaly detection:

Methods, systems and tools. IEEE Communications Surveys & Tutorials, 16(1), 303–336.

Blum, A. L. (1994). Relevant examples and relevant features: Thoughts from computational

learning theory. In AAAI Fall Symposium on Relevance. Menlo Park, CA: AAAI Press.

Retrieved from https://aaai.org/Papers/Symposia/Fall/1994/FS-94-02/FS94-02-005.pdf

Bou-Harb, E., Scanlon, M., & Fackha, C. (2016). Behavioral service graphs: A big data approach

for prompt investigation of internet-wide infections. In 2016, 8th IFIP International

conference on new technologies, mobility and security (NTMS) (pp. 1–5). Larnaca,

Cyprus: IEEE. http://doi.org/10.1109/NTMS.2016.7792437

Boudreau, M.-C., Gefen, D., & Straub, D. W. (2001). Validation in information systems

research: A state-of-the-art assessment. MIS Quarterly,

25(1),1. http://doi.org/10.2307/3250956

Bowers, K., Hart, C., Juels, A., & Triandopoulos, N. (2013). Securing the data in big data

security analytics. IACR Cryptology ePrint Archive, 2013, 625.

Buczak, A. L., & Guven, E. (2016). A survey of data mining and machine learning methods for

cybersecurity intrusion detection. IEEE Communications Surveys & Tutorials, 18(2),

1153-1176

Burton, L. J., & Mazerolle, S. M. (2011). Survey instrument validity part I: Principles of survey

instrument development and validation in athletic training education research. Athletic

Training Education Journal, 6(1), 27–35.

Carroll, T. E., & Grosu, D. (2011). A game theoretic investigation of deception in network

security. Security and Communication Networks, 4(10), 1162–1172. doi:10.1002/sec.242

125

Cardenas, A. A., Manadhata, P. K., & Rajan, S. P. (2013). Big data analytics for security. IEEE

Security & Privacy, 11(6), 74–76. doi:10.1109/MSP.2013.138

Cerullo, G., Formicola, V., Iamiglio, P., & Sgaglione, L. (2014). Critical infrastructure

protection: Having SIEM technology cope with network heterogeneity. arXiv preprint.

arXiv:1404.7563.

Chari, S., Habeck, T., Molloy, I., Park, Y., & Teiken, W. (2013). A big data platform for

analytics on access control policies and logs. In Proceedings of the 18th ACM Symposium

on Access Control Models and Technologies – SACMAT ’13, USA, 1–264.

doi:10.1145/2462410.2462433

Charishma, P., & Venkatesh, K. (2015). Big data security analytic solution using Splunk.

International Journal of Engineering Research and Applications, 5(4 [Part 3]), 50–53.

Retrieved from http://www.ijera.com

Chaturvedi, M., Narain Singh, A., Prasad Gupta, M., & Bhattacharya, J. (2014). Analyses of

issues of information security in Indian context. Transforming Government: People,

Process and Policy, 8(3), 374–397.

Chen, L. (2009). Curse of dimensionality. In Encyclopedia of Database Systems (pp. 545-546).

Springer US.

Chen, P. C. (2013). Experience-based cyber security analytics (Doctoral dissertation). Available

from ACM Digital Library. (UMI No. AAI3576193)

Cheng, F., Azodi, A., Jaeger, D., & Meinel, C. (2013). Multi-core supported high performance

security analytics. In 2013 IEEE 11th International Conference on Dependable,

Autonomic and Secure Computing, USA, 621–626. doi:10.1109/DASC.2013.136

Chung, K., Kamhoua, C. A., Kwiat, K. A., Kalbarczyk, Z. T., & Iyer, R. K. (2016). Game theory

with learning for cyber security monitoring. In 2016 IEEE 17th International symposium

on high assurance systems engineering (HASE) (pp. 1–8). Orlando, FL:

IEEE. http://doi.org/10.1109/HASE.2016.48

Chuvakin, A. (2010). The complete guide to log and event management. Retrieved

from http://www.novell.com/docrep/2010/03/Log_Event_Mgmt_WP_DrAntonChuvakin

_March2010_Single_en.pdf

Chuvakin, A. (2016). Demystifying security analytics: Data, methods, use cases. Paper presented

at the RSA Conference (2016, March). San Francisco, CA.

Retrieved from https://www.rsaconference.com/writable/presentations/file_upload/air-

t09-demystifying-security-analytics-data-methods-use-cases-final.pdf

Colbaugh, R., & Glass, K. (2011). Proactive defense for evolving cyber threats. In Proceedings

of 2011 IEEE International Conference on Intelligence and Security Informatics, ISI

2011 (pp. 125–130). Washington, DC: IEEE. doi:10.1109/ISI.2011.5984062

126

Cooper, W. W., Gallegos, A., & Granof, M. H. (1995). A Delphi study of goals and evaluation

criteria of state and privately owned Latin American airlines. Socio-Economic Planning

Sciences, 29(4), 273–285.

