Reducing Information Overload: Because Even Security Experts Need to Blink
Philipp Kuehn, Markus Bayer, Tobias Frey, Moritz Kerk, Christian Reuter

TL;DR
This paper evaluates a range of clustering methods and embedding models to automate, and substantially reduce, the information overload faced by CERT analysts, improving efficiency while keeping every data point and preserving semantic coherence.
Contribution
It systematically assesses 196 clustering and embedding combinations to identify effective, minimal-configuration solutions for consolidating security information.
Findings
Clustering reduces information processing by over 90%.
Deep clustering achieves high semantic homogeneity.
Potential to save over 3.75 work hours annually per analyst.
Abstract
Computer Emergency Response Teams (CERTs) face increasing challenges processing the growing volume of security-related information. Daily manual analysis of threat reports, security advisories, and vulnerability announcements leads to information overload, contributing to burnout and attrition among security professionals. This work evaluates 196 combinations of clustering algorithms and embedding models across five security-related datasets to identify optimal approaches for automated information consolidation. We demonstrate that clustering can reduce information processing requirements by over 90% while maintaining semantic coherence, with deep clustering achieving homogeneity of 0.88 for security bug reports (SBRs) and partition-based clustering reaching 0.51 for advisory data. Our solution requires minimal configuration, preserves all data points, and processes new information within…
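To make the abstract's pipeline and its headline metric concrete, here is an added toy example; it is not the paper's code, nor its embedding models or datasets. The sample advisories are constructed for this illustration and hand-labelled with a ground-truth topic. The "embedding" is a standard-library TF-IDF bag of words and the clustering is a single-pass leader clustering on cosine similarity with one threshold parameter (both stand-ins chosen so the script runs offline; the paper evaluates real embedding models and several clustering families). The homogeneity score is the Rosenberg and Hirschberg definition, 1 - H(C|K)/H(C), and the "reduction" is the share of items an analyst no longer reads individually if one representative per cluster is reviewed.

```python
"""Toy advisory-consolidation pipeline: embed, cluster, score homogeneity and
reduction. Added illustration, not the paper's code or datasets."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample advisories with a hand-assigned ground-truth topic
# (invented for this example; not items from the paper's five datasets).
ADVISORIES = [
    ("openssl", "OpenSSL X.509 name constraint buffer overflow fixed in OpenSSL 3.0.7"),
    ("openssl", "Vendor bulletin: OpenSSL X.509 overflow affects TLS clients, upgrade to 3.0.7"),
    ("openssl", "Mirror of OpenSSL advisory: X.509 name constraint overflow, patched in 3.0.7"),
    ("kernel", "Linux kernel netfilter nf_tables use-after-free enables local privilege escalation"),
    ("kernel", "Distribution update: kernel netfilter nf_tables use-after-free, local root, reboot required"),
    ("phishing", "Phishing campaign spoofing payroll portal harvests SSO credentials via lookalike domain"),
    ("phishing", "Credential phishing wave targets payroll SSO login from lookalike domain"),
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vectors(texts):
    """Stand-in embedding: sparse {token: tf*idf} per text, smoothed IDF."""
    docs = [tokenize(t) for t in texts]
    n = len(docs)
    df = Counter(tok for d in docs for tok in set(d))
    idf = {tok: math.log((1 + n) / (1 + c)) + 1.0 for tok, c in df.items()}
    return [{tok: (cnt / len(d)) * idf[tok] for tok, cnt in Counter(d).items()} for d in docs]


def cosine(a, b):
    dot = sum(w * b.get(tok, 0.0) for tok, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def leader_cluster(vectors, threshold):
    """Single-pass clustering: join the most similar centroid if similarity >= threshold,
    otherwise open a new cluster. Every item is kept (no noise bucket) and the
    threshold is the only knob. Returns one cluster id per input vector."""
    centroids, sizes, labels = [], [], []
    for vec in vectors:
        best, best_sim = None, threshold
        for i, c in enumerate(centroids):
            sim = cosine(vec, c)
            if sim >= best_sim:
                best, best_sim = i, sim
        if best is None:
            centroids.append(dict(vec))
            sizes.append(1)
            labels.append(len(centroids) - 1)
            continue
        k = sizes[best]  # running-mean update of the chosen centroid
        for tok in set(centroids[best]) | set(vec):
            centroids[best][tok] = (centroids[best].get(tok, 0.0) * k + vec.get(tok, 0.0)) / (k + 1)
        sizes[best] = k + 1
        labels.append(best)
    return labels


def entropy(counts):
    total = sum(counts)
    return -sum(c / total * math.log(c / total) for c in counts if c)


def homogeneity(true_labels, pred_labels):
    """1 - H(C|K)/H(C): 1.0 when every cluster holds a single ground-truth class.
    It does not penalise over-splitting (one item per cluster also scores 1.0),
    so always report it next to the reduction in items to read."""
    n = len(true_labels)
    h_c = entropy(list(Counter(true_labels).values()))
    if h_c == 0:
        return 1.0
    by_cluster = defaultdict(Counter)
    for t, p in zip(true_labels, pred_labels):
        by_cluster[p][t] += 1
    h_c_given_k = sum(sum(m.values()) / n * entropy(list(m.values())) for m in by_cluster.values())
    return 1.0 - h_c_given_k / h_c


def evaluate(advisories, threshold=0.25):
    """Cluster the advisories; report cluster ids, homogeneity and reduction."""
    true = [topic for topic, _ in advisories]
    pred = leader_cluster(tfidf_vectors([text for _, text in advisories]), threshold)
    n_clusters = len(set(pred))
    return {"labels": pred, "clusters": n_clusters,
            "homogeneity": homogeneity(true, pred),
            "reduction": 1.0 - n_clusters / len(advisories)}


if __name__ == "__main__":
    result = evaluate(ADVISORIES)
    for (topic, text), label in zip(ADVISORIES, result["labels"]):
        print(f"cluster {label} [{topic}] {text}")
    print(f"{result['clusters']} clusters, homogeneity={result['homogeneity']:.2f}, "
          f"reduction={result['reduction']:.0%}")
```

On this constructed corpus the three topics share no tokens, so the seven items collapse into three pure clusters (homogeneity 1.0, reduction about 57%). Real advisory feeds overlap heavily in vocabulary, which is why the paper's numbers depend on the embedding model and clustering family, and why the threshold (or its equivalent in other algorithms) should be tuned against a labelled sample rather than guessed.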
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Complex Network Analysis Techniques
