Towards a Cognitive System for Decision Support in Cyber Operations

Alessandro Oltramari and Christian Lebiere
Functional Modeling Systems Lab, Department of Psychology, Carnegie Mellon University, Pittsburgh, USA

Lowell Vizenor
Refinery 29, New York, NY, USA

Randall Dipert
Department of Philosophy, University of Buffalo

Wen Zhu
Alion Science and Technology, Washington D.C., USA

Abstract— This paper presents the general requirements to build a “cognitive system for decision support”, capable of simulating defensive and offensive cyber operations. We aim to identify the key processes that mediate interactions between defenders, adversaries and the public, focusing on cognitive and ontological factors. We describe a controlled experimental phase where the system performance is assessed on a multi-purpose environment, which is a critical step towards enhancing situational awareness in cyber warfare.

Keywords—ontology, cognitive architecture, cyber security

This research was partially supported by a Defense Threat Reduction Agency (DTRA) grant number: HDTRA1-09-1-0053 to Christian Lebiere (Principal Investigator) and Alessandro Oltramari.

STIDS 2013 Proceedings Page 94

I. INTRODUCTION

A cyber attack by a hostile nation-state or political organization is widely regarded as one of the most serious threats that the U.S. will face in the next decades. While greatly increased use of information systems has contributed enormously to economic growth, and has fueled a much more efficient and agile national defense, it has also made the U.S. enormously vulnerable to a variety of Internet and non-Internet cyber attacks, and to cyber espionage [1].

There are numerous factors that make cyber warfare and pure cyber defense, namely cyber security, especially problematic. The kinds of threats are diverse: destruction or theft of data, or interference with information systems and networks, across a spectrum of private and public interests. The legal and ethical status of cyber attacks or counterattacks by states is also unclear, at least when deaths or permanent destruction of physical objects do not result. It is still an open question what U.S. policy is or should be, and how cyber threats are analogous to traditional threats and policies—for example whether “first use” deterrence, and in-kind responses apply, and whether a policy of pure cyber defense does not put the far greater burden on attacked rather than attacking nations [2]. As this overview may suggest, untangling the complexity of cyber attacks becomes a key element for augmenting situational awareness in the cyber environment: in this position paper, we propose to tackle this problem from a semantic and cognitive modeling perspective, combining ontologies and cognitive architectures into an intelligent system capable of supporting humans in cyber operations as well as acting autonomously as a team member.

The paper is divided into four main parts. After introducing some aspects of special interest to modeling cyber warfare (Section II), in Section III we present a hybrid decision support system based on cognitive architectures and ontologies. Section IV unfolds the experimentation plan to test the system by means of a scalable synthetic environment, and Section V delineates a framework of implementation centered on an object-based infrastructure.

II. RELEVANT CHARACTERISTICS OF CYBER WARFARE

In general, time variables play an important role in the design of decision support systems [3]: temporal constraints become even more stringent when those systems have to deal with cyber attacks, where real time responses are typically hindered by the knowledge-intensive nature of cyber operations and associated tasks. Some decisions on where and when to invoke various methods of cyber defense and mitigate damage, as well as decisions to launch a cyber counterattack, need to be made quickly. Large-scale cyber attacks or counterattacks are likely going to require careful, human decision-making for some time into the future. Yet there are other responses to cyber attacks or cyber espionage that could and should be done immediately, such as revoking an employee’s access if suspicious activity is detected, blocking all remote access or from certain URLs and through certain servers, immediate assessment of likely damage and risks, and so on. What we propose in this paper is the building of a cognitive system for decision support that will emulate ideal human responses to cyber attacks. This would be accomplished through careful design of its architecture, both in terms of cognitive mechanisms and knowledge resources, and by comparing its outputs on case studies with actions of human agents. The benefits are threefold. First, by cognitive modeling we come to better understand the mechanisms underlying human decisions in the realm of cyber warfare and cyber espionage, coupling the cognitive aspects and the semantic contents of decision-making. Second, after extensive testing we could use this intelligent decision-making system to recommend steps to human decision-makers—e.g., recommendations to gather further information, or actually to act in a certain way and to assess the risks of not acting. Finally, in cases where the reliability of the system is high, and where time is of the essence or the actions have little risk (such as revoking one employee’s system access, or access to one URL), the intelligent system could act swiftly and autonomously.

