LDR 551_Book 5 Flashcards

1
Q

What is the title of the paper by Sundaramurthy, Sathya Chandran, et al.?

A

A Human Capital Model for Mitigating Security Analyst Burnout

2
Q

What method did researchers use to study SOC analyst burnout?

A

Anthropological study

3
Q

What is the main conclusion of the study on SOC burnout?

A

Burnout is a human capital management problem

4
Q

What did the researchers identify as connecting factors affecting analyst morale?

A

Multiple vicious cycles

5
Q

What is the core model developed by the researchers called?

A

Human capital model for mitigating security analyst burnout

6
Q

What are the four factors in the SOC human capital model?

A

Growth, Skills, Empowerment, Creativity

7
Q

What happens if one factor in the SOC human capital model trends negatively?

A

Leads to a vicious cycle

8
Q

What is the key driver of growth in the SOC human capital model?

A

Variety in job tasks

9
Q

What should be used to eliminate mundane work in SOCs?

A

Automation

10
Q

How are skills defined in the SOC human capital model?

A

Development and continuous improvement of analysts’ skill-set

11
Q

What can cause analysts to look externally for new opportunities?

A

Skills no longer growing

12
Q

Sources of WSO Training

A

On-the-job experiences, peer-directed, formal training

13
Q

Purpose of on-the-job training

A

Honing skills through daily experiences

14
Q

Examples of on-the-job training

A

Tabletop exercises, Purple Team exercises, penetration testing, Red Teaming

15
Q

Key driver of analyst empowerment

A

Trust in SOC skills

16
Q

Definition of empowerment

A

Analysts can do their job efficiently

17
Q

Common problems in empowerment

A

New teams, politics, past mistakes

18
Q

Recommended action for empowerment

A

Slowly build trust with peer-reviewed process

19
Q

Definition of creativity

A

Ability to handle novel operational scenarios

20
Q

Key driver of creativity

A

Empowerment to solve challenges uniquely

21
Q

Common problems in creativity

A

Over-prescribed procedures, lack of time

22
Q

Recommended action for creativity

A

Free time for improvements, encourage learning

23
Q

Purpose of reflection in SOC

A

Review procedures to find bottlenecks

24
Q

Purpose of automation in SOC

A

Eliminate repetitive tasks, improve efficiency

25
Tools for operational efficiency
SOAR, EDR, SIEM, scripts
26
What is the goal of finding repetitive tasks?
To automate tasks using scripts, SIEM, EDR, or SOAR.
27
How does automation affect analysts' morale and creativity?
Improves morale and provides a creative outlet.
28
What happens when analysts develop new automated tasks?
Their job becomes easier.
29
What is the bi-directional connection noted by researchers?
Operational efficiency and job satisfaction.
30
How does human capital affect operational efficiency?
Skilled analysts make operations efficient.
31
How does automation impact operations?
Accelerates operations, especially repetitive tasks.
32
What influence does operational efficiency have on analysts?
Creates a positive influence.
33
Why are metrics crucial for SOC?
Communicate SOC's value and ROI to management.
34
What can happen if bad metrics are used?
Can create falsely low perception.
35
How does improved operational efficiency affect metrics?
Improves consistency and shortens response times.
36
What happens when SOC perception improves?
Budget stays flowing or increases.
37
What is the most important feedback loop for SOC?
Management support fed by SOC metrics.
38
What was hard to define according to researchers?
Good, representative, operational metrics.
39
When are analysts more receptive to feedback?
When they believe in the metrics.
40
What should metrics show besides incident data?
Meaningful effort by the SOC.
41
What is the negative effect of bad metrics?
Masks problems and leads to negative consequences.
42
What can result from analysts being overburdened?
Burnout due to overwork.
43
What is a focus area for new analysts to prevent burnout?
Growth and skills development.
44
What should be the biggest focus areas for new analysts?
Growth and skills
45
What happens if new analysts max out their capabilities quickly?
They won't stay long
46
How should new analysts' learning be paced?
As fast as they can handle
47
When should new tasks be added for new analysts?
As soon as they master current tasks
48
What indicates it's time to push new analysts toward new tasks?
