Many Phish in the $\mathcal{C}$: A Coexisting-Choice-Criteria Model of Security Behavior
Authors:
Iain Embrey,
Kim Kaivanto
Abstract:
Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision wi…
▽ More
Normative decision theory proves inadequate for modeling human responses to the social-engineering campaigns of Advanced Persistent Threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social-engineering attack vectors, which operate through emotions and peripheral-route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by $\mathcal{C}$. Thus the proposed model reduces to conventional Expected Utility theory when $|\,\mathcal{C}_{\text{EU}}|=1$, whilst Dual-Process (thinking fast vs. thinking slow) decision making corresponds to a model with $|\,\mathcal{C}_{\text{DP}}|=2$. We consider a more general case with $|\,\mathcal{C}|\geq 2$, which necessitates careful consideration of _how_, for a particular choice-task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decision maker as well as upon the context and the framing of choice options. Whereas existing Signal Detection Theory (SDT) models of phishing detection commingle the different peripheral-route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security-breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the `step**-stone' penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.
△ Less
Submitted 15 November, 2018;
originally announced November 2018.
Risks and Transaction Costs of Distributed-Ledger Fintech: Boundary Effects and Consequences
Authors:
Kim Kaivanto,
Daniel Prince
Abstract:
Fintech business models based on distributed ledgers -- and their smart-contract variants in particular -- offer the prospect of democratizing access to faster, anywhere-accessible, lower cost, reliable-and-secure high-quality financial services. In addition to holding great, economically transformative promise, these business models pose new, little-studied risks and transaction costs. However, t…
▽ More
Fintech business models based on distributed ledgers -- and their smart-contract variants in particular -- offer the prospect of democratizing access to faster, anywhere-accessible, lower cost, reliable-and-secure high-quality financial services. In addition to holding great, economically transformative promise, these business models pose new, little-studied risks and transaction costs. However, these risks and transaction costs are not evident during the demonstration and testing phases of development, when adopters and users are drawn from the community of developers themselves, as well as from among non-programmer fintech evangelists. Hence, when the new risks and transaction costs become manifest -- as the fintech business models are rolled out across the wider economy -- the consequences may also appear to be new and surprising. The present study represents an effort to get ahead of these developments by delineating risks and transaction costs inherent in distributed-ledger- and smart-contracts-based fintech business models. The analysis focuses on code risk and moral-hazard risk, as well as on mixed-economy risks and the unintended consequences of replicating bricks-and-mortar-generation contract forms within the ultra-low transaction-cost environment of fintech.
△ Less
Submitted 27 February, 2017;
originally announced February 2017.