Social Behavioral and Economic Sciences (SBE) Address Human Factors in Cybersecurity
1. Social Behavioral and Economic
Sciences (SBE) in Secure and
Trustworthy Cyberspace (SaTC)
Peter Muhlberger
Program Director
SBE / SaTC
2. Motivation
• Government, industry, scientists, cybersecurity
people worried about American vulnerabilities
– Estimates of home user machines that are
compromised: 15-50%
– Estimated amount of corporate information hacked
each day: petabytes
– Anticipated vulnerability to cyberattack by state
actors: e.g., (unsophisticated) Iran cyber attacks at
multiple U.S. banks, including Capital One
• Greater cybersecurity is a pressing national need.
3. Why SBE sciences?
• Increasing recognition by government officials and computer scientists that
cybersecurity is not merely a technical problem
– Attackers: intentional agents
• Look for and find vulnerabilities
– Users: intentional and imperfect agents
• Intentions & incentives / motivation: insider threat
• Intentions & incentives: trying to get work done in competitive environments, often don’t make time
for arcane issues
• Numerous limitations in cognitive processes
• Addressing cybersecurity issues necessarily involves addressing the human
component of these issues
• SBE sciences offer a rigorous, scientific approach to developing generalizations
about human motivation, behavior, and cognition
– Such an approach should be more effective than purely applied approaches: allows
abstraction, generalization; allows understanding causal mechanisms; allows prediction
– Admittedly, the capacity and accuracy of generalization and prediction in the social sciences is
not like in physics, but few things are
– Still, we can do better than hit or miss, purely applied approaches
– Can tap enormous literatures and apply these in cybersecurity settings, perhaps with new
twists
4. SBE Challenges
• Computer scientists and govt officials not familiar
• Particularly not familiar with non-economic approaches
– NITRD: Networking and Information Technology Research and
Development Subcommittee has defined 5 Cybersecurity R&D Themes
• Only one of these is social science and calls for research in cybereconomic
incentives
• A broad swath of the social sciences could be brought to bear,
including research in economic incentives and systems, cognition,
motivation, organizations, political actors, social networks,
criminology and much more.
– Behavioral economics: Already aware of ‘non-economic’ approaches
• A challenge to social scientists but also computer scientists: to
know enough about each other’s work to see what might prove
highly fruitful if strands of research were combined.
• Another challenge: working together while meeting career goals.
5. Goals for Today
• Build awareness of what is going on in the
social sciences and computer sciences
• Identify what might prove valuable to your
research
• Make connections that might eventually grow
into collaborations