Övning, träning och prövning inom logganalys

The purpose of this report is to describe how training for log analysts should be effectively conducted through development of exercise scenarios and design of training. This requires knowledge and understanding of the log analyst's work, human abilities, and how training should be conducted. The analysts work includes gathering information and carrying out automatic and manual analysis. In these three stages they typically perform four tasks: configure sensors for data collection, monitor the system to identify anomalies, analyze selected events, and take appropriate action when threats are identified. Based on these tasks key areas of human factors research were identified to clarify human abilities, limitations and methods for measuring performance. From the model of situational awareness we described how log analysts were affected by the environment, task, and individual factors such as memory and attention. We also described the individual's behavior with situational awareness (perception, understanding and prediction), decision making and action. Then training and testing were explained, with feedback to participants as a key factor for positive learning. Finally, seven examples of training design for the log analyst were proposed.