Cortina, J. M. (1993). What is coefficient alpha? An examination of theory and applications.

Journal of Applied Psychology, 78(1), 98–104.

Costello, A. B., & Osborne, J. W. (2005). Best practices in exploratory factor analysis: Four

recommendations for getting the most from your analysis. Practical Assessment,

Research & Evaluation, 10(7), 1–9.

Crespo, B. G.-N., & Garwood, A. (2014). Fighting botnets with cyber-security analytics: Dealing

with heterogeneous cyber-security information in new generation SIEMs. In 2014 Ninth

International Conference on Availability, Reliability and Security (pp. 192–198).

Fribourg, Switzerland: IEEE. doi:10.1109/ARES.2014.33

Cronbach, L. J. (1951). Coefficient alpha and the internal structure of tests. Psychometrika,

16(3), 297–334.

Curtis, B., Krasner, H., & Iscoe, N. (1988). A field study of the software design process for large

systems. Communications of the ACM, 31(11), 1268–1287.

Cybenko, G., & Landwehr, C. E. (2012). Security analytics and measurements. IEEE Security &

Privacy Magazine, 10(3), 5–8. doi:10.1109/MSP.2012.75

Da Veiga, A., Martins, N., & Eloff, J. H. (2007). Information security culture–Validation of an

assessment instrument. Southern African Business Review, 11(1), 147–166.

Davis, F. D., Jr. (1986). A technology acceptance model for empirically testing new end-user

information systems: Theory and results (Doctoral dissertation). Retrieved from

http://www.researchgate.net/

Davidson, P. L. (2013). The Delphi technique in doctoral research: Considerations and rationale.

Review of Higher Education and Self-Learning, 6(22), 53–65.

Dawis, R. V. (1987). Scale construction. Journal of Counseling Psychology, 34(4), 481.

Dean, J., & Ghemawat, S. (2010). MapReduce: A flexible data processing tool. Communications

of the ACM, 53(1), 72–77.

Dittrich, D., & Kenneally, E. (2012). Applying ethical principles to information and

communication technology research: A companion to the Department of Homeland

Security Menlo Report. Retrieved from

http://www.dhs.gov/sites/default/files/publications/CSD-MenloPrinciplesCOMPANION-

20120103-r731.pdf

127

Duffield, C. (1993). The Delphi technique: A comparison of results obtained using two expert

panels. International Journal of Nursing Studies, 30(3), 227–237.

Ehsan, H., & Khan, F. A. (2012, June). Malicious AODV: implementation and analysis of

routing attacks in MANETs. In Trust, Security and Privacy in Computing and

Communications (TrustCom), 2012 IEEE 11th International Conference (pp. 1181-

1187). IEEE.

Elliott, T. (2016). Predominance of using security information and event management tools to

enhance security analytics for mitigating threats (Doctoral dissertation). Available from

Dissertations & Theses @ Utica College. (Order No. 10183247). Retrieved from

https://search.proquest.com/docview/1853118200?accountid=28902

Fabrigar, L. R., Wegener, D. T., MacCallum, R. C., & Strahan, E. J. (1999). Evaluating the use

of exploratory factor analysis in psychological research. Psychological Methods, 4(3),

272.

Ferketich, S., Phillips, L., & Verran, J. (1993). Development and administration of a survey

instrument for cross‐cultural research. Research in Nursing & Health, 16(3), 227–230.

Field, A. (2013). Discovering statistics using IBM SPSS statistics. Thousand Oaks, CA: Sage.

Fielder A., Panaousis E., Malacaria P., Hankin C., & Smeraldi, F. (2014) Game Theory Meets

Information Security Management. In N. Cuppens-Boulahia, F. Cuppens, S. Jajodia, A.

Abou El Kalam, & T. Sans (Eds.), ICT Systems security and privacy protection. SEC

2014. IFIP Advances in Information and Communication Technology,

Vol 428 (pp. 15–29). Heidelberg, Germany: Springer.

Gantsou, D. (2015). On the use of security analytics for attack detection in vehicular ad hoc

networks. In 2015 International conference on cyber security of smart cities, industrial

control system and communications (SSIC), China. 1–6. doi:10.1109/SSIC.2015.7245674

Garrido-Moreno, A., & Padilla-Meléndez, A. (2011). Analyzing the impact of knowledge

management on CRM success: The mediating effects of organizational factors.

International Journal of Information Management, 31(5), 437–444.

Garson, G. D. (2014). The Delphi method in quantitative research. Asheboro, NC: Statistical

Associates.

