Out of Sight but Still In Mind: Making ‘Invisible’ Cyber Threats More Salient Via Concrete Analogies
Authors: Aryn Pyke, Rebecca Bouchelle, David Uzhca
Abstract: It can be easier to conceive of and anticipate physical threats than cyber threats. Cyber threats can involve unseen remote hackers, and capitalize on invisible wireless signals as vectors. As such cyber threats are often out of sight and out of mind. How can we make these abstract, 'invisible' threats more intuitive and salient? We employed concrete analogies to enable future Army Officers to better anticipate cyber threats in tactical contexts. Modern multi-domain battle involves not only physical threats like fire fights and improvised explosive devices (IEDs), but also, increasingly, cyber threats. For example, the enemy may jam, intercept or track communication signals, hack into computing systems to exfiltrate or alter information, and/or hack equipment with electronic and autonomous components (including navigation systems, drones and robots). To ensure readiness, all soldiers, (not only cyber specialists) must have some awareness of this 'threatscape'. We developed the problem anticipation task (PAT) to gauge the degree to which participants would anticipate cyber as well as non-cyber tactical threats. They read a hypothetical mission description and tried to anticipate various problems that could arise. The mission explicitly mentioned several cyber-vulnerable components (e.g., radios, navigation systems, drones, biosensors, cell phones). Prior research using a sample from the same population indicated that about 40% of subjects did not anticipate a single cyber threat (Pyke, Ness, Feltner, in press). The current research used the PAT as a pre- and post-test and included an intervening intervention. Experimental subjects read a passage about a fictitious historical mission set in the 1800s. The version of the passage presented to the experimental group included historical issues (e.g., carrier pigeon intercepted by enemy) that were intended to be analogous to modern cyber-related issues (e.g., wireless communications signal intercepted/tapped by enemy). The intervention for the comparison group involved a passage describing historical issues (e.g., horse losing a shoe) that were intended to be analogous to modern non-cyber related issues (e.g., vehicle breakdown). Note that the link to the corresponding modern situation was not made explicit to the participants, they were just exposed to a historical situation that could lend itself to being analogous to a modern cyber situation. For the experimental group (but not the control) there was a significant gain in the percent of participants who were able anticipate one or more cyber issues. Thus, concrete analogies can serve to make 'invisible' cyber threats more intuitive and easier to anticipate.
Keywords: cybersecurity, cyber analogies, anticipating cyber threats, problem anticipation task (PAT)
Cite this paper: