Monday, March 3, 2014

Psychology & Cybersecurity

This January work began on a major new long-term project, which will lay the groundwork for a new, highly interdisciplinary science in which psychology plays a critical role. At stake are not only the personal and financial information of individuals everywhere, but the safety of nations, and the lives of individuals in combat and other state ventures across the globe. Not surprisingly, the White House has an interest and will have direct oversight of the project. 

Bennett Bertenthal, the James H. Rudy Professor of Psychological and Brain Sciences, is one of 17 principal investigators from five major universities to receive a grant, awarded in October, from the Army Research Lab to collaborate in a ten-year study of cybersecurity. The group, brought together by Penn State researcher Patrick McDaniel, a professor of computer science and engineering, was chosen from a competitive field to launch a research program on cybersecurity with an initial five-year grant of $24 million. An opportunity to renew in another five years makes this a nearly $50 million project. 

Bertenthal is one of three principal investigators at IU, who together have received $3.5 million of these funds. The others at IU include School of Informatics and Computing professor L. Jean Camp and School of Public and Environmental Affairs professor Diane Henshel.

As Bertenthal explains, “The army has become increasingly concerned about the vulnerability of its defense networks and wants to have a comprehensive research agenda to ensure they are doing everything possible to detect, prevent, and assess the risk of attack.” 

As a cognitive scientist, his work addresses the human dimension of a problem that ranges widely across heterogeneous systems of computer networks and can involve the entire army command around the world.

Many instances of cyber-warfare, he says, “are attacks on actual physical systems or on software itself. But a huge component remains the human dimension and the degree to which individuals can be deceived into providing secure information or just because of their own lack of knowledge provide information that will reduce the security of the computer system.”

“The weak links,” he says, “are often people—people not knowing that they are being deceived into providing credentials or secure information.”

The initial task in the study will be to identify and create models of different kinds of computer users, from attackers to defenders. The researchers will survey various groups, both computer experts and novices, from students and ordinary citizens to army personnel of all ranks, as well as computer hackers. (They will attend a hackers’ conference this summer for this purpose.)

In a second phase of research, he says, he and his research staff “will look at real-time behavior in a computer environment to see how variables such as fatigue, cognitive load, depletion of cognitive resources, or multitasking might lead someone to become less guarded about warnings or signs of an attack. Experimental research on individuals will then be compared to the different models that people in the group are developing.”

“Ultimately,” he explains, “a lot of what we’re doing is trying to understand scenarios where there is risk, figure out how to identify real attacks and how to mitigate against them. You want to develop models that will help to detect and diagnose if a computer is being attacked.” 

And whether we are talking about military secrets, personal banking information, or a database full of social security numbers, the problem, he adds, “does not stop with the military. It affects all of us now.

“That is why it is a ten-year project.”