human_like_security_reasoning.csv

scenario_id,domain,situation,context,human_thought_process,possible_mistake,correct_decision,risk_level,explanation
1,cybersecurity,Multiple failed login attempts,Corporate VPN,"Could be user error or brute force. Need to check IP pattern and timing.","Disable all VPN access","Block suspicious IP and alert SOC",medium,"Targeted blocking avoids disruption"
2,system,Server disk usage suddenly full,Production Linux server,"Logs or backups might have grown unexpectedly.","Delete random files","Analyze disk usage and clean safely",high,"Blind deletion risks data loss"
3,network,High latency reported,Office LAN,"Is this congestion, faulty switch, or external issue?","Restart all devices","Trace route and isolate bottleneck",medium,"Root cause analysis saves time"
4,cybersecurity,Phishing email reported,Employee inbox,"Check sender domain and email headers.","Ignore single report","Analyze and warn all users",high,"Early warning prevents spread"
5,system,CPU spike at night,Cloud VM,"Scheduled job or malicious process?","Reboot VM","Check cron jobs and running processes",high,"Reboot hides root cause"
6,network,Packet loss detected,ISP connection,"Could be ISP issue or local cable fault.","Change router immediately","Test locally and contact ISP",medium,"Avoid unnecessary replacement"
7,cybersecurity,Unknown USB plugged in,Office PC,"USB could contain malware.","Open files to check","Isolate system and scan USB",high,"USB attacks are common"
8,system,Application crashes repeatedly,Production app,"Check logs before blaming code.","Redeploy blindly","Inspect error logs",medium,"Logs reveal exact issue"
9,cybersecurity,Password reuse detected,User audit,"User convenience vs security risk.","Ignore minor reuse","Force password reset",medium,"Reuse increases breach risk"
10,network,WiFi speed drops,Campus WiFi,"Too many users or interference?","Increase bandwidth","Change channel and optimize APs",low,"Optimization is cheaper"
11,cybersecurity,Admin login from new country,Cloud console,"Could be travel or compromise.","Disable admin","Verify activity and MFA logs",high,"Context matters"
12,system,Memory leak suspected,Backend service,"Gradual memory growth indicates leak.","Restart service","Profile memory usage",high,"Restart is temporary fix"
13,network,DNS resolution slow,Internal DNS,"Cache or upstream issue?","Switch public DNS","Fix internal DNS config",medium,"Internal reliability matters"
14,cybersecurity,Ransomware note found,User system,"Immediate isolation needed.","Pay ransom","Disconnect system and start IR",critical,"Containment is priority"
15,system,Backup job failed,Database server,"Storage or permission issue?","Ignore single failure","Investigate immediately",high,"Backups are critical"
16,network,Firewall blocking legit traffic,Enterprise firewall,"Rule misconfiguration likely.","Disable firewall","Adjust specific rule",high,"Firewall protects network"
17,cybersecurity,Suspicious PowerShell script,System logs,"PowerShell often abused.","Delete script","Analyze source and intent",high,"Forensics needed"
18,system,Time drift observed,Distributed system,"Clock mismatch affects logs.","Ignore seconds drift","Sync NTP across systems",medium,"Time consistency matters"
19,network,VPN users disconnected,Remote workforce,"Server overload or ISP issue?","Restart VPN server","Check load and logs",medium,"Restart may worsen issue"
20,cybersecurity,API key exposed in repo,Public GitHub,"Key likely compromised.","Do nothing","Revoke and rotate key",critical,"Keys must be rotated"
21,system,Service dependency missing,Microservices,"Config mismatch after deploy.","Rollback immediately","Fix dependency config",medium,"Rollback not always needed"
22,network,ARP spoofing suspected,LAN network,"Unusual MAC-IP mapping.","Ignore alerts","Enable ARP inspection",high,"ARP attacks enable MITM"
23,cybersecurity,User clicks suspicious link,Office laptop,"Endpoint may be compromised.","Scold user","Scan system and educate",medium,"Education reduces future risk"
