An experimental and cognitive approach to cybersecurity for building a secure cyberspace (PhD)


dc.contributor.advisor Dr. Varun Dutt
dc.contributor.author Maqbool, Zahid
dc.date.accessioned 2021-03-04T06:51:20Z
dc.date.available 2021-03-04T06:51:20Z
dc.date.issued 2020-03-04
dc.identifier.uri http://hdl.handle.net/123456789/409
dc.description A thesis submitted for the award of the degree of Doctor of Philosophy under the guidance of Dr. Varun Dutt (Faculty, SCEE). en_US
dc.description.abstract Attacks on cyberinfrastructure are increasing day by day. Due to the widespread nature of cyber-attacks and their financial consequences, there is an urgent need to investigate how certain factors like monetary motivation (e.g., costs and benefits of actions from the attacker’s and defender’s viewpoint), technology constraints (e.g., how the network responds to the defender’s patching actions), and environmental factors (e.g., information available to players about the opponent’s actions and payoffs) may influence adversaries’ and defenders’ attack-and-defend decisions in the cyber world. The primary goal of this thesis is to investigate the impact of the factors mentioned above on the decisions of people performing as adversaries (hackers) and defenders (analysts) in cyber-security games using both lab-based experiments and computational cognitive models. To understand the role of monetary motivations, three different experiments were conducted. First, the role of monetary motivations on hackers’ and analysts’ decisions was investigated using a security game across three different experimental setups. In the first experiment, both hackers and analysts were rewarded for attack and defend actions, respectively, and human participants performing as hackers and analysts were made to play against optimal Nash counterparts. Through these human-Nash games, human participants' deviations from their optimal proportions against their Nash counterparts were evaluated. Results revealed that, compared to the baseline, monetary rewards for human hackers and analysts caused a decline in the attack and defend actions. In addition, rewarding human hackers for undetected attacks made analysts deviate significantly from their optimal behavior. Next, another experiment was conducted to investigate the role of monetary motivations on human hackers and analysts when human participants played against human opponents rather than Nash opponents.
Results revealed that monetary motivations had a significant effect on hackers and analysts when compared to the baseline. In the third experiment on motivations, the influence of monetary penalties on analysts for their misses and false alarms was investigated. Results revealed that penalties on analysts had a significant effect on analysts’ and hackers’ decision-making when compared to the baseline. To understand the cognitive mechanisms that drive hackers’ and analysts’ decisions, computational cognitive models based upon Instance-based Learning (IBL) theory, a theory of decisions made by relying upon recency and frequency of experienced information, were developed. Results from IBL models calibrated to experimental data revealed that both hackers and analysts relied heavily upon recent and frequent information. Furthermore, IBL models were calibrated to human data collected in games involving monetary penalties on analysts. Results revealed that an IBL model that was calibrated on conditions involving monetary penalties for analysts generalized accurately to conditions involving monetary rewards for analysts and hackers. To understand the influence of technology constraints (how the network responds to the defender’s patching actions), an experiment was conducted involving Markov security games (MSGs). In MSGs, the current state of the network is determined by the last action of analyst players, and the objective of this experiment was to investigate the influence of the patching process on the attack-and-defend decisions of hackers and analysts. In an effective patching condition, the probability of the network being in a non-vulnerable state was 90% after patching by the analyst; whereas, in less-effective patching, the network's probability of being in the non-vulnerable state was 50% after patching by the analyst. Results revealed that the proportions of attack and defend actions were similar between effective and less-effective conditions.
Furthermore, although the proportion of defend actions was similar between vulnerable and non-vulnerable states, the proportion of attack actions was smaller in the non-vulnerable state compared to the vulnerable state. Most of the time, both players deviated significantly from their Nash equilibria in different conditions and states. A cognitive model based upon IBL theory was further developed to understand the cognitive processes involved in hackers’ and analysts’ decisions. The model revealed low (high) reliance on recency and frequency, attention to the opponent’s actions, and cognitive noise for a hacker (analyst) in effective patching. In contrast, it revealed opposite results for less-effective patching. Finally, to understand the role of environmental factors (availability or non-availability of interdependence information), an experiment was conducted in which interdependence information (i.e., information about actions and payoffs of opponents) available to hackers and analysts was varied. In one condition, both players had complete information about each other's actions and payoffs, whereas this information was missing in a second (control) condition. Results showed that information caused both analysts and hackers to increase their proportion of defend and attack actions, respectively. The implications of our results across monetary motivations, technology constraints, and environmental factors on cyber decision-making in the real world are highlighted. en_US
dc.language.iso en_US en_US
dc.publisher IITMandi en_US
dc.subject Cybersecurity en_US
dc.subject Instance Based Learning Theory en_US
dc.title An experimental and cognitive approach to cybersecurity for building a secure cyberspace (PhD) en_US
dc.type Thesis en_US

