Many phish in the $\mathcal{C}$: A coexisting-choice-criteria model of security behavior

Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by $\mathcal{C}$. Thus the proposed model reduces to conventional Expected Utility theory when $|\mathcal{C}_{EU}| = 1$, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with $|\mathcal{C}_{DP}| = 2$. We consider the more general case with $|\mathcal{C}| \ge 2$, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over the others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of the choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to the delineation of the prerequisites for valid tests of security training. Moreover, the model explains the ‘stepping-stone’ penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.
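The structure of the model described above can be made concrete with a small simulation. The following Python block is an added illustration and is not the paper's own formalism: the three criteria (one deliberative, two peripheral-route), their compliance probabilities, the softmax form of the criterion-selection distribution, and all numeric weights are constructed assumptions chosen only to show the mechanics. It shows that the mixture collapses to a single-criterion model when $|\mathcal{C}| = 1$, that breach risk depends on the framing of the message because framing shifts probability mass toward peripheral criteria, and that the measured effect of training therefore depends on the framing under which the test is run.

```python
"""Toy coexisting-choice-criteria model of a phishing decision.

Added illustration only: every criterion, weight and feature value below is a
constructed assumption, not the paper's formalism.
"""
from dataclasses import dataclass
from math import exp
from typing import Callable, Dict, Iterable, Optional


@dataclass(frozen=True)
class Context:
    """Framing of the choice task: the persuasion cues a message carries (constructed)."""
    urgency: float = 0.0    # strength of time-pressure framing, 0..1
    authority: float = 0.0  # strength of authority/impersonation cue, 0..1


@dataclass(frozen=True)
class Traits:
    """Decision-maker traits (constructed)."""
    reflection: float = 0.5  # propensity to engage the deliberative criterion, 0..1
    trained: bool = False    # has received conventional (central-route) security training


Criterion = Callable[[Context, Traits], float]


def deliberative(ctx: Context, tr: Traits) -> float:
    """Central-route criterion: scrutinises the message, so training lowers compliance."""
    return 0.05 if tr.trained else 0.30


def urgency_driven(ctx: Context, tr: Traits) -> float:
    """Peripheral criterion triggered by time pressure; conventional training does not reach it."""
    return 0.2 + 0.7 * ctx.urgency


def authority_driven(ctx: Context, tr: Traits) -> float:
    """Peripheral criterion triggered by an authority cue; conventional training does not reach it."""
    return 0.2 + 0.7 * ctx.authority


# The set C of coexisting choice criteria (|C| = 3 here). The functions below
# accept any subset, so passing a single name gives the |C| = 1 (EU-style) case.
CRITERIA: Dict[str, Criterion] = {
    "deliberative": deliberative,
    "urgency": urgency_driven,
    "authority": authority_driven,
}


def _activation(name: str, ctx: Context, tr: Traits) -> float:
    """Constructed 'activation' score of each criterion given traits and framing."""
    return {
        "deliberative": 2.0 * tr.reflection,
        "urgency": 2.5 * ctx.urgency,
        "authority": 2.5 * ctx.authority,
    }[name]


def criterion_distribution(ctx: Context, tr: Traits,
                           names: Optional[Iterable[str]] = None) -> Dict[str, float]:
    """P(criterion prevails | traits, context): softmax over the activations of the criteria in play."""
    chosen = list(names) if names is not None else list(CRITERIA)
    weights = {n: exp(_activation(n, ctx, tr)) for n in chosen}
    z = sum(weights.values())
    return {n: w / z for n, w in weights.items()}


def breach_probability(ctx: Context, tr: Traits,
                       names: Optional[Iterable[str]] = None) -> float:
    """P(comply with the phish) = sum over criteria of P(criterion) * P(comply | criterion)."""
    dist = criterion_distribution(ctx, tr, names)
    return sum(p * CRITERIA[n](ctx, tr) for n, p in dist.items())


def training_effect(ctx: Context, reflection: float = 0.5,
                    names: Optional[Iterable[str]] = None) -> float:
    """Reduction in breach probability attributable to training, under one framing."""
    untrained = Traits(reflection=reflection, trained=False)
    trained = Traits(reflection=reflection, trained=True)
    return breach_probability(ctx, untrained, names) - breach_probability(ctx, trained, names)


if __name__ == "__main__":
    for label, ctx in (("neutral framing", Context()), ("urgent framing", Context(urgency=1.0))):
        dist = {k: round(v, 3) for k, v in criterion_distribution(ctx, Traits()).items()}
        print(f"{label}: P(criterion) = {dist}")
        print(f"  breach probability (trained) = {breach_probability(ctx, Traits(trained=True)):.3f}")
        print(f"  training effect = {training_effect(ctx):.3f}")
```

Under these assumptions a test of training conducted only with neutrally framed messages reports a much larger effect than the same test run with an urgency-framed message, because the urgent framing moves most of the selection probability onto a criterion the training never touched. That is the sense in which the framing of the test stimuli is a prerequisite for a valid evaluation of security training.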
