Society For Risk Analysis Annual Meeting 2016
Session Schedule & Abstracts
* Disclaimer: All presentations represent the views of the authors, and not the organizations that support their research. Please apply the standard disclaimer that any opinions, findings, and conclusions or recommendations in abstracts, posters, and presentations at the meeting are those of the authors and do not necessarily reflect the views of any other organization or agency. Meeting attendees and authors should be aware that this disclaimer is intended to apply to all abstracts contained in this document. Authors who wish to emphasize this disclaimer should do so in their presentation or poster. In an effort to make the abstracts as concise as possible and easy for meeting participants to read, the abstracts have been formatted such that they exclude references to papers, affiliations, and/or funding sources. Authors who wish to provide attendees with this information should do so in their presentation or poster.
Chair(s): Richard John, Jinshui Cui
Sponsored by Security and Defense Specialty Group
W1-C.1 8:30 am Deterrence: Exploiting the connection between affect, risk perception and self-efficacy to demotivate an adversary. Burns WJ*; Decision Research firstname.lastname@example.org
Abstract: This presentation discusses an approach to understanding and facilitating deterrence in the context of domestic threats to commercial aviation and other high valued domestic targets. A theoretical framework is put forth for enhancing deterrence by exploiting the connection between affect, perceived risk, and self-efficacy. There is an extensive scientific literature that looks at the connection between these three factors and how to correct misperceptions. This study seeks to exploit these inherent biases as a way to deter an adversary from seeking to defeat a security system. An example is offered to illustrate the concept.
W1-C.2 8:50 am Defender-User Coordination and Attacker Deterrence in a Three-way Behavioral Cyber Security Game. Cui J*, John RS, Rosoff H; University of Southern California email@example.com
Abstract: This study focuses on cyber attackers’ choices in a three-way cyber security game involving attackers, defenders, and users. An attacker can choose to attack the defender (a 2-step action) or the user (a 1-step action) or not to attack. Conversely, the defenders and users select either a standard or enhanced security level. In Experiment 1, a total of 175 respondents played as attackers over 20 rounds of the game and were incentivized based on their performance. The uncertainties involve both defenders’ and users’ security choices, as well as exogenous uncertainty about the outcome. Defenders’ and users’ marginal security levels were held constant, while the relationship between their security levels was manipulated as either complementing, substituting, or nearly independent. In Experiment 2, a total of 497 respondents played as attackers over 30 rounds of a similar game where the outcome of attacker’s move was only contingent upon defenders’ and user’s security levels. The relationship between defenders’ and users’ strategies was again manipulated as either complementing, substituting, or independent. We found that there was greater deterrence (cyber attackers choosing not to attack) for negatively correlated defenses than for independent defenses in both experiments. The effect was stronger under exogenous outcome uncertainty. We also manipulated defenders’ and users’ marginal security levels in Experiment 2. As predicted, there was greater deterrence associated with greater likelihood of enhanced security for both defenders and users. Attackers were more likely to attack defenders (users) when defenders (users) had greater likelihood of standard security than users (defenders). In addition, we found that attackers were more likely to shift from attacking users to defenders after learning users had enhanced security. Attackers were less likely to continue the second step of defender hack (deterred) after learning defenders had enhanced security.
W1-C.3 9:09 am An Interactive Real-time Behavioral Game For Cyber Security. Kusumastuti SA*, Rosoff F, John RS; University of Southern California firstname.lastname@example.org
Abstract: This study describes an experiment in the form of a cyber security game with three players: attacker, defender, and user. Attacker is given 3 choices: attack the defender, attack the user or not attack anyone. The defender and user are given 2 choices, to defend either with standard or enhanced security. The outcome of the game depends on the combination of the three players’ choice of action. The likelihood of successfully defending from attacks for the defender and user may be enhanced by cooperating in making their security decisions, therefore there is an incentive to adjust one’s choices according to the other. In this game we observe whether the capability for the defender to see the user’s choice or vice versa would affect their own choice of security level. In addition, we observe if the attacker is sensitive to the level of coordination between attacker and user choices, particularly their likelihood to be deterred from making an attack. This experiment is implemented in oTree, an online behavioral game platform that allows simultaneous interactive multiplayer games and uses online participants from Amazon Mechanical Turk.
W1-C.4 9:30 am Behavioral Experimentation Of Cyber Attacker Deterrence With Deter Testbed. Rosoff H*, Blythe J, Kusumastuti S, John R; University of Southern California email@example.com
Abstract: Deterrence is now being considered as a strategy to prevent and defend against cyber attacks. One part of implementing this strategy is having a powerful defense. If the defender’s security can sufficiently make an attack exceedingly difficult, an attacker might choose not to attack. The challenges of enhanced security are that the number of potential attackers is numerous, there are limited barriers to entry and there is ample opportunity for concealment. In addition, unique to cyber space is the significant distance between attacker and defender at the time of attack, and the potential for attacker concealment. We study the complexities of cyber deterrence by conducting behavioral experiments with DETER (cyber defense technology experimental research interface) on the effects of enhanced security on attacker and defender decision making. By using DETER a more realistic exchange of the iterative process between the attacker and defender can be monitored allowing for collected data to more aptly represent their interactions when deterrence strategies are implemented. In our experiment, participants role-play as attackers confronted by different defense strategies. Specifically, we study the deterrent effect of layered security and monitoring, in the pursuit of various targets. Layered security is defined as either: (1) a series of moderately effective defense components where each covers the gaps in the other’s protective capabilities or (2) a “best of breed” defense where one component of the integrated layers is implemented and extremely effective. Monitoring is defined as either: (1) a sophisticated monitoring system that when in operation detects all threats; however, this system is randomized and as such is only turned on at specific times, or (2) a less sophisticated monitoring system that is in operation all the time. We assess whether the attacker continues with the planned attack, is diverted to another target, or chooses not to attack after acquiring knowledge about the defensive security in place.