CSIAC

Cyber Security and Information Systems Information Analysis Center

BECO: Behavioral Economics of Cyberspace Operations

Published in Journal of Cyber Security and Information Systems
Volume: 2 Number: 2 - Games People Play Behavior and Security

Author: Victoria Fineberg
Posted: 02/09/2016

Incorporation of Biases in Economics, Cybersecurity, and CO

The integration of psychological findings of behavior and judgment into economics, i.e., the progression from SE to BE, required revisions of mainstream economic methods. According to Rabin, the difference between psychology and economics is that “while psychology investigates humans in all their richness, economics requires models that are not so rich as to retard the process of drawing out their economic implications” (1996, p. 2). Psychologists provide the breadth of information about the human psyche, and economists then use the filters of simplicity and tractability to select the psychological findings that enable them to build meaningful economic models.

Economic methods include methodological individualism, mathematical formalization of assumptions, logical analysis of the relationship between conclusions and assumptions, and empirical field testing. In SE, methodological individualism consists of two basic components: actors have well-defined preferences and they rationally maximize these preferences. BE revises these components by applying empirical evidence from psychology to the economic assumption-making to modify the nature of the preferences (Rabin, 1996, Section 2), demonstrate systematic errors that individuals commit when maximizing their utility functions (Rabin, 1996, Section 3), and describe scenarios where the very concept of people maximizing their preferences does not hold (Rabin, 1996, Section 4). Some cognition-based modifications are relatively easy to incorporate into economic models; other psychological findings raise awareness of the model shortcomings and improve economics on an ad hoc basis. Psychologists and experimental economists conduct controlled laboratory experiments to generate hypotheses, and economists test these hypotheses in uncontrolled field studies. Likewise, BECO is a hypothesis for integrating BE models into the CO Concepts of Operations (CONOPS) to be tested in field studies, as illustrated in Figure 5.

Figure 5.

BECO will identify psychology and BE findings that could provide meaningful CONOPS enhancements. As with BE, some of these findings will be incorporated into CONOPS directly, while others will be used to raise awareness and improve the operations on an ad hoc basis.

BECO Solution and Innovation

BECO is a proposed framework for increasing the effectiveness of Cyberspace Operations, such as those of USCYBERCOM, by defining a risk management framework of the CO cognitive dimension. BECO identifies biases in the operational judgment and decision-making and seeks their mitigation on the friendly side and their exploitation on the adversary side. In this context, “the friendly side” refers to the United States and its allies, and “the adversary side” refers to states and non-state entities opposing the U.S. in cyberspace.

BECO Description

BEC model. BECO is an application of BEC to CO, where BEC is a framework for conducting BE-based cybersecurity risk management (Fineberg, 2014). BEC is defined in three dimensions of Cyberactors, Security Services, and Controls as depicted in Figure 6.

Figure 6. BEC framework.

Cyberactors are classes of individuals defined by their distinct cyber roles of Users, Defenders, and Attackers. Users are seeking functional capabilities of cyberspace, Defenders are protecting cyberspace, and Attackers are exploiting cyberspace. Security Services are classes of features that ensure proper cyberspace operation and include Confidentiality, Integrity, and Availability. Confidentiality is protection of the user information, Integrity is protection of cyber systems and data from unauthorized access and malicious manipulation, and Availability is the user’s ability to use cyberspace systems and data. Controls are risk-management responses for upholding cybersecurity including Identification, Response, and Prevention. Identification uncovers significant cognitive biases that apply to various scenarios, Response mitigates biases on the friendly side and exploits biases on the adversary side, and Prevention encompasses research, training and other preparation.

The BEC cube can be used for comprehensive Risk Management and for selecting and controlling the greatest risks. In the Risk Assessment phase, cognitive vulnerabilities are represented by one or more squares on the Cyberactor-Security Services surface; and in the Risk Response phase, mitigation is selected along the Controls axis.

BECO model. BECO applies BEC to CO exemplified by the USCYBERCOM’s mission. The principal distinctions between the two frameworks are their respective scopes and sets of actors. The scope of BEC is the general cybersecurity risk management, whereas the scope of BECO is risk management of the full-spectrum CO, as depicted in Figure 7. The BEC RMF is applied to each BECO actor, thus creating a five-dimensional analysis space of Cyberactors, Security Services, Controls, Planning Levels, and Lines of Operation.

Figure 7. BECO framework.

A comprehensive scope of BECO is assured by its incorporation of a comprehensive set of questions “who, why, what, how, when, and where.” “Who” are CO cyberactors, and “why, what, and how” represent actors’ biases and actions. “When” is the time dimension, the timeframe of the strategic, operational, and tactical levels of the CO planning. “Where” is the space dimension, such as the USCYBERCOM’s Lines of Operation (LOO) including DoD Network Operations (DNO), Defensive Cyber Operations (DCO), and Offensive Cyber Operations (OCO). DNO provides typical enterprise security within the defense perimeter, and its risk management corresponds to the original BEC. DCO extends DNO with the maneuver capability outside the perimeter and employs Red Teams. OCO engages in global military actions, in which USCYBERCOM’s attackers are on the friendly side. In CO, the scope of actors expands beyond BEC’s Users, Defenders, and Attackers by the considerations of the friendly and adversary sides as depicted in Figure 8, where the friendly-side USCYBERCOM forces are described by Pellerin (2013b).

Figure 8.

