Many phish in the C: A coexisting‐choice‐criteria model of security behavior

Abstract Normative decision theory proves inadequate for modeling human responses to the social‐engineering campaigns of advanced persistent threat (APT) attacks. Behavioral decision theory fares better, but still falls short of capturing social‐engineering attack vectors which operate through emotions and peripheral‐route persuasion. We introduce a generalized decision theory, under which any decision will be made according to one of multiple coexisting choice criteria. We denote the set of possible choice criteria by C. Thus, the proposed model reduces to conventional Expected Utility theory when |CEU|=1, while Dual‐Process (thinking fast vs. thinking slow) decision making corresponds to a model with |CDP|=2. We consider a more general case with |C|≥2, which necessitates careful consideration of how, for a particular choice‐task instance, one criterion comes to prevail over others. We operationalize this with a probability distribution that is conditional upon traits of the decisionmaker as well as upon the context and the framing of choice options. Whereas existing signal detection theory (SDT) models of phishing detection commingle the different peripheral‐route persuasion pathways, in the present descriptive generalization the different pathways are explicitly identified and represented. A number of implications follow immediately from this formulation, ranging from the conditional nature of security‐breach risk to delineation of the prerequisites for valid tests of security training. Moreover, the model explains the “stepping‐stone” penetration pattern of APT attacks, which has confounded modeling approaches based on normative rationality.


INTRODUCTION
The human element in decision making is not only deliberative, but also emotional, intuitive, and fallible.(3)(4)(5)(6)(7) A major lacuna for security-behavior modeling is that standard decision theory fails to capture the peripheral-route persuasion pathways that are exploited in social-engineering campaigns.
In contrast, Signal Detection Theory (SDT) has been successfully adapted to model human responses to phishing attacks. 1 The flexibility of SDT is instrumental in this context.This flexibility has been exploited to study the distinct consequences for security-breach risk estimates of premising the model solely upon normative decision theory, solely upon behavioral decision theory, or upon the combination of behavioral decision theory and susceptibility to peripheralroute persuasion. (8)Unsurprisingly, the latter combination proves most useful and informative.
Nevertheless, two limitations may be observed in the existing SDT-based approach: (i) decision makers are assumed to be permanently characterized by one fixed decision-making model, and (ii) the effects of different peripheral-route persuasion pathways feed into, and become commingled in, a single value of the discriminability parameter. 2Descriptive validity favors relaxation of the former, while interpretability of modeling favors relaxation of the latter.
We introduce a generalization of decision theory that fulfills these desiderata. 3The generalization comprises two principal components.
(3)(4)(5)(6)(7) This approach therefore generalizes not only EU and PT, but also Dual-Process (DP) theories. 4t also formalizes the notion -to which the paper's title alludes -that there are several distinct types or classes of phishing ploy, and that individuals' susceptibility differs across qualitatively distinct social-engineering attack vectors.It is important to distinguish between these distinct phishing attack vectors -both to understand individuals' behavioral responses to them, and to understand organizations' total security-breach risk exposure.A phishing ploy that plays upon the prospect of a time-delimited opportunity for wealth is constructed very differentlyand is processed very differently by its recipient(s) -than a phishing ploy that plays upon employees' standard routines of unquestioningly responding to bosses' and colleagues' emails, opening any appended email attachments, and clicking on enclosed links.An organization's email security training may effectively address the former, but in many organizations the latter remains a worrying vulnerability.
The second component of the generalization is a conditional probability distribution over the different choice criteria, i.e. over the elements of the set C. As each new choice task is confronted, a draw from this distribution determines which choice criterion becomes operative, and so we will refer to it as the State-of-Mind (SoM) distribution for an individual i at time t.We allow an individual's SoM distribution to be conditional upon: their psychological traits and decision-experiences, the situational context of the decision, and the framing of the choice options.This approach is similar to that of two existing addiction models (13,14) although we extend those models by allowing the framing of the choice options to be strategically determined by an adversarial agent (the attacker), and by allowing both the prior-experiences and situational context of a decision to be strategically influenced by an allied agent (the Information Security Officer).
