LDR 551_Book 5 Flashcards
What is the title of the paper by Sundaramurthy, Sathya Chandran, et al.?
A Human Capital Model for Mitigating Security Analyst Burnout
What method did researchers use to study SOC analyst burnout?
Anthropological study
What is the main conclusion of the study on SOC burnout?
Burnout is a human capital management problem
What did the researchers identify as connecting factors affecting analyst morale?
Multiple vicious cycles
What is the core model developed by the researchers called?
Human capital model for mitigating security analyst burnout
What are the four factors in the SOC human capital model?
Growth, Skills, Empowerment, Creativity
What happens if one factor in the SOC human capital model trends negatively?
Leads to a vicious cycle
What is the key driver of growth in the SOC human capital model?
Variety in job tasks
What should be used to eliminate mundane work in SOCs?
Automation
How are skills defined in the SOC human capital model?
Development and continuous improvement of analysts’ skill-set
What can cause analysts to look externally for new opportunities?
Skills no longer growing
Sources of SOC Training
On-the-job experiences, peer-directed, formal training
Purpose of on-the-job training
Honing skills through daily experiences
Examples of on-the-job training
Tabletop exercises, Purple Team exercises, penetration testing, Red Teaming
Key driver of analyst empowerment
Trust in SOC skills
Definition of empowerment
Analysts can do their job efficiently
Common problems in empowerment
New teams, politics, past mistakes
Recommended action for empowerment
Slowly build trust with peer-reviewed process
Definition of creativity
Ability to handle novel operational scenarios
Key driver of creativity
Empowerment to solve challenges uniquely
Common problems in creativity
Over-prescribed procedures, lack of time
Recommended action for creativity
Free time for improvements, encourage learning
Purpose of reflection in SOC
Review procedures to find bottlenecks
Purpose of automation in SOC
Eliminate repetitive tasks, improve efficiency
Tools for operational efficiency
SOAR, EDR, SIEM, scripts
What is the goal of finding repetitive tasks?
To automate tasks using scripts, SIEM, EDR, or SOAR.
How does automation affect analysts’ morale and creativity?
Improves morale and provides a creative outlet.
What happens when analysts develop new automated tasks?
Their job becomes easier.
What is the bi-directional connection noted by researchers?
Operational efficiency and job satisfaction.
How does human capital affect operational efficiency?
Skilled analysts make operations efficient.
How does automation impact operations?
Accelerates operations, especially repetitive tasks.
What influence does operational efficiency have on analysts?
Creates a positive influence.
Why are metrics crucial for SOC?
Communicate SOC’s value and ROI to management.
What can happen if bad metrics are used?
Can create a falsely low perception.
How does improved operational efficiency affect metrics?
Improves consistency and shortens response times.
What happens when SOC perception improves?
Budget stays flowing or increases.
What is the most important feedback loop for SOC?
Management support fed by SOC metrics.
What was hard to define according to researchers?
Good, representative, operational metrics.
When are analysts more receptive to feedback?
When they believe in the metrics.
What should metrics show besides incident data?
Meaningful effort by the SOC.
What is the negative effect of bad metrics?
Masks problems and leads to negative consequences.
What can result from analysts being overburdened?
Burnout due to overwork.
What is a focus area for new analysts to prevent burnout?
Growth and skills development.
What should be the biggest focus areas for new analysts?
Growth and skills
What happens if new analysts max out their capabilities quickly?
They won’t stay long
How should new analysts’ learning be paced?
As fast as they can handle
When should new tasks be added for new analysts?
As soon as they master current tasks
What indicates it’s time to push new analysts toward new tasks?
When they look bored or “cherry pick” alerts
What types of training should be provided to new analysts?
On-the-job, peer-led, and formal training
What is the goal of the training for new analysts?
To reach tier 2 level quickly
What should never happen to experienced analysts?
Finding the “ceiling” of learning
What should be provided if no one is left to train experienced analysts?
Additional outside training
How can creativity help experienced analysts?
By creating new and difficult challenges
What should experienced analysts be given to leverage their skills?
Vague descriptions and autonomy
What should be done to leverage experienced analysts’ power?
Assign new tools, automation, improvements
How should tasks be geared for optimal growth?
Toward the edge of their capabilities
What state do tasks at the edge of capabilities induce?
Flow state
What is essential for understanding employees’ capabilities?
Regular one-on-one meetings
What is “Deep Work”?
Distraction-free concentration pushing cognitive limits
What has exponentially increased in corporate communications over the last few decades?
