Victoria Fineberg is a Principal Information Assurance Engineer at the Defense Information Systems Agency (DISA). She is a Certified Information Systems Security Professional (CISSP) and has completed the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) programs at the National Defense University's (NDU) iCollege. Victoria holds a Master's degree in Mechanical Engineering from the University of Illinois at Urbana-Champaign, is a licensed Professional Engineer, and is a Senior Member of IEEE. Prior to DISA, Victoria worked for Bell Labs at Lucent Technologies. Her professional interests include cyber security, risk analysis, and the impact of cognitive biases on cyber operations.
This paper proposes a risk-management framework, Behavioral Economics of Cyberspace Operations (BECO), for hardening Cyberspace Operations (CO) with the Behavioral Economics (BE) models of cognitive biases in judgment and decision-making. In applying BE to CO, BECO augments the common assumption of a rational cyber warrior with more realistic expressions of human behavior in cyberspace. While current development of the cyber workforce emphasizes education and training, BECO addresses the typical conditions under which rational decision-making fails and knowledge is neglected. The BECO framework encompasses the full set of cyber actors, including attackers, defenders, and users on both the friendly and adversary sides, across the full CO spectrum in space and time, and offers a structured approach to cognitive bias mitigation.
This article describes several cybersecurity innovations. First, it proposes to integrate behavioral economics' findings on biases in judgment and decision-making into cyber strategies, policies, and guidance using a new framework called Behavioral Economics of Cybersecurity, or BEC. Second, it aligns BEC with NIST's Risk Management Framework by treating persistent human biases as a special type of vulnerability in the Risk Assessment phase and by controlling these biases in the Risk Response phase. Third, it defines the BEC structure using a Zachman-like two-dimensional framework of cyber actors (Users, Defenders, and Attackers) viewed from three cybersecurity perspectives (Confidentiality, Integrity, and Availability). The paper also provides examples of how common cybersecurity exploits map into the BEC framework.