A Human Study of Cognitive Biases in Web Application Security
Yuwei Yang, Skyler Grandel, Daniel Balasubramanian, Yu Huang, Kevin Leach

TL;DR
This study investigates how cognitive biases such as Satisfaction of Search and Loss Aversion influence decision-making in web application security CTF challenges, showing that these biases affect participants' success and offering insights for improved cybersecurity training.
Contribution
It introduces a controlled human study analyzing cognitive biases in CTF tasks, highlighting their effect on attacker performance and suggesting strategies to leverage biases for better security education.
Findings
Participants with Satisfaction of Search bias found 25% fewer flags.
Cognitive biases significantly affect decision-making in security challenges.
Insights can inform improved cybersecurity training methods.
Abstract
Cybersecurity training has become a crucial part of computer science education and industrial onboarding. Capture the Flag (CTF) competitions have emerged as a valuable, gamified approach for developing and refining the skills of cybersecurity and software engineering professionals. However, while CTFs provide a controlled environment for tackling real-world challenges, the participants' decision-making and problem-solving processes remain underexplored. Recognizing that psychology may play a role in a cyber attacker's behavior, we investigate how cognitive biases could be used to improve CTF education and security. In this paper, we present an approach to control cognitive biases, specifically Satisfaction of Search and Loss Aversion, to influence and potentially hinder attackers' effectiveness against web application vulnerabilities in a CTF-style challenge. We employ a rigorous…
Taxonomy
Topics: Information and Cyber Security
