Mental Firewall Breached: Leveraging Cognitive Biases for Enhanced Cybersecurity
Open Access
Article
Conference Proceedings
Authors: Rebecca Pharmer, Rosa Martey, Giovanna Henery, Ethan Myers, Indrakshi Ray, Benjamin Clegg
Abstract: Humans commonly use heuristics (“mental shortcuts”) to make rapid decisions. While these processes are efficient, they can produce systematic errors, referred to as cognitive biases, that can lead to decrements in task performance. To explore whether triggers for cognitive biases might be employed to interfere with a cyber-attacker’s decision making, and if so to what extent, the current study used a simplified, game-like cyber-attack scenario on a vulnerable banking application. Specifically, we examined the effects of two manipulations of anchoring bias and asymmetric dominance effects in a 2x2x3 between-subjects design. Across 10 “attack rounds” or blocks, 196 participants encountered at least 5 and no more than 10 bank accounts serving as experimental trials. Participants decided to either “steal” the money from each account, or “skip” the account. Actions selected resulted in an increase to their probability of being detected on subsequent trials, but the probabilities were not revealed to the participants. To induce a potential anchoring effect, information received in pre-task instruction was manipulated to provide either an arbitrary but specific number of bank accounts they could attack before detection, or vague instruction cautioning against stealing from “too many” accounts. Additionally, values associated with the initial bank account presented on each attack round varied, including very high, standard, and very low values, to determine how anchoring effects from those amounts influenced subsequent decisions. To capture asymmetric dominance, participants also selected a choice of potential systems with either two (Asymmetry Absent) or three (Asymmetry Present) options. After finishing the experimental task, participants performed the Balloon Analogue Risk Task (BART) to explore whether risk-taking behavior was associated with any key aspects of performance.
Findings suggest an instructional anchor at the start of the session did not affect the number of times participants were detected, nor did it influence the average amount of money they stole from accounts. We did find evidence to support the impact of account value anchors on both the average amount of money stolen and the number of times participants got caught; however, these behaviors were only significantly impacted by the account value anchor in the absence of an instructional anchor. These findings show that cognitive biases can influence decision making in this task, but their effects are mitigated when a bias is manipulated concurrently from different sources. Asymmetric dominance effects were only found in the conditions that were given a specific instructional anchor as part of the anchoring manipulation, which might reflect that the order of the instructional content and attack selection played a role in attention. Analysis of participants’ behavior on the BART test supported the notion that the presence of specific information in a task produced behaviors related to risk-taking propensity. Overall, these findings offer some proof of concept for the potential use of cognitive biases to influence and detect cyber attacker behaviors, but also suggest a level of caution is appropriate when seeking to integrate multiple biases into cyber contexts. Other findings and potential implications are discussed.
Keywords: Cybersecurity, Cognitive Biases, Oppositional Human Factors
DOI: 10.54941/ahfe1004769