Some forms of attacks, such as Distributed Denial Of Service (DDoS) and other botnet jamming of networks or servers, show signs of admitting purely technological solutions. However, human error by employees has repeatedly been cited as the most common source of vulnerability [4], [5], [6], [7]. One technique of gaining illegitimate access to an information system that still appears with remarkable frequency is spear-phishing: emails to DOD employees or defense contractors with spoofed addresses from acquaintances that seem to have a harmless photograph, PDF, or other attachment¹. While this exploitation might not alone gain direct access to secure systems, it may allow an attacker to gather personal information that can be used to guess passwords, answer security questions, and so on. Social networking sites and other open data and the use of analytics allow attackers to identify employers, friends, relatives, shopping and driving habits, and so on. This aids an attacker enormously in the identification of targets and gaining access: for instance, in a recent case the New York Times’ sites were brought down when a group claiming to be the Syrian Free Electronic Army used social media and spear phishing to gain access to employees' passwords to the server that handled the NY Times' Domain Network System (DNS). Likewise even if smartphones and other portable devices are not used at secure locations and do not contain classified or sensitive data, hacking into them (or intercepting cellular and WiFi communications, including with vehicles and home monitoring devices) can provide personal data that can be utilized to make direct attacks.

¹ Because of their prevalence and complexity in terms of kind and number of cognitive agents, we intend to include these as paradigms of our use-cases.

III. TOWARDS A COGNITIVE SYSTEM FOR DECISION SUPPORT IN CYBER WARFARE

A. General methodology

Our approach is inspired by the notion of “sociotechnical system” [8], which emphasizes the interaction between people and technology in the workplace. Ontology analysis has recently proved to be an effective tool for investigating these complex aspects [9]: nevertheless, the interactive nature of socio-technical systems demands a broader framework, where human behavior can be studied not only in terms of action schematics, planning and rules, but also as a genuinely cognitive phenomenon, which can be properly investigated only as a dynamic system. Accordingly, the key elements of our proposed method for modeling cyber operations are:

• Cognitive architecture – design and development of cognitive models of decision-making in cyber defense based on ACT-R² cognitive architecture [10]. The models will focus on: learning mechanisms, memory and attentional limitations, decision-making strategies, risk perception, and trusted judgments.

• Ontologies – design and development of applied formal ontologies to 1) serve as a knowledge base for our cognitive models (Cyber Security Ontologies) and to 2) classify and annotate cyber security test and training data (Scenario Ontologies).

• Live, Virtual, Constructive (LVC) Integration – Enable the analysis of cyber defense strategies; support training for cyber security personnel; validate the cognitive models developed with attack/mitigate/counter-attack scenarios and enhance them by leveraging learning mechanisms.

² Pronounced, “act-ARE”: Adaptive Control of Thought—Rational.

By integrating these elements in a coherent multi-purpose system, we aim at unraveling the complex structures that mediate interactions among defenders, adversaries and the public: in this respect, the overall goal is to enhance situational awareness in cyber warfare by assessing human performance in a simulated environment. The system is also meant to interact autonomously in a hybrid team, i.e. playing the role of a “teammate” sentinel in support of humans, eventually capable of prompting decisions and performing actions in more mature stages of development.

To provide a richer characterization of our approach, Section B illustrates the functional requirements of the envisioned system, while Sections C and D will narrow the focus to, respectively, ACT-R cognitive architecture (the central component of the system) and the ontologies needed to frame the knowledge component of the architecture.

B. Functional models of cyber operations

Modeling decision-making in the cyber security framework requires multiple factors to be investigated: (i) the size and the variety of knowledge which is necessary to classify and analyze attacks and defensive actions; (ii) the flexible behavior required by coupling alternative strategies of response to specific cyber threats, updating and revising strategies when the circumstances of the attack or the environmental conditions evolve; (iii) learning by experience how to deal with cyber attacks; (iv) interacting in a team by building a mental representation of the co-workers as well as of the enemies. These factors can be mapped to the 12 criteria distilled in [11] (from the original list compiled by Newell in [12]) that a cognitive architecture would have to satisfy in order to achieve human-level functionality. In these regards, cognition is not considered as a “tool” for optimal problem solving but, rather, as a set of limited information processing capacities (so-called ‘bounded rationality’ [13])³. In a similar fashion, Wooldridge had identified the requirements that an agent should satisfy in order to act on a rational basis [14], namely: reactivity, the capacity of properly reacting to perceptual stimuli; proactivity, the capacity of operating to pursue a goal; autonomy, implying an unsupervised decision making process; social ability, the capacity of interacting with other agents and revising mental states accordingly.

