Project Details and Objectives
Please contact cyber.attack.study@gmail.com with any questions or if you are interested in the study!
We represent an international team of researchers across the domains of Cybersecurity and Cognitive Science from GrammaTech Inc (New York, US), The University of Newcastle (NSW, Australia), and Social Machines (Portsmouth, UK). We are studying cyber-attack behavior to better understand malicious actors’ mindsets and inform cyber defenses in new behaviorally focused ways. This work is funded by the Intelligence Advanced Research Projects Activity (IARPA) and aims to bolster national cybersecurity defense capabilities.
Our team is soliciting skilled participants in the area of cyber-security with experience in system defenses, white-hat hacking, and/or penetration testing for participation in a two-part study. We are seeking participants with at least some relevant cybersecurity background, but are open to a range of skill levels. Relevant tasks might include identifying the structure of partially protected, networked systems; basic password cracking or reverse engineering; data exfiltration; exploiting common vulnerabilities in networked systems; and bypassing various levels of commonly-deployed security measures.
Collected data will be fully anonymized and rigorously protected in accordance with best practices and IRB oversight (via the Office of Human Research Protections – OHRP). Your privacy is our chief concern.
Protocol Overview
There are two rounds of experiments – Stage 1 is now complete. We are actively recruiting for Stage 2, which includes individual cyber objectives in cyber-contexts typical of lab-type experiments. Both stages include traditional psychological study type questionnaires to assess individual participant baselines. Both stages will include a precursor cyber-skills test to allow both our team and interested participants to decide whether to proceed with the full study. If you have participated in earlier parts of the study, you will not take the skills test or repeat most additional components.
We expect the various components of the study to take different amounts of times:
• Cyber skills test: 20 minutes
• Stage 2 cyber objectives: 30-60 minutes per objective
• Psychological activities: 5-10 minutes each
• Psychological survey: 1 hour
Reward Structure
The reward structure is largely dependent on a participant’s ability to complete objectives, which range in sophistication and skill focus. Participants will receive compensation for each objective completed in Stage 2, ranging from $5 to $75 per objective. A baseline of $150 will be added for the psychological components. We expect the maximum payout to be $700 for all of Stage 2 (over the course of several sessions), which we may recontact you to continue in the following months.
Tentative Schedule
Focused Stage 2 experiments will run from November 2024 to March 2025. Stage 2 is rolling in nature – we may recontact you to see if you would like to participate in additional objectives during this period.
FAQ
Q1: Will my data be tied to me in any way that could impact me negatively?
A1: Data collected will be fully anonymized and not tied to you in any way beyond the email you provide for follow-up contact and compensation (this email will not be shared outside our immediate analysis team). Feel free to use an email address not connected to your online presence, if you would like further mitigation here.
Q2: How will the data be used?
A2: We will use data for government reporting and potential academic publications, with all the same anonymization and privacy caveats noted previously. Identifying information will never be used outside of data collection done only by our team.
Q3: How will data be stored?
A3: All data will be stored securely on protected networks and services. The duration of storage will be at least 4 years, possibly more if follow-on studies or analysis are funded.
Q4: How do I get in contact with your team or ask further questions?
A4: Email us at cyber.attack.study@gmail.com with any questions or concerns.
Q5: Can I withdraw data after taking part in the study?
A5: Yes, if you wish to retract your data, email us at cyber.attack.study@gmail.com within two weeks of completing the study and we will remove your data from consideration.