Glass, K., & Colbaugh, R. (2011). Web analytics for security informatics. In Proceedings – 2011

European Intelligence and Security Informatics Conference, EISIC 2011, USA. 214–219.

doi:10.1109/EISIC.2011.66

Gliddon, D. G. (2006). Forecasting a competency model for innovation leaders using a modified

Delphi technique (Doctoral dissertation). Available from ProQuest Dissertations &

Theses Global. (Order No. 3292523)

128

Gold, R. (1967). Optimal binary sequences for spread spectrum multiplexing (corresp.). IEEE

Transactions on Information Theory, 13(4), 619–621.

Goldman, S. A. (1995). Computational learning theory. doi:10.1007/3-540-59119-2

Goodman, C. M. (1987). The Delphi technique: A critique. Journal of Advanced Nursing, 12(6),

729–734.

Gordas, V. (2014). Implementing information security management system in SMEs and

ensuring effectiveness in its governance. Egham, Surrey, UK: Information Security

Group. Retrieved from http://www.ma.rhul.ac.uk/static/techrep/2014/RHUL-MA-2014-

6.pdf

Grublješič, T., & Jaklič, J. (2015). Business intelligence acceptance: The prominence of

organizational factors. Information Systems Management, 32(4), 299–315.

Gunaydin, H. M. (2006). The Delphi method. Optimization Group. Retrieved from

http://www.iyte.edu.tr/~muratgunaydin/delphi.htm

Han, Z. (2012). Game theory in wireless and communication networks: theory, models, and

applications. Cambridge: Cambridge University Press.

Hasson, F., Keeney, S., & McKenna, H. (2000). Research guidelines for the Delphi survey

technique. Journal of Advanced Nursing, 32(4), 1008–1015.

Hathaway, O., Crootof, R., Levitz, P., Nix, H., Nowlan, A., Perdue, W., & Spiegel, J. (2012).

The law of cyber-attack. California Law Review, 100(4), 817–885. Retrieved

from http://www.jstor.org/stable/23249823

Heiko, A. (2012). Consensus measurement in Delphi studies: Review and implications for future

quality assurance. Technological Forecasting and Social Change, 79(8), 1525–1536.

Hinde, S. (2005). No state can exist without the confidence of the people. Computer Fraud &

Security, 2005(8), 18-20

Howarth, F. (2014). Security intelligence: Solving the puzzle for actionable insight. London, UK:

Bloor Research. Retrieved from http://www.bloorresearch.com

Hsu, C. C., & Sandford, B. A. (2007). The Delphi technique: Making sense of consensus.

Practical Assessment, Research & Evaluation, 12(10), 1–8.

Hu, H., Wen, Y., Chua, T.-S., & Li, X. (2014). Toward scalable systems for big data analytics: A

technology tutorial. IEEE Access, 2, 652–687. doi:10.1109/ACCESS.2014.2332453

Iivari, J. (1991). A paradigmatic analysis of contemporary schools of IS development. European

Journal of Information Systems, 1(4), 249.

129

Janssens, W., de Pelsmacker, P., & van Kenhove, P. (2008). Marketing research with SPSS.

Boston, MA: Pearson Education.

Jupp, V. (2006). The Sage dictionary of social research methods. Thousand Oaks, CA: Sage.

Kaiser, H. F. (1960). The application of electronic computers to factor analysis. Educational and

Psychological Measurement, 20(1), 141–151.

Kavanagh, K. M., Rochford, O., & Bussa, T. (2015). Magic quadrant for security information

and event management. Gartner, Tech. Rep

Kent, K. (2007). Guide to computer security log management. Gaithersburg, MD: National

institute of standards and technology. Retrieved

from http://logrhythm.com/Portals/0/resources/NIST Guide Log Mgmt SP800-

92.pdf%5Cnhttp://m.sagedatasecurity.com/pdfs/SP800-92-NIST-Guide-to-Log-

Management.pdf

Kohlas, J., & Monney, P.-A. (1994). Theory of evidence – A survey of its mathematical

foundations, applications and computational aspects. ZOR – Mathematical Methods of

Operations Research, 39(21), 35–68.

Leclerc, G., Lefrancois, R., Dubé, M., Hébert, R., & Gaulin, P. (1998). The self-actualization

concept: A content validation. Journal of Social Behavior and Personality, 13(1), 69.

Lee, Y., Kozar, K. A., & Larsen, K. R. T. (2003). The technology acceptance model: Past,

present, and future. Communications of the Association for Information Systems, 12(1),

752–780. Retrieved from http://aisel.aisnet.org

Liang, X., & Xiao, Y. (2013). Game theory for network security. IEEE Communications Surveys

& Tutorials, 15(1), 472–486.

