Abstract
This research investigates why high-accuracy, AI-driven provenance-based intrusion detection systems (PIDSs) can demonstrate impressive technical performance, yet frequently do not gain enterprise adoption. It asks the question: How do key stakeholder groups, including security analysts, compliance officers, and IT leadership, interpret and negotiate PIDS output, and under what situational conditions does socio-technical negotiation enable stable deployment? This study uses the Social Construction of Technology (SCOT) framework, and emphasizes interpretive flexibility, closure, and stabilization to track how stakeholder groups assigned value to explainability, auditability, and operational viability. This mixed-methods research design utilized an original Quality of Attribution (QoA) assessment by quantifying the detected root-cause accuracy of attribution, the false-positive rate of misclassification, and the cost incurred by the analyst to triage a detected event. The work combines the QoA assessment with SCOT-informed semi-structured interviews and the analysis of policy discourse. Ongoing preliminary findings are expected to indicate that a gain in QoA, augmented by an exploitable landscape of transparently annotated provenance visualizations, cryptographic audit metadata, and an inference latency faster than 200 ms aligns with stakeholder norms around trust, compliance, and integration. By overlaying socio-technical thresholds onto an Adoption Framework (from Exploration to Negotiation to Stabilization), this work is expected to provide vendor organizations with actionable design principles, as well as extend STS scholarship on the socially constructed nature of algorithmic artifacts and organizational contexts.