When they look bored or "cherry pick" alerts
49
What types of training should be provided to new analysts?
On-the-job, peer-led, and formal training
50
What is the goal of the training for new analysts?
To reach tier 2 level quickly
51
What should never happen to experienced analysts?
Finding the "ceiling" of learning
52
What should be provided if no one is left to train experienced analysts?
Additional outside training
53
How can creativity help experienced analysts?
By creating new and difficult challenges
54
What should experienced analysts be given to leverage their skills?
Vague descriptions and autonomy
55
What should be done to leverage experienced analysts' power?
Assign new tools, automation, improvements
56
How should tasks be geared for optimal growth?
Toward the edge of their capabilities
57
What state do tasks at the edge of capabilities induce?
Flow state
58
What is essential for understanding employees' capabilities?
Regular one-on-one meetings
59
What is "Deep Work"?
Distraction-free concentration pushing cognitive limits
60
What has exponentially increased in corporate communications over the last few decades?
Email communications
61
What has replaced or augmented email in recent years for real-time communication?
Slack, Teams, and other chat platforms
62
What problem do new collaboration tools introduce despite addressing email issues?
Interrupting deep work
63
How often do employees who use Slack check their channels on average?
Once every five minutes
64
What is a significant challenge in a dynamic SOC environment?
Maintaining focus while context-switching
65
What do neuroscientists and psychologists say about our attention?
It is fundamentally single-tasked
66
What must be given to minimize burnout and keep people in their "flow channel"?
Time and space for deep work
67
What is the goal in promoting deep work?
Reduce or eliminate shallow work
68
What percentage of time did a SOC team spend on shallow work in a recent consulting engagement?
About 70%
69
What should SOC tools and processes promote?
Deep work by leaving room for focus
70
What model is useful for understanding human behavior in performance management?
Thomas Gilbert's Behavior Engineering Model (BEM)
71
What should managers consider when an employee is not meeting expectations?
Both environment and individual motivations
72
What are the three external factors in the BEM?
Data, Resources, Incentives
73
What are the three internal factors in the BEM?
Knowledge, Capacity, Motives
74
What is crucial for staff retention and burnout mitigation?
Optimize for growth, skills, empowerment, and creativity
75
What is beneficial for both the organization and team mental health?
Good organizational practices
76
What can prevent people who enjoy their work from having a bad experience?
Effective techniques
77
What can help save good talent if employees aren't interested in their job?
Job rotations to other groups
78
What can minimize factors that influence burnout?
Commitment
79
What is culture according to Ben Horowitz?
How your team makes decisions when you're not there
80
What should you do to build the SOC culture you want?
Know yourself and your limitations
81
What should you provide to encourage desired behaviors and decisions?
Constructive feedback
82
What is the first step in building a better team culture?
Define and communicate your values
83
What should you gather to ensure your culture is moving in the right direction?
Metrics like turnover and retention rates
84
What can higher-than-usual turnover indicate?
You may have a culture problem.
85
What should you be open to from your team to build trust?
Criticism and feedback.
86
What should you examine in the context of team values?
Your own mistakes.
87
What is building a positive culture described as?
An iterative process.
88
What is culture compared to in its cyclical nature?
Human capital.
89
What are signs you have a culture problem?
High turnover, failing priorities, shocking actions.
90
Who are the possible culture-breaking personality types?
The Heretic, The Flake, The Jerk, The Prophet of Rage.
91
What might indicate a culture problem despite good processes and people?
Team not operating at a high level.
92
What are signs your team may be off track?
High turnover, low satisfaction, shocking actions.
93
What should you do if a team member surprises you with bad behavior?
Investigate whether it's an aberration or pattern.
94
What might you need to do with disruptive team members?
Identify and take action.
