Incorporation of Biases in Economics, Cybersecurity, and CO
The integration of psychological findings on behavior and judgment into economics, i.e., the progression from SE to BE, required revisions of mainstream economic methods. According to Rabin, the difference between psychology and economics is that “while psychology investigates humans in all their richness, economics requires models that are not so rich as to retard the process of drawing out their economic implications” (1996, p. 2). Psychologists provide the breadth of information about the human psyche, and economists then apply the filters of simplicity and tractability to select the psychological findings that enable them to build meaningful economic models.
Economic methods include methodological individualism, mathematical formalization of assumptions, logical analysis of the relationship between conclusions and assumptions, and empirical field testing. In SE, methodological individualism consists of two basic components: actors have well-defined preferences, and they rationally maximize these preferences. BE revises these components by applying empirical evidence from psychology to economic assumption-making in order to modify the nature of the preferences (Rabin, 1996, Section 2), demonstrate systematic errors that individuals commit when maximizing their utility functions (Rabin, 1996, Section 3), and describe scenarios where the very concept of people maximizing their preferences does not hold (Rabin, 1996, Section 4). Some cognition-based modifications are relatively easy to incorporate into economic models; other psychological findings raise awareness of model shortcomings and improve economics on an ad hoc basis. Psychologists and experimental economists conduct controlled laboratory experiments to generate hypotheses, and economists test these hypotheses in uncontrolled field studies. Likewise, BECO is a hypothesis for integrating BE models into the CO Concepts of Operations (CONOPS), to be tested in field studies, as illustrated in Figure 5.
BECO will identify psychology and BE findings that could provide meaningful CONOPS enhancements. As with BE, some of these findings will be incorporated into CONOPS directly, while others will be used to raise awareness and improve the operations on an ad hoc basis.
BECO Solution and Innovation
BECO is a proposed framework for increasing the effectiveness of Cyberspace Operations, such as those of USCYBERCOM, by defining a risk management framework of the CO cognitive dimension. BECO identifies biases in the operational judgment and decision-making and seeks their mitigation on the friendly side and their exploitation on the adversary side. In this context, “the friendly side” refers to the United States and its allies, and “the adversary side” refers to states and non-state entities opposing the U.S. in cyberspace.
BEC model. BECO is an application of BEC to CO, where BEC is a framework for conducting BE-based cybersecurity risk management (Fineberg, 2014). BEC is defined along three dimensions, Cyberactors, Security Services, and Controls, as depicted in Figure 6.
Figure 6. BEC framework.
Cyberactors are classes of individuals defined by their distinct cyber roles of Users, Defenders, and Attackers. Users seek the functional capabilities of cyberspace, Defenders protect cyberspace, and Attackers exploit cyberspace. Security Services are classes of features that ensure proper cyberspace operation and include Confidentiality, Integrity, and Availability. Confidentiality is protection of user information, Integrity is protection of cyber systems and data from unauthorized access and malicious manipulation, and Availability is the user’s ability to use cyberspace systems and data. Controls are risk-management responses for upholding cybersecurity, including Identification, Response, and Prevention. Identification uncovers significant cognitive biases that apply to various scenarios, Response mitigates biases on the friendly side and exploits biases on the adversary side, and Prevention encompasses research, training, and other preparation.
The BEC cube can be used for comprehensive Risk Management and for selecting and controlling the greatest risks. In the Risk Assessment phase, cognitive vulnerabilities are represented by one or more squares on the Cyberactor-Security Services surface; in the Risk Response phase, mitigation is selected along the Controls axis.
BECO model. BECO applies BEC to CO, exemplified by USCYBERCOM’s mission. The principal distinctions between the two frameworks are their respective scopes and sets of actors. The scope of BEC is general cybersecurity risk management, whereas the scope of BECO is risk management of full-spectrum CO, as depicted in Figure 7. The BEC risk management framework (RMF) is applied to each BECO actor, thus creating a five-dimensional analysis space of Cyberactors, Security Services, Controls, Planning Levels, and Lines of Operation.
Figure 7. BECO framework.
A comprehensive scope of BECO is assured by its incorporation of a comprehensive set of questions: “who, why, what, how, when, and where.” “Who” are the CO cyberactors, and “why, what, and how” represent the actors’ biases and actions. “When” is the time dimension, the timeframe of the strategic, operational, and tactical levels of CO planning. “Where” is the space dimension, such as USCYBERCOM’s Lines of Operation (LOO), including DoD Network Operations (DNO), Defensive Cyber Operations (DCO), and Offensive Cyber Operations (OCO). DNO provides typical enterprise security within the defense perimeter, and its risk management corresponds to the original BEC. DCO extends DNO with the maneuver capability outside the perimeter and employs Red Teams. OCO engages in global military actions, in which USCYBERCOM’s attackers are on the friendly side. In CO, the scope of actors expands beyond BEC’s Users, Defenders, and Attackers through the consideration of the friendly and adversary sides, as depicted in Figure 8, where the friendly-side USCYBERCOM forces are described by Pellerin (2013b).
The friendly side includes Defenders (fD) such as USCYBERCOM’s Cyber Protection Teams (CPT) and National Mission Teams (NMT), Attackers (fA) such as Combat Mission Teams (CMT), and Red Teams (fRT) testing the friendly defenses. On the adversary side, Attackers (aA) are regular BEC attackers, and Defenders (aD) are BECO entities whose cognitive biases are exploited by fAs. Insiders (aI) are adversarial actors sabotaging the friendly side from inside the friendly defense perimeter; similarly, Spies (fS) support the friendly side from inside the adversary defense perimeter. BECO Users include both adversary Users (aU) and friendly Users (fU), who may undermine the friendly and the adversary sides, respectively.