Liu, P., Zang, W., & Yu, M. (2005). Incentive-based modeling and inference of attacker intent,

objectives, and strategies. ACM Transactions on Information and System Security, 8(1),

78–118. doi:10.1145/1053283.1053288

Lops, P., de Gemmis, M., Semeraro, G., Narducci, F., & Musto, C. (2011). Leveraging the

linkedin social network data for extracting content-based user profiles. In Proceedings of

the Fifth ACM Conference on Recommender Systems - RecSys ’11 (p. 293). New York,

NY: ACM Press. http://doi.org/10.1145/2043932.2043986

Lu, Y., & K. (Ram) Ramamurthy. (2011). Understanding the link between information

technology capability and organizational agility: An empirical examination. MIS

Quarterly, 35(4), 931–954. Retrieved from http://www.jstor.org/stable/41409967

130

Mahmood, T., & Afzal, U. (2013). Security analytics: big data analytics for cybersecurity: A

review of trends, techniques and tools. In 2013 2nd National Conference on Information

Assurance (NCIA) (pp. 129–134). Rawalpindi, Pakistan:

IEEE. http://doi.org/10.1109/NCIA.2013.6725337

Malekpour, M., Khademi, M., & Minae-bidgoli, B. (2014). A hybrid data mining method for

intrusion and fraud detection in e-Banking systems. Journal of computational intelligence

and electronic systems, 3,1–6. http://doi.org/10.1166/jcies.2014.1068

Malhotra, N. (1981). A scale to measure self-concepts, person concepts, and product concepts.

Journal of marketing research, 18(4), 456–464. doi:10.2307/3151339

Mateski, M. E., Trevino, C. M., Veitch, C. K., Michalski, J. T., Harris, J. M., Maruoka, S., &

Frye, J. N. (2012). Cyber threat metrics. Albuquerque, NM: Sandia National

Laboratories. Retrieved from http://prod.sandia.gov/techlib/access-

control.cgi/2012/122427.pdf

Mayhew, M., Atighetchi, M., Adler, A., & Greenstadt, R. (2015). Use of machine learning in big

data analytics for insider threat detection. In MILCOM 2015 - 2015 IEEE Military

Communications Conference (pp. 915–922). Tampa, FL, USA:

IEEE. http://doi.org/10.1109/MILCOM.2015.7357562

Mensch, S., & Wilkie, L. (2011). Information security activities of college students: An

exploratory study. Journal of Management Information and Decision Sciences, 14(2), 91.

Mohammed, N., Fung, B. C. M., & Debbabi, M. (2011). Anonymity meets game theory: Secure

data integration with malicious participants. VLDB Journal, 20(4), 567–588.

doi:10.1007/s00778-010-0214-6

Nash, J. F. (1950). Equilibrium points in n-person games. Proceedings of the National Academy

of Sciences, 36(1), 48–49 (Original work published 1950)

National Institutes of Health, Office of Human Subjects Research. (1979). The Belmont Report:

Ethical principles and guidelines for the protection of human subjects of research.

Washington, DC: Government Printing Office.

Newsom, J. (2005). A quick primer on exploratory factor analysis. In SEM (pp. 1–4). Retrieved

from http://web.cortland.edu/andersmd/psy341/efa.pdf

Nicolett, M., & Kavanagh, K. M. (2013). Critical capabilities for security information and event

management. Stamford, CT: Gartner RAS Core Research. Retrieved from

http://dss.lv/f/Critical_Capabilities_for_Security_Information_and_Event_Management_-

_2013_Q1Labs_IBM_Security_Systems.pdf

O’Hara, G. (2010). Cyber-espionage: A growing threat to the American economy. CommLaw

Conspectus, 19, 241.

131

Okoli, C., & Pawlowski, S. D. (2004). The Delphi method as a research tool: An example, design

considerations and applications. Information & Management, 42(1), 15–29.

Oltsik, J. (2013, April 1). Defining big data security analytics [Blog post]. Retrieved from

https://www.csoonline.com/article/2224394/cisco-subnet/defining-big-data-security-

analytics.html

Orlikowski, W. J., & Baroudi, J. J. (1991). Studying information technology in organizations:

Research approaches and assumptions. Information Systems Research, 2(1), 1–28.

Panigrahi, S., Sural, S., & Majumdar, A. K. (2009). Detection of intrusive activity in databases

by combining multiple evidences and belief update. In 2009 IEEE Symposium on

Computational Intelligence in Cyber Security (pp. 83–90). IEEE.

http://doi.org/10.1109/CICYBS.2009.4925094

Pathirage, C., Amaratunga, R. D., & Haigh, R. (2005). Knowledge management research within

the built environment: research methodological perspectives. In 5th international

postgraduate conference in the built and human environment. The Lowry, Salford

Quays,UK: University of Huddersfield. Retrieved from

http://eprints.hud.ac.uk/22699/%0AThe

Pierazzi, F., Casolari, S., Colajanni, M., & Marchetti, M. (2016). Exploratory security analytics

for anomaly detection. Computers & Security, 56, 28–49.