A key advantage of the present formulation is the top-level differentiation of the decision maker's susceptibility to different kinds of phishing ploys.This formulation yields a number of immediate implications.First, the overall security-breach risk due to phishing can not be conceived in unconditional terms.Since an individual's susceptibility to phishing depends on the type of phishing ploy, the phishing-ploy-type exposure distribution takes on importance, as does the intensity of this exposure (i.e. the total number of phishing emails traversing the spam filter) and the quality of phishing-ploy execution.Second, a single test-phishing email is insufficient for evaluating the effectiveness of email security training.Email security training does not necessarily generalize across different choice criteria.Hence, a single test-phishing email may determine the robustness of security practice towards one particular phishing ploy, but it is orthogonal to potential vulnerabilities within the remaining choice criteria.Third, not only is the organization's security-breach risk conditional, but the attacker gets to choose the phishing-ploy-type exposure distribution, as well as the intensity of this exposure.The attacker has first-mover advantage.Moreover, the attacker always has the option to develop new phishing-ploy types that are not addressed by the organization's existing working practices and training materials.
Fourth, given working practices in most organizations and given the dimensions over which the attacker can tailor a phishing campaign, it is clear that the attacker can attain a very high total probability of successfully breaching the target organization's cybersecurity.In part, this is due to the fact that typical working practices in non-high-security organizations 5 do not involve special treatment of embedded links or attached files. 6It is also due to the disjunctive accumulation (addition, rather than multiplication) of successful-security-breach probabilities over spam-filter-traversing phishing emails.But it is also due to the scope for using rich contextual information to tailor a campaign into a spear-phishing attack -i.e. to specifically target the 'routinely click-straight-through' choice criterion characterized by automaticity.Furthermore, our model supports an explanation for the 'stepping-stone penetration pattern' that is common in APT attacks.Whereas models of security behavior premised upon normative rationality have not been successful in explaining the stepping-stone pattern, we show that in light of a coexisting-choice-criteria model of security behavior, the stepping-stone penetration pattern may be recovered as a constrained-optimal attack vector.
The sequel is organized as follows.Section 2 briefly reviews the phishing literature, showing that phishing attacks employ social-engineering techniques that circumvent deliberatively rational decision processes.Section 3 reviews the empirical literature in which multiple 'ways of deciding' have been documented empirically, establishing a rigorous empirically grounded basis for the coexisting-choice-criteria model.Section 4 introduces the coexisting-choice-criteria model, and illustrates some of its properties, including its ability to support an explanation of the stepping-stone penetration pattern (Section 4.3).Section 5 concludes.

PHISHING TARGETS THE HUMAN ELEMENT
The capacity for rational deliberation is a feature of human beings, albeit not the overriding trait it was thought to be when Carl Linnaeus coined the binary nomenclature, Homo sapiens. 7th large-scale and narrowly targeted social engineering are predicated upon the intuitive, emotional, and fallible nature of human behavior, and it is now recognized that psychology is an essential component -alongside engineering and economics -for understanding information security. (15)re than half of all US government network security-incident reports concern phishing attacks, and the number of phishing emails being sent to users of federal networks is growing rapidly. (16,17)The FBI and the DHS recently issued an amber alert warning of APT activity targeting energy -especially, nuclear power8 -and other sectors. (19)In this broad APT campaign, spear phishing was the preferred initial-breach technique.The corporate sector is targeted more widely, commonly using phishing to create an entry point, for the purposes of extortion, illegally acquiring customer-information (and credentials) databases, as well as for acquiring commercially sensitive information.The incidence of corporate cyber espionage is not systematically disclosed, but many of the high-profile examples of corporate hacking that have come into the public domain were staged via phishing. (20)line scams such as phishing and spear phishing employ techniques of persuasion that have collectively been labeled 'social engineering'. (2,6)These techniques eschew direct, rational argumentation in favor of 'peripheral' routes to persuasion.)(4)(5)(6)(7) Scams9 typically augment peripheral-route persuasion by setting up a scenario that creates psychological pressure by triggering visceral emotions that override rational deliberation. (3,21,22)sceral emotions -such as greed, envy, pity, lust, fear and anxiety -generate psychological discomfort as long as the underlying need remains unfulfilled, and psychological pleasure or even euphoria when that need is fulfilled.The manipulative scenario is deliberately structured so that the scammer's proposition offers the double prospect of relief from the visceral discomfort as well as visceral satisfaction upon fulfilling the underlying need.
