On a regular basis, a variety of events take place in computer systems: program launches,
firewall updates, user logins, and so on. To secure information resources, modern organisations
have established security management systems. In cyber incident management, reporting and
awareness-raising are critical to identifying and responding to potential threats in organisations.
Security equipment and operating systems record 'all' events or actions, and major abnormalities
are signalled via alerts based on rules or patterns. Investigation of these alerts is handled by
specialists in the incident response team.
Security professionals rely on the information in alert messages to respond appropriately. Incident
response teams do not audit or trace the log files until an incident happens. Insufficient information
in alert messages, and a machine-friendly rather than human-friendly format, cause cognitive
overload on already limited cybersecurity human resources. As a result, only a small number of
threat alerts are investigated by specialist staff, and security holes may be left open for potential
attacks.
Furthermore, incident response teams have to derive the context of incidents by applying prior
knowledge, communicate with the right people to understand what has happened, and initiate the
appropriate actions. Insufficient information in alert messages and insufficient stakeholder
participation raise challenges for the incident management process, which may result in late
responses. In other words, cybersecurity resources are overburdened because alert messages lack
information and provide an incomplete picture of the subject (incident) needed to support
decision making. The need to identify and track local and global sources in order to process and
understand the critical elements of threat information causes cognitive overload on the company's
currently limited cybersecurity professionals.
This problem can be overcome with a fully integrated report that clarifies the subject (incident) in
order to reduce overall cognitive burden. Instead of spending additional time investigating each
incident, an effort that depends on the analyst's expertise and available time, a detailed incident
report can be used as the input to the human analyst. If cyber experts' cognitive loads can be
reduced, their response time efficiency may improve. The relationship between achieving incident
management agility through contextual analytics with a comprehensive report and reducing human
cognitive overload is still being studied. There is currently a research gap in determining the key
relationships between explainable Artificial Intelligence (AI) models and other technologies used
in security management to gain insight into how explainable contextual analytics can provide
distinct response capabilities. When using an explainable AI model for event modelling, research
is necessary on how to improve self and shared insight into cyber data by gathering and
interpreting security knowledge to reduce the cognitive burden on analysts.
Because the level of cyber security expertise depends on prior knowledge or on the results of a
thorough report used as an input, explainable intelligent models for understanding those inputs
have been proposed. By enriching and interpreting security data in a comprehensive human-readable
report, analysts can gain a better understanding of the situation and make better decisions.
Explainable intelligent models are proposed for cyber incident management that interpret
security logs and cybersecurity alerts, and they include a model that can be used in fraud detection,
where the large number of financial transactions necessitates the involvement of a human in the
analysis process.
In the cyber incident management application, a wide and diverse body of data is digested,
and a report in natural language is produced to assist cyber analysts' understanding of the
situation. The proposed model produces easy-to-read reports/stories by presenting supplementary
information in a novel narrative framework to communicate the context and root cause of the alert.
It has been confirmed that, when compared to baseline reports, a more comprehensive report
that answers core questions about the actor (who), riskiness (what), evidence (why), mechanism
(how), time (when), and location (where) supports real-time decision making by providing
incident awareness. Furthermore, a common understanding of an incident and its consequences
was established through a graph, resulting in Shared Situation Awareness (SSA) capability (the
acquisition of cognition through collaboration with others).
A knowledge graph, also known as a semantic knowledge graph, is a data structure that
represents the various properties of objects and the relationships between them. It has been widely
researched and utilised in information processing and organisation. The knowledge graph depicts
the various connections between the alert and relevant information from local and global knowledge
bases. It interprets knowledge in a human-readable format to enable greater engagement in cyber
incident management. The proposed models are also known as explainable intelligence because
they can reduce the cognitive effort required to process a large amount of security data. As a
result, self-awareness and shared awareness of what is happening in cybersecurity incidents have
been accomplished. The analyses and survey evaluation empirically demonstrated the models'
success in reducing significant overload on expert cognition, bringing more comprehensive
information about the incident, and interpreting knowledge in a human-readable format to enable
greater participation in cyber incident management.
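As an added illustration of the approach described in the two preceding paragraphs (this is not the thesis's own code or data), the following Python links one constructed alert to a constructed local knowledge base (asset inventory and directory) and a constructed global knowledge base (threat intelligence) in a small knowledge graph, then answers the who/what/why/how/when/where questions from that graph. Every host name, address, account, rule and value below is invented; a missing fact in either knowledge base degrades to an explicit "unknown" rather than a gap in the report.

```python
from collections import defaultdict

# Constructed sample alert, as a rule-based sensor might emit it (all values invented).
ALERT = {"id": "A-1", "rule": "SSH brute force", "src_ip": "203.0.113.7",
         "dst_host": "db-01", "user": "svc_backup",
         "time": "2021-03-04T02:17:00Z", "failed_logins": 42}
# Constructed local knowledge base: what the organisation knows about its own entities.
LOCAL_KB = {("db-01", "located_in"): "Sydney DC, rack 12",
            ("db-01", "criticality"): "high",
            ("svc_backup", "owned_by"): "Database team"}
# Constructed global knowledge base: external threat intelligence about the same entities.
GLOBAL_KB = {("203.0.113.7", "listed_as"): "known scanner",
             ("SSH brute force", "technique"): "credential guessing against a remote service"}

def build_graph(alert, local_kb, global_kb):
    """Return a graph as {subject: {relation: object}} whose alert node points at the
    entities it mentions, and whose entity nodes carry local and global knowledge."""
    g = defaultdict(dict)
    g[alert["id"]].update({
        "triggered_by": alert["src_ip"], "targets": alert["dst_host"],
        "account": alert["user"], "matches_rule": alert["rule"],
        "observed_at": alert["time"],
        "evidence": f'{alert["failed_logins"]} failed logins'})
    for kb in (local_kb, global_kb):          # merge both knowledge bases as edges
        for (subj, rel), obj in kb.items():
            g[subj][rel] = obj
    return g

def report(alert_id, g):
    """Answer the six core questions by walking one hop from the alert node."""
    a = g[alert_id]
    src, host, rule = a["triggered_by"], a["targets"], a["matches_rule"]
    return {
        "who":   f'{src} ({g[src].get("listed_as", "no reputation data")})',
        "what":  f'{rule} against {host} (criticality {g[host].get("criticality", "unknown")})',
        "why":   a["evidence"],
        "how":   g[rule].get("technique", "not described"),
        "when":  a["observed_at"],
        "where": g[host].get("located_in", "unknown location"),
        "notify": g[a["account"]].get("owned_by", "unknown owner"),   # shared awareness
    }

def narrative(r):
    """Render the answers as the kind of short story an analyst reads instead of raw fields."""
    return (f'{r["who"]} performed {r["what"]} at {r["when"]} in {r["where"]}. '
            f'Evidence: {r["why"]}. Mechanism: {r["how"]}. Notify: {r["notify"]}.')

if __name__ == "__main__":
    print(narrative(report("A-1", build_graph(ALERT, LOCAL_KB, GLOBAL_KB))))
```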
Finally, the knowledge-graph-based intelligent model is applied to transaction visualisation for fraud
detection, an important challenge in security research. As with incident management, fraud
detection methods need to be more transparent by explaining their results in more detail. Despite
the fact that fraudulent practices are always evolving, investigating money laundering with an
explainable AI that uses graph analysis assists in the comprehension of such schemes. A visual
representation of the complex interactions that occur in transactions between money sender and
money receiver, with human-readable explanations of its aspects for easier digestion, is provided.
The proposed model, which was used in transaction visualisation and fraud detection, was highly
regarded by domain experts. The Digital Defense Hackathon in December 2020 demonstrated that
the model is adaptable and widely applicable (it received first place in the Hackathon competition).