24,system,High I/O wait,Database server,"Disk bottleneck or query issue.","Add more RAM","Optimize queries or storage",high,"Correct resource matters"
25,network,Load balancer uneven traffic,Web servers,"Health checks misconfigured.","Restart LB","Fix health check rules",medium,"Restart hides config issue"
26,cybersecurity,Malware detected by AV,Endpoint,"False positive or real?","Ignore AV","Quarantine and analyze",high,"Ignoring AV is dangerous"
27,system,Config file overwritten,Server reboot,"Automation tool issue.","Manually edit","Fix automation script",medium,"Automation errors repeat"
28,network,Port scan detected,Firewall logs,"Recon activity likely.","Ignore low volume","Block source and monitor",medium,"Early blocking helps"
29,cybersecurity,Privilege escalation attempt,Server logs,"Serious breach indicator.","Restart server","Investigate immediately",critical,"Restart destroys evidence"
30,system,Service starts slowly,Application server,"Cold start or dependency delay.","Increase CPU","Optimize startup sequence",low,"Performance tuning needed"
31,network,MTU mismatch issue,VPN tunnel,"Fragmentation causing drops.","Ignore small drops","Align MTU settings",medium,"MTU mismatch common issue"
32,cybersecurity,Social engineering call,Helpdesk,"Caller urgency suspicious.","Reset password","Verify identity strictly",high,"Social attacks bypass tech"
33,system,Database connection timeout,App backend,"Pool exhaustion likely.","Restart DB","Increase pool and fix leaks",high,"Restart is temporary"
34,network,Duplicate IP detected,Office LAN,"Static IP conflict.","Restart device","Resolve IP assignment",low,"Conflict causes instability"
35,cybersecurity,Unusual outbound traffic,Server firewall,"Possible data exfiltration.","Ignore off-hours","Analyze destination and volume",critical,"Data loss risk"
36,system,Log files missing,Server audit,"Rotation or tampering?","Assume rotation","Check audit policies",high,"Logs are evidence"
37,network,Switch port flapping,Data center,"Cable or NIC fault.","Ignore alerts","Replace cable/NIC",medium,"Hardware issues degrade network"
38,cybersecurity,MFA disabled by user,Account settings,"Security weakened.","Allow for convenience","Force MFA re-enable",high,"MFA is critical"
39,system,Kernel panic observed,Linux server,"Hardware or driver issue.","Reboot repeatedly","Analyze crash dump",critical,"Repeated panic worsens damage"
40,network,BGP route change detected,ISP network,"Possible hijack.","Ignore brief change","Verify routing integrity",critical,"Routing attacks are severe"
41,cybersecurity,Unauthorized software installed,Employee PC,"Policy violation.","Uninstall silently","Investigate intent",medium,"Could be insider threat"
42,system,Service health check failing,Monitoring alert,"False alert or real issue?","Mute alert","Verify service status",medium,"Alerts guide action"
43,network,Wireless rogue AP detected,Office,"Possible evil twin.","Ignore unknown AP","Locate and remove AP",high,"Rogue AP steals data"
44,cybersecurity,Email attachment opened,User system,"Malware risk.","Wait for symptoms","Scan immediately",high,"Early detection helps"
45,system,Environment variables missing,App deploy,"Config error.","Hardcode values","Fix environment config",medium,"Hardcoding is unsafe"
46,network,Excessive broadcast traffic,LAN,"Loop or misconfig.","Restart switches","Find loop and fix STP",high,"Broadcast storms are dangerous"
47,cybersecurity,Session hijack suspected,Web app,"Token leakage?","Ignore rare case","Invalidate sessions",high,"Sessions must be protected"
48,system,Cache inconsistency,Distributed cache,"Stale data served.","Disable cache","Fix invalidation logic",medium,"Cache improves performance"
49,network,Slow file transfers,SFTP server,"Encryption overhead or disk?","Disable encryption","Optimize disk and cipher",medium,"Security should remain"
50,cybersecurity,Unknown scheduled task,System audit,"Persistence technique.","Ignore if idle","Investigate task origin",high,"Persistence enables long attacks"