CREATE Research on Cybersecurity
Cybersecurity threats pose a pervasive and growing risk. Richard John and his research team have conducted several studies addressing three critical behavioral issues in cybersecurity. One concerns the design of user systems to attenuate cyber threats that are consistent with user preferences and trade-offs among competing objectives. Such systems must balance multiple user objectives such as minimizing vulnerability, maximizing convenience, maximizing efficiency, and minimizing cost. User education and training will not be effective in contexts in which the security system is inconsistent with user preferences. The team identified heterogeneities in trade-offs among such conflicting user objectives in the context of systems designed to maximize information privacy. User trade-offs among features of systems designed to mitigate phishing attacks and authentication failures were quantified for a diverse sample. Extreme groups of users were identified for which security was virtually “priceless” or worth absolutely nothing. Results suggest that one size does not fit all, and that systems should be tailored to the preferences and trade-offs of particular users and institutions of users.
Another critical issue concerns the role of judgment biases and heuristics in cybersecurity risk perception and decision-making, independent of value trade-offs. The team developed scenarios designed to measure decision competence and identify biases in user perceptions in an array of cybersecurity dilemmas. They developed and tested a latent variable model of employee intentions to comply with cybersecurity policy. Appraisal of previous near-miss cyber events is a critical determinant of decision making in ambiguous cyber threat situations. They also constructed a reliable psychometric scale to measure user near-miss appraisal in cybersecurity contexts and demonstrated construct validity.
Deterrence is an important but understudied behavioral topic, particularly in cybersecurity domains. The team has conducted experiments on the psychology of cyber deterrence using behavioral games. The motivation for this research is to discover attacker cognitive biases that affect attack decision making and to leverage these biases in the design of more effective cyber defenses. The team designed a 3-way experimental game with two defenders and an attacker. Results indicated that deterrence was contingent on the defenders’ coordination: greater deterrence resulted when defenses were negatively correlated (substituting), holding total defense resources constant. A follow-up study created a behavioral cyber-attack game and manipulated the layering of a constant pool of defense resources across three system levels, each of which had to be penetrated for a successful attack. Results indicated that concentrating defenses on the perimeter produced the greatest deterrence, likely due to probability biases related to attacker anchoring and near-miss biases. Future research is planned to extend the behavioral research on deterrence to a wider range of cognitive biases, and to replicate the behavioral deterrence findings in more realistic field settings.
The major direction of research by Milind Tambe’s research team, including Omkar Thakoor and others, in this area has been a game-theoretic model of cyber deception. The goal is to degrade attackers’ reconnaissance by applying a deceptive camouflage to system configurations, inducing an inaccurate picture of the true network configuration and its vulnerabilities; this uncertainty about the network can lead attackers to spend more time on reconnaissance, increasing the chances of detection. The model, called Cyber Camouflage Games (CCG), captures general-sum scenarios and can handle uncertainty in game parameters. Optimizing the effectiveness of deception depends crucially on modeling the preferences and capabilities of the attacker. Simulation-based evaluation of the solutions demonstrates their effectiveness in handling that uncertainty. The team has ongoing human subject studies of the CCG model using the VyberVAN test-bed; initial pilot studies indicate risk-averse behavior in human participants, and the defense strategies can be fine-tuned to obtain better payoffs against such attackers.
Another research direction this team has pursued in cyber security is deceptive signaling. Recent literature on security games with a fully rational attacker has shown that deceptive signaling by the defender can convince an attacker to withdraw. This work explores whether deceptive signaling can also be applied to boundedly rational attackers. To learn the boundedly rational behavior of the attacker, extensive human subject experiments were conducted using an online game that simulates an inside attacker trying to steal sensitive information from company computers. Decision tree and neural network-based models were then applied to learn attacker compliance with signaling, and the Subjective Utility Quantal Response (SUQR) model was fitted to the collected human subject data to represent that compliance. Based on these machine learning models of a boundedly rational attacker’s response to signaling, the team developed a theory that balances signaling and deception to increase attacker compliance and improve defender utility. They present game-theoretic algorithms that solve for signaling schemes based on the learned models of attacker compliance, and the human subject results show that algorithms based on learned models of attacker behavior lead to better attacker compliance and improved defender utility.
