By Dr. Zak Fry
What Is Cyberpsychology and Why Do We Need to Understand It?
The current cybersecurity landscape is complex – staying ahead of cyberattackers requires cutting-edge understanding and mastery of many relevant subdomains. While GrammaTech and others have spent decades researching novel ways to defend against cyberattacks from a systems and software standpoint, there is increasing interest in understanding the cyberpsychology of attackers in order to craft better human-aware defenses. Cyberpsychology studies how people think, feel and behave in digital environments – current findings suggest that established general psychological principles do not necessarily apply in cyber-environments. Just as a marketing team might leverage general psychology to improve advertisement effectiveness, a better understanding of cyberpsychology enables cyber-defenders to craft more informed defenses against cyberattacks.
ReSCIND: Hacking the Hacker
The field of cyberpsychology, and the study of how cognitive biases lead to suboptimal decision making, continues to grow in popularity – GrammaTech recently led a team on the IARPA “Reimagining Security with Cyberpsychology-Informed Network Defenses” (ReSCIND) program. Attackers attempt to find and exploit vulnerabilities in systems – ReSCIND borrows from and counters this strategy by developing mechanisms for measuring and exploiting cognitive biases in cyberattacker behavior. Specifically, we examine concepts such as over-confidence, aversion to loss or detection, and potentially incorrect beliefs about gained information, in order to identify instances where attackers behave irrationally or unknowingly make their own tasks harder. By studying this novel angle of cybersecurity, we can craft more comprehensive defensive strategies for critical cyber deployments.
How GrammaTech Reverse-Engineered the Hacker
The developed cyberpsychology-informed defensive tactics are grounded in human-subject research in which we tested cognitive hypotheses on participants in realistic cyberattack settings. While cognitive biases are well understood in non-cyber domains (e.g., marketing, social interactions, workplace dynamics), we do not assume by default that the same conclusions translate to cyber behaviors. To evaluate cognitive effects in a cyber context, we developed an in-depth human study built around a testbed that mimics a real-world academic-style network, in which participants were presented with various hacking objectives. We inserted behavioral measurement mechanisms (e.g., “how many attempts are made for a certain task”, “how long was spent on a certain task”) into the testbed at critical points along individual attack vectors. Dozens of qualified participants completed the study with varying levels of success on the individual attack-style tasks.
Our Results
We studied fourteen canonical biases in both cyber and non-cyber contexts, including the gambler’s fallacy, confirmation bias, the hot stove effect, and the sunk cost fallacy. As an example, the “endowment effect” suggests that someone will irrationally over-value something they were given (or “endowed with”) relative to its real worth when making critical decisions. In a cyber context, this could apply to various scenarios, including access to a system or artifact, possession of sensitive information or data, and control over critical system functionality. In our experiments we specifically measured attackers’ preference for continuing to attack an arbitrary system versus a protected system for which they had been explicitly “endowed” with credentials. We found that both treatment and control group users (i.e., those we were trying to influence and those we were not, respectively) were overwhelmingly inclined to remain on the target machine. This cyber-focused result does not match the general findings on the endowment effect – it suggests that there are critical differences in bias susceptibility and causal effects between established results and cyber contexts, attackers, and behaviors, which motivates further study in this area. Based on our experiments, the most cyber-actionable biases include the gambler’s fallacy, the sunk cost fallacy, the default and distinctiveness effects, the hot stove effect, and the cognitive load effect. Those that showed less cyber-focused promise include base rate neglect, the endowment effect, the mere exposure effect, and near-miss bias.
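The two kinds of measurement described above (per-task attempt counts and time on task from instrumented testbed points, and the treatment-versus-control comparison of whether participants remained on the endowed target machine) can be aggregated from an event log with a short script. The following is an added example and is not GrammaTech's or the ReSCIND program's own code; the log format (one space-separated event per line with a timestamp, participant, group, task and event name), the event names (task_start, attempt, task_end, choice:remain, choice:leave) and the sample participants are all hypothetical and constructed for illustration. It also handles two edge cases a real testbed produces: a participant who starts the same task more than once (durations are summed) and a task that is started but never finished (reported as incomplete rather than silently dropped).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not study data. Assumed line format for this example:
#   <iso-timestamp> <participant> <group> <task> <event>
# where event is task_start | attempt | task_end | choice:remain | choice:leave
SAMPLE_LOG = """\
2024-05-01T10:00:00 p01 treatment task-A task_start
2024-05-01T10:00:30 p01 treatment task-A attempt
2024-05-01T10:01:00 p01 treatment task-A attempt
2024-05-01T10:02:10 p01 treatment task-A attempt
2024-05-01T10:03:00 p01 treatment task-A task_end
2024-05-01T10:03:05 p01 treatment endowment choice:remain
2024-05-01T10:05:00 p02 treatment task-A task_start
2024-05-01T10:05:20 p02 treatment task-A attempt
2024-05-01T10:06:00 p02 treatment task-A task_end
2024-05-01T10:06:10 p02 treatment endowment choice:remain
2024-05-01T10:06:30 p02 treatment task-B task_start
2024-05-01T10:10:00 p03 control task-A task_start
2024-05-01T10:10:40 p03 control task-A attempt
2024-05-01T10:11:50 p03 control task-A attempt
2024-05-01T10:12:30 p03 control task-A task_end
2024-05-01T10:12:35 p03 control endowment choice:remain
2024-05-01T10:20:00 p04 control task-A task_start
2024-05-01T10:20:15 p04 control task-A attempt
2024-05-01T10:20:45 p04 control task-A task_end
2024-05-01T10:20:50 p04 control endowment choice:leave
2024-05-01T10:21:00 p04 control task-A task_start
2024-05-01T10:21:30 p04 control task-A task_end
"""


def parse_log(text):
    """Parse the hypothetical testbed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, participant, group, task, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "participant": participant,
                       "group": group, "task": task, "event": event})
    return events


def attempts_per_task(events):
    """Number of 'attempt' events per (participant, task)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "attempt":
            counts[(ev["participant"], ev["task"])] += 1
    return dict(counts)


def time_per_task(events):
    """Seconds per (participant, task), summed over closed start/end sessions.

    Returns (totals, incomplete): tasks still open when the log ends are listed
    in `incomplete` instead of being counted, so a participant who gave up is
    not mistaken for one who finished quickly.
    """
    totals = defaultdict(float)
    open_since = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["participant"], ev["task"])
        if ev["event"] == "task_start":
            open_since[key] = ev["ts"]
        elif ev["event"] == "task_end" and key in open_since:
            totals[key] += (ev["ts"] - open_since.pop(key)).total_seconds()
    return dict(totals), set(open_since)


def remain_rate_by_group(events):
    """Fraction of each group that chose to remain on the endowed target."""
    tally = defaultdict(lambda: [0, 0])  # group -> [remained, decided]
    for ev in events:
        if ev["event"].startswith("choice:"):
            tally[ev["group"]][1] += 1
            if ev["event"] == "choice:remain":
                tally[ev["group"]][0] += 1
    return {g: remained / decided for g, (remained, decided) in tally.items()}


def summarize(text=SAMPLE_LOG):
    """Combine the three measurements into one report dict."""
    events = parse_log(text)
    seconds, incomplete = time_per_task(events)
    return {"attempts": attempts_per_task(events), "seconds": seconds,
            "incomplete": incomplete, "remain_rate": remain_rate_by_group(events)}


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

On the constructed log, p04 shows up with 75 seconds on task-A across two sessions and only one attempt, p02's task-B appears in the incomplete set, and the remain rate is 1.0 for the treatment group versus 0.5 for the control group; in a real study these per-group rates are what the treatment/control comparison in the text is built on.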
For more details check out our publications in the Annual Review of Cybertherapy and Telemedicine:
Deceptive Patterns and Defence: Teaching Cognitive Biases through Gamification
The Human Behind the Hack: Exploiting the Representativeness Heuristic to Combat Cyber-Attacks
The Hacker is Vulnerable Too: How Cognitive Science Can Inform Cybersecurity
What’s Next?
We plan to continue contributing to the growing community studying cyberpsychological effects and explore additional areas where the developed behavioral monitoring and influence techniques might apply. Currently we are exploring opportunities to apply these approaches to domains including insider threat detection, identification of criminal activity patterns, and official process compliance checking. We invite any interested readers to reach out for more information.