An ideally scripted scam scenario contrives a compelling, credible need for immediate action.
If a scam-scenario script falls short of this ideal, it will almost invariably emphasize the urgency with which action must be taken. (3,21,22)In itself, this introduces visceral anxiety where none existed before, and simultaneously, precludes the availability of time for cooling off and for rational deliberation.Visceral emotions have both a direct hedonic impact as well as an impact via altering the relative desirability of different cues and attributes.Crucially, visceral emotions also affect how decision makers process information, narrowing and restricting attention to the focal hedonic cue and its availability (or absence) in the present. (21,22)Since visceral emotionsand their concomitant effects on attention and relative desirability of different cues/attributes -are short lived, scam scripts contrive reasons for immediate action. 10 sufficiently high levels of intensity, visceral emotions can override rational deliberation entirely. (21)Mass phishing scams often aim to exploit human emotions in this fashion.Spear phishing attacks, on the other hand, typically aim to exploit the intuitive and fallible nature of human decision making without necessarily stoking emotion.This approach targets the routinization and automaticity (12) upon which successful management of a high-volume inbox rests.For most civilian organizations outside the security community, employees trust emails -and any embedded URLs and file attachments -sent by bosses and immediate colleagues, and frequently also those sent by more distant contacts.Failure to do so would bring most organizations to a halt.Spear phishing thus exploits this routine and unquestioning trust that is automatically extended to bosses, colleagues, and contacts -and unintendedly, to plausible facsimiles thereof.
More surprising is the fact that spear phishing emails endowed with rich contextual information have been deployed successfully on both sides of the civilian/non-civilian and security/nonsecurity divides.,24) When implemented well with appropriate contextual information, a spear-phishing email simply does not attract critical evaluation, and its contents are acted upon in a routine and automatic fashion.

COEXISTING CHOICE CRITERIA: EMPIRICAL PROVENANCE
Decision theorists are gradually coming to terms with the implications of dual-process theory, which has been developed by psychologists and recently popularized by Daniel Kahneman in Thinking, Fast and Slow. (25)anwhile, a well-established stream of empirical-decision-theory literature offers legitimation for the notion that there may be more than one way of reaching a decision.That literature captures heterogeneity in choice criteria with Finite Mixture (FM) models.Standard estimation procedures for such models allow the data to determine how many different choice criteria are present, and then to provide, for each individual, the respective criterion-type membership probabilities.In Glenn Harrison and Elisabet Rutström's FM models, 11 the traditional single-criterion specification is statistically rejected, in their words providing "a decent funeral for the representative agent model that assumes only one type of decision process." (26)In turn, Coller et al.'s FM models show that "observed choices in discounting experiments are consistent with roughly one-half of the subjects using exponential discounting and one-half using quasihyperbolic discounting." (27)And using a Bayesian approach, Houser et al. show that different people use different decision rules -specifically, one of three different criteria -when solving dynamic decision problems. (28)ltiple choice criteria are also well established in the empirical-game-theory literature.
Stahl and Wilson fit an FM model to data on play in several classes of of 3×3 normal-form games, and find that players fall into five different boundedly rational choice-criteria classes. (29)Guessing games -a.k.a.Beauty-Contest games -have been pivotal in showing not only that backward induction and dominance-solvability break down, but also that game play can be characterized by membership in a boundedly rational, discrete (level-k) depth-of-reasoning class. (30)FM models are the technique of choice for analyzing Beauty-Contest data, revealing that virtually all 'nontheorist' subjects12 (94%) fall into one of three boundedly rational depth-of-reasoning classes (levels 0, 1 or 2). (31,32)FM models are being applied increasingly in empirical game theoryincluding to the analysis of e.g.trust-game data, social-preferences data, and common-pool-resource data -demonstrating the broad applicability of a multiple-criteria approach.The theoretical relevance of level-k reasoning to adversarial interactions such as phishing has been further demonstrated by Rothschild et al., (33) however we know of no existing paper in this field that allows alternative choice criteria to coexist.
