Many phish in the C : A coexisting-choice-criteria model of security behavior

Embrey, Iain and Kaivanto, Kim (2023) Many phish in the C : A coexisting-choice-criteria model of security behavior. Risk Analysis, 43 (4). pp. 783-799. ISSN 0272-4332

Full text not available from this repository.

Abstract

Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus the proposed model reduces to conventional Expected Utility theory when | C_EU | = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with | C_DP | = 2. We consider a more general case with | C | >= 2, which necessitates careful consideration of *how*, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the 'stepping-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.

Item Type:
Journal Article
Journal or Publication Title:
Risk Analysis
Uncontrolled Keywords:
/dk/atira/pure/subjectarea/asjc/2700/2737
Subjects:
?? advanced persistent threatchoice criteriadual-process theorylatent class modelphishingperipheral-route persuasionstates of mindsocial engineeringdecision theoryphysiology (medical)safety, risk, reliability and qualityd81d91 ??
ID Code:
170938
Deposited By:
Deposited On:
27 May 2022 15:15
Refereed?:
Yes
Published?:
Published
Last Modified:
15 Jul 2024 22:38