³ Despite the relevance of emotions in decision-making [34], our approach doesn’t extend to the investigation of affective aspects at this stage.

State-of-the-art research on cognitive architectures (SOAR, ACT-R, CLARION, OpenCog, LIDA, etc.) has produced a significant amount of results on specifying this extensive range of functions⁴: by and large, ACT-R has accounted for the broadest range of cognitive activities at a high level of fidelity, reproducing aspects of human data such as learning, errors, latencies, eye movements and patterns of brain activity [10]. However, these results have often involved relatively narrow and predictable tasks. Most importantly, cognitive architectures have just started to tackle the problem of how to model social ability [15], which is a crucial aspect of our approach. A fundamental feature of human social ability is “mindreading” [16], i.e. to understand and predict the actions of others by means of postulating their intentions, goals and expectations: this process of interpretation is feasible only if an agent can learn to represent the mental states of others on the basis of cumulative experience and background knowledge, combining the resulting mental model with the continuous stream of data from the environment, aiming at replicating the cognitive processes that have likely motivated the other agents to perform the observed actions. Scaling up ACT-R to account for more extensive multi-agent scenarios can help to build comprehensive models⁵ of social conflict and cooperation, which are critical to discern the governing dynamics of cyber defense. But if leveraging the ACT-R framework might be sufficient to replicate the mechanisms described in (ii)-(iv), the knowledge functionality (i) can be fulfilled only by injecting a fair amount of highly expressive knowledge structures into the architecture: accordingly, ontologies can provide these structures in the form of semantic specifications of declarative memory contents [17]. As [18], [19], and [20] show, up to this time most research efforts have focused on designing methods for mapping large knowledge bases to ACT-R declarative module, but with scarce success. Here we commit to a more efficient approach: modular ontologies. Modularity has become a key issue in ontology engineering. Research into aspects of ontological modularity covers a wide spectrum: [21] gives a good overview of the breadth of this field. Our modular approach guarantees wide coverage and “manageability”: instead of tying ACT-R to a single large ontology, which is hard to maintain, update and query, we propose a suite of ontologies that reliably combine different dimensions of the cyber defense context, e.g. representation of secure information systems at different levels of granularity (requirements, guidelines, functions, implementation steps); categorization of attacks, viruses, malware, worms, bots; descriptions of defense strategies; the mental attitudes of the assailant, and so on.

In our context, the computational system resulting from the combination of cognitive and knowledge functionalities aims at fostering a better understanding of cyber attacks, supporting human operators in cyber warfare, eventually cooperating with them in well-defined synthetic environments. The rest of the paper presents in more detail the basic components of such a hybrid framework.

⁴ See [33] for a comprehensive overview of the most recent advancements in the area of cognitive architectures research.

⁵ Note that the distinction between ‘model’ and ‘agent’ when dealing with cognitive architectures is a blurred one. For clarity’s sake we will henceforth use ‘agent’ to avoid ambiguities with the notion of semantic model (ontology). In general, an agent is a cognitive model that dynamically interacts with the environment.