Pinsonneault, A., & Kraemer, K. L. (1993). Survey research methodology in management

information systems: An assessment (No. URB-022). UC Irvine: Center for Research on

Information Technology and Organizations. Retrieved from

http://escholarship.org/uc/item/6cs4s5f0

Pinto, A. (2014). Secure because math: A deep dive on machine learning based monitoring [PDF

document]. Retrieved from http://docs.huihoo.com/blackhat/usa-2014/us-14-Pinto-

Secure-Because-Math-A-Deep-Dive-On-Machine-Learning-Based-Monitoring-WP.pdf

Putnam, J. W., Spiegel, A. N., & Bruininks, R. H. (1995). Future directions in education and

inclusion of students with disabilities: A Delphi investigation. Exceptional Children,

61(6), 553–576.

Puri, C., & Dukatz, C. (2015). Analyzing and predicting security event anomalies: Lessons

learned from a large enterprise big data streaming analytics deployment. In 2015 26th

International Workshop on Database and Expert Systems Applications (DEXA) (pp. 152–

158). Valencia, Spain: IEEE. http://doi.org/10.1109/DEXA.2015.46

Qin, X., Wang, H., Li, F., Zhou, B., Cao, Y., Li, C., … Wang, S. (2012). Beyond simple

integration of RDBMS and MapReduce – Paving the way toward a unified system for big

data analytics: Vision and progress. Proceedings – 2nd International Conference on

Cloud and Green Computing and 2nd International Conference on Social Computing and

Its Applications, CGC/SCA 2012 (pp. 716–725). Washington, DC: IEEE.

doi:10.1109/CGC.2012.39

132

Raiyn, J. (2014). A survey of cyber attack detection strategies. International Journal of Security

and Its Applications, 8(1), 247–256.

Rao, J. R. (2016). Preface: Security intelligence. IBM Journal of Research and Development,

60(4), 1.

Razaq, A., Tianfield, H., & Barrie, P. (2016). A big data analytics based approach to anomaly

detection. In Proceedings of the 3rd IEEE/ACM International Conference on Big Data

Computing, Applications and Technologies - BDCAT ’16 (pp. 187–193). New York, NY:

ACM Press. http://doi.org/10.1145/3006299.3006317

Rosa, L., Alves, P., Cruz, T., Simoes, P., & Monteiro, E. (2015). A comparative study of

correlation engines for security event management. In Proceedings of the 10th

International Conference on Cyber Warfare and Security (p. 11). Kruger National Park,

South Africa: Acpil. Retrieved from citeulike-article-id:13744694

Roy, S., Ellis, C., Shiva, S., Dasgupta, D., Shandilya, V., & Wu, Q. (2010). A survey of game

theory as applied to network security. In 2010 43rd Hawaii International Conference on

System Sciences (pp. 1–10). Honolulu, HI: IEEE. http://doi.org/10.1109/HICSS.2010.35

Sadi, S., & Noordin, M. F. (2011). Developing and validating an instrument for measuring M-

commerce adoption: An exploratory analysis. International Journal of Network and

Mobile Technologies, 20(Sp.), 1–8.

Salih, A., Ma, X., & Peytchev, E. (2017). Implementation of hybrid artificial intelligence

technique to detect covert channels attack in new generation internet protocol IPv6.

In Leadership, Innovation and Entrepreneurship as Driving Forces of the Global

Economy (pp. 173–190). New York, NY: Springer International Publishing.

Sagiroglu, S., & Sinanc, D. (2013, May). Big data: A review. In Collaboration Technologies and

Systems (CTS), 2013 International Conference on (pp. 42–47). Washington, DC: IEEE.

Schales, D. L., Christodorescu, M., Rao, J. R., Sailer, R., Stoecklin, M. P., & Venema, W.

(2011). Stream computing for large-scale, multi-channel cyber threat analytics:

Architecture, implementation, deployment and lessons learned. IBM Research Report.

Retrieved from http://www.research.ibm.com/

Schinagl, S., Schoon, K., & Paans, R. (2015, January). A framework for designing a security

operations centre (SOC). In System sciences (HICSS), 2015 48th Hawaii International

Conference on (pp. 2253–2262). Washington, DC: IEEE.

Schrittwieser, S., Mulazzani, M., & Weippl, E. (2013). Ethics in security research which lines

should not be crossed? In 2013 IEEE Security and Privacy Workshops (pp. 1–4). San

Francisco, CA: IEEE. http://doi.org/10.1109/spw.2013.6914700

Shackleford, D. (2014). Analytics and intelligence survey 2014. A SANS survey. Retrieved from

http://www.sans.org

133

Shackleford, D. (2016). SANS 2016 security analytics survey. A SANS Survey. Retrieved from

http://www.sans.org

Shafer, G. (1976). A mathematical theory of evidence (Vol. 1). Princeton, NJ: Princeton

University Press.