Email communications
What has replaced or augmented email in recent years for real-time communication?
Slack, Teams, and other chat platforms
What problem do new collaboration tools introduce despite addressing email issues?
Interrupting deep work
How often do employees who use Slack check their channels on average?
Once every five minutes
What is a significant challenge in a dynamic SOC environment?
Maintaining focus while context-switching
What do neuroscientists and psychologists say about our attention?
It is fundamentally single-tasked
What must be given to minimize burnout and keep people in their “flow channel”?
Time and space for deep work
What is the goal in promoting deep work?
Reduce or eliminate shallow work
What percentage of time did a SOC team spend on shallow work in a recent consulting engagement?
About 70%
What should SOC tools and processes promote?
Deep work by leaving room for focus
What model is useful for understanding human behavior in performance management?
Thomas Gilbert’s Behavior Engineering Model (BEM)
What should managers consider when an employee is not meeting expectations?
Both environment and individual motivations
What are the three external factors in the BEM?
Data, Resources, Incentives
What are the three internal factors in the BEM?
Knowledge, Capacity, Motives
What is crucial for staff retention and burnout mitigation?
Optimize for growth, skills, empowerment, and creativity
What is beneficial for both the organization and team mental health?
Good organizational practices
What can prevent people who enjoy their work from having a bad experience?
Effective techniques
What can help save good talent if employees aren’t interested in their job?
Job rotations to other groups
What can minimize factors that influence burnout?
Commitment
What is culture according to Ben Horowitz?
How your team makes decisions when you’re not there
What should you do to build the SOC culture you want?
Know yourself and your limitations
What should you provide to encourage desired behaviors and decisions?
Constructive feedback
What is the first step in building a better team culture?
Define and communicate your values
What should you gather to ensure your culture is moving in the right direction?
Metrics like turnover and retention rates
What can higher-than-usual turnover indicate?
You may have a culture problem.
What should you be open to from your team to build trust?
Criticism and feedback.
What should you examine in the context of team values?
Your own mistakes.
What is building a positive culture described as?
An iterative process.
What is culture compared to in its cyclical nature?
Human capital.
What are signs you have a culture problem?
High turnover, failing priorities, shocking actions.
Who are the possible culture-breaking personality types?
The Heretic, The Flake, The Jerk, The Prophet of Rage.
What might indicate a culture problem despite good processes and people?
Team not operating at a high level.
What are signs your team may be off track?
High turnover, low satisfaction, shocking actions.
What should you do if a team member surprises you with bad behavior?
Investigate whether it’s an aberration or pattern.
What might you need to do with disruptive team members?
Identify and take action.
What are common failures in building a positive team culture?
Not correcting behaviors, negative incentives, poor communication.
What is a manager’s job in terms of team expectations?
Manage expectations and highlight risks.
What is “management debt”?
Convenient solutions causing long-term issues.
What is the consequence of incurring too much management debt?
Incurring too much management debt can result in management bankruptcy.
Name common forms of management debt.
Two in the box, matching offers, lacking performance management, disliked tasks.
What is the risk of promoting two co-leads?
Confusion about roles and responsibilities.
What happens when an analyst gets a higher offer elsewhere?
Morale dips and retention problems increase.
Why should matching offers be a temporary solution?
It is not a long-term retention strategy.
Why might teams lack formal performance management processes?
To avoid becoming “too corporate.”
What is the consequence of no performance management?
Performance suffers, and issues are unidentified.
Why is constructive feedback necessary?
To maintain performance, even in high-performing teams.
What is a common issue with keeping people on tasks they dislike?
They may leave, taking key knowledge with them.
What is essential for building a positive SOC culture?
Constant attention, iteration, and communication
Who can be your best allies in building SOC culture?
Human resources, benefits managers, finance team
What should you do with culture-breaking behaviors?
Address them quickly and decisively
What must you have to resolve management debt?
A plan to resolve it at the first opportunity
What is essential to show SOC ROI and justify budget?
Getting SOC metrics right
What famous quote by Peter Drucker is mentioned about metrics?
You cannot manage what you cannot measure
Why are SOC metrics challenging yet crucial?
They show ROI, justify budget, and validate operations
What is the goal of the metrics module?
To derive useful metrics tied to SOC objectives
What is the OKR system and who invented it?
Objectives and Key Results, invented by Andrew Grove
What book discusses separating “important” from “urgent”?
The 4 Disciplines of Execution
What is the purpose of the book “Measure What Matters”?
To lay out the OKR system.
What does the book “The 4 Disciplines of Execution” focus on?