C. Replicating cognitive mechanisms with ACT-R

Cognitive architectures attempt to capture at the computational level the invariant mechanisms of human cognition, including those underlying the functions of control, learning, memory, adaptivity, perception, decision-making, and action. ACT-R [10] is a modular architecture including perceptual, motor and declarative memory components, synchronized by a procedural module through limited capacity buffers (see figure 1 for the general diagram of the architecture). The declarative memory module (DM) plays an important role in the ACT-R system. At the symbolic level, ACT-R agents perform two major operations on DM: 1) accumulating knowledge “chunks” learned from internal operations or from interacting with objects and other agents populating the environment and 2) retrieving chunks that provide needed information. ACT-R distinguishes ‘declarative knowledge’ from ‘procedural knowledge’, the latter being conceived as a set of procedures (production rules or “productions”) which coordinate information processing between its various modules [10]: according to this framework, agents accomplish their goals on the basis of declarative representations elaborated through procedural steps (in the form of if-then clauses). This dissociation between declarative and procedural knowledge is grounded in experimental cognitive psychology; major studies in cognitive neuroscience also indicate a specific role of the hippocampus in “forming permanent declarative memories” and of the basal ganglia in production processes (see [22], pp. 96-99, for a general mapping of ACT-R modules and buffers to brain areas and [23] for a detailed neural model of the basal ganglia’s role in controlling information flow between cortical regions). ACT-R performs cognitive tasks by combining rules and knowledge: for reasons of space, a complete analysis of how the architecture instantiates this cognitive-based processing is not suitable here. Nevertheless, two core mechanisms need to be mentioned: i) partial matching, the probability of association between two distinct declarative knowledge chunks, computed on the basis of adequate similarity measures (e.g. a bag is more likely to resemble a basket than a tree); ii) spreading of activation, the phenomenon by which a chunk distributionally activates the different contexts in which it occurs (a bag can evoke shopping, travel, work, etc.). These two basic mechanisms belong to the general sub-symbolic computation underlying chunk activation, which in ACT-R controls the retrieval of declarative knowledge elements by procedural rules. In particular, ACT-R chunk activation is calculated by the following equation:

$$A_i = \ln \sum_j t_j^{-d} + \sum_k W_k S_{ki} + \sum_l MP_l \, Sim_{li} + N(0, \sigma) \qquad (1)$$

On the basis of the first term, the more recently and frequently a chunk $i$ has been retrieved, the higher the activation and the chances of being retrieved ($t_j$ is the time elapsed since the $j$th reference to chunk $i$ and $d$ represents the memory decay rate). In the second term of the equation, the contextual activation of a chunk $i$ is set by the attentional weight $W_k$, given the element $k$ and the strength of association $S_{ki}$ between $k$ and $i$. The third term states that, under partial matching, ACT-R can retrieve the chunk that matches the retrieval constraints to the greatest degree, combining the similarity $Sim_{li}$ between $l$ and $i$ (a negative score that is assigned to discriminate the ‘distance’ between two terms) with the scaling mismatch penalty $MP$. The final factor of the equation adds a random component to the retrieval process by including Gaussian noise to make retrieval probabilistic.

The intertwined connection between declarative and procedural knowledge, weighted by stochastic computations, represents the necessary substrate for realizing at the computational level the functionalities outlined in section B: more specifically, we claim that ACT-R can successfully be used to emulate human behavior in selecting and executing defense strategies, matching input data from on-going cyber attacks to deeply structured background knowledge of cyber operations. In the past, ACT-R architecture has been successfully used in contexts where integrating declarative and procedural knowledge was also a fundamental issue, e.g. air traffic control simulations [24].

Figure 1. ACT-R Modular Structures

D. Augmenting ACT-R with cyber security ontologies

The development of cyber security ontologies is a critical step in the transformation of cyber security from an art to a science. In 2010, the DOD sponsored a study to examine the theory and practice of cyber security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach. The study team concluded that:

    The most important attributes would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding. A common language and agreed-upon experimental protocols will facilitate the testing of hypotheses and validation of concepts [25].

The need for controlled vocabularies, taxonomies, and ontologies to make progress toward a science of cyber security is recognized in [26] and [27] as well. In the domain of cyber security, the ontologies would include, among other things, the classification of cyber attacks, cyber incidents, and malicious and impacted software programs. From our point of view, which seeks to accurately represent the human-side of cyber security, we also expand our analysis to: (i) the different roles that system users, defenders and policy makers play in the context of cyber security; (ii) the different jobs and functions that the members of cyber defender team play and the knowledge, skills and abilities needed to fulfill these functions. In order to reduce the level of effort, we will reuse existing ontologies when possible⁶ and only create new ontologies that support the use cases we select.

The decentralization of knowledge organization and maintenance to a variety of interconnected ontology modules leverages a shared bridging component, i.e. BFO reference ontology⁷: in this sense, BFO plays the role of the common semantic infrastructure to define, populate and update multiple context-driven cyber ontologies. The various modules will be encoded in W3C language OWL⁸: the process of porting them into ACT-R is managed automatically at the architecture level by built-in LISP functions, which are able to a. read and interpret the XML-based syntax of the semantic model and b. convert it into ACT-R declarative format. A set of broad schemas drives this conversion process: for instance, the direct mapping between the “chunk-type” primitives in ACT-R and classes in the ontologies has been designed. Further schemas at a narrower level of granularity will be provided, as engineered for an analogous framework presented at STIDS 2012 [28].

