Human interaction plays a key role in the achievement of cybersecurity goals. Addressing cyber threats necessitates an emphasis on human behavior and cognitive models, not merely relying on technical details, since individuals are the weakest link in the cybersecurity context. Thus, the design of cybersecurity-related training programs should be carried out accordingly to increase their efectiveness. The following research proposes a framework, called "CRASTE", which maps human factors and perception, the Red and Blue Team simulation and the Cyber Kill Chain to improve cybersecurity education with respect. The introduction of Artificial Intelligence (AI) in this process can foster the proper employment of the MITRE ATT&CK, which is the most used knowledge base in cybersecurity, to present how the Large Language Models (LLMs) can support both Red and Blue Teams during attacks and their defense.
Cybersecurity plays a crucial role in today’s era of technological innovation and the burgeoning digital
economy. Threat actors pose risks to individual safety in terms of the integrity of their intellectual
property by conducting attacks on several levels, such as illicit sales on the dark web or leveraging for
ransom demands [
This implies that, in this field, human’s characteristics cover an important role since most of the
security challenges comes from their behaviours and skills. Thus, it is necessary to explore human
behavior when considering cyber threats to the mission, the mission-enabling infrastructure against
which attacks occur, the human defenders’ operational processes, and the roles that humans play in
cyberspace operations [
The integration of Artificial Intelligence (AI) in any field can boost productivity while providing
humans with enhanced skills and abilities thanks to the high computational power [
Cybersecurity is an intricate domain and it is influenced by multiple factors. In this section, background concepts and additional context is provided concerning human-factors and perception, the Red and Blue teams, and the CKC.
The way that individuals interact with computers and make decisions is a dynamic and intricate issue,
encompassing numerous factors [
The CKC is one of the defense models designed to help companies and large organizations mitigate the most advanced cyber-attacks. The goal is to compromise a particular asset that contains specific data or valuable information [14, 15]. A characteristic to keep in mind of this attack is that the attacker’s actions are performed over a considerable time.
The phases of the Kill Chain improve visibility into an attack and enrich the analyst’s understanding of the adversary’s tactics, techniques and procedures. It consists of 7 phases [16, 17]: 1. Reconnaissance: the goal of this phase is to collect information about the victim and to understand which are the most appropriate actions to perform during the attack; This process is also called "footprinting" since at the end it is possible to obtain a detailed "snapshot" of the target. 2. Weaponization: it is the preparation and staging phase which has the objective to define a penetration plan utilizing the information gathered from the previous stage. 3. Delivery: it is the malware transmission and delivery phase. It is expected that the victim downloads and/or executes malicious files or visits malicious web pages. 4. Exploitation: in this phase the vulnerability previously found are exploited by the attacker to obtain access to the target system and conduct the attack. 5. Installation: in this phase the backdoor or any equivalent systems is installed on the victim’s device to guarantee the attacker persistent access in time. 6. Command & Control (C2): in this phase the victim is manipulated by the attacker through the malicious code previously installed. 7. Actions on Objectives: in this phases the attacker execute the attack reaching their objective.
Typically, the attackers aim to perform data exfiltration which involves collecting, encrypting and extracting information from the victim environment.
The cybersecurity field can be described referring to two diferent and opposite perspective: Red Team and Blue Team which represent the attack and defence side respectively. The Blue Team is "the group responsible for defending an enterprise’s use of information systems by maintaining its security posture against a group of mock attackers" [18]; the Red Team is "a group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture" [19].
This approach is employed from organizations to deeply understand how to face a cyber threat being able to "think like an attacker"; it brings benefits in terms of risk assessment, detection, and evolution of threats [20, 21].
The success of the Blue Team vs. Red Team approach hinges on interaction and mutual feedback. The primary goal is to refine an organization’s detection and response capabilities. Through this collaboration, it is possible to increase awareness of attack techniques and bring to light the vulnerabilities in the attacker’s defense infrastructure. It is important to highlight that when a Security Operations Center (SOC) fails to detect an intrusion, it is not always due to operator preparation or technological ineficiency. Instead, the attacker’s success may result from the inefectiveness of controls against sophisticated, previously unknown techniques. Therefore, the actions of the Red Team are functional in exposing these control deficiencies, preventing them from being exploited to cause real damage [ 22]. For this reason, a final report must be created to highlight the details concerning all the aspects related to the attack (e.g. how the breach occurred, the timeline of the attack, the details of the vulnerabilities that were exploited to gain access, the business impact to the company, etc.) [23].
In this section, CRASTE is presented. It is a framework concerning the integration of human factors and perception at various stages of the CKC. The goal is to understand how such human aspects can improve training in cybersecurity and the Red/Blue simulation.
Human Factors They refer to environmental, organisational and job factors, and human and individual characteristics, which influence behaviour at work in a way which can afect health and safety [24]. This concept includes three main aspects that must be considered: • Job: the nature of the task, workload, the working environment, the design of displays and controls, and the role of procedures (What people are being asked to do). • Individual: this aspect includes his/her competence, skills, personality, attitude, and risk perception. Individual characteristics influence behaviour in complex ways ( Who is doing it). • Organization: the work patterns, the culture of the workplace, resources, communications, leadership and so on (Where they are working).
