As technology advances and organizations implement more robust security systems, it has become increasingly difficult for cybercriminals to penetrate these defenses using purely technical methods. In response, cybercriminal groups start to leverage techniques that exploit human errors within the organization to bypass security systems. The two most critical human mistakes that can occur within an organization are clicking on links or downloading files from suspicious emails and failing to update operating systems, software, or browsers in a timely manner. In this paper, we simulate hybrid spearphishing and watering hole attacks to analyze the actual effectiveness of investments in phishing education and system updates. Each simulation adjusts the level of phishing training and the employees’ proactivity in system updates to evaluate how these measures effectively reduce organizational vulnerability to cyber attacks. This study clarifies the efficacy of cybersecurity investments, assisting organizations to establish security policies based on clearer evidence.
MacalCMNorthMJ.Agent-based modeling and simulation. In: Proceedings of the 2009 winter simulation conference (WSC), 13 December 2009, pp. 86–98. IEEE.
11.
CarleyKMFridsmaDBCasmanE, et al. BioWar: scalable agent-based model of bioattacks. IEEE Trans Syst Man Cybern Part A Syst Hum2006; 36: 252–265.
12.
KavakHPadillaJJVernon-BidoD, et al. Simulation for cybersecurity: state of the art and future directions. J Cybersecur2021; 7: 1–13.
13.
VestadAYangB. A survey of agent-based modeling for cybersecurity. In: Human factors in cybersecurity, 2024.
14.
GorodetskiVIKarsayevOKhabalovA, et al. Agent-based model of computer network security system: a case study. In: Information assurance in computer networks: methods, models and architectures for network security international workshop MMM-ACNS, St. Petersburg, 21–23 May 2001, pp. 39–50. Berlin: Springer.
15.
ZakiMSobhTS.A cooperative agent-based model for active security systems. J Netw Comput Appl2004; 27: 201–220.
16.
KotenkoI. Agent-based modeling and simulation of cyber-warfare between malefactors and security agents in internet. In: 19th European simulation multiconference simulation in wider Europe, 1 Jun 2005.
17.
ShinJCarleyLRDobsonGB, et al. Beyond accuracy: cybersecurity resilience evaluation of intrusion detection system against DoS attacks using agent-based simulation. In: 2023 winter simulation conference (WSC), 10 December 2023, pp. 118–129. New York: IEEE.
18.
CharitoudiKBlythAJ.An agent-based socio-technical approach to impact assessment for cyber defense. Inf Secur J2014; 23: 125–136.
19.
BurnsAJPoseyCCourtneyJF, et al. Organizational information security as a complex adaptive system: insights from three agent-based models. Inf Syst Front2017; 19: 509–524.
20.
DobsonGBCarleyKM.Cyber-FIT: an agent-based modelling approach to simulating cyber warfare. In: Social, cultural, and behavioral modeling: 10th international conference, SBP-BRiMS 2017, Washington, DC, 5–8 July 2017, pp. 139–148. Cham: Springer International Publishing.
21.
OsterritterLJCarleyKM. Modeling interventions for insider threat. In: Social, cultural, and behavioral modeling: 13th international conference, SBP-BRiMS 2020, Washington, DC, 18–21 October 2020, pp. 55–64. Cham: Springer International Publishing.
22.
ShinJDobsonGBCarleyKM, et al. OSIRIS: organization simulation in response to intrusion strategies. In: International conference on social computing, behavioral-cultural modeling and prediction and behavior representation in modeling and simulation, 18 September 2022, pp. 134–143. Cham: Springer International Publishing.
23.
BlytheJBotelloASuttonJ, et al. Testing cyber security with simulated humans. Proc AAAI Conf Artif Intell2011; 25: 1622–1627.
24.
RajivanPJanssenMACookeNJ.Agent-based model of a cyber security defense analyst team. Proc Human Factors Ergon Soc Annu Meet2013; 57: 314–318.