95
What are common failures in building a positive team culture?
Not correcting behaviors, negative incentives, poor communication.
96
What is a manager's job in terms of team expectations?
Manage expectations and highlight risks.
97
What is "management debt"?
Convenient solutions causing long-term issues.
98
What is management debt?
Incurring too much management debt can result in management bankruptcy.
99
Name common forms of management debt.
Two in the box, matching offers, lacking performance management, disliked tasks.
100
What is the risk of promoting two co-leads?
Confusion about roles and responsibilities.
101
What happens when an analyst gets a higher offer elsewhere?
Morale dips and retention problems increase.
102
Why should matching offers be a temporary solution?
It is not a long-term retention strategy.
103
Why might teams lack formal performance management processes?
To avoid becoming "too corporate."
104
What is the consequence of no performance management?
Performance suffers, and issues are unidentified.
105
Why is constructive feedback necessary?
To maintain performance, even in high-performing teams.
106
What is a common issue with keeping people on tasks they dislike?
They may leave, taking key knowledge with them.
107
What is essential for building a positive SOC culture?
Constant attention, iteration, and communication
108
Who can be your best allies in building SOC culture?
Human resources, benefits managers, finance team
109
What should you do with culture-breaking behaviors?
Address them quickly and decisively
110
What must you have to resolve management debt?
A plan to resolve it at the first opportunity
111
What is essential to show SOC ROI and justify budget?
Getting SOC metrics right
112
What famous quote by Peter Drucker is mentioned about metrics?
You cannot manage what you cannot measure
113
Why are SOC metrics challenging yet crucial?
They show ROI, justify budget, and validate operations
114
What is the goal of the metrics module?
To derive useful metrics tied to SOC objectives
115
What is the OKR system and who invented it?
Objectives and Key Results, invented by Andrew Grove
116
What book discusses separating "important" from "urgent"?
The 4 Disciplines of Execution
117
What is the purpose of the book "Measure What Matters"?
To lay out the OKR system.
118
What does the book "The 4 Disciplines of Execution" focus on?
Setting priorities and ensuring follow-through.
119
What are the two main activities of a SOC?
Ops and improvements.
120
What is the purpose of metrics in a SOC?
To measure a business process.
121
What is a metric?
A tool used to measure something.
122
What is a KPI?
A tool to track key area performance.
123
What additional component does a KPI have compared to a metric?
Target/Threshold Value.
124
What is the goal of a KPI?
To maintain the status quo.
125
What is the difference between a metric and a KPI?
KPIs include target values.
126
What do car dashboard gauges represent?
Calculations of some metric with current value
127
What additional feature do dashboard gauges usually include?
Bounds of "normal"
128
Why are oil temperature and pressure gauges considered KPIs?
Show if temperature/pressure is too high/low
129
What do metrics with bounds and thresholds indicate?
Ongoing processes needing action if exceeded
130
What is an example of an objective in OKRs?
Minimize successful phishing
131
What defines key results in OKRs?
Specific, measurable progress indicators
132
What is an example of a key result for minimizing phishing?
Fewer than five phishing infections per week
133
What components are required for a key result?
Metric, current value, target value, start value
134
How are key results different from KPIs?
Temporary for new initiatives, not daily measures
135
What is the purpose of KPIs?
Continual measure of daily operations
136
How can OKRs help when KPIs are out of line?
Develop objectives and key results to fix issues
137
What do daily operations KPIs measure?
Business as usual processes
138
What do OKRs measure in SOC goals?
Improvements and initiatives
139
What question do KPIs answer?
Are we operating as expected?
140
What is the role of OKRs according to Perdoo?
Define and measure initiatives for key results
141
What is the source of the SOC-centric chart modification?
Perdoo's blog post on OKRs and KPIs
142
What are the first two steps in the SOC process overview?
Collect Goals, Clarify Meaning
143
What is the purpose of metrics in security cases?