Outside decision theory and empirical game theory, the necessity of allowing for multiple choice criteria has also been recognized in the fields of transportation research and consumer research.Within a Latent Class (LC) model framework, 13 Hess et al. study the question of whether "actual behavioral processes used in making a choice may in fact vary across respondents within a single dataset." (34)Preference heterogeneity documented in conventional single-choice-criterion models 14 may be a logical consequence of the single-choice-criterion restriction (i.e.misspecification).Hess et al. account for choice-criterion heterogeneity in four different transport-mode-choice datasets by fitting LC models.These LC models distinguish between conventional random utility and the lexicographic choice criterion (dataset 1), among choice criteria with different reference points (dataset 2), 15 between standard random utility and the elimination-by-aspects choice criterion (dataset 3), and between standard random utility and the random-regret choice criterion (dataset 4). (34)Finally, Swait and Adamowicz show that consumers also fall into different 'decision strategy' LCs, and that increasing either the complexity of the choice task or the cumulative task burden induces switching toward simpler decision strategies. (35)These results underscore an interpretation of the choice-criterion probabilities that is only implicit in the above-mentioned studies: that (a) decision makers should not be characterized solely in terms of their modal choice criterion, but in terms of their choicecriterion mixtures, and that (b) the criterion that is operative for a particular choice task is obtained as a draw from the probability distribution over choice criteria, which in turn is conditional upon features of the context, the framing and presentation of the choice options,and the current psychological characteristics of the decision maker.
In light of these FM-and LC-model findings, accommodation of multiple choice criteria emerges as a natural step toward improving the descriptive validity of theoretical models. 13Latent Class (LC) models are specializations of FM models. 14e.g.heterogeneity in risk aversion in EU models, and heterogeneity in probability weighting in PT models 15 note that standard random utility has no reference point

Coexisting-choice-criteria model
The econometric evidence reviewed in Section 3 warrants a generalization of decision theory to incorporate multiple coexisting choice criteria.An abstract formulation of such a theory naturally draws upon the formal specification of econometric latent class models that capture choice-criterion heterogeneity. (34,35)t C denote the set of coexisting choice criteria.The elements of this set are distinguished by the integer-valued index c, where 1 ≤ c ≤ C := | C|.
We specialize the present formulation to the context of phishing-security modeling by populating the set of choice criteria C with a view to capturing the essential features of human beings in the security setting, as reviewed in Section 2. Email recipients are capable of rational deliberation, but they are not overwhelmingly predisposed to it.They may instead form subjective beliefs and valuations as captured by behavioral decision theory, but they also frequently act in an intuitive or routinized fashion.Thus the empirical evidence reviewed in Section 2 suggests that human responses to phishing campaigns range across (at least) four identifiable choice criteria, which we summarize in Table 1. 16ble 1: Email recipients' coexisting choice criteria.again, the remaining consistency axioms are abandoned. 16Although the present formulation moves beyond the simplicity of a single-decision-criterion world view, each criterion of Table 1 can be formalized by an existing theoretical framework.Normative deliberation is underpinned by the axiomatizations of e.g.von Neumann and Morgenstern, or Leonard Savage.Descriptively valid, partly deliberative behavioral rationality is underpinned by axiomatizations of Cumulative Prospect Theory by e.g.Wakker and Tversky. (36)The deliberative-rationality-displacing role of visceral emotions has been recognized in the evolutionary study of behavior, represented in economics in particular by e.g.Robert H. Frank. (37)Automaticity, in which deliberative rationality is not so much bypassed as simply 'not engaged', has been given theoretical underpinning in the psychology literature by Moors and De Houwer. (12)Imperfect and fallible recognition, categorization, and procedural responses have been widely documented, (38)(39)(40)(41)(42) for which general theoretical underpinning may be obtained from e.g.Philippe Jehiel's concept of analogy-based expectations equilibrium. (43)n general the choice-criterion selection probability will be conditional upon the decision maker's State of Mind, which in turn depends on an array of subject-and task-specific variables.
