Behavioral Determinants of Target Shifting and Deterrence in an Analog Cyber‐Attack Game

This study examines how exploiting biases in probability judgment can enhance deterrence using a fixed allocation of defensive resources. We investigate attacker anchoring heuristics for conjunctive events with missing information to distort attacker estimates of success for targets with equal defensive resources. We designed and conducted a behavioral experiment functioning as an analog cyber attack with multiple targets requiring three stages of attack to successfully acquire a target. Each stage is associated with a probability of successfully attacking a layer of defense, reflecting the allocation of resources for each layer. There are four types of targets that have nearly equal likelihood of being successfully attacked, including one type with equally distributed success probabilities over every layer and three types with success probabilities that are concentrated to be lowest in the first, second, or third layer. Players are incentivized by a payoff system that offers a reward for successfully attacked targets and a penalty for failed attacks. We collected data from a total of 1,600 separate target selections from 80 players and discovered that the target type with the lowest probability of success on the first layer was least preferred among attackers, providing the greatest deterrent. Targets with equally distributed success probabilities across layers were the next least preferred among attackers, indicating greater deterrence for uniform-layered defenses compared to defenses that are concentrated at the inner (second or third) levels. This finding is consistent with both attacker anchoring and ambiguity biases and an interpretation of failed attacks as near misses.

[1]  P. Ubel,et al.  Measuring Numeracy without a Math Test: Development of the Subjective Numeracy Scale , 2007, Medical decision making : an international journal of the Society for Medical Decision Making.

[2]  M. Dixon,et al.  Near-Miss Effects on Response Latencies and Win Estimations of Slot Machine Players , 2004 .

[3]  Robin L. Dillon,et al.  How Near-Miss Events Amplify or Attenuate Risky Decision Making , 2012, Manag. Sci..

[4]  F. Strack,et al.  Playing Dice With Criminal Sentences: The Influence of Irrelevant Anchors on Experts’ Judicial Decision Making , 2006, Personality & social psychology bulletin.

[5]  Heather Rosoff,et al.  Deterrence of Cyber Attackers in a Three-Player Behavioral Game , 2017, GameSec.

[6]  L. Clark,et al.  Gambling Near-Misses Enhance Motivation to Gamble and Recruit Win-Related Brain Circuitry , 2009, Neuron.

[7]  Robin L. Dillon,et al.  How Near-Misses Influence Decision Making Under Risk: A Missed Opportunity for Learning , 2008, Manag. Sci..

[8]  Magne Jørgensen,et al.  The Impact of Irrelevant and Misleading Information on Software Development Effort Estimates: A Randomized Controlled Field Experiment , 2011, IEEE Transactions on Software Engineering.

[9]  Nils Ole Tippenhauer,et al.  On Attacker Models and Profiles for Cyber-Physical Systems , 2016, ESORICS.

[10]  H. Cooper,et al.  The desirability of control , 1979 .

[11]  Robert T. Clemen,et al.  Subjective Probability Assessment in Decision Analysis: Partition Dependence and Bias Toward the Ignorance Prior , 2005, Manag. Sci..

[12]  R. Sharma Peeping into a Hacker's Mind: Can Criminological Theories Explain Hacking? , 2007 .

[13]  Howard Kunreuther,et al.  Near‐Miss Incident Management in the Chemical Process Industry , 2003, Risk analysis : an official publication of the Society for Risk Analysis.

[14]  R. L. Reid The psychology of the near miss , 1986, Journal of gambling behavior.

[15]  Paul K. Huth DETERRENCE AND INTERNATIONAL CONFLICT: Empirical Findings and Theoretical Debates , 1999 .

[16]  Robin L. Dillon,et al.  Airline Safety Improvement Through Experience with Near‐Misses: A Cautionary Tale , 2016, Risk analysis : an official publication of the Society for Risk Analysis.

[17]  A. Furnham,et al.  A literature review of the anchoring effect , 2011 .

[18]  Garret Ridinger,et al.  Attacker Deterrence and Perceived Risk in a Stackelberg Security Game , 2016, Risk analysis : an official publication of the Society for Risk Analysis.