⁶ For instance, exploiting material from this portal: http://militaryontology.com/cyber-security-ontology.html

⁷ http://ontology.buffalo.edu/bfo/

⁸ http://www.w3.org/TR/owl-features/

IV. COGNITIVE SIMULATIONS OF CYBER OPERATIONS

A. Experimental Design

The first objective of building an intelligent system endowed with adequate representation of cyber security knowledge is to use it in scalable synthetic environments for training human decision-makers. In addition, once the system has incorporated the necessary rational capabilities (defined in the previous section) and learned the dynamics of team interaction, we aim at testing the possibility of deploying it as an autonomous defensive agent in virtual cyber operations. In order to achieve the necessary degree of robustness and dependability, we plan simulations at different levels of complexity, as follows:

BSE — Basic Synthetic Environment: two ACT-R agents face each other playing the role of assailant and defender;

HSE — Hybrid Synthetic Environment: an ACT-R agent and a human face each other playing the role of assailant and defender;

HSGE — Hybrid Synthetic Group Environment: two teams, each constituted by humans and ACT-R agents face each other playing the role of assailant and defender.

In order to run these incremental simulations, we will initially collect an experimental dataset of cyber attacks, to be split into train and test set. In particular, we will focus on spear phishing attacks, as delineated in section II. The datasets will be organized to instantiate classes and properties of the defined modular ontologies. Each level of the cognitive-based simulation will be conceived as a block composed of multiple trials⁹. At the BSE level, the simulation aims at assessing the soundness of the cognitive mechanisms executed by the agent, serving also as system debugging and as an evaluation of the experimental settings. In the HSE, the agent will have to compete against humans, whose potentially erratic behavior will be exploited by the agent as a primary source of acquisition of cyber warfare strategies and mental representation of the opponent. Finally, in HSGE the scenario will get more complex by shifting to a multi-agent framework, where each defending agent will have to learn intra-group cooperation and build mental representation of the opponent as a group (whose members act complementarily and collectively to harm the defending team).

⁹ Setting to 100 the number of trials should guarantee a satisfactory level of stochasticity in the results.

In the delineated experimental phase we plan to expand our previous work on applying cognitive architectures to decision-making in non-zero sum games [29]: cooperative and conflicting phenomena have been comprehensively studied using game theory [30], in which complex social dynamics are narrowed down to relatively simplified frameworks of strategic interaction. Valid models of real-world phenomena can provide better understanding of the underlying socio-cognitive variables that influence strategic interaction: of course these models need to be consistent with the structural characteristics of games, and with the actual everyday situations at hand. In this respect, the goal of the planned cognitive simulations is to study decision-making by deploying computational rational agents in cyber attack “gamified” scenarios.

B. Evaluation plans

As recent studies have shown [31], training users to respond to cyber attacks becomes effective only after several iterations. But high time-costs in training can expose socio-technical systems to harmful consequences, with no chance of recovering stolen information or, even worse, of fully restoring the functionalities of the system. Our approach aims to improve cyber defense strategies and speed up the deployment of counter-measures. In particular, we plan to assess the correspondence between the models’ simulations and the human behavior in cyber-operations by analyzing human data in decision-making processes. Accordingly, we will apply different analytical methods, such as computing means and standard errors (for decisions), medians and the 1st and 3rd quartiles (for decision times) — similar approaches have been successfully proposed in [32]. We will encode conversion functions in the system to format the outputs as discrete decisions (e.g. “delete spear phishing email”, “scan for malware”, “reactivate firewall”, etc.). Exploiting ACT-R internal clock module, we will also be able to reproduce decision times at human granularity scale, tracking the relevant stages of the rational decision-making process.