Drive decisions or demonstrate value
144
What should metrics for a managed service SOC reflect?
Alerts handled, incidents reported, customer interactions closed
145
What should metrics for a national or HQ-level SOC focus on?
Campaign analysis, intelligence from subordinate SOCs
146
What does a problem well-stated represent?
A problem half solved
147
What is a key aspect of successful metrics?
Top-down derived metrics for goal alignment
148
What system is mentioned for goal alignment in metrics?
Goal Question Metric (GQM)
149
What technique helps guarantee the usefulness of a metric?
Tie the collection to a "why"
150
What is the Goal Question Metric (GQM) system?
System for deriving metrics from goals
151
What are the three steps in the GQM system?
Decide goals, questions, and needed data
152
What makes a metric useful according to GQM?
It answers a question about meeting objectives
153
What is the first step in bringing metric information to an organization?
Categorizing the data you have or want
154
What should you do if you want to improve your current metrics?
Start with collecting additional metrics
155
What are the four criteria for a good metric according to Andrew Jaquith?
Consistently measured, cheap, cardinal, unit-based
156
What is a bad metric according to Andrew Jaquith?
Metrics relying on human judgment without strict guidelines
157
Why is the frequency of metrics production important?
Minimize delay between measurement and reaction
158
What is the OODA loop?
Observe, Orient, Decide, Act
159
How should you match your metrics sample rate?
To the rate of what you're measuring
160
What happens without frequent measurements?
Signs of being off track may go unnoticed
161
How should good metrics be gathered?
Effortlessly, automated, short timescale
162
What is the goal of quick-moving metrics?
Minimize delay between measurement and reaction
163
What is an example of a poor sampling rate?
Checking for spam email waves once a day
164
How should KPIs be documented?
With measure, target/threshold, source, frequency
165
What should the frequency of sampling be compared to?
Rate of the event occurring
166
What should you document in an organized database?
KPIs and metrics
167
What fields should you track for metrics?
Measure, Target/Threshold, Source, Frequency
168
What question should you ask when identifying KPIs?
What does "operating as normal" mean?
169
What are examples of "as normal" targets?
Customer requirements, SOC goals, history
170
What do daily operational measures provide?
Context by limits and thresholds
171
What should you consider for daily operational measures?
Define "business as usual" or "operating as normal"
172
What might define "normal" for SOC?
Telemetry, alert queue, incidents, work backlog
173
Where might the definition of "normal" come from?
Externally defined or historical data
174
What is important for MSSPs regarding "operating as normal"?
Hitting SLAs or key promises
175
What is a hard goal for internal SOC measures?
99.9% of active assets reporting security data
176
What should you do if a numeric goal is hard to define?
Look for anomalies based on history
177
What makes a metric a candidate for a KPI?
Key area of operation needing monitoring
178
What should be done with key data on a dashboard?
Ensure they stay within correct parameters
179
What do operational metrics and KPIs represent?
Key data available on a near-constant basis
180
What should you consider when choosing SOC metrics?
Each stage of the SOC process
181
What defines "normal" for collection and triage?
Potential metrics and KPIs
182
What are we looking for in metrics and KPIs?
Goal-aligned, clear, convenient measures
183
What should metrics help the team do?
Monitor for issues or answer questions
184
How should improvement goals be written?
Objectives with specific and quantifiable key results
185
What should objectives and key results clarify?
End state, actions, success measurement
186
What is the purpose of Key Results in OKRs?
Measure if objectives are successfully met
187
What should happen to phishing-based incidents as a Key Result example?
Drop to below five per week
188
Why is breaking down projects important?
Clarifies how initiatives tie to objectives
189
What should you do if key results aren't materializing?
Replace or re-evaluate the initiative
190
What is the purpose of monitoring KPIs?
Detect anomalies and "out of normal" events
191
What should you do if an initiative doesn't move the key results?
