User personas

Last modified: Wed Oct 02 2024 16:09:21 GMT+0200 (Central European Summer Time)

MISP user personas

These personas are fictitious but are concrete representations of the people using MISP. We can use these personas to keep in mind who we are working for, what their needs are, and what MISP should do for them. These personas come from OSINT on current MISP users (Gitter chats, GitHub issues, LinkedIn) and other sources of information about cybersecurity.

Primary personas

Farrah and Adam represent the users that are the most important to us.

Farrah

The Threat Hunter

Farrah works as a threat intelligence analyst for a security service provider in Malaysia that offers a range of cybersecurity solutions. He leads a threat intelligence team made up of experienced intelligence analysts who are former military/government employees and contractors.

Farrah uses MISP to analyze malware, gather information about specific adversary groups, and discover emerging threats. He also uses MISP for data normalization (consolidating data across different source formats), de-duplication (removal of duplicate information), and enrichment (removal of false positives, scoring of indicators, and the addition of context).

"In order to effectively address threats, you must maintain a team focused on monitoring, generating and triaging alerts"

Role

Lead Threat Intelligence Analyst

His primary goals are to:

He uses MISP to:

His objectives are to:

Adam

The Remediator

Adam is part of the Computer Security Incident Response Team (CSIRT) at a Belgian cybersecurity consulting firm. His responsibilities involve incident response, incident coordination, threat intelligence, and vulnerability management. He monitors potential threats, investigates attacks, and works with other security personnel to reduce the impact and severity of an attack.

Adam uses MISP to monitor incidents, provide early warnings/alerts about incidents, respond to incidents and provide incident analysis and situational awareness.

“A breach alone is not a disaster, but mishandling it is. The goal is to handle the situation in a way that limits damage and reduces recovery and time costs”

Role

Incident Response

His primary goals are to:

He uses MISP to:

His objectives are to:

Secondary personas

Tina, Henry, Jacob, and Sarah represent other users that are also important to us.

Tina

The Fraud Catcher

Tina works as a fraud analyst at a national bank in Canada. She is responsible for investigating any forgery or theft within customers' accounts and transactions on behalf of the bank.

Tina uses MISP to find and share financial indicators in order to detect financial fraud.

"Fighting fraud with threat intelligence is all about alerting"

Role

Fraud analyst

Her primary goals are to:

She uses MISP to:

Her objectives are to:

Henry

The Enforcer

Henry is a law enforcement officer living in Florida, USA. He works with the Digital Forensics and Incident Response (DFIR) team. He is responsible for investigating digital security incidents, identifying digital assets targeted during attacks, and documenting all findings.

He uses MISP to support or bootstrap his DFIR cases.

"I worry about what I don’t know, not what I know"

Role

Law Enforcement Officer

His primary goals are to:

He uses MISP to:

His objectives are to:

Jacob

The Veteran

Jacob is a cybersecurity consultant for organizations looking to secure their infrastructure. He has founded a cybersecurity agency that provides threat intel and security consulting services to small and medium-sized businesses.

Jacob uses MISP to investigate threats and find IOCs. He works with many clients and typically wants to integrate MISP into existing client solutions.

"There’s a difference between threat data and threat intelligence"

Role

Cyber Security consultant

His primary goals are to:

He uses MISP to:

His objectives are to:

Jay

The Inquisitor

Jay is a risk analyst for a large technology company in the USA. He is responsible for identifying and predicting risks, as well as forecasting the cost of certain attacks to the organization.

Jay uses MISP data to learn about the broad threat landscape and analyze the likelihood of certain risks, so as to gain situational awareness.

"The more certain you can be about the probability of a specific exploit impacting your environment, the easier it is to manage risk"

Role

Risk analyst

His primary goals are to:

He uses MISP to:

His objectives are to:

Sarah

The Fact Checker

Sarah is a disinformation researcher and journalist working for a large American newspaper. She works with security researchers around the world to investigate cybercrimes and report disinformation. In the past, she has written about national security and geopolitics. She is used to making decisions on what should or shouldn't be published or shared.

Sarah uses MISP to collaborate with security researchers and investigate disinformation as it happens.

"Decisions as to what is or isn't published or shared go far beyond what is technically interesting"

Role

Disinformation researcher and journalist

Her primary goals are to:

She uses MISP to:

Her objectives are to:

Other personas

Malcolm represents users that we care about but who aren't as important to us.

Malcolm

The Data Expert

Malcolm is a data scientist for a telecom operator in the USA. He assists the Security Operations Center with tasks related to anomaly detection, exploratory data analysis, data visualization, modeling, and optimization of security solutions.

Malcolm uses data from MISP alongside natural language processing, predictive modeling, and other data science techniques to assess, prioritize, and even predict risk. He can process threat data to help with alert prioritization and data-driven decision making.

"It is a mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts"

Role

Data Scientist

His primary goals are to:

He uses MISP to:

His objectives are to: