Security and Privacy News

Using Psychology to Bolster Cybersecurity

Getting into the minds of attackers to protect the enterprise.

brain icons on an aisle of computers

Psychology studies human behavior, inferring what people think based on what they do. Cyberpsychology studies how people act on the Internet.

A new cyberpsychology research program, Reimagining Security with Cyberpsychology-Informed Network Defenses (ReSCIND) from the U.S. Defense Department’s Intelligence Advanced Research Projects activity (IARPA,, focuses on how cybercriminals act and think.

According to IARPA program manager Kimberly Ferguson-Walter, the ReSCIND program aims to study the cyberpsychology of cybercriminals in order to isolate the weaknesses in how they think to improve cybersecurity.

The research could lead to cyber defenses that slow or prevent attacks by leveraging those weaknesses to influence attacker behavior. The ReSCIND program will apply scientific methods to human subjects showing cybercriminal behavior.

The government and the private sector engage cybersecurity vendors to help protect information assets using advanced deception technologies.

According to Ferguson-Walter, classical deception approaches have used fake machines and passwords called decoys and honey tokens to lure and distract cybercriminals while alerting cyber defenders.

Today’s deception techniques use advances in emerging technologies to protect complex modern Information Technology (IT) and Operational Technology (OT) environments.

Cyberpsychologists and cybersecurity experts alike have high hopes for cyberpsychology enhancements to cybersecurity. Some have short-term expectations for practical applications.

Yet challenges remain.

Back to Top

How Cyberpsychology Could Bolster Cybersecurity

Most of the progress in the cybersecurity arena involves cyberpsychology, said Fred Cohen, an American computer scientist best known as the inventor of computer virus defense techniques, now CEO of the company Management Analytics.

“The cyberpsychology field is much richer than the technical field. We have largely burned out the technical aspects of cybersecurity,” said Cohen.

According to Cohen, the experimental research that yielded his 2001 paper “Red Teaming Experiments” with Deception Technologies established the long-term viability of cyberpsychology for cybersecurity.

IARPA ReSCIND could take cyberpsychology beyond deception techniques.

“The ReSCIND program aims to improve cybersecurity by developing a novel set of cyberpsychology-informed defenses that leverage attackers’ human limitations, such as their innate decision-making biases or cognitive vulnerabilities,” said Ferguson-Walter.

A cybercriminal’s cognitive biases are the weaknesses in how they think that lead them to show certain behaviors during attacks. Using cyberpsychology, defenders could exploit those weaknesses, triggering behaviors to their advantage.

According to Ferguson-Walter, the IARPA ReSCIND program wants to develop algorithms that automatically adapt new cyber defenses to the same cybercriminal behaviors seen in the research.

Research from Palvi Aggarwal, assistant professor of computer science at the University of Texas at El Paso, offers an example of how such algorithms could work.

In Aggarwal’s research, published in Computer & Security, attackers were risk-averse in their decision-making. Criminal hackers showed their risk-averse behavior by demonstrating their preference for attacks on machines with low rewards but a high probability of success. It appeared far more important to them to avoid the appearance of failure of an attack than it was to see a significant payoff for their efforts.

If, for example, the ReSCIND program could use Aggarwal’s results in its algorithms, the resulting cyber defenses might present criminal hackers with low-risk, low-reward targets to steer them away from the high-value assets an organization needs to protect the most.

Aggarwal has applied to take part in the ReSCIND program.

Back to Top

Learning How Cybercriminals Think

The ReSCIND program needs new human-subjects research to explore dynamic cyberattack tasks with skilled human participants, said Ferguson-Walter.

The ReSCIND program must study subjects engaging in criminal hacker behavior.

Mary Aiken, professor of cyberpsychology at Capitol Technology University in Laurel, MD, who applied to take part in ReSCIND, has gathered some interesting data on cybercrime behaviors from human subjects.

According to Aiken, she investigated the human and technical drivers of cybercrime during her time as the lead researcher on a pan-European research project. Aiken said she surveyed 8,000 16- to 19-year-olds across nine EU countries.

What she found in that research was just under half the participants (47.76%) reported having engaged in cybercriminal behavior in the previous 12 months, said Aiken.

She also found that 11.8% of teens surveyed reported they use Dark Web Forums and, even more concerningly, 10.7% reported use of Darknet Markets, she reported.

Darknet Markets host malicious tools for cybercriminals and stolen data, including user credentials (such as usernames and passwords).

“A unique and significant finding from our research was a strong relationship between key risk-taking and cybercriminal behaviors,” said Aiken. The behaviors included hacking, cyber fraud, and identity theft, among others, according to Aiken.

In a survey of 8,000 16- to 19-year-olds across nine European countries, nearly half admitted engaging in cybercrinimal behavior in the previous 12 months.

“We also investigated relevant behavioral traits,” said Aiken. These include compulsive, impulsive, and obsessive behaviors online, she explained.

