Does subnetting and port hardening influence human adversarial decisions? An investigation via a HackIT tool

Abstract

Prior research in cyber deception has investigated the effectiveness of the timing of deception on human decisions using simulation tools. However, there exists a gap in the literature on how the availability of subnets and port-hardening influence human decisions to attack a system. We tested the influence of subnets and port-hardening on human attack decisions in a simulated environment using the HackIT tool. Availability of subnets (present/absent) within a network and port-hardening (easy-to-attack/hard-to-attack) were varied across four between-subject conditions (N = 30 in each condition): with-subnet with easy-to-attack, with-subnet with hard-to-attack, without-subnet with easy-to-attack, and without-subnet with hard-to-attack. In with-subnet conditions, 40 systems were connected in a hybrid topology network with ten subnets connected linearly, and each subnet contained four connected systems. In without-subnet conditions, all 40 systems were connected in a bus topology. In hard-to-attack (easy-to-attack) conditions, the probabilities of successfully attacking real systems and honeypots were kept low (high) and high (low), respectively. In an experiment, human participants were randomly assigned to one of the four conditions to attack as many real systems as possible and steal credit card information. Results revealed a significant decrease in the proportion of real system attacks in the availability of subnetting and port hardening within the network. Also, more honeypots were attacked in with-subnet conditions than without-subnet conditions. Moreover, a significantly lower proportion of real systems were attacked in the port-hardened condition. This research highlights the implications of subnetting and port-hardening with honeypots to reduce real system attacks. These findings are relevant in developing advanced intrusion detection systems trained on hackers' behavior.