A Case Study on the Use of Representativeness Bias as a Defense Against Adversarial Cyber Threats
Briland Hitaj, Grit Denker, Laura Tinnel, Michael McAnally, Bruce DeBruhl, Nathan Bunting, Alex Fafard, Daniel Aaron, Richard D. Roberts, Joshua Lawson, Greg McCain, Dylan Starink
TL;DR
The paper investigates whether representativeness bias in attackers can be exploited to enhance cyber defense. It introduces bias triggers within capture-the-flag events (Rep1a and Rep1b) and uses a within-subject design at HITB and ECSC to measure effects on attacker decisions and time allocation. Results show no significant effect on initial path choices but reveal significant differences in time spent on non-vulnerable versus vulnerable paths in Rep1b, with mixed patterns across conferences; linear mixed-effects modeling confirms substantive effects of event, challenge, and condition. The work demonstrates the feasibility of psychology-informed active defenses and outlines a path toward bias sensors and broader bias repertoire to improve cyber resilience.
Abstract
Cyberspace is an ever-evolving battleground involving adversaries seeking to circumvent existing safeguards and defenders aiming to stay one step ahead by predicting and mitigating the next threat. Existing mitigation strategies have focused primarily on solutions that consider software or hardware aspects, often ignoring the human factor. This paper takes a first step towards psychology-informed, active defense strategies, where we target biases that human beings are susceptible to under conditions of uncertainty. Using capture-the-flag events, we create realistic challenges that tap into a particular cognitive bias: representativeness. This study finds that this bias can be triggered to thwart hacking attempts and divert hackers into non-vulnerable attack paths. Participants were exposed to two different challenges designed to exploit representativeness biases. One of the representativeness challenges significantly thwarted attackers away from vulnerable attack vectors and onto non-vulnerable paths, signifying an effective bias-based defense mechanism. This work paves the way towards cyber defense strategies that leverage additional human biases to thwart future, sophisticated adversarial attacks.