The net effect of all such variables determines an individual's probability of adopting a given choice criterion c at a given point in time, which we denote by π c it .Note that we necessarily have 0 ≤ π c it ≤ 1 and C c=1 π c it = 1 for all individuals i and time-points t.The email recipient is one of many agents who interact in a strategic phishing game.We analyze an attacker's optimal response to Figure 1 in Section 4.3, and we discuss the model's implications for organizational security policy in Section 4.4.Before doing so, we complete the model by expanding the π c it expression for an agent i at time t.In general, π c it is operationalized through a probability distribution that may be conditional upon: the characteristics of the decision maker X it , the situational context Z it , and the attributes of the present choice task α t .
The current characteristics X it of agent i are jointly determined by their stable psychological traits Γ i , and by the history of: decision contexts {Z i } <t , decision-attributes {α} <t , and decisionoutcomes {D i } <t that constitutes their current set of experiences.
In order to develop a tractable expression for π c it we generalize the notion of match quality introduced in the SDT literature (8) and we specialize the vectors appearing in (4.1a) to the phishing-email application.For this application, the context Z it is that in which the agent receives his emails.An agent whose context Z it and recent context history {Z i } <t leaves him stressed, distracted, or hungry, will be less likely to respond deliberatively.The implications of this observation for personal practice and organizational security policy are clear, 17 and so we suppress Z it hereafter to focus on the strategic interaction between attackers and recipients.For simplicity we also suppress time subscripts hereafter to focus on the short-run implications of the model.
Let us consider a phishing email with attributes α constructed within a finite attribute space A = [0, 1] A .Each of the A components of email α captures the emphasis that it places on each of A possible cues.The attacker chooses which cues to emphasize in order to influence the recipient's State of Mind.This determination of email 'content' is the attacker's primary decision variable.
The attacker is nevertheless constrained, in that increasing the emphasis placed on any one cue necessarily diminishes the emphasis on the others.We model this constraint by requiring The salient characteristics of the recipient are his idiosyncratic susceptibility to each type of cue S i , and his baseline propensity χ c i to apply each choice criterion c. 18 S i is an C × A dimensional matrix, each row of which s c i specifies the effectiveness of each possible cue type 17 These are discussed further in Section 4.4, 18 The baseline propensity to adopt a deliberative choice criterion χ 1 i is a stable trait (44) that can be measured by the cognitive Reflection Test of Frederick (42) , or the Decision-Making Competence scale of Parker and Fischhoff (45) .
in invoking the choice criterion c.The agent's characteristics X i are therefore a matrix in [0, 1] A×C × (R + ) C , each row of which is a pair {s c i , χ c i } that will determine the match quality between the attacker's choice of email cues α, and the susceptabilities of the receiving agent i.
We may now extend the approach of Kaivanto (8) by defining the choice-criterion-specific match-quality function For illustrative purposes, the simplest non-degenerate functional form for m c would be the separable linear specification where • denotes the vector dot product.
Agent i's choice-criterion-selection probabilies for a given email with cue bundle α may then be defined in terms of the match-quality functions as follows:

Contrast with normatively rational deliberative special case
Under a normative decision-theoretic model of email-recipient decision making it is difficult to explain the existence of phishing as an empirical phenomenon.Normatively rational decision making is a special case of the coexisting-choice-criteria model in which π 1 = 1 and π 2 = π 3 = π 4 = 0.If all email recipients were characterized by choice-criterion #1 alone, then the success of an email phishing campaign would be determined entirely by factors largely outside the attacker's control: the benefit from correctly opening a non-malicious email (B TN ), the cost of erroneously quarantining non-malicious email (C FP ), the cost of erroneously opening a malicious email (C FN ), and the benefit of correctly quarantining a malicious email (B TP ).
