Variabler av vikt för förmågan att analysera säkerhetsloggar

Within the project Exercises and experiments for operational capability in the cyber environment, studies will be performed of cyber security log analysis capability. This report provides a general overview of log analysis in cyber security and identifies variables presumed to be of great importance for its success. On the highest level of abstraction, three parts are identified as important: collection of information, automatic analysis and manual analysis. Variables believed to important for collection of information are the placement of sensors, information collected about the monitored system and threat intelligence; variables judged as most important for automatic analysis are the type of analysis performed, its accuracy and its computational performance; variables judged as important for the manual analysis are the workspace's design as well as the log analyst's cognitive ability, knowledge, system resources and information resources. Based on the overview, a number of research questions which the project may attempt to answer.