of the latter include links to appealing Web pages and or downloadable software applications, such as those for sharing pictures or music files.
Another channel for social engineering is the service providers on which many organizations and individuals rely. Both individuals and organizations obtain Internet connectivity from Internet service providers. Many organizations make use of external firms to arrange employee travel or to manage their IT security or repair needs. Many organizations also obtain cybersecurity services from third parties, such as a security software vendor that might be bribed or otherwise persuaded to ignore a particular virus. Service providers are potential security vulnerabilities, and thus might well be intermediate targets in an offensive operation directed at the true (ultimate) target.
Decision Making Under Uncertainty
Decision making under conditions of high uncertainty will almost surely characterize U.S. policy makers responding to the first reports of a significant cyber incident, as described above in Section 4.1.2. Under conditions of high uncertainty, crisis decision-making processes are often flawed. Stein describes a number of issues that affect decision making in this context.14
For example, under the category of factors affecting a rational decision-making process, Stein points to uncertainty about realities on the ground as an important influence. In this view, decision making yields suboptimal outcomes because the actors involved do not have or understand all of the relevant information about the situation. Uncertainties may relate to the actual balance of power (e.g., difficulties of cyber threat assessment), the intentions of the various actors (e.g., defensive actions by A are seen as provocative by B, inadvertent actions by A are seen as deliberate by B), the bureaucratic interests pushing decision makers in certain directions (e.g., cyber warriors pushing for operational use of cyber tools), and the significance of an actor’s violation of generally accepted norms.
Under the category of psychological factors influencing decision making, Stein points out that because the information-processing capability of people is limited, they are forced in confusing situations to use a variety of cognitive shortcuts and heuristics to “simplify complexity, manage uncertainty, handle information, make inferences, and generate threat perceptions.”15 For example, people often:
14 Janice Gross Stein, “Threat Perception in International Relations,” in The Oxford Handbook of Political Psychology, 2nd Edition, Leonie Huddy, David O. Sears, and Jack S. Levy (eds.), Oxford University Press, 2013.
15 Stein, “Threat Perception in International Relations,” 2013.