Information behaviors and cognitive modes used for cyber situation assessment

The purpose of this dissertation research was to examine the information behaviors and cognitive modes used by expert cyber defenders when completing cyber situation assessment tasks (SA-tasks) of different complexities. Theoretical propositions from Library and Information Science (LIS) task-complexity research and the Cognitive Continuum Theory (CCT) informed the theoretical framework. LIS task-complexity research predicts that increased task complexity results in numerous changes in information-source and information-type use. The CCT predicts that increased task complexity results in a shift from analytical to intuitive cognition. A multiple-case studies design was selected as the research approach. The Critical Decision Method served as the basis for semi-structured, retrospective interviews conducted with 21 expert cyber defenders from small defense companies. The data analysis techniques included directed content analysis, pattern matching, and statistical analysis (the Freeman-Halton extension of Fisher's Exact test). The main findings of this study are as cyber SA-task complexity increased, the expert cyber defenders sought more technical information, used more external sources, including external experts, and based their information behaviors on intuitive cognition. These findings support several of the theoretical predictions from LIS task-complexity research and the CCT. The findings are important because they show that the expert cyber defenders base their information behaviors on years of experience in the cyber defense domain and on years of experience in designing their own companies' security postures. Each company has its own security posture as well as its own level of acceptance of risk. Therefore, cyber situation assessment tools need a design that can be tailored for each company. Additionally, methods are needed to elicit the intuitive processes used by expert cyber defenders in order to train novice cyber defenders as well as other expert cyber professionals taking over the experts' localized cyber defense roles.