V. APPLICATION FRAMEWORK

So far we have discussed the general requirements and described the high-level cognitive structures of an intelligent system for decision support in cyber warfare. However, a product or a solution based on these requirements and architecture will need to address specific problems in the business domain. Furthermore, the end product would likely require integration with other technical components and frameworks. We see an opportunity to apply the concepts described in this paper for the development of an application capable of assessing and reducing information systems vulnerabilities through live, virtual, and constructive (LVC) simulations. Such an application can support a wide range of cyber defense objectives, including: (i) analysis of cyber defense strategies and identification of network vulnerabilities through simulated attacker-defender interaction in BSE – HSE – HSGE scenarios; (ii) training for cyber security personnel with a suitable ACT-R agent simulating the attacker against human players; (iii) validation and enhancement of the cognitive models developed with an attack counter-attack scenario. To support LVC simulations, the application will need to work with existing distributed modeling and simulation infrastructures, such as the High Level Architecture (HLA)¹⁰ or Testing and Training Enabling Architecture (TENA)¹¹. The key integration activities include:

• Identification and creation of reusable ‘objects’. A distributed modeling and simulation framework such as TENA encourages objects representing things such as targets and assets to be reused across simulations¹². In particular, within the intelligent decision support system, we see opportunities at two levels: 1) creation of reusable objects representing attackers and defenders (these objects can be used to simulate behaviors of the actors); 2) creation of reusable objects representing IT Infrastructure components that could be under cyber attacks (these objects model the commands and instructions that can be sent to various components and their responses).

• Integration of reusable objects into the middleware layer of the modeling and simulation framework. Figure 2 shows a reusable TENA object (representing cyber attackers) plugged into the middleware layer.

• Implementation of runtime knowledge sharing in the modeling and simulation framework. In the example shown in figure 2, the ACT-R cognitive model (representing the defender) is integrated with knowledge sources incrementally stored in ACT-R declarative memory module: a) modular cyber security ontologies, retrieved from the TENA Repository and; b) the modular ontologies of the scenario [1], incrementally stored in TENA Event Data Management.

Figure 2. The Cognitive System realized in the TENA framework.

¹⁰ http://standards.ieee.org/findstds/standard/1516-2010.html

¹¹ Test and Training Enabling Architecture (TENA): https://www.tena-sda.org/display/intro/Home

¹² TENA object-oriented modeling features well fit our ontology-driven cognitive system.

VI. CONCLUSION

The novelty of our approach relies on grounding a decision support system in a broad spectrum of human-level cognitive functionalities blended with highly structured knowledge resources. In particular, by focusing on learning mechanisms, context-driven semantic specifications and scalable simulations, the obtained computational system can serve both as a training environment for cyber personnel and as an autonomous team member operating in advanced security settings. Our position paper aims at fostering the discussion within the communities of interest and can play the role of a starting platform for a scientific project proposal.

REFERENCES

[1] R. Dipert, "Other-Than-Internet (OTI) Cyberwarfare: Challenges For Ethics, Law, and Policy," Journal of Military Ethics, vol. 12, no. 1, pp. 34-53, April 2013.

[2] R. R. Dipert, "The Ethics of Cyberwarfare," Journal of Military Ethics, vol. 9, no. 4, pp. 384-410, December 2010.

[3] M.I. Hwang, "Decision Making under time pressure: A model for information systems research," Information and Management, vol. 27, pp. 197-203, 1994.

[4] Symantec. (2013, June) Symantec. [Online]. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01

[5] Brian Montopoli. (2013, May) CBS News. [Online]. http://www.cbsnews.com/8301-201_162-57586624/how-chinese-hackers-steal-u.s-secrets/

[6] (2013, May) Wall Street Journal. [Online]. http://online.wsj.com/article/PR-CO-20130530-906764.html?mod=googlenews_wsj

[7] J. C. Forsythe, A. Silva, S. Stevens-Adams, and J. Bradshaw, "Human Dimensions in Cyber Operations Research and Development Priorities," SANDIA Report 2012-9188, Technical 2012.

[8] K. B. De Greene, Sociotechnical systems: factors in analysis, design, and management. Prentice-Hall, 1973.

[9] N. Guarino, E. Bottazzi, R. Ferrario, and G. Sartor, "Open Ontology-Driven Sociotechnical Systems: Transparency as a Key for Business Resiliency," in Information Systems: Crossroads for Organization, Management, Accounting and Engineering, 2012, pp. 535-542.

[10] John R. Anderson and Christian J Lebiere, The Atomic Components of Thought. Erlbaum, 1998.

[11] John R. Anderson and Christian Lebiere, "The Newell Test for a theory of cognition," Behavioral and Brain Sciences, vol. 26, no. 5, pp. 587-637, 2003.

[12] Allen Newell, Unified Theories of Cognition. Cambridge, Massachusetts: Harvard University Press, 1990.

[13] H. Simon, "Bounded Rationality and Organizational Learning," Organization Science, vol. 2, no. 1, pp. 125-134.

