Jouni Ihanus

Jouni Ihanus

Because situation awareness matters.

Publications

Conference Papers

COMING SOON: Integrating Deception Technologies into Cyber Defence Ecosystems: Enhancing Cyber Situation Awareness through Multi-Layered Monitoring

Published in , 2026

ACCEPTED: Deception technologies (DTs) can strengthen Cyber Situation Awareness (CSA) by producing low-noise, high-fidelity telemetry from adversary interactions. Building on prior work on medicaldevice modelling, ransomware analysis, and phase-based detection structuring, we examine how DTs can be integrated into broader cyber defence ecosystems. We synthesise five perspectives—technical, architectural, process, cognitive, and operational—and propose a Construction Model that treats deception telemetry as both a sensor input and an analytical catalyst within multi-layered monitoring. The model links DT deployments with fusion, reasoning, and feedback loops to improve visibility, correlation, and human–machine collaboration in SOC operations. Our key contribution is a structured pathway from deception sensing to actionable CSA in adaptive, intelligence-driven defence practices.

Recommended citation: Ihanus, Kokkonen, Mikkonen

COMING SOON: Analysis of Cyber Incident - The Role of the Deception Technologies

Published in , 2026

IN REVIEW: Ensuring the ability to analyse and gain Cyber Situation Awareness (CSA) of the modern cyber operational environment is a significant challenge. One of the reasons for this problem is the multi-layered nature of the cyber environment, which is inherently complex, difficult to understand and constantly changing. This poses a challenge to incident analysis and therefore to the creation of the CSA. One method of improving visibility in the cyber environment is the use of deception technologies. This paper examines deception technologies to understand their role in supporting the incident analysis process. Finally, we propose a construction model for improving incident analysis using deception technologies. In addition, the results of the analysis are discussed and future research topics are identified.

Recommended citation: Ihanus, Kokkonen, Sarjakivi, Mikkonen

Demonstration and Evaluation of Defensive Cyber Operations Decision-Making Model

Published in European Conference on Cyber Warfare and Security, 2025

As technology has evolved, the world has become more dependent on digital services. Businesses are digitalizing their core processes to better match their clients’ needs and critical infrastructure providers are seeking performance improvements from digitalization. When assets are digital, cybercriminals and nation-states are increasing their offensive activities in the cyber domain. As a result of this, cyberattacks are growing in complexity and speed, forcing defenders to advance in their capabilities to respond to these threats. One key element in developing defensive capabilities is to understand the underlying decision-making models providing the basis for more effective tooling, operation planning, and organizational models. The purpose of this paper is to address this need by demonstrating a Defensive Cyber Operations (DCO) decision-making model constructed based on a wargaming exercise, to assess the usability and transferability of the model to real-world cyber operations and to further develop the model based on the feedback received. The research is based on the Design Science Research methodology and focuses on the demonstration and evaluation phases of the selected methodology. The constructed decision-making model was presented to an expert panel, consisting of 17 experienced professionals of 7 nationalities. They were selected based on their known experience of cyber operations or by the recommendation of previously interviewed panel members. The panel contributed to the model with their evaluation and ideas for improvement. Based on the findings of the expert panel, the model was further developed to include a clear notion of escalation for activities requiring a higher mandate, stronger collaboration and reporting with upstream managers and external stakeholders. In addition, several minor improvements were made to improve the usability of the model. The improved DCO decision model presented in this paper is endorsed by the expert panel as applicable and transferable to real-life DCOs, thus laying the groundwork for future research into automation and artificial intelligence augmentation of faster and more accurate DCO decision-making.

Recommended citation: Sarjakivi, P., Ihanus, J., & Moilanen, P. (2025). Demonstration and Evaluation of Defensive Cyber Operations Decision-Making Model. In C. Lipps, & B. Han (Eds.), Proceedings of the 24th European Conference on Cyber Warfare and Security (pp. 628-637). Academic Conferences International. Proceedings of the European Conference on Cyber Warfare and Security, 24. https://doi.org/10.34190/eccws.24.1.3540
Download Paper

Using Wargaming to Model Cyber Defense Decision-Making: Observation-Based Research in Locked Shields

Published in European Conference on Cyber Warfare and Security, 2024

Defensive Cyber Operations (DCO) in complex environments, such as cyber wargames, require in-depth cybersecurity knowledge and the ability to make quick decisions. In a typical DCO, execution rarely follows a pre-planned path because of extensive adversary influence, challenging an already complex decision-making environment. Decision-making models have been extensively studied from perspectives of military operations and business management, but they are not sufficiently researched in the context of cyber. This paper responds to this need by examining the decision-making models of DCO leaders in a live-fire wargame environment. This study was conducted by observing leaders of cyber operations during the world’s largest live-fire cyber exercise, NATO Locked Shield 2023. In this exercise, the blue teams plan and execute their defensive cyber operation in a realistic operational environment, while the red team conducts attacks against the defended environment. The large-scale, wargaming-style environment of Locked Shield is one of the best environments for modelling DCO decision-making models; in this exercise, the DCO is broad and multi-faceted, a perspective which cannot be achieved in a typical capture-the-flag competition or a single security incident. DCO leaders must be able to manage two distinct decision-making processes with different sets of required skills to be successful in the mission. While the primary process relates to the execution and evolution of the pre-designed plan with traditional operational leadership skills, the secondary process deals with unplanned and deliberately caused cyber-related events that require a deep understanding of cybersecurity. In this respect, the main contribution of this research is the constructed decision-making model of the DCO leader. This model is based on observations collected and presented in the context of multiple well-known decision-making frameworks. This model can be further used to train future DCO leaders and assess artificial intelligence’s usability to support and automate decision-making in such operations.