Instead, variation in phishing campaigns' success rate is driven by factors that do not directly affect B TN , C FP , C FN and B TP . (2,4,6,7) is straightforward to explain the existence of phishing and its empirical characteristics under a coexisting-choice-criteria model of email-recipient behavior in which π 1 < 1 and π 2 , π 3 , π 4 > 0. For instance choice-criterion #4 (routine, automaticity) is triggered by a phish-ing email that masquerades as being part of the normal work flow by exploiting rich contextual information about the employee, the organizational structure (e.g.boss' and colleagues' names, responsibities, and working practices), and current organizational events and processes.Here the email recipient simply does not engage in a deliberative process to evaluate whether the email should be opened or not.
6)(7) Importantly, there is variation between individuals in their susceptibility to particular levers of psychological influence. (7,46,47)For instance scarcity 19 and authority 20 have been found to be more effective for young users, while reciprocation 21 and liking/affinity 22 have been found to be more effective for older users. (7)These observations motivate the agent-specific subscript i in π c i and m c i , and they are important in establishing the constrained-optimal APT attack pattern in the following Subsection.
None of the aforementioned psychological levers would be effective if email users were solely c ≡ 1 normatively rational deliberators.Similarly, the well-documented effects of commitment, 23 perceptual contrast, 24 and social proof 25 (see (2,4,6,7) ) are naturally explained by the existence of coexisting choice criteria.

Stepping-stone penetration
Forensic investigations of APT attacks have found that the initial breach point is typically several steps removed from the ultimate information-resource target(s).Deliberation-based models of normatively rational decision making offer no particular insight into this empirical regularity.In contrast, the coexisting-choice-criteria model encodes differentiation with which the steppingstone penetration pattern may be recovered as a constrained-optimal attack vector.
Let us consider an attacker who wishes to achieve a click-through from one of a minority 19 e.g.Don't miss out on this 'once-in-a-lifetime opportunity!' 20 e.g. law enforcement officers, tax officials 21 the tendency to repay in kind even though there is no implicit obligation to do so 22 the tendency to comply with requests made by people whom the user likes or with whom the user shares common interests or common affiliations 23 Also referred to as 'consistency'.People feel obliged to behave in line with -consistently with -their previous actions and commitments.
subset of m target individuals within an organization consisting of n members.The target individuals may be those who can authorize expenditure, or those with particular (e.g.database) access rights.The attacker's strategy at any given point in time consists of a choice of cue-bundle α k , taken to solve the program max where π c i (α k ) is the probability with which an individual will adopt choice criterion c given the cues present in phishing email α k , where ρ c is the probability of click-through given choice criterion c, where V is the expected value of a successful attack, and where e(α k ) is the cost of the effort expended in the production and distribution of email α k .This formulation accords with the near-zero marginal cost of including additional recipients to any existing email. (48,49)e attacker may send one, or more, emails α k .Each email may be designed to induce one particular State-of-Mind c, or could in principle adopt a mixed strategy.However, since (by construction and by necessity) c∈C π c i = 1, any mixture of asymmetrically effective pure strategies must be strictly less effective than at least one pure strategy.We therefore proceed by characterizing the available pure strategies on the basis of the phishing literature, (2,4,6) before eliminating strictly dominated strategies.The quantities summarized in Table 2 determine the costs and expected benefits to the attackers of targeting choice criterion c through their choice of α.There are two values of the selection probability max α {π c } for each choice criterion c: the prior likelihood of invoking that criterion, without insider information, and the posterior likelihood once access to such insider information is obtained.Insider information does not affect the attackers' ability to invoke choice criteria c ∈ {1, 2, 3}, but it does greatly aid the attacker's ability to 'spoof' (i.e.simulate) a routine email from a trusted colleague, and hence it substantially increases the posterior selection probability for c = 4.The mechanism by which attackers may gain such insider information is the successful phishing of a non-target member of the organization.
