Simulation of Human Organizations with Computational Human Factors Against Phishing Campaigns
DOI:
https://doi.org/10.34190/iccws.20.1.3241
Keywords:
simulation, Cybersecurity, human factors
Abstract
Traditionally, cybersecurity has focused on identifying and addressing system-level vulnerabilities that cybercriminals could exploit. As technical defenses have become more sophisticated, cybercriminals have shifted their tactics toward exploiting human users through social engineering techniques. This shift demonstrates how a single mistake by an individual within an organization can allow attackers to bypass even the most robust cybersecurity systems. Consequently, researchers have long sought to understand which human factors make individuals more susceptible to social engineering attacks. While the relationship between susceptibility to social engineering attacks and static human factors, such as age, gender, and personality, has been widely explored in empirical studies, research into the relationship between dynamic human factors, such as fatigue, perceived vulnerability, and job performance, and susceptibility to social engineering tactics has been limited. To address this gap, we propose a simulation-based methodology to explore how dynamic human factors correlate with susceptibility to spearphishing, one of the most prevalent forms of social engineering. In this study, we replicate a real-world human organization that was previously the subject of a spearphishing empirical study. Then, we computationally model dynamic human factors such as fatigue, perceived vulnerability, and job performance by integrating regression models from various human factors studies. Next, we simulate spearphishing attacks using different combinations of dynamic human factor values to explore their relationship with susceptibility to these attacks. 
Our simulation study reveals that when end users within an organization exhibit higher perceived vulnerability, higher job performance, and lower fatigue, they are more likely to adhere to security policies, which in turn reduces both the overall number of users tricked by a spearphishing campaign and the total amount of exfiltrated data. Based on these hypotheses derived from simulation results and statistical analysis, we recommend which organizational policies should be prioritized to effectively mitigate spearphishing risks.
License
Copyright (c) 2025 Jeongkeun Shin, Rick Carley, Kathleen Carley

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.