Decision-Making Biases in Cybersecurity: Measuring the Impact of the Sunk Cost Fallacy to Delay Attacker Behavior

Cyber operations are a complex sociotechnical system where humans and computers are operating in an environments in constant flux, as new technology and procedures are applied. Once inside the network, establishing a foothold, or beachhead, malicious actors can collect sensitive information, scan targets, and execute an attack.Increasing defensive capabilities through cyber deception shows great promise by providing an opportunity to delay and disrupt an attacker once network perimeter security has already been breached. Traditional Human Factors research and methods are designed to mitigate human limitations (e.g., mental, physical) to improve performance. These methods can also be used combatively to upend performance. Oppositional Human Factors (OHF), seek to strategically capitalize on cognitive limitations by eliciting decision-making errors and poor usability. Deceptive tactics to elicit decision-making biases might infiltrate attacker processes with uncertainty and make the overall attack economics unfavorable and cause an adversary to make mistakes and waste resources. Two online experimental platforms were developed to test the Sunk Cost Fallacy in an interactive, gamified, and abstracted version of cyber attacker activities. This work presents the results of the Cypher platform. Offering a novel approach to understand decision-making and the Sunk Cost Fallacy influenced by factors of uncertainty, project completion and difficulty on progress decisions. Results demonstrate these methods are effective in delaying attacker forward progress, while further research is needed to fully understand the context in which decision-making limitations do and do not occur. The second platform, Attack Surface, is described. Limitations and lessons learned are presented for future work.