25.
DobsonGBCarleyKM. A computational model of cyber situational awareness. In: Social, cultural, and behavioral modeling: 11th international conference, SBP-BRiMS 2018, Washington, DC, 10–13 July 2018, pp. 395–400. Cham: Springer International Publishing.
26.
ShinJCarleyLRDobsonGB, et al. Modeling and simulation of the human firewall against phishing attacks in small and medium-sized businesses. In: 2023 Annual modeling and simulation conference (ANNSIM), 23 May 2023, pp. 369–380. IEEE.
27.
ShinJChangalTCarleyLR, et al. Impact of operating system updates on cybercriminal access duration: a simulation-based study. In: 2024 winter simulation conference (WSC) poster session.
28.
PwC Threat Intelligence. Yellow Liderc ships its scripts and delivers IMAPLoader malware. PwC2023.
29.
ShinJCarleyLRCarleyKM. Simulation-based study on false alarms in intrusion detection systems for organizations facing dual phishing and dos attacks. In: 2024 annual modeling and simulation conference (ANNSIM), 20 May 2024, pp. 1–13. IEEE.
30.
ShinJDobsonGBCarleyLR, et al. Revelation of system and human vulnerabilities across MITRE ATT&CK techniques with insights from ChatGPT. CASOS technical report, 28December2023.
31.
ShinJCarleyKMCarleyLR. Integrating human factors into agent-based simulation for dynamic phishing susceptibility. In: International conference on social computing, behavioral-cultural modeling and prediction and behavior representation in modeling and simulation, 16 September 2023, pp. 169–178. Cham: Springer Nature.
32.
KumaraguruPRheeYShengS, et al. Getting users to pay attention to anti-phishing education: evaluation of retention and transfer. In: Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, 4 October 2007, pp. 70–81.
33.
ShinJCarleyRCarleyK. Simulation of human organizations with computational human factors against phishing campaigns. In: International conference on cyber warfare and security, 1 March 2025, pp. 614–623. Academic Conferences International Limited.
34.
TianQBaiJWuT.Should we be” challenging” employees? A study of job complexity and job crafting. Int J Hosp Manag2022; 102: 103165.
35.
AkerstedtTAxelssonJLekanderM, et al. Do sleep, stress, and illness explain daily variations in fatigue? A prospective study. J Psychosom Res2014; 76: 280–285.
36.
RehmanWUJanjuaSYNaeemH.Impact of burnout on employees’ performance: an analysis of banking industry. World Rev Entrep Manag Sustain Dev2015; 11: 88–105.
37.
MwaisakaDK’AolGOumaC.Influence of supportive and directive leadership styles on employee job satisfaction in commercial banks in Kenya. Int J Hum Capital Manag2019; 3: 42–60.
38.
BasitAHassanZ.Impact of job stress on employee performance. Int J Acc Bus Manag2017; 5: 13–33.
39.
AlqarniZAlgarniAXuY. Toward predicting susceptibility to phishing victimization on Facebook. In: 2016 IEEE international conference on services computing (SCC), 27 June 2016, pp. 419–426. IEEE.
40.
Kamal HassanSMMorsySM. Effect of work conditions and fatigue on job performance of staff nurse’s at Al Eman General Hospital. Assiut Sci Nurs J2023; 11: 317–327.
41.
CarleyKM.Validating computational models, 1996.
42.
ShinJDobsonGBCarleyLR, et al. Design, modeling and simulation of cybercriminal personality-based cyberattack campaigns. In: 2024 winter simulation conference (WSC), 15 December 2024, pp. 2058–2069. IEEE.
43.
RubinS.2025 unit 42 global incident response report. Palo Alto Networks, 2025.
44.
Di TizioGArmelliniMMassacciF. Software updates strategies: a quantitative evaluation against advanced persistent threats. IEEE Trans Softw Eng2022; 49: 1359–1373.
