A Descriptive Model for Modelling Attacker Decision-Making in Cyber-Deception

B. R. Turner, O. Guidetti, N. M. Karie, R. Ryan, Y. Yan

TL;DR

This paper identifies a gap in cyber-deception research: existing models typically assume attackers have already chosen to engage. It proposes a cognitively grounded descriptive model with five interacting components—belief, scepticism, deception fidelity, reconnaissance, and experience—to predict engagement decisions prior to exploitation. The authors justify a linear, interpretable formulation and illustrate how engagement outputs can be bounded probabilities, suitable for integration with Bayesian, MDP, and RL frameworks. A planned series of Capture the Flag experiments, augmented with behavioral and biometric data, is described to validate and refine the model. Overall, the work aims to provide a cognitively realistic, analytically tractable basis for designing and evaluating cyber-deception strategies.

Abstract

Cyber-deception is an increasingly important defensive strategy, shaping adversarial decision making through controlled misinformation, uncertainty, and misdirection. Although game-theoretic, Bayesian, Markov decision process, and reinforcement learning models offer insight into deceptive interactions, they typically assume an attacker has already chosen to engage. Such approaches overlook cognitive and perceptual factors that influence an attacker's initial decision to engage or withdraw. This paper presents a descriptive model that incorporates the psychological and strategic elements shaping this decision. The model defines five components, belief (B), scepticism (S), deception fidelity (D), reconnaissance (R), and experience (E), which interact to capture how adversaries interpret deceptive cues and assess whether continued engagement is worthwhile. The framework provides a structured method for analysing engagement decisions in cyber-deception scenarios. A series of experiments has been designed to evaluate this model through Capture the Flag activities incorporating varying levels of deception, supported by behavioural and biometric observations. These experiments have not yet been conducted, and no experimental findings are presented in this paper. These experiments will combine behavioural observations with biometric indicators to produce a multidimensional view of adversarial responses. Findings will improve understanding of the factors influencing engagement decisions and refine the model's relevance to real-world cyber-deception settings. By addressing the gap in existing models that presume engagement, this work supports more cognitively realistic and strategically effective cyber-deception practices.

Paper Structure

This paper contains 25 sections, 7 equations, 4 tables.

Theorems & Definitions (5)

  • Definition 1: Belief
  • Definition 2: Scepticism
  • Definition 3: Reconnaissance
  • Definition 4: Deception
  • Definition 5: Experience