Using Wargaming to Model Cyber Defense Decision-Making: Observation-Based Research in Locked Shields
DOI: https://doi.org/10.34190/eccws.23.1.2270
Keywords: Decision-making, Defensive Cyber Operations, Wargaming, Locked Shields
Abstract
Defensive Cyber Operations (DCO) in complex environments, such as cyber wargames, require in-depth cybersecurity knowledge and the ability to make quick decisions. In a typical DCO, execution rarely follows a pre-planned path because of extensive adversary influence, which further challenges an already complex decision-making environment. Decision-making models have been extensively studied from the perspectives of military operations and business management, but they are not sufficiently researched in the context of cyber. This paper responds to this need by examining the decision-making models of DCO leaders in a live-fire wargame environment. This study was conducted by observing leaders of cyber operations during the world's largest live-fire cyber exercise, NATO Locked Shields 2023. In this exercise, the blue teams plan and execute their defensive cyber operation in a realistic operational environment, while the red team conducts attacks against the defended environment. The large-scale, wargaming-style environment of Locked Shields is one of the best environments for modelling DCO decision-making; in this exercise, the DCO is broad and multi-faceted, a perspective which cannot be achieved in a typical capture-the-flag competition or a single security incident. DCO leaders must be able to manage two distinct decision-making processes with different sets of required skills to be successful in the mission. While the primary process relates to the execution and evolution of the pre-designed plan with traditional operational leadership skills, the secondary process deals with unplanned and deliberately caused cyber-related events that require a deep understanding of cybersecurity. In this respect, the main contribution of this research is the constructed decision-making model of the DCO leader. This model is based on observations collected and presented in the context of multiple well-known decision-making frameworks.
This model can be further used to train future DCO leaders and assess artificial intelligence's usability to support and automate decision-making in such operations.
License
Copyright (c) 2024 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.