Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Computer Science and Engineering

Major Professor

Xinming Ou, Ph.D.

Committee Member

Adriana Iamnitchi, Ph.D.

Committee Member

Jarred Ligatti, Ph.D.

Committee Member

Nasir Ghani, Ph.D.

Committee Member

Raj Rajagopalan, Ph.D.

Committee Member

Michael Wesch, Ph.D.


Keywords

Ethnography, Human Aspects of Security, Operational Security, Tacit Knowledge


Abstract

Security Operation Centers (SOCs) have become an integral component of business organizations all over the world. The concept of a SOC has existed for a few years now, yet there is no systematic study documenting what occurs in their operations. This lack of documented operational knowledge poses a challenge for security researchers interested in improving operational efficiency through algorithms, tools, and processes.

SOC environments operate under a culture of secrecy, as a result of which analysts and their managers do not trust researchers. Because of this lack of trust, methods such as interviews yield only superficial information. Moreover, security analysts perform their tasks using hunches that are difficult to articulate and express to an interviewing researcher. This knowledge is called tacit knowledge. Capturing rich tacit knowledge is crucial for researchers to build useful and usable operational tools.

This thesis proposes the use of long-term participant observation from cultural anthropology as a research methodology for security researchers to study SOC analysts and their managers. Over a period of four and a half years, seven students in Computer Science, graduate and undergraduate, were trained by an anthropologist in using fieldwork techniques to study humans. They then took jobs as security analysts at five different SOCs belonging to academia and corporations.

We made unexpected discoveries in pursuit of tacit operational knowledge. The first discovery was the identification of human capital mismanagement of analysts as the root cause of analyst burnout. Specifically, a vicious cycle among analyst skills, empowerment, creativity, and growth causes analysts to lose morale and eventually leave the job. In fact, burnout is a manifestation of a number of tensions that are inherent in a security operations setting. This leads to our second discovery: recognizing and managing contradictions is a prerequisite for SOC innovation. Failure to acknowledge them can lead to dysfunctions in a SOC such as analyst burnout. Informed by the findings regarding the social aspects of SOC operations, we attained the intended goal of capturing tacit operational knowledge. The thesis documents our experience in tacit knowledge capture through the design of a framework for detecting phishing emails in near real-time.

Studying human aspects of security operations and cyber-security in general must be done within a social and organizational context. This thesis proposes long-term participant observation of practitioners and end-users as a viable methodology to conduct cyber-security research in general.