Categorization of Events in Security Scenarios
An essential skill in security is categorizing events based on observed event attributes, that is, determining the threat level and priority of an event when choosing an appropriate response action. To explore the basic mechanisms of learning and decision making, we conducted two experiments in which participants were asked to categorize security events into four categories on the basis of the cues that define each event. Participants had no prior knowledge of the relationship between events and categories, and over 128 categorization trials they had to learn that relationship from the feedback received on each trial in the form of rewards (a higher reward for appropriate categorization). Results from the experiments demonstrate the significant role of task abstraction and experiment context in categorization success. The effect of heuristics and knowledge on categorization performance was measured and compared. We conclude with recommendations for future experiments on learning and decision making in security event categorization.