Authentication is a major component in protecting the security of online user services. An effective implementation of security policies requires compliance from users, who are one class of key stakeholders in the cybersecurity policy decision problem. We examine this multiple stakeholder decision problem by conducting a virtual public values forum, a policy decision structuring methodology to characterize stakeholder values by eliciting essential trade‐offs among conflicting objectives. We assess trade‐offs for a sample of users to explore heterogeneity in user values and the relationship of trade‐offs to both individual user characteristics and online context. We obtained responses from 265 online service users and elicited their trade‐offs among three conflicting objectives related to authentication security: (1) maximizing security, (2) maximizing convenience, and (3) minimizing cost. Using an additive multiattribute value model with four attributes, we obtained scaling coefficients that denote the relative valuation of each attribute to the decision maker and discovered that for the attribute ranges considered, security followed by cost receive the highest priority; however, there is a group of respondents who consider convenience to have higher valuation than either cost or security. We also explore the relationships between user characteristics (self-efficacy, response efficacy, response cost, and perceived severity) and the calculated scaling coefficients.
This study examines how exploiting biases in probability judgment can enhance deterrence using a fixed allocation of defensive resources. We investigate attacker anchoring heuristics for conjunctive events with missing information to distort attacker estimates of success for targets with equal defensive resources. We designed and conducted a behavioral experiment functioning as an analog cyber attack with multiple targets requiring three stages of attack to successfully acquire a target. Each stage is associated with a probability of successfully attacking a layer of defense, reflecting the allocation of resources for each layer. There are four types of targets that have nearly equal likelihood of being successfully attacked, including one type with equally distributed success probabilities over every layer and three types with success probabilities that are concentrated to be lowest in the first, second, or third layer. Players are incentivized by a payoff system that offers a reward for successfully attacked targets and a penalty for failed attacks. We collected data from a total of 1,600 separate target selections from 80 players and discovered that the target type with the lowest probability of success on the first layer was least preferred among attackers, providing the greatest deterrent. Targets with equally distributed success probabilities across layers were the next least preferred among attackers, indicating greater deterrence for uniform‐layered defenses compared to defenses that are concentrated at the inner (second or third) levels. This finding is consistent with both attacker anchoring and ambiguity biases and an interpretation of failed attacks as near misses.