The most immediate implication of Equation (4.5) and Table 2 is that the Deliberative strategy is strictly dominated by the Behavioral strategy, due to the negligible click-through probability of the former.We next observe that the Behavioral strategy is, in turn, strictly dominated by the Impulsive strategy whenever That is whenever the expected click-through probability under a Behavioral choice criterion is less than the relative ease of invoking the Behavioral state compared to invoking the Impulsive state.Table 2 suggests that this criterion is typically satisfied.
Next we consider the case of an attacker who has no insider information.In this case it is trivial to see that an email which aims to invoke the Impulsive choice criterion strictly dominates an email which aims to invoke the Routine choice criterion, due to the lower effort cost of the former.The respective probabilities of successfully gaining a click-through from a target individual are then: target clickthrough which demonstrates that there is a greater likelihood of the attacker gaining a click-through from a non-target individual than from a target individual in any attack without insider information.Note that this conclusion would be further strengthened if we were to assume that target individuals were less susceptible to phishing attacks than the average individual.
The attackers' first attempt therefore has three possible outcomes: (i) they may have successfully achieved their objective, (ii) they may have gained insider information by achieving a non-target click-through, or (iii) they may have achieved nothing.In the first case the attackers move on to acquire and exfiltrate the information.In the third case the situation is unchanged, and so the phishing campaign is continued with further broadcast of phishing email(s) containing (possibly modified) Impulsive cues.But in the second case insider information is obtained, whereby the posterior click-through likelihoods of Table 2 become operative.In this case, it is evident from Table 2 that an email which aims to invoke the Routine choice criterion is likely to dominate an email which aims to invoke the Impulsive criterion, specifically whenever Thus the attacker's optimal approach is likely to lead to a 'stepping-stone' attack, wherein a non-target individual is first compromised by invoking an impulsive choice criterion, so that a target individual can then be compromised by using insider information to invoke a Routine choice criterion.Sufficient conditions for this to be the most likely outcome are those of Table 2 and inequalities (4.6) and (4.7).

Implications for Organizational Security Policy
The model we present has important implications for organizational security policy.Let us first consider the cultural and procedural aspects of organizational security, before turning to specific implications for email security training and evaluation.
In Section 4.1 we noted the potential importance of the situational context Z it in which an email is received.2) The present model makes plain the security-vulnerability dangers of highly routinized emailprocessing practices, even if these would otherwise be efficient.Relatedly, it is vital that organizational culture supports the precautionary verification of suspicious messages, since any criticism of such verification practices is likely to increase the risk of behavioral click-throughs in future.These observations suggest that Information Security Officers should actively engage with wider aspects of organizational culture and practices.
The model also yields specific procedural implications for email security training.It is clear that the direct effect of a training course in which participants consciously classify emails as either genuine or malicious would be to reduce ρ 1 (see Figure 1), however for most individuals ρ 1 is already relatively low (see Table 2): given that an individual implements a deliberative choice criterion they are relatively unlikely to fall prey to a phishing attack.Section 4.3 demonstrated that a strategic attacker would instead seek to exploit the much greater vulnerabilities of ρ 3 and ρ 4 , and so training that focuses on reducing ρ 1 is likely to have limited effectiveness.
The challenge for Information Security Officers is that the vulnerabilities ρ 3 and ρ 4 are essentially fixed at 1. 26 Once an Impulsive or Routine State of Mind takes over, click-through is a foregone conclusion.Training should therefore focus on reducing individuals' criterion-selection probabilities π 3 and π 4 .There is evidence that an individual's propensity to act deliberatively can be raised through external interventions, (42) and the coexisting-choice-criteria framework suggests that this could best be achieved by helping employees to understand: (i) their inherent vulnerability to phishing when making choices either Routinely or Impulsively, and (ii) the psychological ploys by which attackers may induce Impulsive or Routine States of Mind.
Analogous implications exist for procedures which aim to test organizational security by means of simulated phishing emails.Where such a test is appended to a training module, it tests (at best) some combination of ρ 1 and ρ 2 , because trainees will be aware that they are attempting to identify phishing emails.Furthermore, the literature on incentives suggests that where such a test is incentivized with some required pass-rate, it is likely to be less informative as to the true vulnerability level because it is more likely to generate a pure measure of ρ 1 .Tests of security should therefore be blinded, for example by an unannounced simulation of an email attack.Moreover, such tests should be varied and repeated, since any single email α can only contain one specific cue bundle, and so can only test an individual's susceptibility π c (α) to that particular cue bundle.