Ferguson-Walter has hypothesized several cognitive biases that could apply to influencing attacker behavior. New defender solutions could use these biases to get an attacker to believe they had achieved a lot of obfuscation inside the network so they will take more chances. That could make it easier for defenders to catch them.

“But a cyber defender might have different goals,” said Ferguson-Walter. “They might want attackers to take less-risky behavior because they’re trying to protect some key asset and need more time to mitigate the attack,” she explained.

Back to Top

How Cyberpsychology Is Used in Cybersecurity

Advances in deception techniques, such as digital twins and operational technology (OT) simulations, have served public and private organizations well.

CounterCraft’s External Attack Surface Management with Digital Twins: A Case Study ( describes how a CounterCraft global banking customer used that company’s The Edge deception solution to create a digital twin of its application programming interface (API) system to lure attackers and gather intelligence about attacks on the bank’s systems.

A digital twin is indistinguishable from the genuine system. It enabled the bank to quickly attract an organized, successful attack on the digital twin. The bank used CounterCraft’s The Edge threat intelligence solution to filter and collect the attackers’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs). IoCs are clues to an attack, and TTPs are how cybercriminals go about attacks. The record of the attack enabled the bank to harden the API system and other systems against similar vulnerabilities in future attacks.

According to a whitepaper from Pacific Northwest National Laboratory (PNNL) and Attivo Networks titled Model Driven Deception for Defense of Operational Technology Environments, the U.S. Department of Energy (DoE) uses deception technologies to safeguard critical infrastructure. The report recounts a Proof of Concept (PoC) using deception to protect operational technology (OT) at an electrical distribution substation.

The PoC used the Attivo BOTsink platform, which presented the believable yet simulated results of an OT attack to cybercriminals. The BOTsink solution convinced the attackers that downstream sensors had detected them turning off a simulated valve.

OT devices communicate using multiple network protocols, controlling and monitoring variables and responding according to a specified logic. OT controllers and applications exchange commands based on sensor data. Attackers expect to see reactions in controllers in response to their malicious activities.

The OT simulation foresaw the real-world symptoms and events and duplicated them effectively. (Sentinel One acquired Attivo Networks in 2022.)

Back to Top

Short-Term Returns, Hopes, and Challenges

Practical applications from cyberpsychology research should appear in the marketplace within three to five years, according to Justin Cappos, associate professor of computer science and engineering at the New York University Tandon School of Engineering. “We’re looking at more intuitive API behavior and smarter cellphone use, such as smartphone permission and privacy policy use,” said Cappos.

“The attackers here are the API designers at Facebook, making money from getting users not to value their privacy correctly. They are the ones exploiting user weakness to achieve their goals,” said Cappos. “The best APIs are so clear that they are hard to misuse. An informed user would often make very different privacy choices than what they do today,” he said.

So, understanding the cyberpsychology of API designers could bolster cybersecurity by requiring transparent and intuitive APIs across the industry. It could also inform users, who could deny smartphone permissions for apps and make other privacy choices.

However, challenges to cyberpsychology remain.

For one, “We need more good researchers in this area of cyberpsychology,” said Cappos.

“There’s much potential here. It’s just that it requires a mix of deep technical and psychological skills. We rarely see those skills together,” Cappos said.

Yet recognition of the significance of the field of cyberpsychology is growing, and funding from IARPA for the ReSCIND program is a clear sign of it.

“When the government puts money into an area, it can jump-start research throughout industry and academia. We invest in high-risk, high-payoff research to achieve things that industry and academia wouldn’t have pursued promptly,” said Ferguson-Walter, referring to IARPA’s recent investment in cyberpsychology via ReSCIND.

It will be interesting to see what well-funded cyberpsychology research can do for cybersecurity. However, no amount of money will turn it into a cure-all for cyberthreats.

“It’s doubtful that cyberpsychology alone can make a major dent, because so many people are trying to attack us from so many angles.”

Said Cappos, “It’s doubtful that cyberpsychology alone can make a major dent, because so many people are trying to attack us from so many angles. I’m optimistic about it helping us make certain things better. Still, I don’t think it’s going to be the silver bullet for cybersecurity problems.”

*  Further Reading

CounterCraft—Cyberspace Deception U.S. Defense Innovation Unit,

Ferguson-Walter, K.J.
An Empirical Assessment of the Effectiveness of Deception for Cyber Defense. March 2020. University of Massachusetts, Amherst.

Edgar, T.W., Hofer, W., and Feghali, M.
Model Driven Deception for Defense of Operational Technology Environments. September 2020. Pacific Northwest National Laboratory. Attivo Networks.

Aggarwal, P. et al.
Designing effective masking strategies for cyber defense through human experimentation and cognitive models. June 2022. Computer & Security.

Fred Cohen & Associates, Red Teaming Experiments with Deception Technologies,


Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More