Economic Consequence Analysis Tool (E-CAT)
Adam Rose and his research team have focused on the economic consequences of cyber-attacks on ports and on automobile manufacturing, as well as on natural disasters that affect cyber systems economy-wide. This work includes developing a cyber-attack module for the Economic Consequence Analysis Tool (E-CAT) software system, which enables rapid estimates of the national economic impacts of such events. The team has also focused the research on resilience in terms of post-disaster response to restore functionality of cyber systems and the economic activities they serve. The research indicates that cyber-attacks can have extensive potential macroeconomic consequences, but that resilience is a powerful tool in reducing business interruption losses to cyber systems directly and to supply chains in general.
Computable General Equilibrium (CGE) Models
A good deal of this research has been devoted to methodological advances. This includes showing how a dozen types of resilience tactics for coping with cyber disruptions can be incorporated into state-of-the-art computable general equilibrium (CGE) models. These tactics include, for example, substituting other inputs for cyber services, the use of back-up systems, and business relocation. They also include tactics, such as import substitution and production rescheduling, that can reduce losses in the downstream supply chain when inputs dependent on cyber services have been curtailed. Complex CGE analyses have also been transformed into a reduced-form approach that simulates hundreds of scenarios and uses the output as synthetic data for regression analyses. The regression results can then be readily incorporated into the E-CAT decision-support software. Future research includes improving the parameters of the CGE model to reflect advances in cyber technology and custom-tailoring additional E-CAT modules to specific types of cyber threats and targets.
Scott Farrow’s research specializes in the evaluation of government investments, often using benefit-cost analysis. He draws on a career that spans both academia and government, including service as Chief Economist of the Government Accountability Office. His specialized experience with cybersecurity includes time spent embedded in the Cybersecurity and Infrastructure Security Agency of DHS, then the Office of Cybersecurity and Communications in the National Infrastructure and Protection Directorate. His publications on cybersecurity focus on the economic analysis of cyber investment decisions, including issues related to the Gordon and Loeb model. The Gordon and Loeb model was shown to be equivalent to a generalized homeland security model that can include limitations on changes in the probability of attack, simultaneous effects on probability and loss, diversion of attack, and shared defenses. His work on the microeconomics of cybersecurity resulted in more clearly defined metrics for losses due to cyber breaches and for productivity gains from cyber investments. Integrating information into standard microeconomics also facilitates the use of econometric and other tools to analyze the empirics of the consumer and the firm.
Cooney, S., P. Vayanos, T.H. Nguyen, C. Gonzalez, C. Lebiere, E.A. Cranford, and M. Tambe. 2019. Warning Time: Optimizing Strategic Signaling for Security against Boundedly Rational Adversaries. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Montreal, Canada.
Cranford, E.A., C. Lebiere, C. Gonzalez, S. Cooney, P. Vayanos, and M. Tambe. 2018. Learning about Cyber Deception through Simulations: Predictions of Human Decision Making with Deceptive Signals in Stackelberg Security Games. Proceedings of the Annual Meeting of the Cognitive Science Society (CogSci). Madison, WI.
Cui, J., H. Rosoff, and R.S. John. 2017. Deterrence of cyber attackers in a three-player behavioral game. In S. Rass, B. An, C. Kiekintveld, F. Fang, and S. Schauer (Eds.), Decision and Game Theory for Security: GameSec 2017. New York: Springer.
Cui, J., H. Rosoff, and R.S. John. 2020. Responses to cyber near-misses: A scale to measure individual differences. In S. Chatterjee, R. Brigantic, and A. Waterworth (Eds.), Applied Risk Analysis for Guiding Homeland Security Policy and Decisions. New York: Wiley, forthcoming.
Farrow, S. 2016. Cybersecurity: Integrating Information into the Microeconomics of the Consumer and the Firm. Journal of Information Security 7: 281-290.
