CREATE Research on Cybersecurity

CREATE’s cybersecurity has focused on risks, economics and game-theoretic interventions against cyber threats.  USC’s also conducts cybersecurity research through its Center for Computer Systems Security, which operates the DETER testbed as a national resource for experimentation on resilient design to protect against cyber threats.  Examples of CREATE’s cybersecurity research are provided below.

Biases

CREATE developed scenarios to measure decision competence and identify biases in user perceptions in an array of cybersecurity dilemmas. We developed and tested a latent variable model of employee intentions to comply with cybersecurity policy. We found that previous near-miss cyber events are a critical determinant of decision making in ambiguous cyber threat situations. We also constructed a psychometric scale to measure user near-miss appraisal in cybersecurity contexts and demonstrated validity.

Deterrence

We have conducted experiments on the psychology of cyber deterrence using behavioral games, to discover attacker cognitive biases that affect attack decision making and to leverage these biases in the design of more effective cyber defenses. We designed a 3-way experimental game with two defenders and an attacker. We found that deterrence was contingent on defenders’ coordination, with greater deterrence when defenses were negatively correlated (substituting), holding total defense resources constant. We also created a behavioral cyber-attack game, layering constant defense resources across three system levels requiring penetration for a successful attack. Concentration of defenses on the perimeter resulted in the greatest deterrence, likely due to probability biases related to attacker anchoring and near-miss biases. Future research will extend the behavioral research to a wider range of cognitive biases. In addition, we plan to replicate the behavioral deterrence findings in more realistic field settings.

Game-Theory

CREATE has studied game-theoretic models of Cyber Deception, using a deceptive camouflage on system configurations, leading attackers to spend more time in reconnaissance, increasing the chances of detection. Our Cyber Camouflage Games (CCG) model captures the general-sum scenarios of the game and can handle uncertainty in game parameters. The effectiveness of deception depends on modeling the preferences and capabilities of attackers. Our simulation-based evaluation of solutions demonstrates effectiveness in handling the uncertainty. Ongoing efforts include human subject studies for the CCG model, using the test-bed VyberVAN. Pilot studies indicate risk-averse behaviors and defense strategies can be fine-tuned to obtain better payoffs against such attackers.

Deceptive Signaling

Deceptive Signaling research has shown that deceptive signaling by the defender can convince an attacker to withdraw. Our work explores whether deceptive signaling can also be applied to boundedly rational attackers. To learn the behavior of the attacker, extensive human subject experiments were conducted using an online game. The game simulates the scenario of an inside attacker trying to steal sensitive information from company computers. Further applications of decision tree and neural network-based models were applied to learn attacker compliance with signaling. The Subjective Utility Quantal Response Model (SUQR) was used to fit the human subject data collected to represent the attacker compliance with signaling. Based on these machine learning models, the team developed a theory that balanced signaling and deception that increases attacker compliance and improves defender utility. Game-theoretic algorithms solved for signaling schemes based on the learned models of attacker compliance with signaling, and the human subject results show that algorithms based on learned models of attacker behavior lead to better attacker compliance and improved defender utility.

Economic Consequence Analysis Tool (E- CAT)

Adam Rose and his research team have focused on the economic consequences of cyber-attacks on ports and on automobile manufacturing, as well as on natural disasters that affect cyber systems economy-wide. This work includes developing a cyber-attack module for the Economic Consequence Analysis Tool (E- CAT) software system, which enables rapid estimates of national economic impacts of such events. The team has also investigated resilience in post-disaster response to restore functionality of cyber systems and the economic activities they serve. We found that cyber-attacks can have extensive potential macroeconomic consequences, but resilience is a powerful tool in reducing business interruption losses to cyber systems directly and supply chains in general.

Computable General Equilibrium (CGE) Models

CREATE has shown how a dozen types of resilience tactics to cope with cyber disruptions can be incorporated into state-of-the-art computable general equilibrium (CGE) models. These tactics include, for example, substituting other inputs for cyber services, back-up systems, and business relocation. They also include tactics that can reduce losses to the downstream supply-chain by curtailment of cyber services. Complex CGE analyses have also been transformed into a reduced-form approach that simulates hundreds of scenarios and uses the output as synthetic data for regression analyses. The regression results can then be readily incorporated into the E- CAT decision-support system software. Future research includes improving the parameters of the CGE model to reflect advances in cyber technology and custom-tailoring additional E-CAT modules to specific types of cyber threats and targets.

Benefit-Cost Analysis

Scott Farrow has analyzed costs and benefits of cyber investment decisions. Farrow found that the Gordon and Loeb model was equivalent to a generalized homeland security model that can include limitations on changes in the probability of attack, simultaneous effects on probability and loss, diversion of attack, and shared defenses. Investigation of the microeconomics of cybersecurity resulted in more clearly defined metrics for losses due to cyber breaches or productivity gains from cyber investments. Integration of information into standard microeconomics also facilitates use of econometric tools to analyze consumers and firms.

References

Cooney, S., P. Vayanos, T.H. Nguyen, C. Gonzalez, C. Lebiere, E.A Cranford, and M. Tambe. 2019. Warning Time: Optimizing Strategic Signaling for Security against Boundedly Rational Adversaries. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Montreal, Canada.

