46000 IDS Events

Last night I could not sleep, so I ended up on the couch watching a NatGeo program about the accident investigation regarding Turkish Airlines Flight 1951, which crashed on 25 February 2009. In that program on Flight 1951 I had a chance to watch a few interview segments with Mica Endsley, who discussed situational awareness as it relates to the cockpit. I really admire her work on SA.

Cyberspace situational awareness is interesting because, in order to realize it, we must find a way to model and represent cyberspace so that humans can see and interact in the cyber domain. Mica Endsley correctly points out that machines and software are primarily used to augment and assist humans in the decision-making process. However, not all people agree with this approach. Some believe that, because humans can make errors, it may be better to find ways for machines and software to make the decisions instead of humans.

In a nutshell, Turkish Airlines Flight 1951 crashed because of a combination of events. At that time the Turkish Airlines Boeing 737-800 auto-throttle was connected to a faulty radio altitude sensor (the pilot’s visual radio altimeter). This faulty altitude sensor was reading -8 feet and caused an alarm which instructed pilots to put down the landing gear and, when on landing approach, would flare (nose up) the aircraft into landing posture and move the engine throttles back to idle in preparation for landing. Because of a unique situation at Amsterdam Schiphol Airport (please read the NASA System Failure Case Study for details), the crew of Turkish Airlines Flight 1951 noticed the problem “too late to take appropriate action to increase the thrust and recover the aircraft before it stalled and crashed”.

One of the many lessons learned from an analysis of the 2009 crash of Turkish Airlines Flight 1951 is that pilots should disable autopilot or auto-throttle while landing in situations where there are radio altimeter discrepancies. In other words, because sensors can fail or give faulty information, it is imperative that pilots keep their eyes on airspeed and altitude at all times. This case illustrates the importance of human cognitive situational awareness when surrounded by machine automation and sensors. Furthermore, “looking out the window” often provides more accurate situational knowledge than relying solely on instrumentation, especially when the sensors are faulty or have conflicting readings.

Cyberspace situational awareness requires a human-in-the-loop in the same way as traditional situational awareness requires a human-in-the-loop. However, in cyberspace we don’t have the luxury of easily being able to “look out the window” because cyberspace is, for the most part, invisible to humans. This is why creating a visual representation of cyberspace is critically important.

In the air, on land, in the ocean, and also in space, situational awareness technologies are designed, for the most part, to assist a “human-in-the-loop” decision maker. Engineers and scientists design sensors (radar, sonar, infrared sensors, to name a few) to help humans visualize what we cannot see; but, as in the case of Turkish Airlines Flight 1951, if we can see with our own eyes that the sensors are wrong, we should turn off the automated systems controlled by faulty sensors.

As cyberspace continues to grow and evolve, we must keep in mind that the lessons learned in years of human cognitive experience in “traditional” situational awareness also apply to cyberspace; but cyberspace requires a visual way for us to represent it so we can “see the unseeable”. This is why it is important that we create new and innovative ways to visualize cyberspace.

The featured image (above) in this brief post illustrates a baby step in the direction of realizing cyberspace situational awareness. This image illustrates over 46,000 IDS events clustered by country and IP address and rendered as a force-directed graph. The two “red dots” in the image highlight two “Priority 1” IDS alerts out of over 46,000 alerts.
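
The clustering step described above can be sketched as follows. This is an added example, not the code behind the featured image: it assumes alerts in the Snort/Suricata "fast" layout (the post does not name the IDS), uses a constructed prefix-to-country table in place of a GeoIP database, and emits node-link JSON of the kind a force-directed renderer consumes. All function and variable names are hypothetical.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample alerts; the Snort/Suricata "fast" alert layout is an assumption.
SAMPLE_ALERTS = """\
02/25-09:31:12.100000  [**] [1:1000001:1] Constructed alert A [**] [Classification: constructed] [Priority: 3] {TCP} 203.0.113.5:40000 -> 192.0.2.10:22
02/25-09:31:13.200000  [**] [1:1000002:1] Constructed alert B [**] [Classification: constructed] [Priority: 2] {TCP} 203.0.113.5:40001 -> 192.0.2.10:80
02/25-09:31:14.300000  [**] [1:1000003:1] Constructed alert C [**] [Classification: constructed] [Priority: 1] {TCP} 203.0.113.77:51000 -> 192.0.2.10:445
02/25-09:31:15.400000  [**] [1:1000004:1] Constructed alert D [**] [Classification: constructed] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
02/25-09:31:16.500000  [**] [1:1000005:1] Constructed alert E [**] [Classification: constructed] [Priority: 3] {UDP} 10.9.9.9:5353 -> 192.0.2.10:53
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO = {"203.0.113.0/24": "AA", "198.51.100.0/24": "BB"}
ALERT_RE = re.compile(r"\[Priority: (\d+)\] \{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")

def country_of(ip):
    """Map a source IP to a country code; '??' when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in ipaddress.ip_network(net)), "??")

def build_graph(text):
    """Cluster alerts by source IP and country into node-link data for a force layout."""
    events, best = Counter(), {}
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # ignore anything that is not an alert line
        prio, ip = int(m.group(1)), m.group(2)
        events[ip] += 1
        best[ip] = min(prio, best.get(ip, prio))  # 1 is the most severe priority
    nodes, links, seen = [], [], set()
    for ip, n in events.items():
        hub = "country:" + country_of(ip)
        if hub not in seen:  # one hub node per country
            seen.add(hub)
            nodes.append({"id": hub, "type": "country"})
        nodes.append({"id": ip, "type": "ip", "events": n, "priority1": best[ip] == 1})
        links.append({"source": ip, "target": hub})
    return {"nodes": nodes, "links": links}

def priority_one(graph):
    """IDs of the nodes a renderer would colour red."""
    return [n["id"] for n in graph["nodes"] if n.get("priority1")]

if __name__ == "__main__":
    print(json.dumps(build_graph(SAMPLE_ALERTS), indent=2))
```

Sizing each IP node by its `events` count and colouring nodes where `priority1` is true reproduces the effect described: a handful of red dots standing out against thousands of low-priority alerts.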