Hacking the Human: The Prevalence Paradox in Cybersecurity

This paper is the winner of the 2017 Human Factor’s Prize!

Rare signals are more difficult to find, even when taking into account their low occurrence. This phenomenon is termed “the prevalence effect”, and these failures-to-find represent diminished human capability to both detect and respond. It is a recognized, and often deadly problem in air traffic control, baggage screening, and cancer diagnosis. In cybersecurity the environment is entirely artificial, it may actually be possible to manufacture conditions enhancing or degrading human performance. This work assesses the efficacy of the “prevalence effect” as a form of human-directed cyberattack. To do so, we employed The Email Testbed (ET), a simulation of a clerical work setting requiring responding to workplace messages containing sensitive personal information. Within this testbed, participant received cyberattacks either rarely, infrequently, or frequently. Results demonstrated the existence and power of prevalence effects in email cybersecurity, with rare attacks significantly more likely to succeed. In the cyber realm, the potential to artificially inflict this state on adversaries is considered, and evidence is presented that hackers are already using such attacks. We further suggest a “prevalence paradox” in which, as automation reduces the number of attacks each human operator encounters, they are increasingly likely to fail in detecting and reporting remaining attacks. When machine successes become the seeds of human failure, what implications to human-machine teaming must arise from this prevalence paradox?

This paper is still in press…