4 research outputs found

    Effects of cyber security knowledge on attack detection

    No full text
    Ensuring cyber security is a complex task that relies on domain knowledge and requires cognitive abilities to determine possible threats from large amounts of network data. This study investigates how knowledge in network operations and information security influences the detection of intrusions in a simple network. We developed a simplified Intrusion Detection System (IDS), which allows us to examine how individuals with or without knowledge in cyber security detect malicious events and declare an attack based on a sequence of network events. Our results indicate that more knowledge in cyber security facilitated the correct detection of malicious events and decreased the false classification of benign events as malicious. However, knowledge had less contribution when judging whether a sequence of events represents a cyber-attack. While knowledge of cyber security helps in the detection of malicious events, situated knowledge regarding a specific network at hand is needed to make accurate detection decisions. Responses from participants that have knowledge in cyber security indicated that they were able to distinguish between different types of cyber-attacks, whereas novice participants were not sensitive to the attack types. We explain how these findings relate to cognitive processes and we discuss their implications for improving cyber security.

    Cognition and Technology

    No full text
    As the previous chapters emphasized, the human cognition—and the technology necessary to support it—are central to Cyber Situational Awareness. Therefore, this chapter focuses on challenges and approaches to integration of information technology and computational representations of human situation awareness. To illustrate these aspects of CSA, the chapter uses the process of intrusion detection as a key example. We argue that effective development of technologies and processes that produce CSA in a way properly aligned with human cognition calls for cognitive models—dynamic and adaptable computational representations of the cognitive structures and mechanisms involved in developing SA and processing information for decision making. While visualization and machine learning are often seen among the key approaches to enhancing CSA, we point out a number of limitations in their current state of development and applications to CSA. The current knowledge gaps in our understanding of cognitive demands in CSA include the lack of a theoretical model of cyber SA within a cognitive architecture; the decision gap, representing learning, experience and dynamic decision making in the cyberspace; and the semantic gap, addressing the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding.

    Observed Variability and Values Matter: Toward a Better Understanding of Information Search and Decisions from Experience

    No full text
    The search for different options before making a consequential choice is a central aspect of many important decisions, such as mate selection or purchasing a house. Despite its importance, surprisingly little is known about how search and choice are affected by the observed and objective properties of the decision problem. Here, we analyze the effects of two key properties in a binary choice task: the options' observed and objective values, and the variability of payoffs. First, in a large public data set of a binary choice task, we investigate how the observed value and variability relate to decision-makers' efforts and preferences during search. Furthermore, we test how these properties influence the chance of correctly identifying the objectively maximizing option, and how they affect choice. Second, we designed a novel experiment to systematically analyze the role of the objective difference between the options. We find that a larger objective difference between options increases the chance for correctly identifying the maximizing option, but it does not affect behavior during search and choice.

    A Cognitive Model of Dynamic Cooperation With Varied Interdependency Information

    No full text
    We analyze the dynamics of repeated interaction of two players in the Prisoner's Dilemma (PD) under various levels of interdependency information and propose an instance-based learning cognitive model (IBL-PD) to explain how cooperation emerges over time. Six hypotheses are tested regarding how a player accounts for an opponent's outcomes: the selfish hypothesis suggests ignoring information about the opponent and utilizing only the player's own outcomes; the extreme fairness hypothesis weighs the player's own and the opponent's outcomes equally; the moderate fairness hypothesis weighs the opponent's outcomes less than the player's own outcomes to various extents; the linear increasing hypothesis increasingly weighs the opponent's outcomes at a constant rate with repeated interactions; the hyperbolic discounting hypothesis increasingly and nonlinearly weighs the opponent's outcomes over time; and the dynamic expectations hypothesis dynamically adjusts the weight a player gives to the opponent's outcomes, according to the gap between the expected and the actual outcomes in each interaction. When players lack explicit feedback about their opponent's choices and outcomes, results are consistent with the selfish hypothesis; however, when this information is made explicit, the best predictions result from the dynamic expectations hypothesis.