Cyber security is increasingly seen as the management of economic trade-offs: balancing losses from actual attacks (e.g., monetary costs, psychological costs due to loss of privacy, etc.) against the costs of threat/attack mitigation mechanisms (e.g., monetary costs, degradation of performance and productivity, etc.). While tackling this multi-attribute decision problem in a highly dynamic and uncertain environment, individuals frequently diverge from rationality. To better understand the deviation from rational behavior and to find effective ways to remediate this (when necessary), a systematic study will be undertaken with the results used to model the human behavior of malicious actors (attackers), non-malicious actors - those who intend to maintain the security of a system (defenders) and actors whose behavior/attitudes are indifferent to system security, but do not intend to attack the system (end users). The research methodology involves: (1) generating representative scenarios of various attack / mitigation decision problems, (2) conducting surveys using scenario simulations to identify the drivers of human behavior relative to each scenario, (3) developing models of human behavior that involve the application of various normative and descriptive models from behavioral economics, (4) comparing the outcomes of the models, (5) conducting controlled laboratory experiments with human subjects to reveal differences between predicted and observed user behavior, (6) using the developed models to help determine what measures can be employed to change human behavior, and (7) implementing, simulating, and evaluating the developed models in a multi-agent system. The project has three key tasks: (1) Explore what factors drive an adversary to select a particular cyber-attack and what motivates the benign user to either take or not take action. The proposed research also will examine what steps can be taken to change human behavior - either to not attack, take certain attack paths, or, for a benign user, take steps to avoid or mitigate an attack. (2) Explore the potential difference between optimal and actual security decisions, to determine when and why deviation from the optimal decision occurs, and identify effective means to correct deviations from rationality that impede the realization of good security outcomes. (3) Investigate how attackers can take advantage of the gap between perceived and actual risk, as well as attackers' risk-taking behavior. This is critical to ensuring the development and implementation of effective monitoring and mitigation technologies. The research will develop techniques and models delivering the foundation for future security-focused behavioral modeling research, provide much needed empirical data, and produce a software toolkit for developing, testing and evaluating methods and models to study human security decision-making.