Singh, K., Guntuku, S. C., Thakur, A., & Hota, C. (2014). Big data analytics framework for peer-

to-peer botnet detection using random forests. Information Sciences, 278, 488–497.

Skulmoski, G., Hartman, F., & Krahn, J. (2007). The Delphi method for graduate research.

Journal of Information Technology Education: Research, 6(1), 1–21.

Spector, P. E., & Meier, L. L. (2014). Methodologies for the study of organizational behavior

processes: How to find your keys in the dark. Journal of Organizational Behavior, 35(8),

1109–1119.

Spitzner, L. (2003). Honeypots: Catching the insider threat. In Computer Security Applications

Conference, 2003. Proceedings. 19th Annual (pp. 170–179). Washington, DC: IEEE.

Štemberger, M. I., Manfreda, A., & Kovačič, A. (2011). Achieving top management support

with business knowledge and role of IT/IS personnel. International Journal of

Information Management, 31(5), 428–436.

Stroeh, K., Madeira, E. R. M., & Goldenstein, S. K. (2013). An approach to the correlation of

security events based on machine learning techniques. Journal of Internet Services and

Applications, 4(1), 7.

Tabachnick, B. G., & Fidell, L. S. (2013). Using multivariate statistics (6th ed.). Boston, MA:

Pearson Education.

Talabis, M., McPherson, R., Miyamoto, I., & Martin, J. (2014). Information security analytics:

Finding security insights, patterns and anomalies in big data. London, United Kingdom:

Syngress.

Taylor-Powell, E. (2002). Quick tips collecting group data: Delphi technique. Quick Tips #4

Program Data and Evaluation. Madison, WI: University of Wisconsin. Retrieved from

http://www.uwex.edu/ces/pdande/resources/index.html

TechAmerica Foundation: Federal Big Data Commission. (2012). Demystifying big data: A

practical guide to transforming the business of government. Washington, D.C.: Tech

America Foundation's Federal Big Data Commission. Retrieved from

https://breakinggov.com/documents/demystifying-big-data-a-practical-guide-to-

transforming-the-bus/

Thompson, M. A. (2013). Predicting threat potential using cyber sensors (Doctoral dissertation).

Available from ProQuest Dissertations & Theses Global. (Order No. 3573605)

134

Tripathi, S., Gupta, B., Almomani, A., Mishra, A., & Veluru, S. (2013). Hadoop based defense

solution to handle distributed denial of service (DDoS) attacks. Journal of Information

Security, 04(03), 150–164. doi:10.4236/jis.2013.43018

Turocy, T. L., & von Stengel, B. (2001). Game theory* (Report No. Rep. LSE-CDAM-2001-09).

Draft prepared for the Encyclopedia of Information systems. Department of Mathematics,

London School of Economics, London, UK.

Valiant, L. G. (1984). A theory of the learnable. Communications of the ACM, 27(11), 1134–

1142.

Leeuwen, J.V. (2004). Approaches in Machine Learning. In W. Verhaegh, E. Aarts, & J. Korst

(Eds.), Algorithms in ambient intelligence (pp. 151–166). New York, NY: Springer.

http://doi.org/10.1007/978-94-017-0703-9_8

Van de Moosdijk, J., Wagenaar, D., & Final, S. (2015). Addressing SIEM. Retrieved from

http://www.vurore.nl/images/vurore/downloads/scripties/2030-Def-scriptie-Jarno-van-de-

Moosdijk---daan-Wagenaar.pdf

Venkatesh, V., & Bala, H. (2008). Technology acceptance model 3 and a research agenda on

interventions. Decision Sciences, 39(2), 273–315. doi:10.1111/j.1540-5915.2008.00192.x

Vonhof, J. J. (2015). Middle management and telework adoption: Development of an instrument

using Delphi and exploratory factor analysis for the financial services industry (Doctoral

dissertation). Available from ProQuest Dissertations & Theses Global. (Order No.

3684229).

Von Neumann, J., & Morgenstern, O. (2007). Theory of games and economic behavior.

Princeton, NJ: Princeton University Press.

