Originally published by the Annual Review of Cybertherapy and Telemedicine
Authors: Kamilya Salibayeva, Alexander Thorpe, Luke French, Zachary P. Fry, Hajime Inoue, Robert Forties, Emma Hewlett, Scott Brown and Ami Eidels
Abstract: As recent security breaches of Australian companies have shown, cybersecurity is an increasing issue for governments and companies in the face of industrial-scale hacking. There exists the potential to reduce hackers’ efficiency by exploiting cognitive vulnerabilities, or cognitive biases that could be exploited by defence systems to lead hackers towards targets that are relatively unrewarding or unlikely to succeed. One such cognitive vulnerability is loss aversion, or an oversensitivity to losses relative to their objective value. The cognitive science literature contains a wealth of knowledge about cognitive biases and how they manifest, but it is necessary to establish that these biases can be measured and potentially exploited in real-world scenarios. Measures of real-world cyber behaviour may be ecologically valid but have not yet been established as face-valid, while established methods may lack ecological validity. To address this, we propose a three-tiered, “Gold-Silver-Bronze” experimental paradigm. Gold represents the most realistic tasks, while Bronze represents tasks most well-supported by the literature. An intermediary Silver tier serves to link the other two. We present a demonstration of this experiment with a cohort of cybersecurity experts. Participants were tasked with gaining access to secured information in a Capture-the-Flag paradigm (Gold), computer-based behavioural tasks (Silver), and established methods of measuring cognitive biases (Bronze). Across the three tiers, our measures could detect when participants responded in ways consistent with loss aversion. Preliminary results indicated these biases could be triggered through manipulation of the tasks’ presentation, thus showing the potential to induce inefficient behaviour in real-world cyber-attacks.