Try a new approach or identify why
192
What is the next challenge after defining OKRs and KPIs?
Tackle both operational tasks and improvements
193
Why are people drawn to operational tasks?
Seen as the most immediate and important need
194
What is the risk of focusing only on day-to-day tasks?
Potentially at the cost of long-term improvement
195
What is the purpose of the 4 Disciplines of Execution (4DX)?
Drive continuous improvement and avoid daily firefighting
196
What is the first principle of 4DX?
Focus on the Wildly Important Goal (WIG)
197
What is a WIG according to 4DX?
Most important objective needing special attention
198
How do you define a WIG?
Identify starting line, finish line, and deadline
199
What does SOC stand for?
Security Operations Center
200
What is the Eisenhower Matrix used for?
Ranking tasks by urgency and importance
201
What should you prioritize according to the Eisenhower Matrix?
Non-urgent and important tasks
202
What is the key insight from this section?
Delaying urgent, unimportant tasks for important ones
203
What is the focusing question from "The ONE Thing"?
What's the ONE Thing you can do to make everything else easier or unnecessary?
204
What is the theory of constraints?
Methodology to improve system performance by addressing bottlenecks
205
How do you identify a bottleneck in a system?
Look for the step with the lowest bandwidth where items pile up
206
What is the only way to improve a system according to the theory of constraints?
Increase throughput at the bottleneck
207
Where should you take measurements in a process?
At every useful stage of the process
208
What are lead measures?
Metrics that track activities driving a goal
209
What are lag measures?
Metrics that track the success of a goal
210
What is a lag measure?
A metric measuring past events
211
Why aren't lag measures often the best metrics?
They lack predictive power
212
What is a lead measure?
Metrics measuring process inputs
213
Why do lead measures have predictive power?
They measure process inputs determining outputs
214
What matters most in achieving goals according to 4DX?
Controlling lead measures
215
What is an example of a lag measure in weight loss?
Weight on the scale
216
Why doesn't tracking weight help achieve weight loss?
It only shows past results
217
What are examples of lead measures in weight loss?
Diet and exercise
218
What happens when inputs are controlled?
Outputs must follow
219
What is the third principle in 4DX?
Keeping a compelling scoreboard
220
What is a compelling scoreboard in 4DX?
A player-centric progress view
221
Why is a scoreboard important in 4DX?
Creates engagement and focus
222
What is the fourth principle in 4DX?
Creating a cadence of accountability
223
What are the three questions in a commitments report?
Did I meet commitments? Did they move the scoreboard? What will I commit to?
224
Why are people more likely to commit to their own ideas?
Autonomy and creativity
225
What drives morale and engagement in 4DX?
Seeing positive impact on WIG
226
What are the two key ideas behind 4DX's success?
Creating a winnable game, facilitating engagement
227
Why are employees more likely to respect deadlines they set themselves?
They feel more ownership and responsibility.
228
What effect do personal commitments between teammates have?
They feel like personal promises.
229
What does the 4DX system allow teammates to see?
Positive impact of their actions.
230
What is the goal of the 4DX system?
Set team on a course to success.
231
What are metrics?
Measurements with a current value.
232
What are KPIs?
Measurements plus a target/threshold.
233
What are OKRs?
Measurements plus a defined start, end, current value.
234
What does the 4DX process emphasize?
Finding and focusing on WIG.
235
What should you consider when creating good metrics?
Problems you're trying to solve.
236
What is the goal of metrics for projects?
Define how close you are to completing.
237
What does the OKR system help with?
Separating the goal, actions, and measures.
238
What challenge exists beyond measuring improvement projects?
Validating people take time to work on them.
239
What system helps confirm execution on initiatives?
The 4 Disciplines of Execution (4DX).
240
What does the 4DX system create?
A winnable game.
241
What is reflected in the improvement of daily metrics?
Effectiveness of the SOC and ROI.
242
What is the key concept in information security discussed in the text?
Prioritization.