Abstract
Many researchers focus on developing virtual testbeds to assess the magnitude of cyberattack damage and evaluate the effectiveness of cyber defense strategies in different cyber attack scenarios. These testbeds provide a controlled and cost-effective environment for simulating attacks and studying their impact on organizational security. One of the major challenges in developing such testbeds is accurately capturing the human factors in cybersecurity. Phishing attacks, in particular, exploit human vulnerabilities and can lead to significant security breaches. However, modeling and simulating human susceptibility to phishing in virtual environments is complex due to the dynamic nature of human behavior and the interplay of various factors. This paper addresses this challenge by proposing an agent-based modeling framework that incorporates human factors to simulate dynamic phishing susceptibility. The framework allows the modeler to specify and assign weights to various human factors, such as personality traits and training history, which influence individuals’ susceptibility to phishing attacks. By leveraging this framework, modelers can run virtual cyber attack simulations with dynamically changing phishing susceptibility among the simulated end user agents. This enables the testing and evaluation of different cyber defense strategies in the context of realistic human behavior.
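The following sketch is an added example, not the paper's model or code: it shows one way weighted human factors and training history can drive a time-varying click probability for simulated end user agents. The logistic form, the weights, the exponential training decay, and every name in it (`EndUser`, `simulate`, `RETENTION_DAYS`) are assumptions chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

# Assumed factor weights (illustrative, not taken from the paper). Positive
# weights raise susceptibility, negative weights lower it.
WEIGHTS = {"neuroticism": 0.8, "agreeableness": 0.5,
           "conscientiousness": -0.9, "training": -2.0}
BIAS = -1.0            # assumed baseline log-odds of clicking
RETENTION_DAYS = 30.0  # assumed time constant of training decay

@dataclass
class EndUser:
    traits: dict                # trait name -> score in [0, 1]
    last_trained: float = None  # day of last training, None if never trained

    def training_effect(self, day):
        """Retained training in [0, 1], decaying exponentially with time."""
        if self.last_trained is None:
            return 0.0
        return math.exp(-(day - self.last_trained) / RETENTION_DAYS)

    def susceptibility(self, day):
        """Click probability on `day`: logistic of the weighted factors."""
        z = BIAS + WEIGHTS["training"] * self.training_effect(day)
        z += sum(WEIGHTS[t] * v for t, v in self.traits.items())
        return 1.0 / (1.0 + math.exp(-z))

def simulate(n_agents=50, days=90, retrain_every=None, seed=7):
    """Send one phishing email per agent per day; return total clicks."""
    rng = random.Random(seed)
    names = ("neuroticism", "agreeableness", "conscientiousness")
    agents = [EndUser({t: rng.random() for t in names})
              for _ in range(n_agents)]
    clicks = 0
    for day in range(days):
        for agent in agents:
            if retrain_every and day % retrain_every == 0:
                agent.last_trained = day  # defense policy: periodic training
            if rng.random() < agent.susceptibility(day):
                clicks += 1
    return clicks

if __name__ == "__main__":
    for policy in (None, 30, 10):
        print(f"retrain_every={policy}: {simulate(retrain_every=policy)} clicks")
```

Because every run with the same seed consumes the same random draws, differences in click counts between policies come only from the training schedule, which makes the defense strategies directly comparable.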
Acknowledgement
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This research was supported in part by the Minerva Research Initiative under Grant #N00014-21-1-4012, and by the Center for Computational Analysis of Social and Organizational Systems (CASOS) at Carnegie Mellon University. The views and conclusions are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Office of Naval Research or the US Government.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Shin, J., Carley, K.M., Carley, L.R. (2023). Integrating Human Factors into Agent-Based Simulation for Dynamic Phishing Susceptibility. In: Thomson, R., Al-khateeb, S., Burger, A., Park, P., A. Pyke, A. (eds) Social, Cultural, and Behavioral Modeling. SBP-BRiMS 2023. Lecture Notes in Computer Science, vol 14161. Springer, Cham. https://doi.org/10.1007/978-3-031-43129-6_17
DOI: https://doi.org/10.1007/978-3-031-43129-6_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-43128-9
Online ISBN: 978-3-031-43129-6
eBook Packages: Computer Science (R0)