Many Phish in the C: A Coexisting-Choice-Criteria Model of Security Behavior

Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory under which any decision is made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. The proposed model thus reduces to conventional Expected Utility theory when |C_EU| = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with |C_DP| = 2. We consider the more general case |C| >= 2, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over the others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of the choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the 'stepping-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.
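As an added illustration (not the paper's own model or code), the following Python sketch gives the mixture structure described in the abstract a concrete form: a set C of criteria, each with its own P(click | criterion), combined through a selection distribution P(criterion | traits, context, framing). The two criteria (a deliberative expected-utility rule and a cue-driven peripheral-route rule), the feature scales, the softmax selection and every weight are assumptions chosen for illustration; the paper's actual criteria and their estimation are not reproduced here. The scenarios at the bottom are constructed so that payoffs and beliefs are identical and only context and framing differ.

```python
"""Coexisting-choice-criteria mixture for a 'click the link or not' task.

Added illustration of the structure in the abstract, not the paper's model:
the criteria, features, scales and weights below are all assumptions.
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


@dataclass(frozen=True)
class ChoiceTask:
    """One task instance: decision-maker trait, context, framing, payoffs.

    All scales are assumed (0..1 for the trait/context/framing fields).
    """
    reflection: float      # trait: tendency to deliberate rather than react
    time_pressure: float   # context: how rushed the recipient is
    urgency_cue: float     # framing: 'act now or lose access' pressure
    authority_cue: float   # framing: sender impersonates an authority
    p_legit: float         # recipient's belief that the message is genuine
    gain_if_legit: float   # payoff from clicking a genuine message
    loss_if_phish: float   # loss from clicking a phishing message


@dataclass(frozen=True)
class Criterion:
    """One element of C: how it decides, and how strongly it tends to prevail."""
    name: str
    p_click: Callable[[ChoiceTask], float]   # P(click | this criterion)
    score: Callable[[ChoiceTask], float]     # propensity to prevail on this task


def eu_p_click(t: ChoiceTask, beta: float = 2.0) -> float:
    """Expected-utility criterion: weighs payoffs, ignores persuasion cues."""
    eu_click = t.p_legit * t.gain_if_legit - (1.0 - t.p_legit) * t.loss_if_phish
    return sigmoid(beta * eu_click)          # EU of not clicking is 0 (assumed)


def peripheral_p_click(t: ChoiceTask) -> float:
    """Peripheral-route criterion: responds to cues, never consults payoffs."""
    return sigmoid(3.0 * t.urgency_cue + 2.0 * t.authority_cue - 2.0)


def peripheral_score(t: ChoiceTask) -> float:
    """Assumed selection score: pressure, urgency and low reflection favour it."""
    return (2.0 * t.time_pressure + 2.0 * t.urgency_cue
            + 1.5 * (1.0 - t.reflection) - 2.0)


EU = Criterion("EU", eu_p_click, lambda t: 0.0)          # reference level
PERIPHERAL = Criterion("peripheral", peripheral_p_click, peripheral_score)
DUAL_PROCESS: List[Criterion] = [EU, PERIPHERAL]          # |C_DP| = 2


def selection(t: ChoiceTask,
              criteria: List[Criterion] = DUAL_PROCESS) -> Dict[str, float]:
    """P(criterion | traits, context, framing): softmax over the scores."""
    weights = {c.name: math.exp(c.score(t)) for c in criteria}
    z = sum(weights.values())
    return {name: w / z for name, w in weights.items()}


def p_click(t: ChoiceTask, criteria: List[Criterion] = DUAL_PROCESS) -> float:
    """Mixture: sum over criteria of P(criterion | task) * P(click | criterion)."""
    sel = selection(t, criteria)
    return sum(sel[c.name] * c.p_click(t) for c in criteria)


# Constructed scenarios: identical payoffs and beliefs, only context and
# framing differ, so any difference in breach risk is conditional on those.
CALM = ChoiceTask(reflection=0.8, time_pressure=0.1, urgency_cue=0.1,
                  authority_cue=0.2, p_legit=0.3, gain_if_legit=1.0,
                  loss_if_phish=3.0)
PRESSURED = ChoiceTask(reflection=0.8, time_pressure=0.9, urgency_cue=0.9,
                       authority_cue=0.9, p_legit=0.3, gain_if_legit=1.0,
                       loss_if_phish=3.0)

if __name__ == "__main__":
    for label, task in (("calm", CALM), ("pressured", PRESSURED)):
        print(f"{label:9s} EU-only={p_click(task, [EU]):.3f} "
              f"dual-process={p_click(task):.3f} "
              f"P(peripheral)={selection(task)['peripheral']:.3f}")
```

Passing a single-element criterion list collapses the mixture to that criterion (the |C_EU| = 1 case), and under it the two scenarios carry exactly the same click probability because the expected-utility rule sees only payoffs and beliefs. With |C| = 2 the same payoffs yield a much higher click probability under pressure, because the selection distribution shifts mass to the peripheral-route criterion; this is the sense in which breach risk is conditional on context and framing, and why a training test run only in the calm condition says little about the pressured one.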