CONCLUSION
As the basis for understanding and modeling the behavior of phishing targets, normative deliberative rationality proves wholly inadequate.This paper introduces a coexisting-choice-criteria model of decision making that generalizes both normative and 'dual process' theories of decision making.We show that this model offers a tractable working framework within which to develop an understanding of phishing-email response behavior.This offers an improvement over existing SDT-based models of phishing-response behavior, (8,9) insofar as it avoids the commingling of peripheral-route-persuasion pathways.
We also show that the framework may be usefully deployed in modeling the choices and tradeoffs confronted by APT attackers, who must make decisions about the nature, composition, and roll-out of phishing campaigns.We illustrate this by tackling a problem that has confounded conventional normative-rationality-based modeling approaches: Why do so many APT attacks follow a 'stepping-stone' penetration pattern?Under the coexisting-choice-criteria model, the attacker faces a tradeoff between (i) designing an email that is highly targeted, invokes the 'Routine' choice criterion, but requires detailed inside information, and (ii) designing an email that cannot be targeted as effectively, invokes the 'Impulsive' choice criterion, and requires only public information.However, success with (ii) provides the attacker with access to the inside information with which to implement (i).Thus the stepping-stone attack vector arises out of the attacker's tradeoffs precisely when confronting email users whose behavior is captured by the coexisting-choice-criteria model.
We further demonstrate that the model provides new insights with practical relevance for Information Security Officers.We derive specific recommendations for information training and testing as well as for organizational procedures, practices, and policies.In particular, the Finally, the coexisting-choice-criteria model highlights organizations' vulnerability to spearphishing attacks that invoke automatic email processing routines.Working practices in most commercial, voluntary, and public-sector organizations presume that links and email attachments are benign when sent from within the organization or by customers, suppliers, or partner organizations.This is a major vulnerability that is as much a reflection of organizational culture as it is a reflection of explicit security protocols (or absence thereof).This suggests that Information Security Officers could -and perhaps should -be afforded a broader role in shaping organizational culture.

c = 1
Normative deliberation: characterized by the internal-consistency axioms of completeness, transitivity, independence of irrelevant alternatives (iia), continuity, Bayesian updating, and time consistency (i.e.exponential discounting).c = 2 Behavioral: characterized by the weakening of iia, Bayesian updating, and time consistency (i.e. to hyperbolic discounting), as per the behavioral decision making literature.c = 3 Impulsively click through: characterized by dominance of visceral emotions, which suppress and displace deliberative reasoning; the remaining consistency axioms are abandoned.c = 4 Routinely click straight through: characterized by routinization and automaticity;

Figure 1
Figure 1 illustrates a single agent's stochastic State-of-Mind response to an arbitrary email.This begins with the diamond-within-a-circle chance node, whereby the incoming email probabilistically triggers one of the four State-of-Mind choice criteria.The fact that the 'Routine' (c = 4) and 'Impulsive' (c = 3) choice criteria override the possibility of sufficient deliberation to result in a 'quarantine' choice with probability ρ = 1 is indicated by the absence of these respective edges.The email recipient's incomplete information -over whether the email is benign or malicious -is reflected in the broken-line information sets surrounding terminal-node payoffs.

Figure 1 : 1 it
Figure 1: An agent's stochastic State-of-Mind response to an email.
model highlights the importance of considering the composite between the probability of being induced into State of Mind c and the probability of then clicking through given this State of Mind.Hence training must address the different State-of-Mind selection probabilities π c as well as the associated conditional click-through probabilities ρ c .Similarly, training-effectiveness testing -assurance of learning, in effect -must also cover the range of different State-of-Mind choice criteria.In light of the coexisting-choice-criteria model, the single-test-email approach should be deprecated.