
Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior

Research output: Working paper

Published

Standard

Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior. / Embrey, Iain; Kaivanto, Kim Kaleva.

Lancaster : Lancaster University, Department of Economics, 2018. (Economics Working Papers Series).

Harvard

Embrey, I & Kaivanto, KK 2018 'Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior' Economics Working Papers Series, Lancaster University, Department of Economics, Lancaster.

APA

Embrey, I., & Kaivanto, K. K. (2018). Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior. (Economics Working Papers Series). Lancaster University, Department of Economics.

Vancouver

Embrey I, Kaivanto KK. Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior. Lancaster: Lancaster University, Department of Economics. 2018 Nov. (Economics Working Papers Series).

Author

Embrey, Iain ; Kaivanto, Kim Kaleva. / Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior. Lancaster : Lancaster University, Department of Economics, 2018. (Economics Working Papers Series).

Bibtex

@techreport{8d8a70b7d7df4a83bf49dce7a46f4061,
title = "Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior",
abstract = "Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus the proposed model reduces to conventional Expected Utility theory when |C_EU| = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with |C_DP| = 2. We consider a more general case with |C| >= 2, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the `stepping-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.",
keywords = "phishing, social engineering, peripheral-route persuasion, advanced persistent threat, choice criteria, dual-process theory, latent class model",
author = "Iain Embrey and Kaivanto, {Kim Kaleva}",
year = "2018",
month = nov,
language = "English",
series = "Economics Working Papers Series",
publisher = "Lancaster University, Department of Economics",
type = "WorkingPaper",
institution = "Lancaster University, Department of Economics",

}

RIS

TY - UNPB

T1 - Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior

AU - Embrey, Iain

AU - Kaivanto, Kim Kaleva

PY - 2018/11

Y1 - 2018/11

N2 - Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus the proposed model reduces to conventional Expected Utility theory when |C_EU| = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with |C_DP| = 2. We consider a more general case with |C| >= 2, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the 'stepping-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.

AB - Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus the proposed model reduces to conventional Expected Utility theory when |C_EU| = 1, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with |C_DP| = 2. We consider a more general case with |C| >= 2, which necessitates careful consideration of how, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the 'stepping-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.

KW - phishing

KW - social engineering

KW - peripheral-route persuasion

KW - advanced persistent threat

KW - choice criteria

KW - dual-process theory

KW - latent class model

M3 - Working paper

T3 - Economics Working Papers Series

BT - Many Phish in the C : A Coexisting-Choice-Criteria Model of Security Behavior

PB - Lancaster University, Department of Economics

CY - Lancaster

ER -
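The abstract describes the model only in words: a set C of coexisting choice criteria, a probability that one of them prevails given the decision maker's traits, the context and the framing, and a decision then made under the prevailing criterion. The Python sketch below is added here as an illustration of that structure and is not code from the paper or its authors. It realises the model as a latent-class mixture with three assumed criteria (a deliberate expected-utility rule, an urgency heuristic and an authority heuristic), softmax criterion weights, and a per-criterion click probability; every functional form, coefficient, and sample lure is an assumption chosen for this example, not the paper's own specification. Restricting the criterion set to ("EU",) recovers the |C| = 1 expected-utility case, and ("EU", "URGENCY") is a two-criterion dual-process case.

```python
"""Illustrative coexisting-choice-criteria (latent class) model of phishing clicks.

Added example for this page, not code from Embrey & Kaivanto (2018). The three
criteria, the logistic/softmax forms, every coefficient and the sample lures are
assumptions chosen to make the abstract's structure concrete.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Lure:
    """Cues of one phishing message as the recipient can observe them (constructed)."""
    urgency: float         # 0..1, pressure to act now (emotion pathway)
    authority: float       # 0..1, invokes a manager or institution (deference pathway)
    internal_sender: bool  # arrives from a genuine internal account, e.g. one already compromised
    net_benefit: float     # perceived benefit minus cost of complying, as the deliberate criterion sees it


@dataclass(frozen=True)
class Recipient:
    """Traits of the decision maker (assumed)."""
    deliberation: float    # 0..1, propensity to process centrally ("think slow")
    trained: bool          # completed phishing-awareness training


# The criterion set C. ("EU",) gives |C| = 1; ("EU", "URGENCY") gives |C| = 2.
CRITERIA = ("EU", "URGENCY", "AUTHORITY")


def _sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def _softmax(logits: dict) -> dict:
    m = max(logits.values())
    exps = {k: math.exp(v - m) for k, v in logits.items()}
    z = sum(exps.values())
    return {k: v / z for k, v in exps.items()}


def criterion_weights(lure: Lure, who: Recipient, criteria=CRITERIA) -> dict:
    """P(criterion prevails | traits, context, framing): softmax over assumed linear logits."""
    logits = {
        "EU": 2.0 * who.deliberation + (0.5 if who.trained else 0.0),
        "URGENCY": 3.0 * lure.urgency - 1.0,
        "AUTHORITY": 3.0 * lure.authority - 1.0 + (0.5 if lure.internal_sender else 0.0),
    }
    return _softmax({c: logits[c] for c in criteria})


def p_click_given(criterion: str, lure: Lure, who: Recipient) -> float:
    """P(click | criterion, lure): each criterion attends to different cues."""
    if criterion == "EU":
        # Deliberate criterion: weighs net benefit and discounts unverified senders.
        # Training raises that discount, but it cannot apply to a genuine internal sender.
        penalty = 0.0 if lure.internal_sender else (2.0 if who.trained else 0.5)
        return _sigmoid(2.0 * lure.net_benefit - penalty)
    if criterion == "URGENCY":
        return _sigmoid(4.0 * lure.urgency - 1.0)
    if criterion == "AUTHORITY":
        return _sigmoid(4.0 * lure.authority - 1.5 + (1.0 if lure.internal_sender else 0.0))
    raise ValueError(f"unknown criterion {criterion!r}")


def p_click(lure: Lure, who: Recipient, criteria=CRITERIA) -> float:
    """Mixture: sum over criteria of P(criterion | ...) * P(click | criterion, lure)."""
    w = criterion_weights(lure, who, criteria)
    return sum(w[c] * p_click_given(c, lure, who) for c in criteria)


def training_effect(lure: Lure, deliberation: float = 0.5) -> float:
    """Absolute click-probability reduction that training buys against this lure."""
    return p_click(lure, Recipient(deliberation, False)) - p_click(lure, Recipient(deliberation, True))


# Constructed lures: a bland external message, the same message with an urgent framing,
# an 'instruction from the boss' sent from outside, and the same instruction sent from
# the boss's own (compromised) mailbox, i.e. the stepping-stone case.
NEUTRAL_LURE = Lure(urgency=0.1, authority=0.1, internal_sender=False, net_benefit=0.2)
URGENT_LURE = Lure(urgency=0.9, authority=0.1, internal_sender=False, net_benefit=0.2)
EXTERNAL_BOSS_LURE = Lure(urgency=0.3, authority=0.8, internal_sender=False, net_benefit=0.2)
STEPPING_STONE_LURE = Lure(urgency=0.3, authority=0.8, internal_sender=True, net_benefit=0.2)
BASELINE = Recipient(deliberation=0.5, trained=False)


if __name__ == "__main__":
    cases = [("neutral", NEUTRAL_LURE), ("urgent", URGENT_LURE),
             ("external boss", EXTERNAL_BOSS_LURE), ("stepping stone", STEPPING_STONE_LURE)]
    for name, lure in cases:
        w = criterion_weights(lure, BASELINE)
        weights = ", ".join(f"{c}={w[c]:.2f}" for c in CRITERIA)
        print(f"{name:15s} P(click)={p_click(lure, BASELINE):.2f}  "
              f"training effect={training_effect(lure):+.2f}  [{weights}]")
```

Run as a script, the table shows three things the prose states: breach risk is conditional on framing (the urgent framing raises P(click) for the same recipient by shifting weight onto the urgency criterion), a training effect measured on the bland external lure is larger than the effect against the urgent or internal-sender lures, so a test of training that only uses bland lures does not measure protection against the others, and the same 'boss' instruction is more likely to be acted on when it comes from an already-compromised internal mailbox, which is one way the stepping-stone pattern arises in a mixture of this shape.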