From Individual Decisions from Experience to Behavioral Game Theory: Lessons for Cybersecurity

Understanding Cyber Situational Awareness in a Cyber Security Game involving

International Journal on Cyber Situational Awareness

Intrusion Detection Systems (IDSs) help in creating cyber situational awareness for defenders by providing recommendations. Prior research in simulation and game theory has revealed that the presence and accuracy of IDS-like recommendations influence the decisions of defenders and adversaries. In the current paper, we present novel analyses of prior research by analyzing the sequential decisions of defenders and adversaries over repeated trials. Specifically, we developed computational cognitive models based upon Instance-Based Learning Theory (IBLT) to capture the dynamics of the sequential decisions made by defenders and adversaries across numerous conditions that differed in the IDS's availability and accuracy. We found that cognitive mechanisms based upon recency, frequency, and variability helped account for adversarial and defender decisions better than the optimal Nash solutions. We discuss the implications of our results for adversarial and defender decisions in the cyber-world.

Behavioral Cybersecurity: Investigating the influence of Patching Vulnerabilities in Markov Security Games via Cognitive Modeling

International Journal on Cyber Situational Awareness, 2019

Current research in cyber-security is not focused on human decision-making. The primary objective of this study is to address this gap and investigate how cognitive processes proposed by Instance-based Learning Theory (IBLT), like reliance on recency and frequency, attention to the opponent's actions, and cognitive noise, are influenced by the effectiveness of vulnerability patching. Data involving participants performing as hackers and analysts was collected in a lab-based experiment in two patching conditions: effective (N = 50) and less-effective (N = 50). In effective (less-effective) patching, computer systems were in a non-vulnerable state (i.e., immune to cyber-attacks) 90% (50%) of the time after patching. An IBL model accounted for human decisions and revealed low (high) reliance on recency and frequency, attention to the opponent's actions, and cognitive noise for the hacker (analyst) in effective patching, whereas it revealed the opposite results for less-effective patching. We highlight the implications of our findings for cyber decision-making.

Modeling Social Information in Conflict Situations through Instance-Based Learning Theory

Behavior in conflict situations can be influenced by the social information that individuals have about their opponents. This paper tests whether an existent Instance-based Learning (IBL) model, built using the Instance-based Learning Theory (IBLT) to explain behavior in a single-person binary-choice task (BCT), can predict behavior in a two-player iterated prisoner's dilemma (IPD) game. The same IBL model is generalized to two conditions in the IPD: Social, where individuals have information about their opponents and their choices; and Non-social, where individuals and opponents lack this information. We expect the single-person IBL model to predict behavior in the Non-social condition better than in the Social condition. However, due to the structural differences between BCT and IPD, we also expect only moderately good model predictions in the Non-social condition. Our results confirm these expectations. These findings highlight the need for additional cognitive mechanisms to account for social information in conflict situations.

Learning About the Effects of Alert Uncertainty in Attack and Defend Decisions via Cognitive Modeling

Human Factors: The Journal of the Human Factors and Ergonomics Society, 2020

Objective: We aim to learn about the cognitive mechanisms governing the decisions of attackers and defenders in cybersecurity involving intrusion detection systems (IDSs). Background: Prior research has experimentally studied the role of the presence and accuracy of IDS alerts on attacker's and defender's decisions using a game-theoretic approach. However, little is known about the cognitive mechanisms that govern these decisions. Method: To investigate the cognitive mechanisms governing the attacker's and defender's decisions in the presence of IDSs of different accuracies, instance-based learning (IBL) models were developed. One model (NIDS) disregarded the IDS alerts and one model (IDS) considered them in the instance structure. Both the IDS and NIDS models were trained in an existing dataset where IDSs were either absent or present and they possessed different accuracies. The calibrated IDS model was tested in a newly collected test dataset where IDSs were present 50% of the time a...

Cyber security: testing the effects of attack strategy, similarity, and experience on cyber attack detection

Cyber attacks, the disruption of the normal functioning of computers in a network due to malicious events (threats), are becoming widespread, and the role of security analysts is becoming important in protecting networks by detecting cyber attacks accurately and in a timely manner. In this paper, we investigate the role of two internal factors, similarity and experience, and an external factor, the strategy of an attacker, in influencing a simulated analyst's detection of cyber attacks. We use an existing cognitive model, based upon instance-based learning theory, which represents the decision-making process of a security analyst. We manipulate the attack strategy, experience, and similarity assumptions and evaluate their effects on the model's accurate and timely detection of cyber attacks. Results revealed that although experience and strategy played a significant role in cyber attack detection, the role of similarity was much smaller. We highlight the implications of our findings for training human security analysts in their job.

Cyber Situation Awareness through Instance-Based Learning

Principles, Methods and Applications

In a corporate network, the situation awareness (SA) of a security analyst is of particular interest. The current work describes a cognitive Instance-Based Learning (IBL) model of an analyst's recognition and comprehension processes in a cyber-attack scenario. The IBL model first recognizes network events based upon the events' situation attributes and their similarity to past experiences (instances) stored in the model's memory. Then, the model comprehends a sequence of observed events as being a cyber-attack or not, based upon the instances retrieved from its memory, the similarity mechanism used, and the model's risk-tolerance. The execution of the model generates predictions about the recognition and comprehension processes of an analyst in a cyber-attack. A security analyst's decisions in the model are evaluated based upon two cyber-SA metrics: accuracy and timeliness. The chapter highlights the potential of this research for the design of training and decision support tools for security ana...

The need for game-based learning methods to address cyber threats

European Conference on Games Based Learning

Cyber security threats are increasingly a serious concern to organisations, with an annual worldwide cost of a trillion dollars in 2021. Potentially the most significant contributor to cyber security threats is the human element, yet this has typically been insufficiently addressed in proposed solutions. Significant resources have been allocated to software, training and other solutions designed to tackle this threat, yet existing methods to improve cyber security have failed to deliver the desired results. Commonly cited issues include the lack of engagement in training, leading to disinterest, and a 'one size fits all' approach, meaning some groups benefit from training more than others. This study will examine the need for game-based training methods in addressing cyber security threats caused by human error. Game-based training methods have previously been proposed to improve engagement in training, and this study will discuss other potential benefits of game-based training. The a...

Learning About Simulated Adversaries from Human Defenders using Interactive Cyber-Defense Games

arXiv (Cornell University), 2023

Given the increase in cybercrime, cybersecurity analysts (i.e. Defenders) are in high demand. Defenders must monitor an organization's network to evaluate threats and potential breaches into the network. Adversary simulation is commonly used to test defenders' performance against known threats to organizations. However, it is unclear how effective this training process is in preparing defenders for this highly demanding job. In this paper, we demonstrate how to use adversarial algorithms to investigate defenders' learning of defense strategies, using interactive cyber defense games. Our Interactive Defense Game (IDG) represents a cyber defense scenario that requires constant monitoring of incoming network alerts and allows a defender to analyze, remove, and restore services based on the events observed in a network. The participants in our study faced one of two types of simulated adversaries. A Beeline adversary is a fast, targeted, and informed attacker; a Meander adversary is a slow attacker that wanders the network until it finds the right target to exploit. Our results suggest that although human defenders had more difficulty stopping the Beeline adversary initially, they were able to learn to stop this adversary by taking advantage of its attack strategy. Participants who played against the Beeline adversary learned to anticipate the adversary and take more proactive actions, while decreasing their reactive actions. These findings have implications for understanding how to help cybersecurity analysts speed up their training.