[19]  Jayant Gadge,et al.  Port scan detection , 2008, 2008 16th IEEE International Conference on Networks.

[20]  Jian Hua,et al.  How Can We Deter Cyber Terrorism? , 2012, Inf. Secur. J. A Glob. Perspect..

[21]  Lixuan Zhang,et al.  Illegal Computer Hacking: An Assessment of Factors that Encourage and Deter the Behavior , 2007 .

[22]  Jacob Cohen,et al.  A power primer. , 1992, Psychological bulletin.

[23]  G. Northcraft,et al.  Experts, amateurs, and real estate: An anchoring-and-adjustment perspective on property pricing decisions , 1987 .

[24]  L. Clark,et al.  Near-wins and near-losses in gambling: A behavioral and facial EMG study , 2014, Psychophysiology.

[25]  P. Ubel,et al.  Validation of the Subjective Numeracy Scale: Effects of Low Numeracy on Comprehension of Risk Communications and Utility Elicitations , 2007, Medical decision making : an international journal of the Society for Medical Decision Making.

[26]  G. Gigerenzer How to Make Cognitive Illusions Disappear: Beyond “Heuristics and Biases” , 1991 .

[27]  Song Guo,et al.  Can we beat legitimate cyber behavior mimicking attacks from botnets? , 2012, 2012 Proceedings IEEE INFOCOM.

[28]  Jonathan Baron,et al.  Ambiguity and rationality , 1988 .

[29]  H. Robbins Some aspects of the sequential design of experiments , 1952 .

[30]  H. Rosoff,et al.  Public Response to a Near‐Miss Nuclear Accident Scenario Varying in Causal Attributions and Outcome Uncertainty , 2018, Risk analysis : an official publication of the Society for Risk Analysis.

[31]  Siew H. Chan,et al.  An Empirical Investigation Of Hacking Behavior , 2011, BIS 2011.

[32]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[33]  Maya Bar-Hillel,et al.  Representativeness and fallacies of probability judgment , 1984 .

[34]  George Cybenko,et al.  Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity , 2013 .

[35]  Michael Jetter,et al.  Anchoring in financial decision-making: Evidence from Jeopardy! , 2017 .

[36]  William J. Burns,et al.  Near‐Misses and Future Disaster Preparedness , 2014, Risk analysis : an official publication of the Society for Risk Analysis.

[37]  Alex R. Piquero,et al.  ON AMBIGUITY IN PERCEPTIONS OF RISK:IMPLICATIONS FOR CRIMINAL DECISION MAKING AND DETERRENCE* , 2011 .

[38]  A. Tversky,et al.  The hot hand in basketball: On the misperception of random sequences , 1985, Cognitive Psychology.

[39]  Oksanen Ville,et al.  Theory of Deterrence and Individual Behavior. Can Lawsuits Control File Sharing on the Internet , 2007 .

[40]  Heather Rosoff,et al.  Portfolio analysis of layered security measures. , 2015, Risk analysis : an official publication of the Society for Risk Analysis.

[41]  Mark R Dixon,et al.  Using a computer simulation of three slot machines to investigate a gambler’s preference among varying densities of near-miss alternatives , 2007, Behavior research methods.

[42]  Michel Cukier,et al.  RESTRICTIVE DETERRENT EFFECTS OF A WARNING BANNER IN AN ATTACKED COMPUTER SYSTEM , 2014 .

[43]  Tony Lingham,et al.  How Hackers Think: A Study of Cybersecurity Experts and Their Mental Models , 2013 .

[44]  F. Pearson,et al.  Toward an Intergration of Criminological Theories , 1985 .

[45]  Colin Camerer,et al.  Decision processes for low probability events: Policy implications , 1989 .

[46]  Brent Wible A Site Where Hackers Are Welcome: Using Hack-In Contests To Shape Preferences and Deter Computer Crime , 2003 .

[47]  Robin L Dillon,et al.  Why Near‐Miss Events Can Decrease an Individual's Protective Response to Hurricanes , 2011, Risk analysis : an official publication of the Society for Risk Analysis.