Cognitive Playbook Creation

Stages of Argument-Driven Inquiry

Stage 1: Identification of the Task and the Guiding Question

What is the purpose for the playbook? What activity is being investigated / explained?

Stage 2: Design a Method and Collect Data

What sensor data feeds and contextual data sources do you need? Is there already an Ontology and Reify Config?

Stage 3: Analyze Data and Develop an Initial Cognitive Playbook to Produce a Logical Argument

The results semantic graph should contain a logical argument that answers the guiding question and explains the evidence.

Stage 4: Argument Session ——> Collect More Data If Needed

Test the initial playbook and look at the logical argument in the semantic graph results to see if playbook is producing a clear explanation of the evidence. If needed, collect additional contextual information to support the argument (explanation of the activity) to inform decision makers.

Stage 5: Explicit and Reflective Discussion

Capture any challenges, ideas, and feedback from creating the cognitive playbook.

Stage 6: Write an Investigation Report

If the playbook should send a report of the findings such as a CASE investigation report, a STIX threat intelligence report, or a local SOC report this is where you’d create it based on the playbook and logical argument semantic graph that was produced by the playbook. The report should include 3 sections: the question of the investigation, the playbook used, and the logical argument results.

Stage 7: Peer Review (Can be blind review depending on size of organization/community)

Get the new playbook reviewed by your peers. Your peers should validate that the playbook answers the question and fully explains the observed evidence. NOTE: Cognitive playbooks, reify configs, and ontologies can be imported and exported for sharing with communities of interest.

Stage 8: Revise and Submit the Cognitive Playbook

The original cognitive playbook is revised based on the results of the peer review process and submitted for operational use. 

Remember, symbolic AI cognitive playbooks capture the human domain expert’s experience (know how) working with the integrated information, context, and knowledge to answer questions and explain observations in the data. The cognitive playbooks enable the symbolic AI ‘expert system’ to mimic the human experts since they follow the same step by step process encoded in the cognitive playbook to answer the question.

Written by Shawn Riley
Shawn Riley serves as the Chief Visionary Officer and Technical Advisor to the CEO for Shawn also volunteers as the Executive Vice President, Strategic Cyberspace Science and Board of Directors member at the non-profit Centre for Strategic Cyberspace + Security Science in London, England, UK. Shawn is an industry thought leader in the NSA's Science of Security virtual organization with a focus on applied cybersecurity science and AI-driven science in security operations.