Cranford, E.A., C. Lebiere, C. Gonzalez, S. Cooney, P. Vayanos, and M. Tambe. 2018. Learning about Cyber Deception through Simulations: Predictions of Human Decision Making with Deceptive Signals in Stackelberg Security Games. Proceedings of the Annual Meeting of the Cognitive Science Society (CogSci). Madison, WI.

Cui, J., H. Rosoff, and R.S. John. 2017. Deterrence of cyber attackers in a three-player behavioral game. In S. Rass, B. An, C. Kiekintveld, F. Fang, and S. Schauer (Eds.), Decision and Game Theory for Security: GameSec 2017. New York: Springer.

Cui, J., H. Rosoff, and R.S. John. 2021. Responses to cyber near-misses: A scale to measure individual differences. In S. Chatterjee, R. Brigantic, and A. Waterworth (Eds.), Applied Risk Analysis for Guiding Homeland Security Policy and Decisions. New York: Wiley, forthcoming.

Farrow, S., 2016. Cybersecurity: Integrating Information into the Microeconomics of the Consumer and the Firm, Journal of Information Security 7: 281-90.

Farrow, S. and J. Szanton, 2016. Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model, Journal of Information Security 7:15-28.

Kusumastuti, S., H. Rosoff, and R.S John. 2019. Characterizing conflicting user values for cyber authentication using a virtual public values forum. Decision Analysis 16(3): 157-171.

Kusumastuti, S., H. Rosoff, J. Blythe, and R.S. John. 2019. An empirical behavioral study of deterrence: An analog cyber-attack simulation game. Risk Analysis.

Nguyen, K., H. Rosoff, and R.S. John. 2016. The effects of attacker identity and individual user characteristics on the value of information privacy. Computers in Human Behavior 55: 372-383.

Nguyen, K., H. Rosoff, and R.S. John. 2017. Valuing information security from a phishing attack. Journal of Cybersecurity 3(3): 159-171.

Rose, A. 2017. Economic Consequence Analysis of Maritime Cyber Threats, in J. DiRenzo, N. Drumhiller, and F. Roberts (eds.), Maritime Cyber Security. Washington, DC: Westphalia Press.

Rose, A. 2019. Incorporating Cyber Resilience into Computable General Equilibrium Models, in Y. Okuyama and A. Rose (eds.), Modeling Spatial and Economic Impacts of Disasters. Cham Switzerland: Springer Nature.

Rose, A. and Z. Chen. 2020. Resilience to a Cyber-Attack on the Detroit Automobile Industry: A Computable General Equilibrium Approach, in P. Nijkamp, E. Glaeser and K. Kourtit (eds.), Urban Empires. Heidelberg: Springer, forthcoming.

Rose, A. and N. Miller. 2020. Measurement of Cyber Resilience from an Economic Perspective, in S. Chatterjee, R. Brigantic and A. Waterworth (eds.) Applied Risk Analysis for Guiding Homeland Security Policy and Decisions. New York: Wiley, forthcoming.

Rose, A., N. Miller, J. Eyer, and J. Banks. 2019. Economic Mitigation of and Resilience to Cyber Threats, in A. Kott and I. Linkov (eds.), Cyber Resilience of Systems and Networks. Heidelberg: Springer.

Rose, A., F. Prager, Z. Chen, and S. Chatterjee. 2017. Economic Consequence Analysis of Disasters: The E-CAT Software Tool. Singapore: Springer.

Rosoff, H., J. Cui, and R.S. John. 2013. Heuristics and biases in cyber security dilemmas. Environment, Systems, and Decisions33(4): 517-529.

Rosoff, H., J. Cui, and R.S. John. 2014. Behavioral experiments exploring victims’ response to cyber-based financial fraud and identity theft scenario simulations. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). Menlo Park, CA.

Ryutov, T., N. Sintov, M. Zhao, and R.S. John. 2017. Predicting information security policy compliance intention and behavior for six employee-based risks. Journal of Information Privacy and Security 13(4): 260-281.

Schlenker, A., O. Thakoor, H. Xu, F. Fang, M. Tambe, L. Tran-Thanh, P. Vayanos, and Y. Vorobeychik. 2018. Deceiving Cyber Adversaries: A Game Theoretic Approach. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Stockholm, Sweden.

Sue Wing, I., D. Wei, A. Rose, and A. Wein. 2021. Economic Consequences of the HayWired Earthquake Scenario—Digital and Utility Network Linkages and Resilience, in S. Detweiler and A. Wein (eds.), The HayWired Earthquake Scenario—Societal Consequences, U.S. Geological Survey Scientific Investigations Report 2017–5013–R–W.

Sue Wing, I., D. Wei, A. Rose and A. Wein. 2018. Economic Consequences of the HayWired Earthquake Scenario. Final Report to the U.S. Geological Survey, CREATE, USC, Los Angeles, CA.

Thakoor, O., M. Tambe, P. Vayanos, H. Xu, and C. Kiekintveld. 2018. General-Sum Cyber Deception Games under Partial Attacker Valuation Information. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Montreal, Canada.

Thakoor, O., M. Tambe, P. Vayanos, H. Xu, C. Kiekintveld, and F. Fang. 2019. Cyber Camouflage Games for Strategic Deception. Proceedings of the Conference on Decision and Game Theory for Security (GameSec). Stockholm, Sweden.