Cyber security has been a growing focus within the human factors community. Over the last several years, human-centered cyber research has provided valuable insights into the cognitive and collaborative work within cyber operations, but has largely ignored how the genesis, intentions, methods and outcomes of cyber attacks impact human-related outcomes. Leveraging insights from other, more technologically focused communities, the goal of this paper is to synthesize previous work and to present a unified, descriptive framework of cyber attacks. Our framework, which consists of three dimensions, adversarial, methodological, and operational, aims to maintain the rich interactions between the components of a cyber attack while offering a further abstraction useful to future human factors research. We present each dimension in terms of the previous techno-centered research, demonstrate how the human factors community can contribute to our understanding, and ground each within the context of the StuxNet virus.
Get full access to this article
View all access options for this article.
References
1.
BahrG. S.FordR. A. (2011). How and why pop-ups don’t work: Pop-up prompted eye movements, user affect and decision making. Computers in Human Behavior, 27 (2), 776-783.
2.
BalloraM.GiacobeN. A.McNeeseM.HallD. L. (2012). Information data fusion and computer network defense. In OnwubikoC.OwensT. (Eds.), Situational awareness in computer network defense: Principles, methods and applications (pp. 141-164). Hershey, PA: IGI Global.
3.
BilgeL.DumitrasT. (2012, October). Before we knew it: An empirical study of zero-day attacks in the real world. Paper presented at the 2012 ACM Conference on Computer and Communications Security, Raleigh, NC.
4.
BishopM. (1999). Vulnerabilities analysis. Proceedings of the Recent Advances in Intrusion Detection (RAID) International Symposium, 2, 125-136.
5.
ChampionM. A.RajivanP.CookeN. J.JariwalaS. (2012, March). Team-based cyber defense analysis. IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support, 2, 218-221.
6.
ChenT. M.Abu-NimehS. (2011). Lessons from StuxNet. Computer, 44 (4), 91-93.
7.
DuttV.AhnY. S.GonzalezC. (2013). Cyber situation awareness modeling: Detection of cyber attacks with instance-based learning theory. Human Factors: The Journal of the Human Factors and Ergonomics Society, 55 (3), 605-618.
FinomoreV.SitzA.BlairE.RahillK.ChampionM.FunkeG.MancusoV.KnottB. (2013). Effects of Cyber Disruption in a Distributed Team Decision Making Task. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 55, 394-398.
10.
GiacobeN. A. (2013). A Picture is Worth a Thousand Alerts. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 57, 172-176.
11.
HancockP. A.SzalmaJ. L.Operator Stress and Display Design. Ergonomics in Design: The Quarterly of Human Factors Applications, 11, 13-18
12.
HansmanS.HuntR. (2005). A Taxonomy of Network and Computer Attacks. Computers & Security, 24(1), 31-43.
13.
HowardJ. D. (1997). An Analysis of Security Incidents on the Internet 1989-1995 (DTIC Publication No. ADA 38-9085). Retrieved from DoD Technical Information to Support the Warfighter website: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA389085.
14.
HongK. W.KelleyC. M.TembeR.Murphy-HillE.MayhornC. B. (2013). Keeping Up with the Joneses: Assessing Phishing Susceptibility in an Email Task. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 57, 1012-1016.
15.
IqbalS. T.HorvitzE. (2007, May). Disruption and Recovery of Computing Tasks: Field Study, Analysis, and Directions. Paper Presented at the 2007 SIGCHI Conference on Human Factors in Computing Systems, San Jose, CA.
16.
JyothsnaV.PrasadV. V.PrasadK. M. (2011). A Review of Anomaly Based Intrusion Detection Systems. International Journal of Computer Applications, 28(7), 26-35.
KelleyC. M.HongK. W.MayhornC. B.Murphy-HillE. (2012). Something Smells Phishy: Exploring Definitions, Consequences, and Reactions to Phishing. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 56, 2108-2112.
19.
KjaerlandM. (2005). A Classification of Computer Security Incidents Based on Reported Attack Data. Journal of Investigative Psychology and Offender Profiling, 2(2), 105-120.
20.
KnottB. A.MancusoV. F.BennettK.FinomoreV.McNeeseM.McKneelyJ. A.BeecherM. (2013). Human Factors in Cyber Warfare Alternative Perspectives. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 57, 399-403.
21.
LandwehrC. E.BullA. R.McDermottJ. P.ChoiW. S. (1994). A Taxonomy of Computer Program Security Flaws. ACM Computing Surveys (CSUR), 26(3), 211-254.
LangtonJ. T.BakerA. (2013, June). Information Visualization metrics and Methods for Cyber Security Evaluation. Paper presented at 2013 IEEE International Conference on Information Visualization Metrics and Methods for Cyber Security Evaluation. In Intelligence and Security Informatics (ISI), 292-294). Seattle, WA.
24.
LoughD. L. (2001). A Taxonomy of Computer Attacks with Applications to Wireless Networks (Doctoral dissertation). Retrieved from Virginia Polytechnic Institute and State University Digital Library and Archives website: http://scholar.lib.vt.edu/theses/available/etd-04252001-234145.
MancusoV.FunkeG. J.FinomoreV.KnottB. A. (2013). Exploring the Effects of “Low and Slow” Cyber Attacks on Team Decision Making. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 57, 389-393.
28.
MancusoV.McNeeseM. D. (2012). Effects of Integrated and Differentiated Team Knowledge Structures on Distributed Team Cognition. Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 56, 388-392.
29.
MeyersC.PowersS.FaissolD. (2009). Taxonomies of Cyber Adversaries and Attacks: A Survey of Incidents and Approaches (Report No. LLNL-TR-419041). Retrived from Lawrence Livermore National Laboratory website: https://e-reports-ext.llnl.gov/pdf/379498.pdf.
30.
ParasuramanR.SheridanT. B.WickensC. D. (2000). A model for types and levels of human interaction with automation. IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, 30(3), 286-297.
31.
RoweN. (2006, March). A taxonomy of deception in cyberspace. Paper Presented at International Conference on Information Warfare and Security, Princess Anne, MD, 173-181.
32.
ScheirerJ.FernandezR.KleinJ.PicardR. W. (2002). Frustrating the user on purpose: a step toward building an affective computer. Interacting with computers, 14(2), 93-118.
TyworthM.GiacobeN.MancusoV.McNeeseM.HallD. (2013) A Human-In-The-Loop Approach to Understanding Situation Awareness in Cyber Defense Analysis. EAI Endorsed Transactions on Security and Safety. 13 (3), 1-10.
35.
U.S. Joint Staff. (2006). Joint Publication 3-13: Doctrine for Information Operations. Washington, D.C.: U.S. Government Printing Office. Retrieved from http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.
36.
Van HeerdenR. P.IrwinB.BurkeI. D. (2012). Classifying network attack scenarios using an Ontology. Proceedings of the International Conference on Information Warfare and Security, 7, 311-324.
37.
WilshusenG. (2007) Cybersecurity: A Better Defined and Implemented National Strategy is Needed to Address Persistent Challenges (GAO-13-462T). Retrieved From U.S. Government Accountability website: http://www.gao.gov/assets/660/652817.pdf