[14] M. Wooldridge, Reasoning about Rational Agents. Cambridge, MA, United States of America: The MIT Press, 2000.

[15] R. Sun, Cognition and Multi-agent Interaction, R. Sun, Ed.: Cambridge University Press, 2006.

[16] Paul Bello, "Cognitive Foundations for a Computational Theory of Mindreading," Advances in Cognitive Systems, vol. 1, pp. 59-72, 2012.

[17] A. Oltramari and C. Lebiere, "Knowledge in Action: Integrating Cognitive Architectures and Ontologies," in New Trends of Research in Ontologies and Lexical Resources, Alessandro Oltramari, Piek Vossen, Lu Qin, and Ed. Hovy, Eds.: Springer, pp. 135-154.

[18] J. Ball, S. Rodgers, and K. Gluck, "Integrating ACT-R and Cyc in a large-scale model of language comprehension for use in intelligent agents," in Papers from the AAAI Workshop, Menlo Park, CA, pp. 19-25.

[19] B. J. Best, N. Gerhart, and C. Lebiere, "Extracting the Ontological Structure of OpenCyc for Reuse and Portability of Cognitive Models," in Proceedings of the 17th Conference on Behavioral Representation in Modeling and Simulation, 2010.

[20] S. Douglas, J. Ball, and S. Rodgers, "Large declarative memories in ACT-R," in Proceedings of the 9th International Conference of Cognitive Modeling, Manchester, UK.

[21] H. Stuckenschmidt, C. Parent, and S. Spaccapietra, "Modular Ontologies - Concepts, Theories and Techniques for Knowledge Modularization," 2009.

[22] J. R. Anderson, How Can the Human Mind Occur in the Physical Universe? New York: Oxford University Press.

[23] A. Stocco, C. Lebiere, and J. R. Anderson, "Conditional Routing of Information to the Cortex: A Model of the Basal Ganglia's Role in Cognitive Coordination," Psychological Review, vol. 117, no. 2, pp. 541-574, 2010.

[24] C. Lebiere, Constrained Functionality: Application of the ACT-R Cognitive Architecture to the AMBR Modeling Comparison. Mahwah, NJ: Erlbaum, 2005.

[25] The MITRE Corporation, "Science of Cyber-Security," The MITRE Corporation, McLean, VA, Technical 2010 (extract).

[26] D. A. Mundie and D. M. McIntire, "The MAL: A Malware Analysis Lexicon," CERT® Program - Carnegie Mellon University, Technical 2013.

[27] Randall Dipert, "The Essential Features of an Ontology for Cyberwarfare," in Conflict and Cooperation in Cyberspace - The Challenge to National Security, Panayotis A Yannakogeorgos and A. B. Lowther, Eds.: Taylor & Francis, 2013, pp. 35-48.

[28] A. Oltramari and C.

[29] … Modeling), Ottawa, 2013.

[30] A. Rapoport, M. J. Guyer, and D. G. Gordon, The 2 x 2 game. Ann Arbor, MI: University of Michigan Press, 1976.

[31] B. M. Bowen, D. Ramaswamy, and S. Stolfo, "Measuring the Human Factor of Cyber Security," Homeland Security Affairs, vol. 5, no. 2, 2012.

[32] J. N. Marewski and K. Mehlhorn, "Using the ACT-R Architecture to specify 39 quantitative process models of decision making," Judgement and Decision Making, vol. 6, pp. 439-519, August 2011.

[33] J.E. Laird, The SOAR Cognitive Architecture. USA: The MIT Press, 2012.

[34] C. L. Dancy, F. E. Ritter, and F. E. Berry, "Towards adding a physiological substrate to ACT-R," in Proceedings of the 21st
Lebiere, "Using Ontologies in a Cognitive- Conference on Behavior Representation in Modeling and Grounded System: Automatic Action Recognition in Video Simulation, Ameli a Island, FL, 2012, pp. 78-85. Surveillance," in Proceedings of STIDS 2012 (7th International Conference on "Semantic Technology for Intelligence, Defense, and Security"), Fairfax, VA, 2012. [29] A. Oltramari, C. Lebiere, N. Ben-Asher, and C. Gonzalez, "Strategic Dynamics Under Alternative Information Conditions," in Proceedings of ICCM 2013 (International Conference of Cognitive STIDS 2013 Proceedings Page 100