9 research outputs found

    Developing a measure of adversarial thinking in social engineering scenarios

    Social engineering is a major issue for organizations. In this paper, we propose that increasing adversarial thinking can improve individual resistance to social engineering attacks. We formalize our understanding of adversarial thinking using Utility Theory. Next a measure of adversarial thinking in a text-based context. Lastly the paper reports on two studies that demonstrate the effectiveness of the newly developed measure. We show that the measure of adversarial thinking has variability, can be manipulated with training, and that it is not influenced significantly by priming. The paper also shows that social engineering training has an influence on adversarial thinking and that practicing against an adversarial conversational agent has a positive influence on adversarial thinking

    Knowledge and Skills Needed to Craft Successful Cybersecurity Strategies

    Daily advancing technologies and next-generation networks are creating entirely different digital environments for people, organizations, and governments within the next several years. Because cybersecurity provision in such environments involves many actors and must overcome many evolving threats and challenges, strategies must be responsive and multi-pronged. Development and execution of sufficiently savvy strategies to face the complex problems in this context necessitate identification of all the actors and operations that affect, directly or indirectly, on the cybersecurity of the digital ecosystems. In this study, we seek to provoke thinking about how actors and stakeholders could get better at crafting successful cybersecurity strategies, and identify and integrate specific types of skills required to formulate these strategies taking into account where decisions are actually made. This work provides an insight into cybersecurity education, calibrating and differentiating knowledge and skills to make the right demands on the right actors who have the authority and responsiveness to introduce change from multiple entry points. This enables practitioners to adopt more hands-on approaches that can be helpful to improve transparency, accountability and collaboration across levels of a socio-technical system

    Who's In and Who's Out?: What's Important in the Cyber World?

    The aim of this paper is to offer an introduction to the exploding field of cybersecurity by asking what are the most important concepts or topics that a new member of the field of cybersecurity should know. This paper explores this question from three perspectives: from the realm of business and how the cyber world is intertwined with modern commerce, including common weaknesses and recommendations, from the academic arena examining how cybersecurity is taught and how it should be taught in a classroom or laboratory environment, and lastly, from the author’s personal experience with the cyber world. Included information includes scholarly journals, news sources, special interest books, academic curricula, and relevant experience. By blending together information procured from these three distinct environments, this paper proposes a number of the most important concepts and lessons that one should know as they begin their career, whether professional or academic, in the cyber world

    Improving the Cybersecurity of Cyber-Physical Systems Through Behavioral Game Theory and Model Checking in Practice and in Education

    This dissertation presents automated methods based on behavioral game theory and model checking to improve the cybersecurity of cyber-physical systems (CPSs) and advocates teaching certain foundational principles of these methods to cybersecurity students. First, it encodes behavioral game theory's concept of level-k reasoning into an integer linear program that models a newly defined security Colonel Blotto game. This approach is designed to achieve an efficient allocation of scarce protection resources by anticipating attack allocations. A human subjects experiment based on a CPS infrastructure demonstrates its effectiveness. Next, it rigorously defines the term adversarial thinking, one of cybersecurity education's most important and elusive learning objectives, but for which no proper definition exists. It spells out what it means to think like a hacker by examining the characteristic thought processes of hackers through the lens of Sternberg's triarchic theory of intelligence. Next, a classroom experiment demonstrates that teaching basic game theory concepts to cybersecurity students significantly improves their strategic reasoning abilities. Finally, this dissertation applies the SPIN model checker to an electric power protection system and demonstrates a straightforward and effective technique for rigorously characterizing the degree of fault tolerance of complex CPSs, a key step in improving their defensive posture

    Train as you Fight: Evaluating Authentic Cybersecurity Training in Cyber Ranges

    Humans can play a decisive role in detecting and mitigating cyber attacks if they possess sufficient cybersecurity skills and knowledge. Realizing this potential requires effective cybersecurity training. Cyber range exercises (CRXs) represent a novel form of cybersecurity training in which trainees can experience realistic cyber attacks in authentic environments. Although evaluation is undeniably essential for any learning environment, it has been widely neglected in CRX research. Addressing this issue, we propose a taxonomy-based framework to facilitate a comprehensive and structured evaluation of CRXs. To demonstrate the applicability and potential of the framework, we instantiate it to evaluate Iceberg CRX, a training we recently developed to improve cybersecurity education at our university. For this matter, we conducted a user study with 50 students to identify both strengths and weaknesses of the CRX

    Cyberscience Undergraduate Faculty and School Official Perspectives of the Innovation and Implementation of Curriculum for Inclusion

    A disproportionate number of European American male students are enrolled in cyberscience undergraduate degree programs, despite attempts to attract diverse student populations in the field. The purpose of the basic qualitative study was to gain a better understanding on how cyberscience academic experts perceive the challenges related to the disproportionate number of European American male students enrolled in cyberscience degree programs nationwide and how to attract college students from diverse backgrounds for cyberscience programs. Using Rogers’s diffusion of innovation, the research questions explored cyberscience academic expert perceptions of the challenges of enrollment in cyberscience programs and attracting students from diverse backgrounds. Purposeful sampling was used to recruit individuals who met the definition of academic experts in cyberscience and with knowledge of the challenges posed by the disproportionate number of European American male students in the cyberscience field. Data were collected using semistructured interviews with eight participants. Data were analyzed using a priori and open coding of interview transcripts. Four conclusions can be drawn from the findings: all experts agree that diversity is needed in the field and that higher education has an important role in bringing about diversity, more workers are needed in the United States, several academic experts do not see cyberscience curriculum as appropriate to address the need for more diversity, and there is a consensus that properly briefed and informed college and university enrollment teams do have a key role in bringing about this needed diversity. Positive social change may occur because the findings could inform university officials on how to attract diverse populations, thereby increasing inclusion in this field while addressing the job shortage
