A Sociotechnical, Practitioner-Centered Approach to Technology Adoption in Cybersecurity Operations: An LLM Case
Francis Hahn, Mohd Mamoon, Alexandru G. Bardas, Michael Collins, Daniel Lende, Xinming Ou, S. Raj Rajagopalan

TL;DR
This study demonstrates that a sociotechnical, practitioner-centered co-creation approach effectively facilitates the adoption of LLM-based tools in cybersecurity operations, overcoming traditional barriers and improving workflow efficiency.
Contribution
It introduces a sociotechnical, ethnographic co-creation methodology for developing and implementing LLM tools in SOCs, addressing trust and usability challenges.
Findings
Co-creation reduces workflow disruption and enhances interpretability of LLM tools.
Practitioner involvement shifts perceptions from skepticism to sustained adoption.
The approach aligns technology with operational needs, overcoming traditional barriers.
Abstract
Technology for security operations centers (SOCs) has a storied history of slow adoption due to concerns about trust and reliability. These concerns are amplified with artificial intelligence, particularly large language models (LLMs), which exhibit issues such as hallucinations and inconsistent outputs. To assess whether LLM-based tools can improve SOC efficiency, we embedded two PhD researchers within a multinational company SOC for six months of ethnographic fieldwork. We identified recurring challenges, such as repetitive tasks, fragmented/unclear data, and tooling bottlenecks, and collaborated directly with practitioners to develop LLM companion tools aligned with their operational needs. Iterative refinement reduced workflow disruption and improved interpretability, leading from skepticism to sustained adoption. Ethnographic analysis indicates that this shift was enabled by our…
