Human Subtlety Proofs: Using Computer Games to Model Cognitive Processes for Cybersecurity

ABSTRACT This article describes an emerging direction in the intersection between human–computer interaction and cognitive science: the use of cognitive models to give insight into the challenges of cybersecurity (cyber-SA). The article gives a brief overview of work in different areas of cyber-SA where cognitive modeling research plays a role, with regard to direct interaction between end users and computer systems and with regard to the needs of security analysts working behind the scenes. The problem of distinguishing between human users and automated agents (bots) interacting with computer systems is introduced, as well as ongoing efforts toward building Human Subtlety Proofs (HSPs), persistent and unobtrusive windows into human cognition with direct application to cyber-SA. Two computer games are described, proxies to illustrate different ways in which cognitive modeling can potentially contribute to the development of HSPs and similar cyber-SA applications.