Perception It is a subjective process influenced by various factors which shape how individuals
interpret and comprehend their surroundings. These factors influence the selection, organization, and
interpretation of sensory information, resulting in diverse and unique perceptions among people. For
this reason, it is essential to design a learning and playful environment that integrates diferent aspects
of cybersecurity education; in this way individuals can be allowed to expand their knowledge beyond
technical aspects and consider human factor risks [
Table 1 presents the human factors and perceptions identified in the previous work [
This section aims at gathering insights into the influence of AI in cybersecurity by considering the
MITRE ATT&CK framework, human factors and perception. The diference between the MITRE
ATT&CK and the CKC lies in the fact that the first is a knowledge base that encompasses all the
elements, tools, techniques, and procedures that belong to cyber-attacks [
The integration of AI can bring significant advantages because it can provide details, explanations, and suggestions concerning aspects that humans might not detect by themselves. It can strongly influence human factors and perception of users while being involved in an attack from both perspectives (i.e., Red and Blue Team). The correlation between the elements presented in Table 1 with the specific role of LLMs is discussed below. (E1) Social Engineering This element of the framework exploits human psychology to manipulate individuals in order to make them perform actions that are in favor of the attacker. The integration of LLMs in this component becomes crucial in the Reconnaissance phase, since it can allow humans to receive easily-understandable information concerning the threat target and suggest a suitable delivery method for the attacker based on their expertise; it influences their perception of the attack’s success and their own abilities.
Human factors are influenced in terms of individual skills, in fact, when a red team consists of multiple individuals, they are all influenced by where the operation takes place and the tasks assigned to others to carry out the attack. (E2) User Awareness It refers to the perception of risks and humans’ understanding of safe practices. In this case, for Weaponization, a LLM can suggests techniques for the attack design and tools. During Installation, an AI agent can help in the implementation of a strong and long-lasting backdoor. Perception is influenced by the success or failure of implementing these suggestions. Humans can utilize AI to understand ongoing situations (both from blue and red team perspectives) - user awareness. (E3) Usability and Security Trade-Ofs Lack of usability can lead to issues in the efective communication between humans and any kind of system. This implies that users might attempt to find workarounds to ignore security protocols or warnings that could prevent them from falling into dangers. In this case, a LLM tool can suggest exploit and malware installation methods, leveraging usability and security. It influences red team human factors in terms of skills and support for conducting an attack. (E4) Organizational Culture This element encompasses the array of values, anticipations, and behaviors that direct and shape the behavior of every team member. An organization that allows the employment of LLMs when it comes to cybersecurity can allow individuals to improve their understanding of dangerous situations, providing support in obtaining explanations regarding notions or techniques. The blue team can improve its understanding reconnaissance, delivery, and action methods. Organizational culture is considered because individuals within the blue team behave according to their skills, workplace environment, and organizational influences. (E5) Risk Assessment Being able to appropriately assess risks and threats implies possessing the right judging skills in order to find the proper danger levels. The blue team, with the help of AI, understands how attacks are executed to perform risk assessments. Perception is influenced in terms of the ability to manage, confront, and evaluate situations. (E6) Risk Detection It gathers the processes and actions to identify concealed threats inside a network or system and responding to them. AI assists the blue team in risk detection to understand how attacks are executed. It afects how the blue team interprets and evaluates the attack, consequently afecting their ability to counter it. For example, an individual can ask a LLM model to interpret or analyze an email in order to understand if it is phishing. The LLM can provide human-like explanations, fully understandable even by non-experts. (E7) Incident Response It refers to how individuals respond to security incidents and how to report them. AI helps the red team understand how the blue team might counter the attack, and the blue team in actually countering it. Human factors and perception are influenced. Human factors include personal skills and their impact on their work and organization (from both perspectives); perception is influenced by the success of the attack (red team) and the response skills (blue team). Perception in terms of dificulty. (E8) Response to Threat It refers to security threats and incidents that have actually happened. Referring to the timing of the attack, AI can signal real-time attacks for the blue team. For the red team, AI can monitor the attack’s progress and assess if their objectives are met. It influences the blue team’s perception of how the attack is interpreted and the stress it causes, while the red team focuses on the attack’s success and efects. (E9) Compliance It ensures an organization’s security measures meet regulatory standards and guidelines. These standards are designed to protect the integrity, confidentiality, and availability of sensitive data from various cyber threats. With AI, the blue team can evaluate if security measures comply with regulations. Thus, the blue team’s perception refers to how they perceive their security measures based on whether the attack was successful or not.
In conclusion, the employment of LLMs with the MITRE ATT&CK can bring positive implications on cybersecurity education. Through the explanations and indications provided by LLMs, individuals are enabled to receive real-time and personalized feedback that can be adapted to specific threats and dangerous situations. In this way, individuals can avoid feeling lost when facing cybersecurity risks, especially in case of low levels of expertise.
This paper analyzes how human factors and perception, integrated in the CKC, can support the activities concerning the attack and defence perspective. This aspect is further investigated considering a broader context concerning the MITRE ATT&CK framework along with the impact that LLMs can have on human’s behaviors and feelings. By integrating AI functionalities it is possible to improve the training process of both perspective having, in some cases, a real-time feedback and suggestion. The CRASTE framework maps the elements of human factors and perception at the various stages of the CKC to improve cybersecurity training.
Future work concerns the execution of experiments of this approach in university courses to compare how the integration and analysis of these aspects can improve the knowledge about attacks (Red Team) and defense (Blue Team). It is also intended to introduce gaming elements in the learning process to increase student’s knowledge and skills by recreating red and blue team simulations through the application of gamification and serious games.
This study has been partially supported by the following projects: SSA - “Secure Safe Apulia - Regional Security Center” (Codice Progetto 6ESURE5) and SERICS - “Security and Rights In the CyberSpace SERICS” (PE00000014) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU. The research of Antonio Curci and Miriana Calvano is supported by the co-funding of the European Union - Next Generation EU: NRRP Initiative, Mission 4, Component 2, Investment 1.3 – Partnerships extended to universities, research centers, companies, and research D.D. MUR n. 341 del 15.03.2022 – Next Generation EU (PE0000013 – “Future Artificial Intelligence Research – FAIR” - CUP: H97G22000210007).