Conference Situational Awareness

Confluence, again… first up, along with Doug Clow I’m one of the Awareness, Interaction & Memory co-chairs for LAK13, the Third International Learning Analytics & Knowledge Conference [LAK13 on Lanyrd] (and let me make this absolutely clear, memory is not legacy… and awareness is not just amplification (thanks, Kay…;-))

Part of the role is drumming up awareness of, and hopefully participation in, the conference itself; part of it will relate to helping folk get the most out of it whilst its on; and part of it will be about building on and making the most of the various conference activities after the event. As befits the theme of conference, we’ll also be looking to turn conference related into activity into datasets that we can put to work and hopefully extract value from. To a certain extent, I guess we could characterise part of this activity as “conference awareness”, or even conference situational awareness, which feeds into…

…a call from DSTL (the Defence Science and Technology bit of the MoD, the bit of DERA, as was, that wasn’t sold off as Qinetiq, I guess?) on Cyber Situational Awareness:

Cyber Situational Awareness (Cyber SA) in an MOD context can be defined as the ability for MOD to understand the effect that a Cyber event (ie an attack on us, or some action we could take ourselves) could have on the ability for the MOD enterprise to conduct its business. Enterprise in this context means the day-to-day business of MOD, and the military operations it conducts – eg the supply chain, the pay system, the training of its personnel. It should be able to evaluate the implications and impact of a particular piece of action and feed that information back into the decision-support process. Being able to achieve Cyber SA is a key enabler to allow MOD to defend all of its digital assets and freedom to operate in Cyberspace.

Linkages and dependencies between Cyberspace ‘layers’
We can try to visualise the various components of Cyber SA in a number of ways. The Cyber SA Layer Diagram (Figure 1) is one such method of depicting how users interact with Cyberspace. The elements of Cyberspace are represented as a series of layers, from the physical lay-down of digital assets up through the information layer to the human layers.

The physical layer (real world and network) consists of a geographic aspect – the physical location of elements of a network, such as under the sea, or under the ground or in a building – and the physical network components, which consists of: physical hardware and infrastructure (wired, wireless and optical); and the physical connections (wires, cables, radio frequency, satellite communications, routers, servers and computers).
Parts of MOD do monitor and gain SA on certain individual layers, but no-one in MOD gains an understanding of all the layers.

The logical layer (information) consists of the logical connections that exist between network nodes. A node is any physical device connected to a computer network; for example, computers, personal digital assistants and cell phones.
The logical layer includes applications and data and protocols that enable interactions across the physical layer, along with the configuration of individual networks. Characteristics of the logical layer:
• draws together a variety of information feeds from both open and closed sources
• fusion of sources to improve the overall information credence
• dealing with uncertainty and conflicts in the information – corroboration and believability
• information also gained from human and socio cultural intelligence.
The logical layer also includes details of communication service providers, transfer protocols, internet domain names and ownership information.

The social layer (persona, people and social) consists of the details that connect people to Cyberspace and the actual people and groups who interact by using the networks. Unique addresses or titles are matched to virtual addresses, which in turn map to the physical layer.
A single person can have multiple personas; and equally, multiple people can share a single persona.
How do we provide a level of assurance to the decision maker that we have the correct information? How do we measure our effect in this area?
The social layer can be further analysed through sub-areas such as, social networking, operating procedures, maintenance, and security.
Cyber SA will use this information as a feed to inform an understanding of who we are likely to be the instigators of attacks on us – eg malicious criminal groups, or state/non state sponsored hackers.
An understanding of the linkages and dependencies between the Cyberspace layers is key to gaining Cyber SA. Being able to understand and quantify an event in Cyberspace that occurs on a particular layer is challenging, but gaining an understanding of how such an event affects and impacts the other layers and the resulting impact it has on the real world is more challenging still.
We need to be able to identify and comprehend the interdependencies, influence and interaction (causes and effects) that exist between the Cyber layers and how we can mitigate these effects to maintain MOD’s freedom of manoeuvre in Cyberspace.

True Cyber SA should enable a decision maker to gain an understanding of all these layers, the linkages and dependencies between them and the impact that an event has in any particular layer on the ‘real world’

Here’s another little nugget I found in the slides that went with the call town hall meeting, taken (I think) from the Joint Doctrine Publication JDP 04 – Understanding:

(Whilst doctrine statements can often be long, jargon and acronym filled documents, they do often contain the occasional graphic, word equation or conceptualisation that can actually be quite rich when considered in other domains. I haven’t read JDP04 yet, but I have popped it onto my toread list…)

What actually jumped out at me from the call document in the context of LAK13 situational awareness was this:

Another interesting example was identified at the recent London 2012 Olympic Games where it was identified that tweets relating to the congestion of the Olympic park entrances had a direct effect on crowd flow through the site.
– This phenomena was a demonstration of the interaction between the Cyber layers.
— How do we extrapolate meaning from occurrences like this in real time and project that meaning onto the SA picture?
— We are likely to be transcending the Cyber layers in the process, so how do we capture this information and understand the impact that it has on wider Cyberspace?

So for example: could activity in the online social layer around a particular topic cause shifts in the way folk attend different sessions in the physical conference? Or could action at a distance, eg from participants not physically attending the conference, influence physical activity at the conference venue?

(It also reminded me how much the DERA/DSTL folk like layered models;-)

As ever, confluence posts are a good opportunity for me to do a bit of a tab sweep, so here are a couple of related things I have open at the moment:
– Finding Your Friends and Following Them to Where You Are [PDF]
– Beating the event hash tag spammers; I mentioned to Kirsty that Twitter has a “blocked user” call in the (authenticated) API, so it’s possible to look up folk who have recently been blocked by an arbitrary user. I’m thinking this might be interesting in the context of a dreamcatcher filter, as well as pondering the extent to which a dreamcatcher idea might work in a situational awareness setting?
– Online Journalism Blog – Get Involved in a New HMI Project: Investigating CCGs (Clinical Commissioning Groups); this is one of those areas where there are multiple sources of disconnected information, that when fused using a mosaic theory technique, may start to reveal structures that folk would rather weren’t common knowledge…