Abstract:
Attacks on cyberinfrastructure are increasing day-by-day. Due to the widespread nature
of cyber-attacks and their financial consequences, there is an urgent need to focus attention on
investigating how certain factors like monetary motivation (e.g., costs and benefits of actions
from the attacker’s and defender’s viewpoint), technology constraints (e.g., how the network
responds to defender’s patching actions), and environmental factors (e.g., information available
to players about opponents' actions and payoffs) may influence adversaries' and defenders'
attack-and-defend decisions in the cyber world. The primary goal of this thesis is to investigate
the impact of the factors mentioned above on the decisions of people performing as adversaries
(hackers) and defenders (analysts) in cyber-security games using both lab-based experiments
and computational cognitive models.
To understand the role of monetary motivations, three different experiments were
conducted. First, the role of monetary motivations on hackers' and analysts' decisions was
investigated using a security game across three different experimental setups. In the first
experiment, both hackers and analysts were rewarded for attack and defend actions, respectively,
and human participants performing as hackers and analysts were made to play against optimal
Nash counterparts. Through these human-Nash games, human participants' deviations from their
optimal proportions against their Nash counterparts were evaluated. Results revealed that,
compared to the baseline, monetary rewards for human hackers and analysts caused a decline in
the attack and defend actions. In addition, rewarding human hackers for undetected attacks made
analysts deviate significantly from their optimal behavior. Next, another experiment was
conducted to investigate the role of monetary motivations on human hackers and analysts when human participants played against human opponents rather than Nash opponents. Results
revealed that monetary motivations had a significant effect on hackers and analysts when
compared to the baseline. In the third experiment on motivations, the influence of monetary
penalties on analysts for their misses and false alarms was investigated. Results revealed that
penalties on analysts had a significant effect on analysts' and hackers' decision-making when
compared to the baseline. To understand the cognitive mechanisms that drive hackers’ and
analysts’ decisions, computational cognitive models based upon Instance-based Learning (IBL)
theory, a theory of decisions made by relying upon recency and frequency of experienced
information, were developed. Results from IBL models calibrated to experimental data revealed
that both hackers and analysts relied heavily upon recent and frequent information. Furthermore,
IBL models were calibrated to human data collected in games involving monetary penalties on
analysts. Results revealed that an IBL model that was calibrated on conditions involving
monetary penalties for analysts generalized accurately to conditions involving monetary rewards
for analysts and hackers.
To understand the influence of technology constraints (how the network responds to the
defender’s patching actions), an experiment was conducted involving Markov security games
(MSGs). In MSGs, the current state of the network is determined by the last action of analyst
players, and the objective of this experiment was to investigate the influence of the patching
process on the attack-and-defend decisions of hackers and analysts. In an effective patching
condition, the probability of the network being in a non-vulnerable state was 90% after patching
by the analyst; whereas, in less-effective patching, the network's probability of being in the
non-vulnerable state was 50% after patching by the analyst. Results revealed that the proportions of
attack and defend actions were similar between effective and less-effective conditions.
Furthermore, although the proportions of defend actions were similar between vulnerable and
non-vulnerable states, the proportion of attack actions was smaller in the non-vulnerable state
compared to the vulnerable state. Most of the time, both players deviated significantly from their
Nash equilibria in different conditions and states.
A cognitive model based upon IBL theory was further developed to understand the
cognitive processes involved in hackers' and analysts' decisions. The model revealed low (high)
reliance on recency and frequency, attention to the opponent’s actions, and cognitive noise for a
hacker (analyst) in effective patching, whereas it revealed the opposite results for less-effective
patching.
Finally, to understand the role of environmental factors (availability or non-availability of
interdependence information), an experiment was conducted in which interdependence
information (i.e., information about actions and payoffs of opponents) available to hackers and
analysts was varied. In one condition, both players had complete information about each other's
actions and payoffs; whereas, this information was missing in a second (control) condition.
Results showed that information caused both analysts and hackers to increase their proportion of defend and attack actions, respectively. The implications of our results across monetary
motivations, technology constraints, and environmental factors on cyber decision-making in the real world are highlighted.