Evolving Cyber-threats and Countermeasures: Mathematical, Behavioral and Legal Perspectives
Prof. Joachim Meyer and Prof. Ronen Avraham
The proposed research addresses a set of interrelated research questions, combining analytical (optimization), behavioral (experimental economic and psychology) and legal perspectives. From a behavioral modeling perspective we will develop quantitative models to predict users’ behavior in environments with changing threats and information about threats, and we will validate the models with empirical studies (see Meyer, 2004, Meyer et al., 2014, Möller et al., 2011 for some related research). Under what conditions will end-users be particularly vulnerable to attacks? What will affect end-user’s motivation to prevent security threats? We will then extend this research, addressing questions, such as what advice, alerts or nudges can be used so that end users respond positively to this information, avoiding "cry wolf" and information-overload effects, due to which users cease to respond to indications (Akhawe & Porter Felt, 2013)?
We will address these questions from a legal perspective, asking about rules for warning end-users in a rapidly changing environment: When should, for instance, companies be required to alert end-users about emerging threats, to delete end-user accounts because using them may create a risk for the end-user, to cease marketing a service because it can be used to attack end-users, etc.? In this context we will consider the results from the analytic and behavioral parts, trying to predict how different policies regarding the issuing of alerts will affect the overall outcomes at the individual user and at the system level.