Setting priorities and ensuring follow-through.
What are the two main activities of a SOC?
Ops and improvements.
What is the purpose of metrics in a SOC?
To measure a business process.
What is a metric?
A tool used to measure something.
What is a KPI?
A tool to track key area performance.
What additional component does a KPI have compared to a metric?
Target/Threshold Value.
What is the goal of a KPI?
To maintain the status quo.
What is the difference between a metric and a KPI?
KPIs include target values.
What do car dashboard gauges represent?
Calculations of some metric with current value
What additional feature do dashboard gauges usually include?
Bounds of “normal”
Why are oil temperature and pressure gauges considered KPIs?
Show if temperature/pressure is too high/low
What do metrics with bounds and thresholds indicate?
Ongoing processes needing action if exceeded
What is an example of an objective in OKRs?
Minimize successful phishing
What defines key results in OKRs?
Specific, measurable progress indicators
What is an example of a key result for minimizing phishing?
Fewer than five phishing infections per week
What components are required for a key result?
Metric, current value, target value, start value
How are key results different from KPIs?
Temporary for new initiatives, not daily measures
What is the purpose of KPIs?
Continual measure of daily operations
How can OKRs help when KPIs are out of line?
Develop objectives and key results to fix issues
What do daily operations KPIs measure?
Business as usual processes
What do OKRs measure in SOC goals?
Improvements and initiatives
What question do KPIs answer?
Are we operating as expected?
What is the role of OKRs according to Perdoo?
Define and measure initiatives for key results
What is the source of the SOC-centric chart modification?
Perdoo’s blog post on OKRs and KPIs
What are the first two steps in the SOC process overview?
Collect Goals, Clarify Meaning
What is the purpose of metrics in security cases?
Drive decisions or demonstrate value
What should metrics for a managed service SOC reflect?
Alerts handled, incidents reported, customer interactions closed
What should metrics for a national or HQ-level SOC focus on?
Campaign analysis, intelligence from subordinate SOCs
What does a problem well-stated represent?
A problem half solved
What is a key aspect of successful metrics?
Top-down derived metrics for goal alignment
What system is mentioned for goal alignment in metrics?
Goal Question Metric (GQM)
What technique helps guarantee the usefulness of a metric?
Tie the collection to a “why”
What is the Goal Question Metric (GQM) system?
System for deriving metrics from goals
What are the three steps in the GQM system?
Decide goals, questions, and needed data
What makes a metric useful according to GQM?
It answers a question about meeting objectives
What is the first step in bringing metric information to an organization?
Categorizing the data you have or want
What should you do if you want to improve your current metrics?
Start with collecting additional metrics
What are the four criteria for a good metric according to Andrew Jaquith?
Consistently measured, cheap, cardinal, unit-based
What is a bad metric according to Andrew Jaquith?
Metrics relying on human judgment without strict guidelines
Why is the frequency of metrics production important?
Minimize delay between measurement and reaction
What is the OODA loop?
Observe, Orient, Decide, Act
How should you match your metrics sample rate?
To the rate of what you’re measuring
What happens without frequent measurements?
Signs of being off track may go unnoticed
How should good metrics be gathered?
Effortlessly, automated, short timescale
What is the goal of quick-moving metrics?
Minimize delay between measurement and reaction
What is an example of a poor sampling rate?
Checking for spam email waves once a day
How should KPIs be documented?
With measure, target/threshold, source, frequency
What should the frequency of sampling be compared to?
Rate of the event occurring
What should you document in an organized database?
KPIs and metrics
What fields should you track for metrics?
Measure, Target/Threshold, Source, Frequency
What question should you ask when identifying KPIs?
What does “operating as normal” mean?
What are examples of “as normal” targets?
Customer requirements, SOC goals, history
What do daily operational measures provide?
Context by limits and thresholds
What should you consider for daily operational measures?
Define “business as usual” or “operating as normal”
What might define “normal” for SOC?
Telemetry, alert queue, incidents, work backlog
Where might the definition of “normal” come from?
Externally defined or historical data
What is important for MSSPs regarding “operating as normal”?
Hitting SLAs or key promises
What is a hard goal for internal SOC measures?
99.9% of active assets reporting security data
What should you do if a numeric goal is hard to define?
Look for anomalies based on history
What makes a metric a candidate for a KPI?
Key area of operation needing monitoring
What should be done with key data on a dashboard?
Ensure they stay within correct parameters
What do operational metrics and KPIs represent?
Key data available on a near-constant basis
What should you consider when choosing SOC metrics?
