2019
DOI: 10.1177/1071181319631096

Are Cyber Attackers Thinking Fast and Slow? Exploratory Analysis Reveals Evidence of Decision-Making Biases in Red Teamers

Abstract: We report on whether cyber attacker behaviors contain decision making biases. Data from a prior experiment were analyzed in an exploratory fashion, making use of think-aloud responses from a small group of red teamers. The analysis provided new observational evidence of traditional decision-making biases in red team behaviors (confirmation bias, anchoring, and take-the-best heuristic use). These biases may disrupt red team decisions and goals, and simultaneously increase their risk of detection. Interestingly,…

Cited by 12 publications (12 citation statements)
References 27 publications
“…Deception presence specifically alters the gain versus loss perspective of interacting with machines in the network toward uncertainty. Framing was also observed in prior research in which telling red team members that deception may be present in the network, versus not, led them to further investigate machines to determine if they were real or fake - even when that was not the central mission (Ferguson-Walter et al, 2017; Gutzwiller et al, 2019).…”
Section: Goal Of the Study (mentioning)
confidence: 83%
“…Researchers have only begun to study humans in their various roles across all operational segments of cyber, from the naïve user to the advanced professional (Bennett et al, 2018; Buchler et al, 2018; Ferguson-Walter et al, 2019; Gutzwiller et al, 2015, 2018, 2019; Johnson, 2022; Sawyer et al, 2014; Trent et al, 2016, 2019). More recently, this research has expanded to more offense-related cybersecurity operations, using hackers and penetration testers, and even early models of behaviors (Aggarwal et al, 2016, 2017; Cranford et al, 2020a, 2020b).…”
Section: Introduction (mentioning)
confidence: 99%
“…Traditionally, research has focused on reducing biases and decision-making errors, but OHF research examined the impact of biases on cyber attacker decision-making, intending to disrupt cyber attacker performance by inducing or intensifying biases that degrade attacker performance. For example, individual red team hackers operating as a team in a real network were found to show preliminary evidence of multiple biases, including framing effects, the sunk-cost bias, irrational escalation, illusion of control, the take-the-best bias, confirmation bias, and anchoring bias (Gutzwiller et al, 2018; Gutzwiller et al, 2019). Because cyber attackers commonly operate within teams, cognitive biases can cascade to impact the performance of the rest of the team.…”
Section: Team Cognitive Biases (mentioning)
confidence: 99%