Exploring the Effects of “Low and Slow” Cyber Attacks on Team Decision Making

Mancuso, Vincent; Funke, Gregory J.; Finomore, Victor; Knott, Benjamin A.

doi:10.1177/1541931213571084

Cited by 8 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To date, most of this research has been focused on social engineering tactics (e.g. Kelly et al, 2012;Hong et al, 2013), and information operations (Finomore et al, 2013;Mancuso et al, 2013), but these represent a small sample of possible vectors that could affect humans.…”

Section: Methodologicalmentioning

confidence: 99%

“…Previous research considering the outcome of cyber attacks has been limited and mainly focused on decision making outcomes, rather than on more sensitive effects that may be longitudinal (e.g. Finomore et al, 2013;Hong et al, 2013;Kelly et al, 2012;Mancuso et al, 2013). As new types of attacks emerge, and with the constant threat of traditional cyber attacks looming, future research must aim to understand the full scope of operational outcomes across technological, human-centered, and socio-organizational variables.…”

Section: Operationalmentioning

confidence: 99%

See 1 more Smart Citation

Human Factors of Cyber Attacks

Mancuso

Strang²,

Funke

et al. 2014

Proceedings of the Human Factors and Ergonomics Society Annual

Self Cite

View full text Add to dashboard Cite

Cyber security has been a growing focus within the human factors community. Over the last several years, human-centered cyber research has provided valuable insights into the cognitive and collaborative work within cyber operations, but has largely ignored how the genesis, intentions, methods and outcomes of cyber attacks impact human-related outcomes. Leveraging insights from other, more technologically focused communities, the goal of this paper is to synthesize previous work and to present a unified, descriptive framework of cyber attacks. Our framework, which consists of three dimensions, adversarial, methodological, and operational, aims to maintain the rich interactions between the components of a cyber attack while offering a further abstraction useful to future human factors research. We present each dimension in terms of the previous techno-centered research, demonstrate how the human factors community can contribute to our understanding, and ground each within the context of the StuxNet virus.

show abstract

Section: Methodologicalmentioning

confidence: 99%

Section: Operationalmentioning

confidence: 99%

Human Factors of Cyber Attacks

Mancuso

Strang²,

Funke

et al. 2014

Proceedings of the Human Factors and Ergonomics Society Annual

Self Cite

View full text Add to dashboard Cite

show abstract

“…Regarding IT-Security incidents in a hospital environment, there are few published studies. Behavioral research on victims of cyberattacks and the consequences of such attacks have applied different approaches to investigate the stress levels 26 , socio-psychological impacts 27 , and effects on team performance in general 28 . These works have highlighted a strong interaction between psychological and technical factors in a subject area of public interest.…”

mentioning

confidence: 99%

Behavioral responses to a cyber attack in a hospital environment

Willing

Dresen

Gerlitz

et al. 2021

Sci Rep

View full text Add to dashboard Cite

Technical and organizational steps are necessary to mitigate cyber threats and reduce risks. Human behavior is the last line of defense for many hospitals and is considered as equally important as technical security. Medical staff must be properly trained to perform such procedures. This paper presents the first qualitative, interdisciplinary research on how members of an intermediate care unit react to a cyberattack against their patient monitoring equipment. We conducted a simulation in a hospital training environment with 20 intensive care nurses. By the end of the experiment, 12 of the 20 participants realized the monitors’ incorrect behavior. We present a qualitative behavior analysis of high performing participants (HPP) and low performing participants (LPP). The HPP showed fewer signs of stress, were easier on their colleagues, and used analog systems more often than the LPP. With 40% of our participants not recognizing the attack, we see room for improvements through the use of proper tools and provision of adequate training to prepare staff for potential attacks in the future.

show abstract

“…The aim of such attacks is to evade detection for long durations, allowing them to cause as much harm as possible. As a result, such attacks are sometimes referred to as "low and slow" (e.g., Mancuso et al, 2013).It is unknown how effective operators are likely to be at detecting and correctly diagnosing the symptoms of low and slow cyber attacks. Recent research by Hirshfield and colleagues (2015) suggests that the symptoms of the attack may need to be extreme in order to gain operator recognition.…”

mentioning

confidence: 99%

mentioning

confidence: 99%

When actions speak louder than words: Using changes in operator behavior and system efficiency measures to detect the presence of a cyber attack

Satterfield¹,

Mancuso

Strang

et al. 2018

Proceedings of the Human Factors and Ergonomics Society Annual

Self Cite

View full text Add to dashboard Cite

Increases in cyber incidents have required substantial investments in cyber defense for national security. However, adversaries have begun moving away from traditional cyber tactics in order to escape detection by network defenders. The aim of some of these new types of attacks is not to steal information, but rather to create subtle inefficiencies that, when aggregated across a whole system, result in decreased system effectiveness. The aim of such attacks is to evade detection for long durations, allowing them to cause as much harm as possible. As a result, such attacks are sometimes referred to as "low and slow" (e.g., Mancuso et al., 2013).It is unknown how effective operators are likely to be at detecting and correctly diagnosing the symptoms of low and slow cyber attacks. Recent research by Hirshfield and colleagues (2015) suggests that the symptoms of the attack may need to be extreme in order to gain operator recognition. This calls into question the utility of relying on operators for detection altogether. Therefore, one goal for this research was to provide an initial exploration of attack deception and magnitude on operator behavior, performance, and potential detection of the attack.Operators in these systems are not passive observers, however, but active agents attempting to further their task goals. As a result, operators may alter their behavior in response to degraded system capabilities. This suggests that changes in the pattern and frequency of operator behavior following the inception of a cyber attack could potentially be used to detect its onset, even without the operator being fully aware of those changes (Mancuso et al., 2014). Similarly, since low and slow attacks are designed to degrade overall system effectiveness, performance measures of system efficiency, such as frequency and duration of tasks completed, may provide additional means to detect an ongoing cyber attack. As such, a second goal for the present research was to determine whether changes in operator behavior and system efficiency metrics could act as indicators of an active low and slow cyber attack.Participants in this experiment performed a multiunmanned aerial vehicle (UAV) supervisory control task. During the task, participant control over their UAVs was disrupted by a simulated cyber attack that caused affected UAVs to stop flying toward participant-selected destinations and enter an idle state. Aside from halting along their designated flight path, idled UAVs displayed no other indication of the cyber attack. The frequency of cyber attacks increased with time-on-task, such that attacks were relatively infrequent at the beginning of the task, occurring once in every five destination assignments made, and were ubiquitous by the end of the task, occurring after each destination assignment.Attack deception was manipulated with regard to participants' approximate screen gaze location at the time of a cyber attack. In the overt condition, UAVs entered the idle state near the participant's current focal area (indexed by the l...

show abstract

Exploring the Effects of “Low and Slow” Cyber Attacks on Team Decision Making

Cited by 8 publications

References 29 publications

Human Factors of Cyber Attacks

Human Factors of Cyber Attacks

Behavioral responses to a cyber attack in a hospital environment

When actions speak louder than words: Using changes in operator behavior and system efficiency measures to detect the presence of a cyber attack

Contact Info

Product

Resources

About