The friendly side includes Defenders (fD) such as USCYBERCOM’s Cyber Protection Teams (CPT) and National Mission Teams (NMT), Attackers (fA) such as Combat Mission Teams (CMT), and Red Teams (fRT) testing the friendly defenses. On the adversary side, Attackers (aA) are regular BEC attackers and Defenders (aD) are BECO entities whose cognitive biases are exploited by fAs. Insiders (aI) are adversarial actors sabotaging the friendly side from inside the friendly defense perimeter; similarly, Spies (fS) are supporting the friendly side from inside the adversary defense perimeter. BECO Users include both adversary Users (aU) and friendly Users (fU) that may undermine the friendly and the adversary sides, respectively.


References

Alexander, K. B. (2012). Statement before the Senate Committee on Armed Services. Retrieved from http://www.airforcemag.com/SiteCollectionDocuments/Reports/2012/March2012/Day28/032812alexander.pdf.

Ariely, D. (2009). Predictably irrational: The hidden forces that shape our decisions. Revised and expanded edition. New York, NY: Harper Perennial.

Ariely, D. (2012). The (honest) truth about dishonesty: How we lie to everyone—Especially ourselves. New York, NY: HarperCollins Publishers.

Ariely, D., Loewenstein, G., & Prelec, D. (2000). Coherent arbitrariness: Duration-sensitive pricing of hedonic stimuli around an arbitrary anchor. SSRN. Retrieved from http://papers.ssrn.com/sol3/papers.cfm?abstract_id=243109.

Ariely, D. & Norton, M. I. (2008). How actions create – not just reveal – preferences. Trends in Cognitive Sciences, 12(1), 13-16.

Festinger, L. (1962). Cognitive dissonance. Scientific American, 207(4), 93-107.

Fineberg, V. (2012). COOP hardening against Black Swans. The Business Continuity and Resiliency Journal, 1(3), 14-24.

Fineberg, V. (2014). BEC: Applying behavioral economics to harden cyberspace. Journal of Cybersecurity and Information Systems, 2(1), 27-33. Retrieved from .

Grossman, D. & Christensen, L. W. (2007). On combat: The psychology and physiology of deadly conflict in war and in peace. 2nd Edition. PPCT Research Publications.

Holton, J. W. (2011). The Pashtun behavior economy: An analysis of decision making in tribal society. Master’s Thesis. Naval Postgraduate School. Monterey, CA. Retrieved from .

Iyengar, S. S. & Lepper, M. R. (2000). When choice is demotivating: Can one desire too much of a good thing? Journal of Personality and Social Psychology, 79(6), 995-1006. Retrieved from .

JP 3-13. (2012). Information operations. Joint Publication 3-13. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.

Kahneman, D. (2006). [Video File]. History and rationality lecture series. Hebrew University. Retrieved from http://www.youtube.com/watch?v=3CWm3i74mHI.

Kahneman, D. (2011). Thinking, fast and slow. New York, NY: Farrar, Straus and Giroux.

Kahneman, D. (2013). [Video File]. Annual Hans Maeder lecture with Nobel Prize-winning psychologist Daniel Kahneman. The New School. Retrieved from http://www.youtube.com/watch?v=l91ahHR5-i0&list=PLUWrLGgGJAm9pm4ANtiGk4VVflf45Hz0P&index=7.

Kahneman, D. & Renshon, J. (2009). Hawkish biases. Expanded version of an essay that appeared in American Foreign Policy and the Politics of Fear: Threat Inflation Since 9/11. New York, NY: Routledge Press, 79-96. Retrieved from http://www.princeton.edu/~kahneman/docs/Publications/Hawkish%20Biases.pdf.

Mackay, A. & Tatham S. (2011). Behavioural conflict: Why understanding people and their motives will prove decisive in future conflict. Saffron Walden, Essex, UK: Military Studies Press.

NIST 800-39. (2011). Managing information security risk: Organization, mission, and information system view. NIST Special Publication 800-39. Gaithersburg, MD: Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.

Pellerin, C. (2013a). Cyber Command adapts to understand cyber battlespace. U.S. Department of Defense. Retrieved from http://www.defense.gov/news/newsarticle.aspx?id=119470.

Pellerin, C. (2013b). DOD readies elements crucial to Cyber Operations. U.S. Department of Defense. Retrieved from http://www.defense.gov/news/newsarticle.aspx?id=120381.

Rabin, M. (1996). Psychology and Economics. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.42.9558&rep=rep1&type=pdf.

Stavridis, J. G. & Parker, E. C. III. (2012). Sailing the cyber sea. JFQ, 65(2), 61-67.

Taleb, N. N. (2010). The Black Swan: The impact of the highly improbable. New York, NY: Random House.

Taleb, N. N. (2012). Antifragile: Things that gain from disorder. New York, NY: Random House.

Thaler, R. H. & Sunstein, C. R. (2009). Nudge: Improving decisions about health, wealth, and happiness. London, England: Penguin Books.

U.S. Cyber Command. (2013). United States Strategic Command factsheet: U.S. Cyber Command. Retrieved from http://www.stratcom.mil/factsheets/Cyber_Command/.

Author

Victoria Fineberg
Victoria Fineberg is a Principal Information Assurance Engineer at the Defense Information Systems Agency (DISA). She is a Certified Information Systems Security Professional (CISSP) and has completed Chief Information Officer (CIO) and Chief Information Security Officer (CISO) programs at the National Defense University’s (NDU) iCollege. Victoria holds a Masters Degree in Mechanical Engineering from the University of Illinois at Urbana-Champaign, is a licensed Professional Engineer and a Senior Member of IEEE. Prior to DISA, Victoria worked for Bell Labs at Lucent Technologies. Her professional interests include cyber security, risk analysis, and the impact of cognitive biases on cyber operations.
