Centaur Security

By Ken Phelan
Posted in Security
On September 19, 2016

Computers beating humans in chess isn’t news. What may be news to some people is that the best chess player isn’t a computer or a human. It’s a human using a computer. In chess circles, they call this human-computer team strategy a centaur.

We have some man-versus-machine problems in Cyber Security as well. We use computers effectively to record and process large numbers of incidents. There are so many incidents that no human can possibly look at them all, so we ask the computers to find the incidents that are interesting. Incidents that are interesting are often called IOCs (Indicators of Compromise). Still, we have so many IOCs that we would really like the computers to find interesting IOCs (IIOCs?). 

The problem is that “interesting” isn’t really a natural calculation for a computer. Frequency is a natural calculation for a computer. So, when a computer is looking for interesting IOCs, it will often instead tell you about frequency. By that logic, a single IOC on a machine is not interesting, but five IOCs on a single machine are. This is solid machine logic, but worrisome from a cyber-perspective. The question “How many IOCs does it take to hack a machine?” is much like the question “How many licks does it take to get to the center of a Tootsie Pop?” There is no standard. One IOC may do the trick.

What we need is a computer that’s specially designed to see patterns. We need a computer specially designed to see exceptions. Luckily we already have one. Humans. Thanks to our evolutionary training, humans are the world’s best pattern recognition machines. We’re also great at picking out exceptions. Anybody who wasn’t good at hearing that one weird noise in the grass was weeded out of the gene pool a long time ago.

Given that, I think focusing the Cyber conversation on AI that makes humans irrelevant may make for good science fiction or good marketing, but it makes for bad Cyber Security. Look, we know that there’s a shortage of trained Cyber Security professionals that’s not going away soon. I think a focus on making these professionals more productive is more useful than one that focuses on making them irrelevant.

The centaur concept is great in theory, but it holds many challenges for interface design in cyber. As we’ve stated, it’s very easy to calculate frequency and bubble up high-frequency IOCs to the top of the pile. We need to understand that this is not going to work for us.

Imagine that you’re working for the weather service and you’re designing a dashboard to deal with weather emergencies. You know that it’s a big country and that there’s weather happening on literally every square inch. You’re going to need to show this in some form of summary. I guess we could start with one of those giant Red/Yellow/Green weather indicators. If most of the country is sunny, we’re certainly green, no? Now you, like me, can cringe every time you walk into a SOC and see that the Cyber-Threat level is Amber or some such nonsense. How does that affect the actions of everyone in the room? What does that even mean?

The real trick to designing an interface is to get into the mind of the user in front of the screen. What questions are they asking? What decisions are they contemplating? How do we help them? There are no easy answers in designing the next-generation centaur interface, but it’s work we desperately need. What do you think?

Ken Phelan

Ken is one of Gotham’s founders and its Chief Technology Officer, responsible for all internal and external technology and consulting operations for the firm. A recognized authority on technology and operations, Ken has been widely quoted in the technical press, and is a frequent presenter at various technology conferences. Ken is the Chairman of the Wall Street Thin Client Advisory Council.