A Descriptive Model for Modelling Attacker Decision-Making in Cyber-Deception

TL;DR

This paper introduces a descriptive model that captures the psychological and strategic factors influencing an attacker's decision to engage or withdraw in cyber-deception scenarios, aiming for more realistic and effective defense strategies.

Contribution

It presents a novel model incorporating cognitive and strategic components to analyze attacker engagement decisions, filling a gap in existing game-theoretic approaches.

Findings

Framework for analyzing engagement decisions in cyber-deception

Experimental design combining behavioural and biometric data

Potential to improve understanding of adversarial decision-making

Abstract

Cyber-deception is an increasingly important defensive strategy, shaping adversarial decision making through controlled misinformation, uncertainty, and misdirection. Although game-theoretic, Bayesian, Markov decision process, and reinforcement learning models offer insight into deceptive interactions, they typically assume an attacker has already chosen to engage. Such approaches overlook cognitive and perceptual factors that influence an attacker's initial decision to engage or withdraw. This paper presents a descriptive model that incorporates the psychological and strategic elements shaping this decision. The model defines five components, belief (B), scepticism (S), deception fidelity (D), reconnaissance (R), and experience (E), which interact to capture how adversaries interpret deceptive cues and assess whether continued engagement is worthwhile. The framework provides a structured method for analysing engagement decisions in cyber-deception scenarios. A series of experiments has been designed to evaluate this model through Capture the Flag activities incorporating varying levels of deception, supported by behavioural and biometric observations. These experiments have not yet been conducted, and no experimental findings are presented in this paper. These experiments will combine behavioural observations with biometric indicators to produce a multidimensional view of adversarial responses. Findings will improve understanding of the factors influencing engagement decisions and refine the model's relevance to real-world cyber-deception settings. By addressing the gap in existing models that presume engagement, this work supports more cognitively realistic and strategically effective cyber-deception practices.