Simulating Phishing Email Processing with Instance-Based Learning and Cognitive Chunk Activation

  • Matthew Shonman
  • Xiangyang Li
  • Haoruo Zhang
  • Anton Dahbura
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11309)


We present preliminary steps in applying computational cognitive modeling to research on the decision-making of cybersecurity users. Building from a recent empirical study, we adapt Instance-Based Learning Theory and ACT-R’s description of memory chunk activation in a cognitive model representing the mental process of users processing emails. In this model, a user classifies emails as phishing or legitimate by counting the number of suspicious-seeming cues in each email; these cues are themselves classified by examining similar, past classifications in long-term memory. When the sum of suspicious cues passes a threshold value, that email is classified as phishing. In a simulation, we manipulate three parameters (suspicion threshold; maximum number of cues processed; weight of similarity term) and examine their effects on accuracy, false positive/negative rates, and email processing time.


Keywords: Phishing, Cognitive modeling, Chunk activation
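The cue-counting model in the abstract can be sketched as follows; this is an added example, not the authors' code, and it shows how the three manipulated parameters change the verdict and the processing time for one email. Assumptions: the cue feature vectors, the memory contents, the similarity function, the omission of activation noise, stopping as soon as the threshold is reached, and reading "passes" as "reaches" are all constructed for illustration; only the base-level term follows the standard ACT-R form.

```python
import math

# Constructed long-term memory of past cue classifications (not data from the paper).
# Each chunk: (hypothetical cue features in [0, 1], was_suspicious, ages of past uses).
MEMORY = [
    ((1.0, 0.8, 1.0), True,  [5.0, 40.0]),
    ((0.9, 0.2, 0.9), True,  [60.0]),
    ((0.0, 0.1, 0.0), False, [2.0, 3.0, 10.0]),
    ((0.1, 0.9, 0.0), False, [15.0]),
]

def base_level(ages, decay=0.5):
    """ACT-R base-level activation: ln(sum of age^-decay) over past uses."""
    return math.log(sum(age ** -decay for age in ages))

def similarity(a, b):
    """Assumed similarity: 0 for identical features, down to -1 for opposite."""
    return -sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def cue_is_suspicious(cue, weight):
    """Retrieve the most active chunk and reuse its label (activation noise omitted)."""
    best = max(MEMORY, key=lambda c: base_level(c[2]) + weight * similarity(cue, c[0]))
    return best[1]

def classify_email(cues, threshold, max_cues, weight):
    """Return (label, cues_processed); cues_processed stands in for processing time."""
    suspicious = processed = 0
    for cue in cues[:max_cues]:
        processed += 1
        if cue_is_suspicious(cue, weight):
            suspicious += 1
            if suspicious >= threshold:  # assumption: "passes" means reaches
                return "phishing", processed
    return "legitimate", processed

# Constructed phishing email: two benign-looking cues around two suspicious ones.
EMAIL = [(0.0, 0.2, 0.1), (1.0, 0.7, 0.9), (0.9, 0.3, 1.0), (0.1, 0.8, 0.1)]

if __name__ == "__main__":
    for threshold, max_cues, weight in [(2, 4, 10), (2, 2, 10), (1, 4, 10), (2, 4, 0)]:
        print(threshold, max_cues, weight, classify_email(EMAIL, threshold, max_cues, weight))
```

With a similarity weight of 0 the most frequently and recently used chunk wins every retrieval, so the same email is judged legitimate; capping the cues at 2 produces the same miss for a different reason.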



This work is supported under the National Science Foundation Award No. 1544493.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Johns Hopkins University Information Security Institute, Baltimore, USA
