“Prevalence Paradox” Captures Hacker Strategy, Design Solutions, and the Human Factors Prize

Wednesday, November 15, 2017


Ben D. Sawyer (Massachusetts Institute of Technology) and Peter A. Hancock (University of Central Florida) were awarded the Human Factors Prize for Excellence in Human Factors research on October 10 at the Annual Meeting of the Human Factors and Ergonomics Society.

Their study examines e-mail cyber attacks in the context of a psychophysical theory called the prevalence effect. Under this theory, as the target signals a person is looking for (malicious e-mails, in this case) become rarer among the incoming stream, the person becomes less likely to detect them or respond appropriately. The study demonstrates, for the first time, how the prevalence effect operates in e-mail-based cybersecurity.

E-mail cyber attacks and “spearphishing,” in which the attack is tailored to the victim, accounted for 40% of total cyber attack costs in 2016 (Ponemon Institute). But cyber attackers have recently reduced the number of e-mail attacks they send, even as the impact of such malicious messages has increased (Symantec). Sawyer and Hancock’s study shows how this reduced number of attacks actually makes targeted users more likely to engage with the malicious e-mails, which can result in a security breach, and less likely to report an attack.

In the study, spearphishing cyber attacks were hidden among 300 simulated e-mails. As the proportion of malicious messages among the delivered e-mails was reduced, participants’ ability to detect them dropped, even though the time they spent reviewing each e-mail increased.

Software can shield users from attacks by removing illegitimate e-mails, but because this protection also reduces the number of attacks the user sees, the user is at increased risk from the attacks that do reach the inbox. The authors coined the term prevalence paradox to describe circumstances in which software success results in a situation in which “human operators are increasingly likely to fail to detect and report remaining attacks.” Sawyer and Hancock conclude with suggested design strategies to mitigate prevalence effects and strengthen human-machine teaming.

The Human Factors Prize confers a $10,000 cash award and publication of the work in a special issue of the Human Factors journal.

Two finalists were also selected to be included in the Human Factors Prize special issue:

“Information-Pooling Bias in Collaborative Security Incident Correlation Analysis” by Prashanth Rajivan, Carnegie Mellon University, and Nancy Cooke, Arizona State University

“The Triad of Risk-Related Behavior (TriRB): A Three-Dimensional Model of Cyber-Risk-Taking” by Noam Ben-Asher, U.S. Army Research Laboratory, and Joachim Meyer, Tel Aviv University

To receive a prepublication copy of “Hacking the Human: The Prevalence Paradox in Cybersecurity” for media-reporting purposes, contact HFES Communications Director Lois Smith (310/394-1811, lois@hfes.org).


The Human Factors and Ergonomics Society is the world’s largest scientific association for human factors/ergonomics professionals, with more than 4,500 members globally. HFES members include psychologists and other scientists, designers, and engineers, all of whom have a common interest in designing systems and equipment to be safe and effective for the people who operate and maintain them. “Human Factors and Ergonomics: People-Friendly Design Through Science and Engineering.”