Exploratory Analysis of Decision-Making Biases of Professional Red Teamers in a Cyber-Attack Dataset

Attacker psychology is currently under-examined in cybersecurity research. A prior, large-scale study sought to understand attackers' behavior by testing both technological and psychological deception. Professional "red team" members participated over two days in various conditions. This data was examined for further evidence that cognitive biases, a potential disruption for attackers, may be present, and may be affecting the outcome. An applied, novel methodology for measuring confirmation bias and framing effects is presented using this realistic dataset. Both confirmation bias and the framing effect occurred in this interpretation. The framing effect appears to have reduced attacker interactions with systems in the network, which may benefit cyber defenders. These results provide additional, exploratory evidence that biases in the decision-making of cyber attackers could be used as part of a defensive cyber strategy. Limitations to the approach and directions for future study of attackers are discussed.