Farrow, S. and J. Szanton. 2016. Cybersecurity Investment Guidance: Extensions of the Gordon and Loeb Model. Journal of Information Security 7: 15-28.
Kusumastuti, S., H. Rosoff, and R.S. John. 2019. Characterizing conflicting user values for cyber authentication using a virtual public values forum. Decision Analysis 16(3): 157-171.
Kusumastuti, S., H. Rosoff, J. Blythe, and R.S. John. 2019. An empirical behavioral study of deterrence: An analog cyber-attack simulation game. Risk Analysis.
Nguyen, K., H. Rosoff, and R.S. John. 2016. The effects of attacker identity and individual user characteristics on the value of information privacy. Computers in Human Behavior 55: 372-383.
Nguyen, K., H. Rosoff, and R.S. John. 2017. Valuing information security from a phishing attack. Journal of Cybersecurity 3(3): 159-171.
Rose, A. 2017. Economic Consequence Analysis of Maritime Cyber Threats, in J. DiRenzo, N. Drumhiller, and F. Roberts (eds.), Maritime Cyber Security. Washington, DC: Westphalia Press.
Rose, A. 2019. Incorporating Cyber Resilience into Computable General Equilibrium Models, in Y. Okuyama and A. Rose (eds.), Modeling Spatial and Economic Impacts of Disasters. Cham, Switzerland: Springer Nature.
Rose, A. and Z. Chen. 2020. Resilience to a Cyber-Attack on the Detroit Automobile Industry: A Computable General Equilibrium Approach, in P. Nijkamp, E. Glaeser and K. Kourtit (eds.), Urban Empires. Heidelberg: Springer, forthcoming.
Rose, A. and N. Miller. 2020. Measurement of Cyber Resilience from an Economic Perspective, in S. Chatterjee, R. Brigantic, and A. Waterworth (eds.), Applied Risk Analysis for Guiding Homeland Security Policy and Decisions. New York: Wiley, forthcoming.
Rose, A., N. Miller, J. Eyer, and J. Banks. 2019. Economic Mitigation of and Resilience to Cyber Threats, in A. Kott and I. Linkov (eds.), Cyber Resilience of Systems and Networks. Heidelberg: Springer.
Rose, A., F. Prager, Z. Chen, and S. Chatterjee. 2017. Economic Consequence Analysis of Disasters: The E-CAT Software Tool. Singapore: Springer.
Rosoff, H., J. Cui, and R.S. John. 2013. Heuristics and biases in cyber security dilemmas. Environment, Systems, and Decisions 33(4): 517-529.
Rosoff, H., J. Cui, and R.S. John. 2014. Behavioral experiments exploring victims’ response to cyber-based financial fraud and identity theft scenario simulations. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS). Menlo Park, CA.
Ryutov, T., N. Sintov, M. Zhao, and R.S. John. 2017. Predicting information security policy compliance intention and behavior for six employee-based risks. Journal of Information Privacy and Security 13(4): 260-281.
Schlenker, A., O. Thakoor, H. Xu, F. Fang, M. Tambe, L. Tran-Thanh, P. Vayanos, and Y. Vorobeychik. 2018. Deceiving Cyber Adversaries: A Game Theoretic Approach. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Stockholm, Sweden.
Sue Wing, I., D. Wei, A. Rose and A. Wein. 2018. Economic Consequences of the HayWired Earthquake Scenario. Final Report to the U.S. Geological Survey, CREATE, USC, Los Angeles, CA.
Thakoor, O., M. Tambe, P. Vayanos, H. Xu, and C. Kiekintveld. 2018. General-Sum Cyber Deception Games under Partial Attacker Valuation Information. Proceedings of the International Conference on Autonomous Agents and Multiagent Systems (AAMAS). Montreal, Canada.
Thakoor, O., M. Tambe, P. Vayanos, H. Xu, C. Kiekintveld, and F. Fang. 2019. Cyber Camouflage Games for Strategic Deception. Proceedings of the Conference on Decision and Game Theory for Security (GameSec). Stockholm, Sweden.