Scenario-based training for deception detection

Computer defense is not perfect. Each year hackers exploit hundreds of vulnerabilities in information systems even though millions of dollars are spent on information security. Firewalls, intrusion detection systems and patch management software all help to increase systems security, but they are only perimeter defenses. Once inside, a hacker can do significant damage and the vulnerability to deception is great. At that point, users become the last line of defense. This paper describes two field studies in which scenario-based training was used to teach information systems users how detect deception in the information they use. The first study provided deception detection training to human resource specialists who queried a database to get the need information to make decision about personnel in their organization. Deceptive data was planted in the database. The second provided training to communications specialists using a computer based training systems called Agent99. In both studies scenarios were developed as a foundation of the training programs provided. The use of the scenarios helped to keep the participants involved and focused on the training. More importantly, the subjects who received the scenario based training curriculum improved their knowledge of deception and their ability to detect deceptive data in information systems.

[1]  Joan Robson,et al.  Evaluating On-line Teaching , 2000 .

[2]  John P. Campbell,et al.  Modeling the performance prediction problem in industrial and organizational psychology. , 1990 .

[3]  Jay F. Nunamaker,et al.  Training Professionals to Detect Deception , 2003, ISI.

[4]  N Moray,et al.  Trust, control strategies and allocation of function in human-machine systems. , 1992, Ergonomics.

[5]  D. Hung Theories of Learning and Computer-Mediated Instructional Technologies , 2001 .

[6]  J. Bruner Acts of meaning , 1990 .

[7]  R. Sternberg,et al.  The Psychology of Intelligence , 2002 .

[8]  D. R. Davies,et al.  Human vigilance performance , 1969 .

[9]  Judee K. Burgoon,et al.  Interpersonal deception: V. Accuracy in deception detection , 1994 .

[10]  Thomas B. Sheridan,et al.  TRUSTWORTHINESS OF COMMAND AND CONTROL SYSTEMS , 1988 .

[11]  D. H. Mills The Logic and Limits of Trust , 1983 .

[12]  Robert W. Zmud,et al.  Opportunities for Strategic Information Manipulation through New Information Technology , 1990 .

[13]  R. Power CSI/FBI computer crime and security survey , 2001 .

[14]  Wynne W. Chin The partial least squares approach for structural equation modeling. , 1998 .

[15]  Jay F. Nunamaker,et al.  Designing Agent99 Trainer: A Learner-Centered, Web-Based Training System for Deception Detection , 2003, ISI.

[16]  N. Moray,et al.  Trust in automation. Part II. Experimental studies of trust and human intervention in a process control simulation. , 1996, Ergonomics.

[17]  Gordon B. Davis,et al.  Can Humans Detect Errors in Data? Impact of Base Rates, Incentives, and Goals , 1997, MIS Q..

[18]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[19]  Robert W. Zmud,et al.  Inducing Sensitivity to Deception in Order to Improve Decision Making Performance: A Field Study , 2002, MIS Q..

[20]  Gregg H. Gunsch,et al.  The effect of external safeguards on human-information system trust in an information warfare environment , 2001, 36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the.

[21]  James J. Lindsay,et al.  Cues to deception. , 2003, Psychological bulletin.

[22]  Paul E. Johnson,et al.  Fraud Detection: Intentionality and Deception in Cognition , 1993 .