Wei, Z., Tang, H., Yu, F. R., Wang, M., & Mason, P. (2014). Trust establishment with data

fusion for secure routing in MANETs. In 2014 IEEE International Conference on

Communications (ICC) (pp. 671–676). Sydney, NSW, Australia: IEEE.

http://doi.org/10.1109/ICC.2014.6883396

Wheelus, C., Bou-Harb, E., & Zhu, X. (2016). Towards a big data architecture for facilitating

cyber threat intelligence. In 2016 8th IFIP International Conference on New

Technologies, Mobility and Security (pp. 1–15). Washington, DC: IEEE.

http://doi.org/10.1109/NTMS.2016.7792484

Williams, B., Onsman, A., & Brown, T. (2010). Exploratory factor analysis: A five-step guide

for novices. Journal of Emergency Primary Health Care, 8(3), 116–131. Retrieved from

http://www.tandfonline.com/doi/abs/10.1080/09585190701763982

Worrell, J. L., di Gangi, P. M., & Bush, A. A. (2013). Exploring the use of the Delphi method in

accounting information systems research. International Journal of Accounting

Information Systems, 14(3), 193–208.

135

Yam, C.-Y., Baldwin, A., Shiu, S., & Ioannidis, C. (2011). Migration to cloud as real option:

investment decision under uncertainty. In 2011 IEEE 10th International Conference on

Trust, Security and Privacy in Computing and Communications (pp. 940–949).

Washington, DC: IEEE. http://doi.org/10.1109/TrustCom.2011.130

Yen, T., Oprea, A., & Onarlioglu, K. (2013). Beehive: Large-scale log analysis for detecting

suspicious activity in enterprise networks. Proceedings of the 29th Annual Computer

Security Applications Conference (pp. 199–208). New York, NY: ACM.

doi:10.1145/2523649.2523670

Yong, A. G., & Pearce, S. (2013). A beginner’s guide to factor analysis: Focusing on exploratory

factor analysis. Tutorials in Quantitative Methods for Psychology, 9(2), 79–94.

Yu, D., & Frincke, D. (2005). Alert confidence fusion in intrusion detection systems with

extended Dempster-Shafer theory. In Proceedings of the 43rd Annual Southeast Regional

Conference on - ACM-SE 43 (p. 142). New York, NY: ACM Press.

http://doi.org/10.1145/1167253.1167289

Zadrozny, P., & Kodali, R. (2013). Getting Data into Splunk. In Big Data Analytics Using

Splunk (pp. 9-30). Apress, Berkeley, CA.

Zomlot, L., Sundaramurthy, S. C., Luo, K., Ou, X., & Rajagopalan, S. R. (2011). Prioritizing

intrusion analysis using Dempster-Shafer theory. In Proceedings of the 4th ACM

Workshop on Security and Artificial Intelligence - AISec ’11 (p. 59). New York, NY:

ACM Press. http://doi.org/10.1145/2046684.2046694

136

STATEMENT OF ORIGINAL WORK

Academic Honesty Policy

Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the

integrity of work they submit, which includes but is not limited to discussion postings,

assignments, comprehensive exams, and the dissertation or capstone project.

Established in the Policy are the expectations for original work, rationale for the policy,

definition of terms that pertain to academic honesty and original work, and disciplinary

consequences of academic dishonesty. Also stated in the Policy is the expectation that learners

will follow APA rules for citing another person’s ideas or works.

The following standards for original work and definition of plagiarism are discussed in the

Policy:

Learners are expected to be the sole authors of their work and to acknowledge the

authorship of others’ work through proper citation and reference. Use of another person’s

ideas, including another learner’s, without proper reference or citation constitutes

plagiarism and academic dishonesty and is prohibited conduct. (p. 1)

Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone

else’s ideas or work as your own. Plagiarism also includes copying verbatim or

rephrasing ideas without properly acknowledging the source by author, date, and

publication medium. (p. 2)

Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research

integrity. What constitutes research misconduct is discussed in the Policy:

Research misconduct includes but is not limited to falsification, fabrication, plagiarism,

misappropriation, or other practices that seriously deviate from those that are commonly

accepted within the academic community for proposing, conducting, or reviewing

research, or in reporting research results. (p. 1)

Learners failing to abide by these policies are subject to consequences, including but not limited to

dismissal or revocation of the degree.

137

Statement of Original Work and Signature

I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01)

and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and

Definitions.

I attest that this dissertation or capstone project is my own work. Where I have used the ideas or

words of others, I have paraphrased, summarized, or used direct quotes following the guidelines

set forth in the APA Publication Manual.

