The vigilance paradox: automation reliance inside the modern SOC

Jack Tilbury & Stephen Flowerday

Information and Computer Security, 2026 (article)
https://doi.org/10.1108/ics-08-2025-0318
AJG 1 · ABDC B

Abstract

Purpose: The purpose of this study is to measure how susceptible security analysts are to these cognitive factors. Automation and artificial intelligence (AI) are increasingly leveraged in Security Operations Centers (SOCs) to assist security analysts in managing growing alert volumes and escalating threats. However, their rapid integration introduces the cognitive risk of automation complacency (AC), which can lead to automation bias (AB) among security analysts.

Design/methodology/approach: This study adopted a mixed-methods approach. First, this study conducted four qualitative SOC observations to validate the alert overload issue. Next, this study collected large-scale survey data (n = 696) to assess the research model, investigating the interplay between the automation-induced phenomena of AB and AC, trust in automation and dual information processing techniques among security analysts. The model was analyzed using the partial least squares (PLS) algorithm. Finally, to validate the quantitative findings, this study conducted structured interviews with 29 security analysts.

Findings: This study found that security analysts strategically reallocate their cognitive resources toward manual, non-automated tasks. This inadvertently leads to the complacent behavior of reduced monitoring, increasing the reliance on automated results. The results show that systematic verification procedures act as a mitigating factor.

Research limitations/implications: Only security analysts residing inside the USA were selected for inclusion, limiting the generalization of the findings. Future studies could expand on the sample to provide a more global perspective of results. This work was also not confined to one stage of the incident response lifecycle. Future work could explore whether automation-induced phenomena are different at detection versus response stages, for example. Future studies can conduct experiments or longitudinal observations in SOCs to get a firsthand behavioral view of practices, as opposed to self-report evaluations.

Originality/value: This study enriched the Information Systems literature by evaluating the antecedents of AB and their effects on analysts’ susceptibility to automation overreliance. This study specifically focuses on the automation-rich environment of a SOC, garnering insights from expert automation users. In addition, this study deconstructs the monolithic concept of automation complacency and empirically models its attitudinal (Alleviating Workload) and behavioral (Monitoring) components as distinct constructs, revealing a ‘tale of two complacencies’.
