Numerous studies of human user behaviours in cybersecurity tasks have used traditional research methods, such as self-reported surveys or empirical experiments, to identify relationships between various factors of interest and user security performance. This work takes a different approach, applying computational cognitive modelling to research the decision-making of cybersecurity users. The model described here relies on cognitive memory chunk activation to analytically simulate the decision-making process of a user classifying legitimate and phishing emails. Suspicious-seeming cues in each email are processed by examining similar, past classifications in long-term memory. We manipulate five parameters (Suspicion Threshold; Maximum Cues Processed; Weight of Similarity; Flawed Perception Level; Legitimate-to-Phishing Email Ratio in long-term memory) to examine their effects on accuracy, email processing time and decision confidence. Furthermore, we have conducted an empirical, unattended study of US participants performing the same task. Analyses on the empirical study data and simulation output, especially clustering analysis, show that these two research approaches complement each other for more insightful understanding of this phishing detection task. The analyses also demonstrate several limitations of this computational model that cannot easily capture certain user types and phishing detection strategies, calling for a more dynamic and sophisticated model construction.
Anderson, J.R. (1996) ACT: A Simple Theory of Complex Cognition. American Psychologist, 51, 4 (April 1996). 355-365.
Cranford, E.A., Lebiere, C., Rajivan, P., Aggarwal, P., and Gonzalez, C. (2019) Modeling Cognitive Dynamics in End-User Response to Phishing Emails. Proceedings of the 17th Annual Meeting of the International Conference on Cognitive Modelling, 35-40.
Dutt, V., Ahn, Y., and Gonzalez, C. (2013) Cyber Situation Awareness: Modeling Detection of Cyber Attacks With Instance-Based Learning Theory. Human Factors 55, 3 (June 2013). 605-618. https://doi.org/10.1177/0018720812464045
Gavett, B.E., Zhao, R., John, S.E., Bussell, C.A., Roberts, J.R., and Yue, C. (2017) Phishing Suspiciousness in Older and Younger Adults: The Role of Executive Functioning. PLoS ONE 12, 2 (February 2017). https://doi.org/10.1371/journal.pone.0171620
Laird, J.E. (2012) The Soar Cognitive Architecture. The MIT Press, Cambridge, MA.
Lin, T., Capecci, D.E., Ellis, D.M., Rocha, H.A., Dommaraju, S., Oliveira, D.S., and Ebner, N.C. (2019) Susceptibility to Spear-Phishing Emails: Effects of Internet User Demographics and Email Content. ACM Transactions on Computer-Human Interaction 26, 5, Article 32 (July 2019). https://doi.org/10.1145/3336141
Molinaro, K.A. and Bolton, M.L. (2018) Evaluating the applicability of the double system lens model to the analysis of phishing email judgments. Computers & Security, 77 (August 2018). 128-137. https://doi.org/10.1016/j.cose.2018.03.012
Parsons, K., Butavicius, M., Delfabbro, P., and Lillie, M. (2019) Predicting Susceptibility to Social Influence in Phishing Emails. International Journal of Human-Computer Studies 128 (August 2019). 17-26. https://doi.org/10.1177/0018720816665025
Shonman, M., X. Li, H. Zhang, and A. Dahbura (2018) Simulating Phishing Email Processing with Instance-Based Learning and Cognitive Chunk Activation. Brain Informatics (BI 2018) (December 2018). Lecture Notes in Computer Science, 11309. 468-478. https://doi.org/10.1007/978-3-030-05587-5_44
Singh, K., Aggarwal, P., Rajivan, P., and Gonzalez, C. (2019) Training to Detect Phishing Emails: Effects of the Frequency of Experienced Phishing Emails. Proceedings of the Human Factors and Ergonomics Society 2019 Annual Meeting, 453-457. https://doi.org/10.1177/1071181319631355
Sun, R. (2008) Introduction to Computational Cognitive Modeling. In The Cambridge Handbook of Computational Psychology. Cambridge University Press, pages 3-19.
Symantec (2018) Internet Security Threat Report, vol. 23. Symantec Corporation. symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf (retrieved 1 March 2022).
Veksler, V.D. and Buchler, N. (2016) Know Your Enemy: Applying Cognitive Modeling in Security Domain. Presented at the 38th Annual Meeting of the Cognitive Science Society, Philadelphia, PA, August 2016.
Veksler, V.D., Buchler, N., Hoffman, B.E., Cassenti, D.N., Sample, C., and Sugrim, S. (2018) Simulations in Cyber-Security: A Review of Cognitive Modeling of Network Attackers, Defenders, and Users. Frontiers in Psychology 9, Article 691 (May 2018). https://doi.org/10.3389/fpsyg.2018.00691
Vergelis, M., Shcherbakova, T., and Sidorina, T. (2019) Spam and phishing in Q1. Securelist. https://securelist.com/spam-and-phishing-in-q1-2019/90795 (retrieved 1 March 2022).
Verizon (2021) 2021 Data Breach Investigations Report. https://www.verizon.com/business/resou rces/reports/2021/2021-data-breach-investigations-report.pdf (retrieved 20 March 2022).
Vishwanath, A., Harrison, B., and Ng, Y.J. (2016) Suspicion, Cognition, and Automaticity Model of Phishing Susceptibility. Communication Research 45, 8 (December 2018). 1146-1166. https://doi.org/10.1177/0093650215627483
Zhang, H., S. Singh, X Li, A Dahbura, and M. Xie (2018) Multitasking and Monetary Incentive in a Realistic Phishing Study. Proceedings of the 32nd International BCS Human Computer Interaction Conference (HCI). https://doi.org/10.14236/ewic/HCI2018.115