Eye-Tracking Technology and Understanding the Human Element of Cybersecurity

By Cheryl I'anson
March 07, 2023
4 min read

Eye-Tracking Technology and Understanding the Human Element of Cybersecurity

As discussed by Professor John McAlaney (Bournemouth University) at Impact 2023 Conference.

On Thursday 2nd March 2023 Professor John McAlaney of Bournemouth University presented a fascinating and insightful talk titled: “Cybersecurity is in the eye of the beholder”, at the Impact 2023 conference presented by CybSafe.

John begins by utilising the weapon of comedy, presenting several real-world and humorous examples of how the human element of cybersecurity can often lead to erroneous situations. One example shown was the reverse functionality of the design of the below security gate. Not only can it be opened by putting your arm through the gaps in the bars, but it also now presents would-be-criminals with a ladder to climb into the premises.

Image from Google

Cybersecurity attacks often depend on some form of interaction by the target, such as clicking links on phishing emails.  To ensure our own digital safety, we must understand the decision-making processes that drive social engineering attacks and other exploits. However, people are not fully consciously aware of their mental processes (cognitions) when they are subjected to a social engineering attack, so how exactly can this be measured and evaluated?

John and his colleagues at Bournemouth University have been trying to answer this question using cutting-edge eye-tracking technology. As a non-invasive method, eye-tracking can measure where individuals look and how much cognitive processing they are doing, whilst they are part of a cybersecurity incident (such as being the recipient of a phishing email). Cognitive processing is inferred from several factors, including fixation duration (how long the eyes were stationary), saccade length (how much time the eyes were moving), and several regressions (how many times the eyes returned to a previously fixated point).

Phishing emails are one form of social engineering, (the use of manipulation to gain sensitive information or access to a system). John explains how an individual’s decision-making is often based on mental shortcuts based on past experiences (heuristics), used to simplify decision-making and problem-solving. However, this can result in systematic errors in thinking or decision-making that can lead to inaccurate judgments and perceptions (cognitive biases).

For example, the assumption that all blue crisp packets are cheese and onion flavoured (the standard for the popular brand “Walkers”). If an individual doesn’t pay close attention when purchasing their crisps, they could end up with “cheesy beans on toast” flavour by mistake.

Images from Google

Therefore, we know that individuals may not always pay full attention, and this applies to the cues and prompts that digital systems provide, encouraging safe use. Individuals may not detect and respond to potential threats appropriately. This was highlighted by John through the presentation of the below footage from work by Miyamoto et al. (2015) at the University of Tokyo. Showing the difference in eye movements of a novice individual, and a cybersecurity expert (someone trained to understand cyber threats such as phishing websites).

Novice viewing a phishing site:

 

 

Expert viewing a phishing site:

 

Videos from Eye can tell: On the correlation between eye movement and phishing identification by Miyamoto et al. (2015)

John and his colleagues at Bournemouth University (McAlaney & Hills, 2020) conducted an exploratory study, using eye-tracking analysis. Participants engaged with a series of emails, some of which contained common indicators of a phishing email: namely misspellings, financial information, a request for urgent action and the use of threatening language. The laboratory-based eye-tracking analysis found the trustworthiness of emails was influenced by the presence or absence of these phishing indicators. However, the eye movements of participants did not match what would be anticipated from the trustworthiness rating they had provided. Suggesting a more complex relationship between the elements of a phishing email and its effectiveness.

To finish off his talk, John explains the multiplicity of applications for the ever-advancing eye-tracking technology, and how it can be utilised outside of the laboratory to improve cybersecurity in everyday settings, such as fake news and how it spreads, gambling addiction and website design, and understanding how individuals interact with cybersecurity training and other online safety tools and interfaces.

Overall, Professor John McAlaney presented an informative and engaging talk, showcasing how cutting-edge eye-tracking technology can be used to measure and evaluate the decision-making processes that drive social engineering attacks and other cybersecurity exploits.

The eye sees all, but the mind shows us what we want to see.”

William Shakespeare

Remember, in cybersecurity, even though our eyes see all we must train the mind to distinguish what we need to see from what we want to see.

 

References

McAlaney, J., & Hills, P. J. (2020). Understanding phishing email processing and perceived trustworthiness through eye tracking. Frontiers in Psychology, 11(1756). doi:10.3389/fpsyg.2020.01756

Miyamoto, D., Blanc, G., & Kadobayashi, Y. (2015). Eye can tell: On the correlation between eye movement and phishing identification. In Neural Information Processing: 22nd International Conference, ICONIP 2015, Istanbul, Turkey, November 9-12, 2015, Proceedings Part III 22 (pp. 223-232). Springer International Publishing.