Cognitive Hacking and the Value of Information

Computer and network security present great challenges to our evolving information society and economy. The variety and complexity of cybersecurity attacks that have been developed parallel the variety and complexity of the information technologies that have been deployed, with no end in sight for either. We delineate between two classes of information systems attacks: autonomous attacks and cognitive attacks. Autonomous attacks operate totally within the fabric of the computing and networking infrastructures. For example, the well-know Unicode attack against older, unpatched versions of Microsoft's Internet Information Server (IIS) can lead to root/administrator access. Once such access is obtained, any number of undesired activities by the attacker is possible. For example, files containing private information such as credit card numbers can be downloaded and used by an attacker. Such an attack does not require any intervention by users of the attacked system, hence we call it an "autonomous" attack. By contrast, a cognitive attack requires some change in users' behavior, affected by manipulating their perception of reality. The attack's desired outcome cannot be achieved unless human users change their behaviors in some way. Users' modified actions are a critical link in a cognitive attack's sequencing.