Imagine a complex, multi-stage attack is unfolding on your network. A brute-force attack on a database, a privilege escalation, and the first signs of ransomware on a backup server. You have two analysts looking at the exact same logs and alerts. One reports a few isolated issues. The other sees the full kill chain and identifies the attack’s true objective.
What’s the difference between them? Is it a better tool? Luck? Or something deeper?
For CISOs, understanding what drives effective cyber threat identification is the key to building a truly elite security team. A recent study published in the Journal of Cases on Information Technology provides a data-driven answer. By analyzing how security professionals performed in a simulated cyber attack, the research moves beyond buzzwords and reveals the specific human factors that truly matter under pressure.
Putting Analysts to the Test: Key Findings from a Simulated Cyber Attack
The study used a gamified questionnaire to immerse 49 cybersecurity professionals in a realistic attack scenario involving a data breach and ransomware. Their performance wasn’t just about getting the right answer; it was about how they got there. The findings offer profound lessons for any leader managing a security operations team.
Expertise Isn’t Just a Title: It’s a Measurable Performance Multiplier
The most significant finding was a clear, statistically significant difference between experts and novices. Professionals with specialized education and deep experience were significantly better at:
- Identifying the full scope of the complex attack.
- Understanding the interrelationships between different malicious events.
- Writing longer, more detailed, and more accurate incident reports.
This confirms a critical point: while foundational knowledge is important, deep, domain-specific expertise is what enables analysts to connect the dots in a sophisticated cyber threat identification scenario.
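To make "connecting the dots" concrete, here is an added example that is not part of the study or the original post. It takes a handful of constructed alert lines modelled on the opening scenario (a brute-force login on a database host, a privilege escalation, then mass file renames on a backup host) and contrasts the two analysts' views: a tally of isolated alert types versus a chain built by linking events that share an account within a time window and advance through a kill-chain order. The log format, the stage mapping and the linking rule are assumptions for illustration, not a description of any particular SIEM or of the study's scenario.

```python
"""Isolated alerts versus a linked kill chain.

Added example, not from the study or the original post. The alert lines,
the stage mapping and the linking rule (same account within a window,
stages advancing in kill-chain order) are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample alerts: what both analysts see in the queue.
SAMPLE_ALERTS = [
    "2025-03-01T09:00:05 host=db01 user=svc_backup kind=auth_failure count=412",
    "2025-03-01T09:01:10 host=db01 user=svc_backup kind=auth_success",
    "2025-03-01T09:20:41 host=db01 user=svc_backup kind=priv_escalation detail=sudo_to_root",
    "2025-03-01T09:35:02 host=bkp01 user=svc_backup kind=file_rename ext=.locked count=930",
    "2025-03-01T10:02:00 host=web03 user=jdoe kind=auth_failure count=3",
]

# Assumed mapping from alert kind to a coarse kill-chain stage.
STAGE_OF = {
    "auth_failure": "initial_access",
    "auth_success": "initial_access",
    "priv_escalation": "privilege_escalation",
    "file_rename": "impact",
}
STAGE_ORDER = ["initial_access", "privilege_escalation", "impact"]


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    kind: str
    fields: Dict[str, str]


def parse_alert(line: str) -> Alert:
    """Parse one 'timestamp key=value ...' line into an Alert."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Alert(
        datetime.fromisoformat(ts_str),
        fields.pop("host"),
        fields.pop("user"),
        fields.pop("kind"),
        fields,
    )


def isolated_view(lines: List[str]) -> Dict[str, int]:
    """The first analyst's report: a count per alert kind, no linkage."""
    counts: Dict[str, int] = {}
    for alert in map(parse_alert, lines):
        counts[alert.kind] = counts.get(alert.kind, 0) + 1
    return counts


def correlate(lines: List[str], window: timedelta = timedelta(hours=1)) -> List[dict]:
    """The second analyst's view: chains of alerts sharing an account.

    Alerts are grouped by user and ordered by time. Within `window` of the
    first alert, a stage is added to the chain only if it does not move
    backwards in STAGE_ORDER. Chains with at least two stages are reported.
    """
    by_user: Dict[str, List[Alert]] = {}
    for alert in sorted(map(parse_alert, lines), key=lambda a: a.ts):
        by_user.setdefault(alert.user, []).append(alert)

    chains = []
    for user, alerts in by_user.items():
        stages: List[str] = []
        hosts: List[str] = []
        first_ts = alerts[0].ts
        for alert in alerts:
            if alert.ts - first_ts > window:
                break  # outside the correlation window; stop this chain
            stage = STAGE_OF.get(alert.kind)
            if stage is None:
                continue  # unknown alert kind, not mapped to a stage
            if stages and STAGE_ORDER.index(stage) < STAGE_ORDER.index(stages[-1]):
                continue  # would move backwards in the kill chain
            if stage not in stages:
                stages.append(stage)
            if alert.host not in hosts:
                hosts.append(alert.host)
        if len(stages) >= 2:
            chains.append({"user": user, "stages": stages, "hosts": hosts})
    return chains


def summarize(chain: dict) -> str:
    """One-line description of a chain for the incident report."""
    return f"{chain['user']}: {' -> '.join(chain['stages'])} across {', '.join(chain['hosts'])}"


if __name__ == "__main__":
    print("isolated:", isolated_view(SAMPLE_ALERTS))
    for chain in correlate(SAMPLE_ALERTS):
        print("chain:", summarize(chain))
```

Run stand-alone, the isolated view reports two auth failures, one auth success, one privilege escalation and one file-rename burst, which is the "few isolated issues" report. The correlated view collapses the svc_backup events into a single chain from initial access through privilege escalation to impact on bkp01, while jdoe's three failed logins stay uncorrelated. The point is not the correlation rule itself, which is deliberately crude, but that the same inputs yield a different conclusion depending on whether the analyst links them.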
Persistence Pays Off, But “Calling for Help” Doesn’t
In a fascinating and somewhat counter-intuitive discovery, the study found that better performance was strongly correlated with perseverance (the number of steps an analyst took to investigate) and the length of their final report.
However, the number of support calls an analyst made to a colleague did not correlate with a better final grade. This suggests that while collaboration is important, a successful outcome is driven by a methodical, persistent investigation process, not just by quick escalations. Those who prematurely reported the incident without gathering enough data consistently failed to identify the full attack.
Confidence Doesn’t Equal Competence
Perhaps one of the most important lessons for any leader: the study found no significant correlation between a participant’s self-reported confidence and their actual performance.
An analyst could be completely confident in their incorrect conclusion. This highlights the critical need for objective, evidence-based processes in the SOC. It’s a data-backed reminder that security decisions must be built on a foundation of verification and peer review, not just an individual’s level of assurance.
How to Build a High-Performing Threat Detection Process: A CISO’s Guide
The implications of this research are clear. Improving cyber threat identification is not about buying another tool; it’s about refining the human processes within your team. Here are four actionable takeaways for CISOs:
- Invest in Deep Expertise, Not Just General Training. The study shows that domain-specific knowledge is a key performance driver. Go beyond basic certifications and invest in advanced, hands-on training that builds true subject matter experts within your team.
- Build a Process That Rewards Perseverance. Your SOC’s workflow should encourage deep investigation. Are your analysts incentivized to close tickets quickly, or are they given the time and tools to follow a complex trail of evidence to its conclusion?
- Standardize and Value Detailed Reporting. The research found that longer, more detailed reports went hand in hand with successful threat identification. Emphasize a culture where detailed, evidence-based communication is a core measure of success, and judge reports on the evidence and reasoning they contain rather than on length for its own sake.
- Implement a “Trust, But Verify” Culture. Given that confidence is not a reliable indicator of accuracy, build a process of peer review and collaborative analysis for critical incidents. This ensures that every conclusion is validated, strengthening your overall decision-making.
The Human Element as Your Strongest Link
Ultimately, this study shows that the human element doesn’t have to be your weakest link. It can be your greatest strategic asset. By understanding the cognitive factors that drive high performance and building robust processes that cultivate expertise, persistence, and verification, you can transform your security team from a defensive line into a proactive, highly effective threat detection engine.
For Further Reading:
This blog post is based on the insights presented in the academic paper: Lugo, R. G., Juozapavicius, A., Lapin, K., Ask, T. F., Knox, B. J., & Sütterlin, S. (2025). Human-Centric Approach to Cyber Threat Identification: The Role of Cognition, Experience, and Education in Decision-Making. Journal of Cases on Information Technology, 27(1). https://doi.org/10.4018/JCIT.368220