Cherin Lim and John Diaz, University of Washington; Sridhar Venkatesan, Jonathan Pfautz, and John Banya, Peraton Labs; Palvi Aggarwal, University of Texas at El Paso; Cleotilde Gonzalez, Carnegie Mellon University; Prashanth Rajivan, University of Washington
This study investigates how the Hot Hand Fallacy, a well-established cognitive bias, influences decision-making in cyber attack contexts. Specifically, through an online experiment, we examined whether prior success with a particular brute force technique biases attackers toward repeating that technique, even when such success is unrelated to future outcomes. Seventy-five participants with security knowledge completed two main sets of questionnaires: the Cyber Method (CM), featuring attack scenarios designed to test the hot hand effect, and the Established Method (EM), based on canonical hot hand fallacy questionnaires. In the CM portion, participants assumed the role of a cyber attacker, reviewed NMAP scan reports, and selected among four brute force sub-techniques across three experimental conditions: Control, Moderate Streak, and Extended Streak. Conditions varied in the amount of prior success information provided. Results show that participants were significantly more likely to repeat the same attack after a success compared to a failure across all conditions. Such findings can contribute to understanding how cognitive biases such as the hot hand fallacy may shape attacker behavior, offering insights for cybersecurity defense strategies.