Each stage of the SOC process
What defines “normal” for collection and triage?
Potential metrics and KPIs
What are we looking for in metrics and KPIs?
Goal-aligned, clear, convenient measures
What should metrics help the team do?
Monitor for issues or answer questions
How should improvement goals be written?
Objectives with specific and quantifiable key results
What should objectives and key results clarify?
End state, actions, success measurement
What is the purpose of Key Results in OKRs?
Measure if objectives are successfully met
What should happen to phishing-based incidents as a Key Result example?
Drop to below five per week
Why is breaking down projects important?
Clarifies how initiatives tie to objectives
What should you do if key results aren’t materializing?
Replace or re-evaluate the initiative
What is the purpose of monitoring KPIs?
Detect anomalies and “out of normal” events
What should you do if an initiative doesn’t move the key results?
Try a new approach or identify why
What is the next challenge after defining OKRs and KPIs?
Tackle both operational tasks and improvements
Why are people drawn to operational tasks?
Seen as the most immediate and important need
What is the risk of focusing only on day-to-day tasks?
Potentially at the cost of long-term improvement
What is the purpose of the 4 Disciplines of Execution (4DX)?
Drive continuous improvement and avoid daily firefighting
What is the first principle of 4DX?
Focus on the Wildly Important Goal (WIG)
What is a WIG according to 4DX?
Most important objective needing special attention
How do you define a WIG?
Identify starting line, finish line, and deadline
What does SOC stand for?
Security Operations Center
What is the Eisenhower Matrix used for?
Ranking tasks by urgency and importance
What should you prioritize according to the Eisenhower Matrix?
Non-urgent and important tasks
What is the key insight from this section?
Delaying urgent, unimportant tasks for important ones
What is the focusing question from “The ONE Thing”?
What’s the ONE Thing you can do to make everything else easier or unnecessary?
What is the theory of constraints?
Methodology to improve system performance by addressing bottlenecks
How do you identify a bottleneck in a system?
Look for the step with the lowest bandwidth where items pile up
What is the only way to improve a system according to the theory of constraints?
Increase throughput at the bottleneck
Where should you take measurements in a process?
At every useful stage of the process
What are lead measures?
Metrics that track activities driving a goal
What are lag measures?
Metrics that track the success of a goal
What is a lag measure?
A metric measuring past events
Why aren’t lag measures often the best metrics?
They lack predictive power
What is a lead measure?
Metrics measuring process inputs
Why do lead measures have predictive power?
They measure process inputs determining outputs
What matters most in achieving goals according to 4DX?
Controlling lead measures
What is an example of a lag measure in weight loss?
Weight on the scale
Why doesn’t tracking weight help achieve weight loss?
It only shows past results
What are examples of lead measures in weight loss?
Diet and exercise
What happens when inputs are controlled?
Outputs must follow
What is the third principle in 4DX?
Keeping a compelling scoreboard
What is a compelling scoreboard in 4DX?
A player-centric progress view
Why is a scoreboard important in 4DX?
Creates engagement and focus
What is the fourth principle in 4DX?
Creating a cadence of accountability
What are the three questions in a commitments report?
Did I meet commitments? Did they move the scoreboard? What will I commit to?
Why are people more likely to commit to their own ideas?
Autonomy and creativity
What drives morale and engagement in 4DX?
Seeing positive impact on WIG
What are the two key ideas behind 4DX’s success?
Creating a winnable game, facilitating engagement
Why are employees more likely to respect deadlines they set themselves?
They feel more ownership and responsibility.
What effect do personal commitments between teammates have?
They feel like personal promises.
What does the 4DX system allow teammates to see?
Positive impact of their actions.
What is the goal of the 4DX system?
Set team on a course to success.
What are metrics?
Measurements with a current value.
What are KPIs?
Measurements plus a target/threshold.
What are OKRs?
Measurements plus a defined start, end, current value.
What does the 4DX process emphasize?
Finding and focusing on WIG.
What should you consider when creating good metrics?
Problems you’re trying to solve.
What is the goal of metrics for projects?
Define how close you are to completing.
What does the OKR system help with?
Separating the goal, actions, and measures.
What challenge exists beyond measuring improvement projects?
Validating people take time to work on them.
What system helps confirm execution on initiatives?
The 4 Disciplines of Execution (4DX).
What does the 4DX system create?
A winnable game.
What is reflected in the improvement of daily metrics?
Effectiveness of the SOC and ROI.
What is the key concept in information security discussed in the text?
Prioritization.