Recommended citation: Sarjakivi, P., Ihanus, J., & Moilanen, P. (2024). Using Wargaming to Model Cyber Defense Decision-Making : Observation-Based Research in Locked Shields. In M. Lehto, & M. Karjalainen (Eds.), Proceedings of the 23rd European Conference on Cyber Warfare and Security (23, pp. 457-464). Academic Conferences International Ltd. Proceedings of the European Conference on Cyber Warfare and Security. https://doi.org/10.34190/eccws.23.1.2270
Download Paper

Refining Cyber Situation Awareness with Honeypots in Case of a Ransomware Attack

Published in Springer, Cham, 2024

The cyber threat landscape is vast and unstable. One of the top threats in the present moment is ransomware, which is constantly spreading in prevalence. To protect organisations’ cyber operating environment, ability to perceive elements relating to this threat is crucial. At the same time, many security controls face challenges in terms of fidelity of the security events. In this paper, honeypot technology is studied to support situation awareness in case of a ransomware attack. Especially detection capabilities of the honeypots are considered from the perspective of technical characteristic of ransomware. As a conclusion, we propose a construction model for enhancing cyber situation awareness using honeypots during various stages of a ransomware attack. Additionally, the analysed results are explained with identified future research topics.

Recommended citation: Ihanus, J., Kokkonen, T., Hämäläinen, T. (2024). Refining Cyber Situation Awareness with Honeypots in Case of a Ransomware Attack. In: Rocha, Á., Adeli, H., Dzemyda, G., Moreira, F., Poniszewska-Marańda, A. (eds) Good Practices and New Perspectives in Information Systems and Technologies. WorldCIST 2024. Lecture Notes in Networks and Systems, vol 985. Springer, Cham. https://doi.org/10.1007/978-3-031-60215-3_10
Download Paper

Modelling Medical Devices with Honeypots: A Conceptual Framework

Published in Springer, Cham, 2022

Cyber security plays an important role in the modern smart hospital environment. In these environments, one of the key assets brought to attention are the medical devices. Cyber threats relating to medical devices may affect patient safety, privacy, and hospital operations. As these devices are relatively closed on the technical level, possibilities to collect log information about security incidents are limited. At the same time, a wide variety of data is needed to create comprehensive situation awareness of the cyber operating environment. Aware of these challenges, one interesting solution to gather medical device related sensor data are the honeypots. In this paper, honeypot technology is studied to support the situation awareness in medical device networks. Especially detection capabilities of the honeypot systems are considered from the perspective of challenges in technical visibility relating to medical devices. These capabilities focus on the sensor data that honeypots can provide in different attack phases. As a conclusion these metrics are summarized in the construction model, which can be applied to healthcare environment.

Recommended citation: Ihanus, J., Kokkonen, T., Hämäläinen, T. (2022). Modelling Medical Devices with Honeypots: A Conceptual Framework. In: Rocha, A., Adeli, H., Dzemyda, G., Moreira, F. (eds) Information Systems and Technologies. WorldCIST 2022. Lecture Notes in Networks and Systems, vol 468. Springer, Cham. https://doi.org/10.1007/978-3-031-04826-5_15
Download Paper

Modelling Medical Devices with Honeypots

Published in Springer, Cham, 2020

Cyber security is one of the key priorities in the modern digitalised and complex network totality. One of the major domains of interest is the healthcare sector where a cyber incident may cause unprecedented circumstances. In the healthcare domain there are abundant networked systems, software and hardware, which may be vulnerable for a cyber intrusion or incident. For cyber resilience, it is important to know the status of the valuable assets under attention. Sensor information has a significant role for achieving the comprehension of the valuable assets in the cyber domain. While networked medical devices form an important asset group in healthcare environment, one interesting solution to gather sensor information are the honeypots. In this paper, honeypot technology is studied for the healthcare domain. Especially typical characteristics of medical devices are considered from the perspective of modelling the medical devices with honeypots. The technical priorities are studied and concluded with the discovered future research topics.

Recommended citation: Ihanus, J., Kokkonen, T. (2020). Modelling Medical Devices with Honeypots. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds) Internet of Things, Smart Spaces, and Next Generation Networks and Systems. NEW2AN ruSMART 2020 2020. Lecture Notes in Computer Science(), vol 12525. Springer, Cham. https://doi.org/10.1007/978-3-030-65726-0_26
Download Paper