Simulating phishing email processing with instance-based learning and cognitive chunk activation

Abstract

We present preliminary steps applying computational cognitive modeling to research decision-making of cybersecurity users. Building from a recent empirical study, we adapt Instance-Based Learning Theory and ACT-R’s description of memory chunk activation in a cognitive model representing the mental process of users processing emails. In this model, a user classifies emails as phishing or legitimate by counting the number of suspicious-seeming cues in each email; these cues are themselves classified by examining similar, past classifications in long-term memory. When the sum of suspicious cues passes a threshold value, that email is classified as phishing. In a simulation, we manipulate three parameters (suspicion threshold; maximum number of cues processed; weight of similarity term) and examine their effects on accuracy, false positive/negative rates, and email processing time.