Learner name

and date Sethuraman K Srinivas, 11 April 2018

138

APPENDIX A. RESEARCHER-DESIGNED SECURITY ANALYTICS SURVEY

This survey instrument may not be used without the expressed written consent of the author

[email protected], © Sethuraman K Srinivas, 2018

Survey Instrument – Final list of 42 security analytic questions

Q7 A security analytic tool implemented in my organization has accelerated the detection and

prevention of cyber-attacks and data breaches

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q8 Implementation of a security analytic tool was able to uncover new categories of attacks /

anomalies that were previously undetected

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q9 Implementation of a security analytic tool immediately resulted in increased detection rate of

security incidents across the organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q10 Implementation of a security analytic tool increased awareness among security analysts

about suspicious network and system activities.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q11 Correlation of log source data feeding into the security analytic tool has significantly

enhanced the incident detecting capabilities.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

139

Q13 Tuning of rules in the security analytic tool is carried out on a regular basis (and also on as-

needed basis) to enhance detection of threats and attacks

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q14 Categories of log sources feeding into the security analytic tool cover all business units of

my organization. Example of categories are network logs, endpoint logs, critical application logs,

cloud related logs and referential data.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q15 Log sources feeding into the security analytics tool covers all locations of my organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q16 Out of box correlation rules provided by the security analytic tool were effective at

addressing potential attack scenarios

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q17 The security analytic tool provided real-time analytical capabilities that improved the

insights of Security Operational Center (SOC) security analysts within one year of its

implementation.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

140

Q18 Owners and users of the security analytic tool were able to fully understand and use the tool

within one year of its implementation

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q19 Both the technical and functional users of the security analytic tool were provided the

needed training on the tool to perform their functions using the tool

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q20 Tuning of the security analytic tool (including alert correlation) was done on a regular basis

to reduce the number of false positives.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q22 Implementation of the security analytic tool has resulted in more positive compliance

assessment results

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q23 The graphical user interface (GUI) aspect of the security analytic tool is user friendly for the

tool administrators

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q24 Use cases are periodically reviewed and updated based on changes to the threat landscape

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

141

Q25 Business process owners contribute to use cases for the security analytic tool in my

organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q26 In my opinion, the security analytic tool is faster at detecting breaches or attacks and raising

alerts compared to earlier processes used by my organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q27 In my opinion, implementation of the security analytic tool has improved the security health

of internal networks in my organization.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q28 Implementation of the security analytic tool has positively impacted the incident response

process within my organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q29 Metrics and reports from the security analytic tool provided sufficient actionable insights to

my organization’s CISO / CIO team

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

142

Q30 The security analytic tool brought about measurably improved results (within 6 months) for

the analysts in charge of security operation center (SOC)

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q32 The security analytic tool is able to leverage inputs from intrusion detection and prevention

systems (IDPS log sources) systems, in protecting my IT assets

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q33 Actionable intelligence to be followed up on by security analyst(s) was directly generated

by the security analytic tool within 6 months after its implementation.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q34 Identification and monitoring of critical log sources feeding into the security analytic tool

occurs on a regular basis

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q36 The security analytics tool implemented in my organization is able to scale to meet the

growing demands of my organization.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

143

Q37 In my opinion, the security analytic tool improved the overall security posture of my

organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q38 Reporting capabilities available inside the security analytic tool are sufficient to fulfill the

IT governance requirements of my organization

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q39 Root cause analysis is performed on high severity incidents created through alerts in the

security analytic tool.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q40 After implementing the security analytics tool, additional security operation center (SOC)

analysts were required to process the increased number of new offenses or tickets.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q43 The security analytic tool implemented in my organization is able to pro-actively discover

network and application level vulnerabilities.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

144

Q44 An increase in detection of authentication related security incidents was observed within 1

year of implementing the security analytic tool.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q45 An increase in detection of denial of service (DoS & DDoS) incidents was observed within

6 months of implementing the security analytic tool

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Some organizations employ big-data analytics to supplement and enhance a security information

and event management (SIEM) tool or an equivalent. Some organizations use big data tools as a

mainstream security analytics tool. Big data in this context refers to employing one or more

products like Hadoop, MapReduce, Pig, Mahout, IBM Infosphere BigInsights or equivalent to

enhance security analytic capabilities. Big data related questions are grouped together to help the

participant to focus on the context of big data.

Q48 A big data platform in my organization supplements existing security tools and products

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q49 A Big data security analytic platform/tool in my organization provided deeper insights into

anomalous network situations.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q50 In my opinion, big data security analytic platform/tool in my organization benefited from

past data experience which reduced the time to detect potential attack situations.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

145

Q52 A big data security analytic platform/tool provides users with flexibility to interact and

query from large volumes of security data.

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q53 A Big data security analytic platform/tool was able to successfully correlate structured and

unstructured data to enhance incident detection rate

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q54 Big data security analytic process in my organization was able to reduce large data-sets into

smaller ones thereby helping incident response team to better focus on incident investigation

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q55 Big data analytic functions were able to enhance the knowledge of security analysts by

simulating security incidents. (for example: malware infection)

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q56 Big data predictive functions were able to predict potential compromises

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)

Q57 Anomalous insider behavior across the organization was easily identified by big data based

security analytic tool

 Strongly agree (1)  Agree (2)  Neutral (3)  Disagree (4)  Strongly disagree (5)